Preventing Outgoing Spam
By Mr.Seiko on Feb 23, 2016 | In Uncategorized
We all know that Spam is fucking annoying. That being the case, when a user is compromised, either through a web script or a hacked/cracked/socially engineered password, the spammer's most likely avenue is to spoof a random email address from the same domain, or to spoof something completely different.
Here is how I learned to combat this: by preventing my servers from sending outgoing spoofed mail, I know that I'm ensuring that my domains are not part of the problem.
By taking advantage of the EXIM Configuration Editor, we can effectively stop outgoing spoofing.
I. Blocking all un-authenticated spoofed outbound emails
1. Login to WHM >> EXIM CONFIGURATION MANAGER >> ADVANCED EDITOR
2. Add the following entry at the top using Add additional configuration setting:
domainlist remote_domains = lsearch;/etc/remotedomains
3. Add the following code under acl_not_smtp >> custom_begin_outgoing_notsmtp_checkall:
deny
  condition = ${if !match_domain{${domain:${address:$h_From:}}}{+local_domains : +remote_domains}}
  message   = Sorry, you don't have \
              permission to send email from this server with a header that \
              states the email is from ${lc:${domain:${address:$h_from:}}}.
accept
Here, the ACL checks whether the domain part of the From address appears in either of the files /etc/localdomains or /etc/remotedomains. If it does not, the server rejects the email. Because this sits in acl_not_smtp, it covers mail injected locally (for example by a web script calling sendmail) rather than SMTP sessions.
II. Blocking all authenticated spoofed outbound emails
1. WHM >> EXIM CONFIGURATION MANAGER >> ADVANCED EXIM EDITOR
2. Search for acl_smtp_data >> custom_begin_outgoing_smtp_checkall and add the following lines under it:
deny
  authenticated = *
  condition = ${if or {{ !eqi{$authenticated_id}{$sender_address} } \
                       { !eqi{$authenticated_id}{${address:$header_From:}} } \
                      } \
              }
  message = Your FROM address ( $sender_address , $header_From ) \
            must match your authenticated email user ( $authenticated_id ). \
            Treating this as a spoofed email.
Here, for all authenticated users, the rule checks whether the authenticated user ID matches the From address (and the envelope sender). If it matches, the email is allowed. Otherwise, the email is rejected with the message “Your FROM address must match your authenticated email user. Treating this as a spoofed email.”
PS: If acl_smtp_data is set to something else (like acl_smtp_data = check_message), locate check_message and add the above lines just under it.
IMPORTANT points to keep in mind
a. POP before SMTP won’t work with this setting. You will have to ask your customers to enable the option “My Server Requires Authentication” in the SMTP settings of their email client.
b. Usernames in the format user+domain.com will not work. They have to use user@domain.com instead.
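To check what the two ACLs above will accept and reject before putting them into the WHM editor, here is an added stand-alone simulator of both rules (example code written for this page, not cPanel's or Exim's own). The domain lists and the sample messages in it are constructed; /etc/localdomains and /etc/remotedomains are replaced by in-memory sets.

```python
from email.utils import parseaddr

# Constructed stand-ins for /etc/localdomains and /etc/remotedomains.
LOCAL_DOMAINS = {"example.com"}
REMOTE_DOMAINS = {"remote.example.net"}


def address_of(header):
    """Like Exim's ${address:...}: the bare address part of a From: header."""
    return parseaddr(header)[1]


def domain_of(addr):
    """Like Exim's ${domain:...}: the part after '@', or '' if there is none."""
    return addr.rpartition("@")[2] if "@" in addr else ""


def check_notsmtp(from_header):
    """Rule I (acl_not_smtp): From domain must be a local or remote domain.
    Exim matches domain lists caselessly, so compare in lower case."""
    domain = domain_of(address_of(from_header)).lower()
    if domain not in LOCAL_DOMAINS | REMOTE_DOMAINS:
        return ("deny", f"header states the email is from {domain}")
    return ("accept", "")


def check_smtp_data(authenticated_id, sender_address, from_header):
    """Rule II (acl_smtp_data): for authenticated sessions the auth ID must
    equal (eqi, case-insensitive) both the envelope sender and the From address.
    None means the session did not authenticate, so 'authenticated = *' fails
    and the deny verb is skipped."""
    if authenticated_id is None:
        return ("accept", "")
    from_addr = address_of(from_header)
    if (authenticated_id.lower() != sender_address.lower()
            or authenticated_id.lower() != from_addr.lower()):
        return ("deny", f"FROM ({sender_address}, {from_header}) "
                        f"must match {authenticated_id}")
    return ("accept", "")


if __name__ == "__main__":
    # Constructed sample submissions: a web form, a spoof, and the user+domain
    # login format from caveat b, which can never equal a user@domain address.
    print(check_notsmtp('"Web Form" <noreply@example.com>'))
    print(check_notsmtp("spoof@victim.example.org"))
    print(check_smtp_data("alice@example.com", "alice@example.com", "Boss <ceo@example.com>"))
    print(check_smtp_data("alice+example.com", "alice@example.com", "alice@example.com"))
```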
These solutions have been tested on my personal cPanel server and on a limited set of production servers. We have found it to work in 100% of cases. However, using the above solution is at your own risk. If you do not understand the ACLs posted above, always ask for expert opinion.