Spam from local user delivered without authentication

carock

Well-Known Member
Sep 25, 2002
St. Charles, MO
One of my users forwarded me a spam message they received. It was sent to them with the From address of their mailbox.

Checking Exim logs shows the message was submitted from a foreign IP address and accepted without error.

I also did some testing with several user accounts and two cPanel servers. Both accepted and delivered a message from an unknown IP as long as the From address was the same as the destination address, which is a local mailbox.

I was also able to use two different cPanel accounts on the same server to send mail to each other without authentication from a foreign IP.

i.e. message From: user@firstdomain To: user@seconddomain with both domains hosted on the same server and different accounts.

Is this expected behavior, or have I made a mistake with my configuration?

Thanks,
Chuck
 

mtindor

Well-Known Member
Sep 14, 2004
inside a catfish
cPanel Access Level
Root Administrator
It's expected behavior, and most mail systems will allow that to happen. On some mail systems you can disable receiving emails from an external source if the FROM domain is the same as the TO domain unless the email is authenticated. But even in those cases where a mail server allows you to do that, most admins don't turn that on -- as there are plenty of reasons why a legitimate email from an external IP with the same FROM/TO domains can be legit and wanted behavior without authentication.

Ex: [email protected] is a local email account on a cPanel server. I set up [email protected] mail to forward to my Gmail account (because setting up Gmail to POP my [email protected] is fraught with problems where Gmail falsely tags that POP'd mail as spam when it is legit). Then I set up my Gmail account so that it is able to send emails out as [email protected]. And oftentimes I'll want messages to be CC'd to myself, or will send emails (from Gmail) as [email protected] to [email protected] and I want it to go to the cPanel mailbox. This is just an example. I don't own the miketindor.com domain so I don't care about referencing it. And in reality, even though I do this very thing on a regular basis, I always set my Gmail up so that it actually authenticates into my cPanel server as [email protected] when sending those mails. I don't have to do it that way, but I choose to do it that way. Anyway, that's one reason why mail servers don't typically have a setting to block mail from an external IP with FROM/TO addresses in the same domain.

This is why, in this day and age, you/your clients want to make sure they have a publicized SPF record (a very strict one with -all at the end), DKIM authentication, and a strict DMARC record that quarantines or rejects 100% of emails that fail both DKIM and SPF (or, even better, fail DKIM or SPF).

Then again, in SpamAssassin the default score penalty for failing SPF or DKIM or DMARC isn't always enough all by itself to cause a bad message from an external IP with the same FROM/TO domain to be scored high enough to trigger anything. But you can adjust spamassassin scores.

Aside from webmail services with a ton of money to create their own spam filtering systems (Gmail / Yahoo / etc) or large ISPs who might do the same (AOL, etc), most mail systems only do a so-so job at really protecting your mail without third-party spam filtering being used. Ya know, something like Proofpoint, Barracuda, Mimecast, SpamExperts N-able, etc.

Mike
 
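The two decisions discussed in the thread, modelled in Python as an added illustration (this is not code from the thread, from cPanel or from Exim). relay_decision() shows why an MTA accepts a message for a local mailbox no matter what the envelope sender or From: header says, while refusing to relay to remote recipients without SMTP AUTH. dmarc_disposition() then shows how a receiver's SPF/DKIM/DMARC check treats the same messages; it follows RFC 7489, under which a message passes DMARC when either SPF or DKIM passes and is aligned with the From: domain, and the published policy applies only when both fail. All domain names, IP addresses, SPF records and DMARC policies below are constructed for the example, and the model assumes, as cPanel's Exim configuration typically does, that SPF and DMARC checks are skipped for authenticated sessions.

```python
"""Added example (not cPanel/Exim code): relay control vs. SPF/DKIM/DMARC
evaluation for the same-domain spoofing case discussed in the thread.
All names, addresses and records are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Domains the hypothetical cPanel server hosts (constructed).
LOCAL_DOMAINS = {"firstdomain.example", "seconddomain.example"}
SERVER_IP = "203.0.113.10"  # the server's own outbound IP (constructed)

# Published SPF records, strict "-all" as the post recommends (constructed).
SPF_RECORDS = {
    "firstdomain.example": "v=spf1 ip4:203.0.113.10 -all",
    "seconddomain.example": "v=spf1 ip4:203.0.113.10 -all",
    "remote.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
# Published DMARC policies (constructed); p=reject for the hosted domains.
DMARC_POLICY = {"firstdomain.example": "reject", "seconddomain.example": "reject"}


@dataclass
class Session:
    client_ip: str                     # IP that connected to the MTA
    authenticated: bool                # did SMTP AUTH succeed?
    mail_from: str                     # envelope sender (MAIL FROM)
    rcpt_to: str                       # envelope recipient (RCPT TO)
    header_from: str                   # RFC 5322 From: header the user sees
    dkim_domain: Optional[str] = None  # d= of a valid DKIM signature, if any


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def relay_decision(s: Session) -> str:
    """Relay control as typical MTAs apply it: mail for a local mailbox is
    accepted from any client; only remote recipients require authentication.
    The sender address is never consulted, so From == To on a hosted domain
    from a foreign IP is accepted. That is not an open relay."""
    if domain(s.rcpt_to) in LOCAL_DOMAINS:
        return "accept (local recipient)"
    if s.authenticated:
        return "accept (authenticated submission)"
    return "reject (relay not permitted)"


def spf_result(s: Session) -> str:
    """Minimal SPF evaluator: ip4 terms plus the -all / ~all qualifiers only."""
    record = SPF_RECORDS.get(domain(s.mail_from))
    if record is None:
        return "none"
    ip = ipaddress.ip_address(s.client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term == "-all":
            return "fail"
        if term == "~all":
            return "softfail"
    return "neutral"


def dmarc_disposition(s: Session) -> str:
    """RFC 7489: pass if SPF passes with MAIL FROM aligned to the From: domain,
    or DKIM passes with d= aligned to it; otherwise the published policy."""
    hf = domain(s.header_from)
    spf_aligned = spf_result(s) == "pass" and domain(s.mail_from) == hf
    dkim_aligned = s.dkim_domain is not None and s.dkim_domain.lower() == hf
    if spf_aligned or dkim_aligned:
        return "pass"
    return DMARC_POLICY.get(hf, "none")


def evaluate(s: Session) -> dict:
    """What the receiving MTA decides for one session. Assumption: SPF and
    DMARC checks are not run on authenticated (submission) sessions."""
    result = {"relay": relay_decision(s)}
    if s.authenticated:
        result.update(spf="skipped", dmarc="skipped")
    else:
        result.update(spf=spf_result(s), dmarc=dmarc_disposition(s))
    return result


# 1. The spam in the thread: foreign IP, no AUTH, From == To on a hosted domain.
SPOOFED = Session("198.51.100.77", False, "user@firstdomain.example",
                  "user@firstdomain.example", "user@firstdomain.example")
# 2. A real relay attempt from the same foreign IP to a remote mailbox.
RELAY = Session("198.51.100.77", False, "user@firstdomain.example",
                "someone@remote.example", "user@firstdomain.example")
# 3. Gmail "send as" without AUTH: DKIM-signed by gmail.com, so not aligned.
GMAIL_SENDAS = Session("198.51.100.200", False, "user@firstdomain.example",
                       "user@firstdomain.example", "user@firstdomain.example",
                       dkim_domain="gmail.com")
# 4. The same Gmail message submitted with SMTP AUTH, as Mike configures it.
AUTH_SUBMIT = Session("198.51.100.200", True, "user@firstdomain.example",
                      "user@firstdomain.example", "user@firstdomain.example")
# 5. Ordinary inbound mail from a domain whose SPF record covers the client IP.
REMOTE_OK = Session("192.0.2.9", False, "sender@remote.example",
                    "user@firstdomain.example", "sender@remote.example")

if __name__ == "__main__":
    for name, sess in [("spoofed", SPOOFED), ("relay", RELAY),
                       ("gmail_sendas", GMAIL_SENDAS), ("auth_submit", AUTH_SUBMIT),
                       ("remote_ok", REMOTE_OK)]:
        print(f"{name:13} {evaluate(sess)}")
```

The spoofed message is accepted by relay control (it is inbound mail for a local mailbox, exactly as the post says) but fails SPF under a -all record and, with no aligned DKIM signature, gets the p=reject disposition. The unauthenticated Gmail send-as case lands in the same place, which is why authenticating that submission matters once strict SPF and DMARC are published.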

carock

Well-Known Member
Sep 25, 2002
St. Charles, MO
Thanks Mike. I've been doing the cPanel hosting for a while, I just don't remember coming across this before (old age). I was worried I had missed a configuration option and my server was allowing relaying that I didn't want.

I can live with it if that's just how it works.

Thanks,
Chuck