  1. #1 (Member, joined Feb 2006, 14 posts)

    Are these spoofed email addresses, or has my server been compromised?

    I have very recently started to get emails like the one below every day, about 10 times a day.

    My questions are...

    1) Are these bounce messages the result of someone spoofing my email address remotely, or has my server likely been compromised by a spammer?

    2) Is there any chance that this activity is going to get my domain on some sort of worldwide blacklist?

    3) Is there anything I can do to stop this nonsense?


    Typical bounce message in my inbox follows. I've replaced my actual domain name with 'mydomain.com' in every instance. Please note that our friend "Rosalie Richmond" <ojlakd@mydomain.com> does not exist – she appears to be a spoofed email address.
    Code:
    Return-path: <>
    Envelope-to: mycatchallmailbox@mydomain.com
    Delivery-date: Sat, 15 Apr 2006 06:01:27 -0700
    Received: from myusername by server.mydomain.com with local-bsmtp (Exim 4.52)
    	id 1FUkOy-0003Oe-Ci
    	for mycatchallmailbox@mydomain.com; Sat, 15 Apr 2006 06:01:27 -0700
    X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on 
    	server.mydomain.com
    X-Spam-Level: 
    X-Spam-Status: No, score=-0.2 required=7.0 tests=BAYES_00,FORGED_RCVD_HELO,
    	HTML_50_60,HTML_IMAGE_ONLY_20,HTML_MESSAGE,NO_REAL_NAME autolearn=no 
    	version=3.1.1
    Received: from [63.118.88.99] (helo=MAILBOX.tca.us)
    	by server.mydomain.com with esmtp (Exim 4.52)
    	id 1FUkOx-0003OW-KZ
    	for ojlakd@mydomain.com; Sat, 15 Apr 2006 06:01:24 -0700
    From: postmaster@tca-us.com
    To: ojlakd@mydomain.com
    Date: Sat, 15 Apr 2006 09:04:02 -0400
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
    	boundary="9B095B5ADSN=_01C6605BB7F7EAAA00005851MAILBOX.tca.us"
    X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
    Message-ID: <pEBtKarvz000021fa@MAILBOX.tca.us>
    Subject: Delivery Status Notification (Failure)
    
    This is a MIME-formatted message.  
    Portions of this message may be unreadable without a MIME-capable mail program.
    
    --9B095B5ADSN=_01C6605BB7F7EAAA00005851MAILBOX.tca.us
    Content-Type: text/plain; charset=unicode-1-1-utf-7
    
    This is an automatically generated Delivery Status Notification.
    
    Delivery to the following recipients failed.
    
           mjbailey@tca-us.com
    
    
    
    
    --9B095B5ADSN=_01C6605BB7F7EAAA00005851MAILBOX.tca.us
    Content-Type: message/delivery-status
    
    Reporting-MTA: dns;MAILBOX.tca.us
    Received-From-MTA: dns;camfw
    Arrival-Date: Sat, 15 Apr 2006 09:04:02 -0400
    
    Final-Recipient: rfc822;mjbailey@tca-us.com
    Action: failed
    Status: 5.1.1
    
    --9B095B5ADSN=_01C6605BB7F7EAAA00005851MAILBOX.tca.us
    Content-Type: message/rfc822
    
    Received: from camfw ([192.168.13.1]) by MAILBOX.tca.us with Microsoft SMTPSVC(6.0.3790.1830);
    	 Sat, 15 Apr 2006 09:04:02 -0400
    Received: (qmail 27081 invoked from network); Sat, 15 Apr 2006 16:01:02 +0300
    Received: from unknown (HELO bitp.jipl) (81.213.239.135)
    	by dsl.dynamic8121313810.ttnet.net.tr with SMTP; Sat, 15 Apr 2006 16:01:02 +0300
    Message-ID: <000601c6608c$a65739e1$87efd551@bitp.jipl>
    From: "Rosalie Richmond" <ojlakd@mydomain.com>
    To: "Helen Wallace" <mjbailey@tca-us.com>
    Subject: latter
    Date: Sat, 15 Apr 2006 15:53:57 +0300
    MIME-Version: 1.0
    Content-Type: multipart/related;
    	type="multipart/alternative";
    	boundary="----=_NextPart_000_0002_01C660A5.CBA471AD"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.2180
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
    Return-Path: ojlakd@mydomain.com
    X-OriginalArrivalTime: 15 Apr 2006 13:04:02.0828 (UTC) FILETIME=[119524C0:01C6608D]
    
    {insert junk email here}

  2. #2 (Member, joined Jan 2004, 755 posts)

    Don't use the 'catch-all' feature, and set the default action for non-existent addresses to :fail: as opposed to :blackhole: or other...

  3. #3 (Member, joined Feb 2006, 14 posts)

    Quote Originally Posted by Lyttek
    Don't use the 'catch-all' feature
    Yeah, that's not an option. I use catch-all extensively for routing and other things, and it's never been a problem until now – when I started getting all these bogus bounce emails.

    My above questions still stand. Anyone?

  4. #4 (Member, joined Oct 2002, 131 posts)

    Over the past week, I have been seeing a huge amount of these messages compared to before. Disabling catchall is not an option for me either. How do I check to see if they are real or spoofed?
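One way to answer the "real or spoofed?" question from the bounce itself, added here as an example and not code from anyone in the thread: the Received chain of the returned original shows which hosts actually handled the spam before it reached the remote MX, and the owner's server only appears in that chain if the mail really passed through it. It assumes Python 3's standard email package; the sample bounce is constructed from the one quoted in the first post, "B1" is a constructed boundary, and 203.0.113.10 is a stand-in for the server's own address.

```python
import email
from email import policy

# Constructed sample: a trimmed copy of the bounce quoted in the first post
# (same hosts and addresses, junk body omitted, "B1" is a constructed boundary).
SAMPLE_BOUNCE = """\
Return-path: <>
Received: from [63.118.88.99] (helo=MAILBOX.tca.us)
\tby server.mydomain.com with esmtp (Exim 4.52) for ojlakd@mydomain.com
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Delivery to the following recipients failed.
--B1
Content-Type: message/rfc822

Received: from camfw ([192.168.13.1]) by MAILBOX.tca.us with Microsoft SMTPSVC
Received: from unknown (HELO bitp.jipl) (81.213.239.135)
\tby dsl.dynamic8121313810.ttnet.net.tr with SMTP
From: "Rosalie Richmond" <ojlakd@mydomain.com>

{junk}
--B1--
"""

def is_bounce(msg):
    # An empty envelope sender (Return-path: <>) plus a multipart/report body marks
    # a DSN; Exim's error_message filter condition keys on that same empty sender.
    return (msg.get("Return-path", "").strip() == "<>"
            and msg.get_content_type() == "multipart/report")

def original_received(msg):
    # Received lines of the bounced original: the path the spam took before the remote MX.
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return [str(h) for h in part.get_payload(0).get_all("Received", [])]
    return []

def relayed_through(msg, own_hosts):
    # Only a hop naming one of our own hosts shows the mail passed through our
    # server; a forged From header alone proves nothing about where it was sent.
    return any(host.lower() in line.lower()
               for line in original_received(msg) for host in own_hosts)

def analyse(raw, own_hosts):
    msg = email.message_from_string(raw, policy=policy.default)
    return {"bounce": is_bounce(msg), "hops": len(original_received(msg)),
            "sent_by_us": relayed_through(msg, own_hosts)}
```

Running `analyse(SAMPLE_BOUNCE, ["server.mydomain.com", "203.0.113.10"])` on the sample reports a genuine bounce whose original never touched the owner's server, which is the backscatter pattern this thread is about.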

  5. #5 (Registered User, joined Apr 2006, 3 posts)

    email filter not working correctly

    Yes, I've had the same problem the last 3 days - getting about 30 of these messages a day. Disabling catchall is also not an option for me.

    I have set several mail filters in cPanel for 'header from' contains 'postmaster', 'mail delivery' etc. and for 'header subject' contains 'failure', 'delivery status notification' etc. according to the various messages that keep coming in. (I've used the correct syntax, upper/lower case etc., just not typed it all here). But the filtering doesn't work properly and the junk keeps coming:

    1 When I test the filtering by sending messages to a false address on my domain and include the filter words in the subject, the messages get filtered properly.

    2 When I copy and paste one of the spam messages into the test box on the cPanel mail filtering page, the result says that the messages are caught and will not be delivered, and indeed they don't arrive. (The test result says they will be delivered to the special mailbox I set up for the filtering, but they don't go there either!)

    3 The real messages still keep on coming! They are not getting filtered despite the fact that the test results indicate the filtering is set up properly.

    Does anybody have any idea what's going on and how to fix this?

  6. #6 (Member, joined Feb 2006, 14 posts)

    SPF Records the key?

    If I analyse my domain with the tool at http://www.dnsreport.com, I get the following message regarding my domain's lack of an SPF record:

    Your domain does not have an SPF record. This means that spammers can easily send out E-mail that looks like it came from your domain, which can make your domain look bad (if the recipient thinks you really sent it), and can cost you money (when people complain to you, rather than the spammer). You may want to add an SPF record ASAP, as 01 Oct 2004 was the target date for domains to have SPF records in place (Hotmail, for example, started checking SPF records on 01 Oct 2004).
    This pretty much describes the problem of people sending malicious email as though it was coming from my server. Are SPF records the key, and if so – how should I go about properly installing SPF records with my cPanel VPS? The instructions at http://www.openspf.org/ are sort of Greek to me.

    Tutorial anyone? Script?

  7. #7 AndyReed (cPanel Partner NOC, joined May 2004, Minneapolis, MN, 2,223 posts)

    Quote Originally Posted by steveluscher
    If I analyse my domain with the tool at http://www.dnsreport.com, I get the following message regarding my domain's lack of an SPF record:

    This pretty much describes the problem of people sending malicious email as though it was coming from my server. Are SPF records the key, and if so – how should I go about properly installing SPF records with my cPanel VPS? The instructions at http://www.openspf.org/ are sort of Greek to me.
    If you are interested in implementing SPF, then you can either add SPF records in the DNS zone, or in exim itself. There are instructions on the SPF Web site for exim. Having said that, be warned that your clients might lose legitimate email if you integrate SPF into exim. SPF is not the answer and it does nothing at all about SPAM. For more info about SPF, go to: http://www.openspf.org/downloads.html Good luck!
    Andy Reed
    RHCE and CCNA
    ServerTune.com

  8. #8 (Member, joined Feb 2006, 14 posts)

    Quote Originally Posted by AndyReed
    SPF is not the answer
    So basically, from what I've been reading, the answers are:

    1) No, the email is not originating from your server; your server is secure
    2) No, there's nothing you can do about people spoofing your domain, other than wait it out or stack filters on top of filters to try to quiet it down.

    Is that about it?

  9. #9 chirpy (Super Moderator; vendor account confirmed by cPanel staff; joined Jun 2002; location: Go on, have a guess; 13,495 posts)

    Yes to both, unfortunately. You basically have to ride it out and filters are probably your only option if you cannot setup aliases for the addresses you use and disable the account catchall.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  10. #10 (Registered User, joined Apr 2006, 3 posts)

    Quote Originally Posted by chirpy
    filters are probably your only option if you cannot setup aliases for the addresses you use and disable the account catchall.
    But please see my message 5 posts up on this thread. Filters aren't working. Since I posted that message I've had about 80 more bounced messages that should have gotten caught in the filters I've set up. And not a single message *has* been caught by those filters except the test messages I've sent myself by e-mail and from the test panel on the filter setup page. I've attached a screenshot of my filters, so you can see they should work.

    Can anybody explain why all these messages aren't being filtered?

    Thanks
    J
    [Attachment: screenshot002.jpg]

  11. #11 (Member, joined Aug 2002, 170 posts)

    The filter is not working because cpanel sets all filters to be bypassed for error/bounce messages.

    You have to SSH to your server as root and edit the file
    /etc/vfilters/yourdomain.com

    and remove this line:
    if error_message then finish endif
    Host Ultra
    Quality Affordable Web Hosting

  12. #12 (Registered User, joined Apr 2006, 3 posts)

    Thanks, that's a helpful reply.

    I'm not authorised for SSH access, but I've written to my hosting provider and asked them to do the edit for me.

    J
