a lot spoofing. remote email are being sent using local envelope

[raps]

Received: from tk.ibw.com.ni (localhost [127.0.0.1]) --- look at this something is send this email locally
by tk.ibw.com.ni (Proxmox) with ESMTP id BADC31A8C45
for <[email protected]>; Tue, 11 Aug 2020 00:43:38 -0600 (CST)
Date: Tue, 11 Aug 2020 03:44:38 -0300
From: "user1" <[email protected]>---this is not user1 email address ---- this is phishing
To: "[email protected]" <[email protected]>
Subject: Fwd:Quote
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--106277629023481144352531673054508"
Message-Id: <[email protected]>

 

[cPAdminsMichael]

Hi!
We would need a bit more details and clarification than just a mail header.
Can you elaborate more?
If the mail outbound/inbound? Which domains are local to your system? Have you searched for BADC31A8C45 in your exim logs?

 

[cPanelLauren]

What makes you think this is spoofing and not that user sending spam via a compromised script? This appears to be what is happening here.

 

[raps]

What makes you think this is spoofing and not that user sending spam via a compromised script? This appears to be what is happening here.

Hi Lauren we have logged a call with cpanel but the all said this a normal email. thanks Lauren, my thoughts exactly. how do we deal with the compromised cpanel server in this regard

 

[raps]

Hi!
We would need a bit more details and clarification than just a mail header.
Can you elaborate more?
If the mail outbound/inbound? Which domains are local to your system? Have you searched for BADC31A8C45 in your exim logs?

Good day Michael

Received: from tk.ibw.com.ni (localhost [127.0.0.1]) -------------------------the local server hostname is cp1.example.com NOT tk.ibw.com.ni


From: "user1" <[email protected]>---------------------------user1 email should be [email protected] NOT [email protected]


This means this email( [email protected]) uses the local resources to send email to user1 on which the body content of the email are the old emails send by User1 with the .doc attachemant

TO: "[email protected]"

 

[cPanelLauren]

Well if you're sending email from a script you'd need to identify the specific script that is sending the mail. As you mention you called cPanel's technical support, what is the ticketID number associated with that call?

 

[raps]

Well if you're sending email from a script you'd need to identify the specific script that is sending the mail. As you mention you called cPanel's technical support, what is the ticketID number associated with that call?

Well if you're sending email from a script you'd need to identify the specific script that is sending the mail. As you mention you called cPanel's technical support, what is the ticketID number associated with that call?

hi Lauren

This is what we found. How do we stop this.

 

[cPAdminsMichael]

Good day Michael

Received: from tk.ibw.com.ni (localhost [127.0.0.1]) -------------------------the local server hostname is cp1.example.com NOT tk.ibw.com.ni


From: "user1" <[email protected]>---------------------------user1 email should be [email protected] NOT [email protected]


This means this email( [email protected]) uses the local resources to send email to user1 on which the body content of the email are the old emails send by User1 with the .doc attachemant

TO: "[email protected]"

All details in the mail header can relatively easy by spoofed. The mail doesn't neccessarily have to come from your own server - actually I'm confident that it's "just" spam from an external server. You would need to find the mail in exim_main log to see the connecting ip and check up on that.
A quick search shows that fx " tk.ibw.com.ni " is in a few blacklist.. so maybe also activating DNSBL in your Exim Configuration Manager will help.

 

[raps]

All details in the mail header can relatively easy by spoofed. The mail doesn't neccessarily have to come from your own server - actually I'm confident that it's "just" spam from an external server. You would need to find the mail in exim_main log to see the connecting ip and check up on that.
A quick search shows that fx " tk.ibw.com.ni " is in a few blacklist.. so maybe also activating DNSBL in your Exim Configuration Manager will help.

Hi Michael

i have activated DNSBL already,

 

[loyalcom]

same problem my server also. lots of mail received using country domain include .doc virus file.