A lot of spoofing: remote emails are being sent using the local envelope

raps

Member
Aug 12, 2020
5
0
1
lesotho
cPanel Access Level
Root Administrator
Received: from tk.ibw.com.ni (localhost [127.0.0.1]) --- look at this: something is sending this email locally
by tk.ibw.com.ni (Proxmox) with ESMTP id BADC31A8C45
for <[email protected]om>; Tue, 11 Aug 2020 00:43:38 -0600 (CST)
Date: Tue, 11 Aug 2020 03:44:38 -0300
From: "user1" <[email protected]> --- this is not user1's email address --- this is phishing
To: "[email protected]" <[email protected]>
Subject: Fwd:Quote
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--106277629023481144352531673054508"
Message-Id: <[email protected]>

cPAdminsMichael

Well-Known Member
Dec 19, 2016
129
40
103
Denmark
cPanel Access Level
Root Administrator
Hi!
We would need a bit more details and clarification than just a mail header.
Can you elaborate more?
Is the mail outbound or inbound? Which domains are local to your system? Have you searched for BADC31A8C45 in your exim logs?
 

raps

What makes you think this is spoofing and not that user sending spam via a compromised script? This appears to be what is happening here.
Hi Lauren, we have logged a call with cPanel but they all said this is a normal email. Thanks Lauren, my thoughts exactly. How do we deal with the compromised cPanel server in this regard?
 

raps

Hi!
We would need a bit more details and clarification than just a mail header.
Can you elaborate more?
Is the mail outbound or inbound? Which domains are local to your system? Have you searched for BADC31A8C45 in your exim logs?
Good day Michael

Received: from tk.ibw.com.ni (localhost [127.0.0.1]) --- the local server hostname is cp1.example.com, NOT tk.ibw.com.ni

From: "user1" <[email protected]> --- user1's email should be [email protected], NOT [email protected]

This means this email ([email protected]) uses the local resources to send email to user1, and the body content of the email is the old emails sent by user1 with the .doc attachment.

TO: "[email protected]"
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston
Well if you're sending email from a script you'd need to identify the specific script that is sending the mail. As you mention you called cPanel's technical support, what is the ticketID number associated with that call?
 

raps

Well if you're sending email from a script you'd need to identify the specific script that is sending the mail. As you mention you called cPanel's technical support, what is the ticketID number associated with that call?



Hi Lauren

This is what we found. How do we stop this?
 


cPAdminsMichael

Good day Michael

Received: from tk.ibw.com.ni (localhost [127.0.0.1]) --- the local server hostname is cp1.example.com, NOT tk.ibw.com.ni

From: "user1" <[email protected]> --- user1's email should be [email protected], NOT [email protected]

This means this email ([email protected]) uses the local resources to send email to user1, and the body content of the email is the old emails sent by user1 with the .doc attachment.

TO: "[email protected]"
All details in the mail header can relatively easily be spoofed. The mail doesn't necessarily have to come from your own server - actually I'm confident that it's "just" spam from an external server. You would need to find the mail in exim_mainlog to see the connecting IP and check up on that.
A quick search shows that e.g. "tk.ibw.com.ni" is in a few blacklists, so maybe also activating DNSBL in your Exim Configuration Manager will help.
 
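Michael's advice above (find the message in exim_mainlog and read off the connecting IP), as an added example that is not from the thread: a small parser that locates a message's `<=` receipt line and classifies how Exim accepted it, so you can tell external spam from a local script or a stolen mailbox password. The log lines, IPs and addresses are constructed; the field names (H=, U=, P=, A=, id=) are Exim's standard receipt-line fields.

```python
import re
from typing import Optional

# Constructed exim_mainlog receipt lines (not from the thread): accepted from a
# remote SMTP host, injected locally, and submitted with SMTP AUTH.
SAMPLE_MAINLOG = """\
2020-08-11 00:43:38 1k5KfS-0001aB-Cd <= sender@example.net H=(tk.ibw.com.ni) [203.0.113.45] P=esmtp S=48213 id=BADC31A8C45@tk.ibw.com.ni T="Fwd:Quote"
2020-08-11 00:44:01 1k5KfS-0001aC-Ef <= user1@cp1.example.com U=user1 P=local S=1902 T="Fwd:Quote"
2020-08-11 00:45:12 1k5KfS-0001aD-Gh <= user1@cp1.example.com H=(desktop) [198.51.100.7] P=esmtpsa A=dovecot_login:user1@cp1.example.com S=3301 T="Quote"
"""

RECEIPT = re.compile(r"^\S+ \S+ (?P<exim_id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
HOST = re.compile(r"H=(?P<host>.*?) \[(?P<ip>[^\]]+)\]")
FIELD = re.compile(r"(?<!\S)(?P<key>U|P|A|id)=(?P<val>\S+)")

def parse_receipt(line: str) -> Optional[dict]:
    """Parse one Exim '<=' (message accepted) line; None for any other line."""
    m = RECEIPT.match(line)
    if not m:
        return None
    fields = {f["key"]: f["val"] for f in FIELD.finditer(m["rest"])}
    host = HOST.search(m["rest"])
    origin = {"exim_id": m["exim_id"], "sender": m["sender"],
              "ip": host["ip"] if host else None, "user": None}
    if "A" in fields:
        # A=dovecot_login:<mailbox>: SMTP AUTH, so that mailbox's credentials were used
        origin["kind"], origin["user"] = "authenticated", fields["A"].split(":", 1)[-1]
    elif fields.get("P") == "local" or "U" in fields:
        # U=<unix user> P=local: handed to Exim on this box (PHP mail(), cron, a script)
        origin["kind"], origin["user"] = "local", fields.get("U")
    else:
        # plain SMTP from the network: the connecting IP is the origin, whatever the headers claim
        origin["kind"] = "remote-smtp"
    return origin

def find_receipt(log: str, needle: str) -> Optional[dict]:
    """First '<=' line containing `needle` (an Exim id or Message-ID fragment)."""
    for line in log.splitlines():
        origin = parse_receipt(line)
        if origin and needle in line:
            return origin
    return None

def triage(origin: dict) -> str:
    """Where to look next, based on how Exim says the message entered the queue."""
    if origin["kind"] == "remote-smtp":
        return f"external: check {origin['ip']} against DNSBL/SPF; not a local compromise"
    if origin["kind"] == "authenticated":
        return f"mailbox {origin['user']} authenticated; reset its password and review logins"
    return f"injected locally by unix user {origin['user']}; inspect that account's scripts and cron"
```

On a real server, feed it `/var/log/exim_mainlog` and the Exim id or Message-ID of the suspect mail; a `remote-smtp` result means the forged Received and From headers were supplied by the sending host, not generated on your box.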

raps

All details in the mail header can relatively easily be spoofed. The mail doesn't necessarily have to come from your own server - actually I'm confident that it's "just" spam from an external server. You would need to find the mail in exim_mainlog to see the connecting IP and check up on that.
A quick search shows that e.g. "tk.ibw.com.ni" is in a few blacklists, so maybe also activating DNSBL in your Exim Configuration Manager will help.

Hi Michael

I have activated DNSBL already,