Knowledgebase

SPAM with my email address in From:

Posted by bloodyman, 02-17-2012, 07:45 PM
Hi, for the last few days I've been receiving many spam emails with my email address spoofed. Headers of such messages (my email address was changed to user@MY-DOMAIN.COM and my domain was changed to MY-DOMAIN.COM): I've tried these ACLs, but they do not stop it: ACL-1: ACL-2 Do you have any idea what else I can try?

Posted by cb-ikt, 02-18-2012, 12:39 AM
Define your localdomains. Then, use this ACL

Posted by bloodyman, 02-18-2012, 05:40 PM
Hi, thanks for sharing. But your solution does not help. My Exim logs show the return-path address as delivery from, but in my Outlook I see From: as the email source. And this From is not filtered.

Posted by cb-ikt, 02-18-2012, 05:43 PM
That's strange. I took that configuration from a running server. Where exactly did you put the ACL?

Posted by bloodyman, 02-19-2012, 08:49 PM
Hi, I've put what you suggested. It does not expand my domains from the "From:" header. I use "domainlist lsearch" for /etc/localdomains instead of "domainlist localdomains = my-domain.com : my-domain.net"

Posted by fomin, 02-23-2012, 08:49 AM
Same problem, any ideas?

Posted by xtrac568, 02-23-2012, 09:41 AM
h_from is supposed to match From: in headers, the same From: you see in Outlook, so that is what the Exim ACL is supposed to filter. Another option is to set up SPF with "-all" for your domain, and then reject/junk any mail in SpamAssassin with an SPF hard fail.

Posted by bloodyman, 02-23-2012, 02:08 PM
This is very weird. As you can see in the copy of the email I've posted, there is my email address in From: From: but those ACL rules do not filter them. And the spam is not sent from my server; it is sent from a hacked open-relay server, I think.

Posted by EclipzeComputing, 02-23-2012, 05:19 PM
Set up SPF, your (and others') e-mail server won't accept e-mail from your domain unless it originates from the host you list in the SPF record. You should also enable authentication for all relays including local domains.

Posted by bloodyman, 02-23-2012, 07:03 PM
SPF is not a solution, because it is not a standard and not many hosts use SPF. I have authentication enabled for local domains and I do not allow for relayhosts. Those emails have a different Reply-Path, which I see in exim_mainlog as the source of the email, but when I view this email in Outlook I see my email address as it exists in the From header.

Posted by EclipzeComputing, 02-23-2012, 11:26 PM
Actually, a survey as old as 2009 showed that 51% of domains did in fact use SPF, including several of the larger firms (Gmail, AOL). There is an experimental stage RFC (4408) that has been in widespread use since 2006. You can either use the type 99 SPF record or the older TXT record method, though the TXT method will probably be phased out eventually. It doesn't matter whether anybody else is using it, since the e-mail is being spoofed from your own domain, telling your server to junk mail with a hard SPF fail *will* solve your problem if you set up the record with The return-path and from headers are used for two very different things, your e-mail client is behaving as expected.

Posted by RomanVelcom, 02-28-2012, 04:30 PM
Just set up SPF for your domain to prevent this. It's easy.

Posted by johnnyb0y, 03-03-2012, 04:30 AM
Are you using Joomla or ZenPhoto? I came across this issue twice this week. Look in the web root for files with obscure names. It may look like a google-analytics verification file.

Posted by bloodyman, 03-03-2012, 04:54 AM
It is not connected with Joomla or ZenPhoto. I receive those messages from outside hosts, but they are identified by Exim as the email address put in Return-Path, but in Outlook I see the email address put in From:, which is my address. I appreciate your suggestions to implement SPF, but I would like a solution to catch this with the ACL section of exim.conf.

Posted by DewlanceHosting, 03-03-2012, 07:19 AM
1. Are you using any billing script or client area script like WHMCS, Blesta, etc.? 2. Are you sure that your email password is secure? (or does a hacker know your password) - Ban this spammer IP address: Received: from [188.92.9.66]

Posted by bloodyman, 03-03-2012, 01:10 PM
This is not from my server: Received: from [188.92.9.66] by MY_HOSTNAME with esmtp (Exim 4.69) (envelope-from ) id 1RyTb1-0001eW-Ca for user@MY-DOMAIN.COM; Fri, 17 Feb 2012 11:11:55 +0100 Received: from apache by MY-DOMAIN.COM with local (Exim 4.63) As you can see, 188.92.9.66 received it from user apache (I don't have such a user) and Exim on 188.92.9.66 is 4.63 - on mine it is 4.69 (cPanel 11.30). I'm sure this came from outside of my server. In exim_mainlog I see that it came from: Return-path: but in Outlook I see my email address as From: and To:

Posted by RomanVelcom, 03-04-2012, 03:50 AM
Hi, did you have SPF set up for your domain?

Posted by bloodyman, 03-04-2012, 01:33 PM
I said no because I want to find a solution where SPF will not be needed. I would like to know if anyone has successfully made an ACL to stop this?
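
An added example, not part of any post in this thread: the decision the thread is circling, written as Python over a constructed message, showing why a test on the envelope sender (the Return-Path that Exim logs) passes this spam while a test on the From: header (the `h_from` xtrac568 mentions) catches it. `LOCAL_DOMAINS`, the sample sender `bounce@elsewhere.example` and all function names are assumptions for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: stand-in for the domains listed in /etc/localdomains.
LOCAL_DOMAINS = {"my-domain.com", "my-domain.net"}

# Constructed sample modelled on the thread: foreign envelope sender,
# From: header claiming a local address.
SAMPLE_ENVELOPE_FROM = "bounce@elsewhere.example"
SAMPLE_MESSAGE = (
    "Received: from [188.92.9.66] by MY_HOSTNAME with esmtp\n"
    "From: user@MY-DOMAIN.COM\n"
    "To: user@MY-DOMAIN.COM\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def domain_of(addr):
    """Lower-cased domain of an address; '' for a null or malformed sender."""
    _, at, dom = addr.rpartition("@")
    return dom.lower().rstrip(".") if at else ""

def envelope_is_local(envelope_from):
    """The check that misses this spam: it only sees the Return-Path."""
    return domain_of(envelope_from) in LOCAL_DOMAINS

def header_from_domains(raw_message):
    """Domains of all addresses in all From: headers; display names ignored."""
    msg = message_from_string(raw_message)
    addrs = getaddresses(msg.get_all("From", []))
    return {domain_of(a) for _, a in addrs} - {""}

def verdict(raw_message, authenticated=False, trusted_relay=False):
    """Decide on one inbound message using the header From:, not the envelope."""
    if authenticated or trusted_relay:
        return "accept"  # legitimate local users submit this way
    forged = header_from_domains(raw_message) & LOCAL_DOMAINS
    return "reject" if forged else "accept"
```

The exemption for authenticated or trusted-relay submissions matters: without it the same rule rejects mail from the domain's own users.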


