The Community Forums

Interact with an entire community of cPanel & WHM users!

Are these spoofed email addresses, or has my server been compromised?

Discussion in 'E-mail Discussions' started by steveluscher, Apr 15, 2006.

  1. steveluscher

    steveluscher Member

    Joined:
    Feb 11, 2006
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    I have very recently started to get emails like the one below every day, about 10 times a day.

    My questions are...

    1) Are these bounce messages the result of someone spoofing my email address remotely, or has my server likely been compromised by a spammer?

    2) Is there any chance that this activity is going to get my domain on some sort of worldwide blacklist?

    3) Is there anything I can do to stop this nonsense?


    Typical bounce message in my inbox follows. I've replaced my actual domain name with 'mydomain.com' in every instance. Please note that our friend "Rosalie Richmond" <ojlakd@mydomain.com> does not exist – she appears to be a spoofed email address.
    Code:
    Return-path: <>
    Envelope-to: mycatchallmailbox@mydomain.com
    Delivery-date: Sat, 15 Apr 2006 06:01:27 -0700
    Received: from myusername by server.mydomain.com with local-bsmtp (Exim 4.52)
    	id 1FUkOy-0003Oe-Ci
    	for mycatchallmailbox@mydomain.com; Sat, 15 Apr 2006 06:01:27 -0700
    X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on 
    	server.mydomain.com
    X-Spam-Level: 
    X-Spam-Status: No, score=-0.2 required=7.0 tests=BAYES_00,FORGED_RCVD_HELO,
    	HTML_50_60,HTML_IMAGE_ONLY_20,HTML_MESSAGE,NO_REAL_NAME autolearn=no 
    	version=3.1.1
    Received: from [63.118.88.99] (helo=MAILBOX.tca.us)
    	by server.mydomain.com with esmtp (Exim 4.52)
    	id 1FUkOx-0003OW-KZ
    	for ojlakd@mydomain.com; Sat, 15 Apr 2006 06:01:24 -0700
    From: postmaster@tca-us.com
    To: ojlakd@mydomain.com
    Date: Sat, 15 Apr 2006 09:04:02 -0400
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
    	boundary="9B095B5ADSN=_01C6605BB7F7EAAA00005851MAILBOX.tca.us"
    X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
    Message-ID: <pEBtKarvz000021fa@MAILBOX.tca.us>
    Subject: Delivery Status Notification (Failure)
    
    This is a MIME-formatted message.  
    Portions of this message may be unreadable without a MIME-capable mail program.
    
    --9B095B5ADSN=_01C6605BB7F7EAAA00005851MAILBOX.tca.us
    Content-Type: text/plain; charset=unicode-1-1-utf-7
    
    This is an automatically generated Delivery Status Notification.
    
    Delivery to the following recipients failed.
    
           mjbailey@tca-us.com
    
    
    
    
    --9B095B5ADSN=_01C6605BB7F7EAAA00005851MAILBOX.tca.us
    Content-Type: message/delivery-status
    
    Reporting-MTA: dns;MAILBOX.tca.us
    Received-From-MTA: dns;camfw
    Arrival-Date: Sat, 15 Apr 2006 09:04:02 -0400
    
    Final-Recipient: rfc822;mjbailey@tca-us.com
    Action: failed
    Status: 5.1.1
    
    --9B095B5ADSN=_01C6605BB7F7EAAA00005851MAILBOX.tca.us
    Content-Type: message/rfc822
    
    Received: from camfw ([192.168.13.1]) by MAILBOX.tca.us with Microsoft SMTPSVC(6.0.3790.1830);
    	 Sat, 15 Apr 2006 09:04:02 -0400
    Received: (qmail 27081 invoked from network); Sat, 15 Apr 2006 16:01:02 +0300
    Received: from unknown (HELO bitp.jipl) (81.213.239.135)
    	by dsl.dynamic8121313810.ttnet.net.tr with SMTP; Sat, 15 Apr 2006 16:01:02 +0300
    Message-ID: <000601c6608c$a65739e1$87efd551@bitp.jipl>
    From: "Rosalie Richmond" <ojlakd@mydomain.com>
    To: "Helen Wallace" <mjbailey@tca-us.com>
    Subject: latter
    Date: Sat, 15 Apr 2006 15:53:57 +0300
    MIME-Version: 1.0
    Content-Type: multipart/related;
    	type="multipart/alternative";
    	boundary="----=_NextPart_000_0002_01C660A5.CBA471AD"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.2180
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
    Return-Path: ojlakd@mydomain.com
    X-OriginalArrivalTime: 15 Apr 2006 13:04:02.0828 (UTC) FILETIME=[119524C0:01C6608D]
    
    {insert junk email here}
     
  2. Lyttek

    Lyttek Well-Known Member

    Joined:
    Jan 2, 2004
    Messages:
    770
    Likes Received:
    3
    Trophy Points:
    18
    Don't use the 'catch-all' feature, and set the default action for non-existent addresses to :fail: as opposed to :blackhole: or other...
     
  3. steveluscher

    steveluscher Member

    Joined:
    Feb 11, 2006
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Yeah, that's not an option. I use catch-all extensively for routing and other things, and it's never been a problem until now – when I started getting all these bogus bounce emails.

    My above questions still stand. Anyone?
     
  4. fuzzie

    fuzzie Well-Known Member

    Joined:
    Oct 12, 2002
    Messages:
    131
    Likes Received:
    0
    Trophy Points:
    16
    Over the past week, I have been seeing a huge amount of these messages compared to before. Disabling catchall is not an option for me either. How do I check to see if they are real or spoofed?
     
  5. jung445

    jung445 Registered

    Joined:
    Apr 17, 2006
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    email filter not working correctly

    Yes, I've had the same problem the last 3 days - getting about 30 of these messages a day. Disabling catchall is also not an option for me.

    I have set several mail filters in cPanel for 'header from' contains 'postmaster', 'mail delivery' etc. and for 'header subject' contains 'failure', 'delivery status notification' etc. according to the various messages that keep coming in. (I've used the correct syntax, upper/lower case etc., just not typed it all here.) But the filtering doesn't work properly and the junk keeps coming:

    1) When I test the filtering by sending messages to a false address on my domain and include the filter words in the subject, the messages get filtered properly.

    2) When I copy and paste one of the spam messages into the test box on the cPanel mail filtering page, the result says that the messages are caught and will not be delivered, and indeed they don't arrive. (The test result says they will be delivered to the special mailbox I set up for the filtering, but they don't go there either!)

    3) The real messages still keep on coming! They are not getting filtered despite the fact that the test results indicate the filtering is set up properly.

    Does anybody have any idea what's going on and how to fix this?
     
  6. steveluscher

    steveluscher Member

    Joined:
    Feb 11, 2006
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    SPF Records the key?

    If I analyse my domain with the tool at http://www.dnsreport.com, I get the following message regarding my domain's lack of an SPF record:

    This pretty much describes the problem of people sending malicious email as though it was coming from my server. Are SPF records the key, and if so – how should I go about properly installing SPF records with my cPanel VPS? The instructions at http://www.openspf.org/ are sort of Greek to me.

    Tutorial anyone? Script?
     
  7. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    If you are interested in implementing SPF, then you can either add SPF records in the DNS zone, or in exim itself. There are instructions off of the SPF Web site for exim. Having said that, be warned that your clients might lose legitimate email if you integrate SPF into exim. SPF is not the answer and it does nothing at all about SPAM. For more info about SPF, go to: http://www.openspf.org/downloads.html Good luck!
     
  8. steveluscher

    steveluscher Member

    Joined:
    Feb 11, 2006
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    So basically, from what I've been reading, the answers are:

    1) No, the email is not originating from your server; your server is secure
    2) No, there's nothing you can do about people spoofing your domain, other than wait it out or stack filters on top of filters to try to quiet it down.

    Is that about it?
     
  9. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Yes to both, unfortunately. You basically have to ride it out, and filters are probably your only option if you cannot set up aliases for the addresses you use and disable the account catchall.
     
  10. jung445

    jung445 Registered

    Joined:
    Apr 17, 2006
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    But please see my message 5 posts up on this thread. Filters aren't working. Since I posted that message I've had about 80 more bounced messages that should have gotten caught in the filters I've set up. And not a single message *has* been caught by those filters except the test messages I've sent myself by e-mail and from the test panel on the filter setup page. I've attached a screenshot of my filters, so you can see they should work.

    Can anybody explain why all these messages aren't being filtered?

    Thanks
    J
     

  11. hostultra

    hostultra Well-Known Member

    Joined:
    Aug 21, 2002
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    16
    The filter is not working because cPanel sets all filters to be bypassed for error/bounce messages.

    You have to SSH to your server as root and edit the file
    /etc/vfilters/yourdomain.com

    and remove this line:
    if error_message then finish endif
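Added example, not code from any poster in this thread: a Python check that answers fuzzie's question (real failure or spoofed sender?) from the bounce quoted in the first post, and shows why the error_message line above makes every such bounce skip the user's filters. It assumes OUR_MTAS lists the hostnames the owner's Exim writes into Received: lines (here server.mydomain.com from the quoted headers) and uses only the standard library.

```python
import email
import re

# Constructed sample, condensed from the bounce quoted in the first post (same hosts/addresses).
BOUNCE = """\
Return-path: <>
Received: from [63.118.88.99] (helo=MAILBOX.tca.us) by server.mydomain.com with esmtp (Exim 4.52)
Content-Type: multipart/report; report-type=delivery-status; boundary="DSN"

--DSN
Content-Type: message/rfc822

Received: from camfw ([192.168.13.1]) by MAILBOX.tca.us with Microsoft SMTPSVC
Received: from unknown (HELO bitp.jipl) (81.213.239.135)
 by dsl.dynamic8121313810.ttnet.net.tr with SMTP; Sat, 15 Apr 2006 16:01:02 +0300
From: "Rosalie Richmond" <ojlakd@mydomain.com>
To: "Helen Wallace" <mjbailey@tca-us.com>

{junk body}
--DSN--
"""

OUR_MTAS = {"server.mydomain.com"}  # assumption: hostnames our Exim stamps into Received: lines
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.I)

def is_error_message(msg):
    # Exim's filter condition error_message is true for a bounce (empty envelope sender),
    # which Exim records on local delivery as 'Return-path: <>'.
    return msg.get("Return-path", "").strip() in ("<>", "")

def embedded_original(msg):
    for part in msg.walk():  # the message/rfc822 part of a DSN is the undeliverable original
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)

def classify(raw):
    """Is this bounce backscatter (forged sender) or a failure of mail our server really sent?"""
    msg = email.message_from_string(raw)
    res = {"is_bounce": is_error_message(msg), "relayed_by_us": None, "origin_ip": None}
    # cPanel's default /etc/vfilters/<domain> opens with 'if error_message then finish endif',
    # so anything that satisfies is_error_message() never reaches the user's own filter rules.
    res["bypasses_cpanel_filters"] = res["is_bounce"]
    orig = embedded_original(msg) if res["is_bounce"] else None
    if orig is None:
        return res
    hops = [" ".join(h.split()) for h in orig.get_all("Received", [])]  # newest first
    by_hosts = {m.group(1).lower() for m in map(BY_HOST.search, hops) if m}
    res["relayed_by_us"] = bool(by_hosts & OUR_MTAS)  # False: our MTA never handled the original
    ip = IPV4.search(hops[-1]) if hops else None  # oldest hop is where the spam was injected
    res["origin_ip"] = ip.group(1) if ip else None
    return res
```

For the quoted bounce the result is a forged sender injected from 81.213.239.135 that never passed through server.mydomain.com, so the server is not the source; the same function returns relayed_by_us=True when a bounce really concerns mail your own Exim relayed, which is the case worth investigating.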
     
  12. jung445

    jung445 Registered

    Joined:
    Apr 17, 2006
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Thanks, that's a helpful reply.

    I'm not authorised for SSH access, but I've written to my hosting provider and asked them to do the edit for me.

    J
     