  1. #1

    How To: Prevent spoof emails from being sent from your server! (exim only)

    How-To: (exim only) Prevent paypal, ebay spoofs for your server!

    This how-to prevents or at least makes it harder for spoof emails to be sent from your servers. It simply checks if the email is being sent from the localhost and if the reply to address has been set to a known spoof domain.

    ok the work starts here:

    Open the Runtime configuration file for Exim:

    Code:
    vi /usr/exim/configure
    and add

    Code:
    system_filter = /usr/exim/exim.filter
    close the file and now create the exim.filter file

    Code:
    vi /usr/exim/exim.filter
    and paste the following into it

    Code:
    # Exim filter
    
    logfile /var/log/exim_mainlog
    
    if $received_protocol is "local" and
            ($header_from contains "@ebay.com" or
            $header_from contains "@paypal.com")
    then
            logwrite "$tod_log $message_id => Outgoing mail with reply address $header_from caught. Email sent to black hole."
            seen finish
    endif
    This code should work on all systems running exim 4.x and allows a lot of room for sophistication. More ideas can spawn off this such as checking for $header_body etc.

    I would love to hear your feedback!

    NOTE: if you wish to duplicate this information please link to dev-central.com.
    Off Topic Web Forum - A forum for talking about anything!!
    N.Z. Webmaster Community - Are you from New Zealand? Well signup to our forum!!!!

  2. #2
    Join Date
    Feb 2003
    Location
    Kuala Lumpur, Malaysia
    Posts
    4,980
    Hm, /usr/exim doesn't even exist?

  3. #3
    Your exim directory is dependent on the installation. Do a "locate exim/bin" to find the exim files.

  4. #4
    Join Date
    Jul 2003
    Posts
    533
    I thought exim has an option to only allow logged-in users to send emails,
    unless you mean that users on the server try to send spoof mails?

  5. #5

    Quote Originally Posted by wheimeng View Post
    Hm, /usr/exim doesn't even exist?
    Old thread, but thought of documenting the solution for cPanel specific configuration because this is a very important configuration for bringing down spam.

    Also added an additional rule to check spoofed email even among authenticated outgoing emails (because this seems to be a norm these days)

    (root)>grep ^system_filter /etc/exim.conf
    system_filter = /etc/exim.filter
    system_filter_user = cpaneleximfilter
    system_filter_group = cpaneleximfilter
    system_filter_file_transport = address_file

    (root)>cat /etc/exim.filter
    # Exim filter

    logfile /var/log/exim_filterlog

    if ( $received_protocol is "local" or
         $received_protocol is "esmtpa" ) and
       ( $sender_address contains "@ebay.com" or
         $sender_address contains "@paypal.com" or
         $sender_address contains "@yahoo.com" or
         $sender_address contains "@aol.com" or
         $sender_address contains "@gmail.com" or
         $sender_address contains "@hotmail.com" or
         $sender_address contains "@msn.com" or
         $sender_address contains "@cox.com" or
         $sender_address contains "aol.com" )
    then
        save /var/cpanel/userhomes/cpaneleximfilter/mail/inbox
        logwrite "$tod_log $message_id => Outgoing mail with reply address $header_from caught. Email sent to black hole."
        seen finish
    endif
    Basically, this is what it does.
    It checks if the email is sent either using
    "local" (i.e., emails sent using forms and scripts) or
    "esmtpa" (i.e., emails sent after authenticating)
    and if it matches either of the 2 conditions, it checks for the from address and if it matches either (aol, hotmail, etc.), it will block the email and append it to /var/cpanel/userhomes/cpaneleximfilter/mail/inbox

    PS: Please ensure that the files -
    /var/cpanel/userhomes/cpaneleximfilter/mail/inbox and
    /var/log/exim_filterlog
    are created with appropriate ownership and permissions.

    (root)>ls -l /var/log/exim_filterlog /var/cpanel/userhomes/cpaneleximfilter/mail/inbox
    -rw------- 1 cpaneleximfilter cpaneleximfilter 4566414 Jun 16 19:39 /var/cpanel/userhomes/cpaneleximfilter/mail/inbox
    -rw-r----- 1 cpaneleximfilter cpaneleximfilter 46680 Jun 16 19:39 /var/log/exim_filterlog
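
The two rules in this thread inspect different fields (post #1 the From: header, post #5 the envelope sender), and neither reads the recipient. The following added example, which is not part of any post and is not Exim code, models both conditions in Python over constructed messages, next to a hypothetical exact-domain variant (`exact_domain_rule`); the helper names are invented here and the webmail case is assumed to arrive as `esmtpa`.

```python
# Added example: Python model of the thread's two filter conditions (not Exim, not the posters' code).
from email.utils import parseaddr

POST1_STRINGS = ["@ebay.com", "@paypal.com"]
POST5_STRINGS = ["@ebay.com", "@paypal.com", "@yahoo.com", "@aol.com", "@gmail.com",
                 "@hotmail.com", "@msn.com", "@cox.com", "aol.com"]
EXACT_DOMAINS = {s.lstrip("@") for s in POST5_STRINGS}

def contains(text, needle):
    # Lower-case "contains" is modelled as a case-insensitive substring test.
    return needle.lower() in text.lower()

def post1_rule(m):
    """Post #1: local submission whose From: header contains a listed string."""
    return m["protocol"] == "local" and any(contains(m["header_from"], s) for s in POST1_STRINGS)

def post5_rule(m):
    """Post #5: local or authenticated, envelope sender contains a listed string."""
    return m["protocol"] in ("local", "esmtpa") and any(
        contains(m["sender_address"], s) for s in POST5_STRINGS)

def exact_domain_rule(m):
    """Hypothetical stricter variant: exact domain of envelope sender or From: address."""
    addresses = (m["sender_address"], parseaddr(m["header_from"])[1])
    return m["protocol"] in ("local", "esmtpa") and any(
        a.rpartition("@")[2].lower() in EXACT_DOMAINS for a in addresses)

def msg(protocol, sender_address, header_from, rcpt):
    return dict(protocol=protocol, sender_address=sender_address, header_from=header_from, rcpt=rcpt)

SAMPLES = {  # constructed; rcpt is carried only to show that no rule reads it
    "form_script_forged_from": msg("local", "nobody@host.example",
                                   "PayPal <service@paypal.com>", "someone@example.net"),
    "webmail_to_gmail": msg("esmtpa", "alice@customer.example",
                            "Alice <alice@customer.example>", "bob@gmail.com"),
    "authenticated_gmail_sender": msg("esmtpa", "carol@gmail.com",
                                      "carol@gmail.com", "dave@example.org"),
    "lookalike_substring": msg("local", "news@paol.com.example",
                               "News <news@paol.com.example>", "erin@example.org"),
    "inbound_from_gmail": msg("esmtp", "frank@gmail.com",
                              "frank@gmail.com", "local-user@host.example"),
}

def verdicts():
    return {n: (post1_rule(m), post5_rule(m), exact_domain_rule(m)) for n, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{name:28} post1={v[0]} post5={v[1]} exact_domain={v[2]}")
```

Each tuple is (post #1 rule, post #5 rule, exact-domain variant), with True meaning the message would be caught.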

  6. #6
    Join Date
    Mar 2013
    Posts
    673
    If a normal user sends mail to Gmail using webmail, will it be sent to the black hole also? I'm a newbie.

  7. #7
    Join Date
    Dec 2011
    Posts
    1,460
    Quote Originally Posted by 3FRSB View Post
    If a normal user sends mail to Gmail using webmail, will it be sent to the black hole also? I'm a newbie.
    Well, that certainly explains why you decided that an 11-year-old thread needed a new reply.
    "I've seen spam you people wouldn't believe. Routers on fire off the OCs of AGIS. I watched MXes burning in the dark near the Cyberpromo Gateway. All those moments will be lost in time, like tears in rain. TTL=0."
