Email being sent form accounts on server which do not exist

Discussion in 'E-mail Discussions' started by ukdeveloper, Apr 21, 2014.

  1. ukdeveloper

    ukdeveloper Member

    Joined:
    May 6, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    I am getting 100s of failure notices and undeliverable email receipts for accounts which don't exist on my server.

    I have gone through as many hardening and email lockdown tutorials as I can find (and understand) but really don't know where to go from here. My server IP reputation is also suffering due to this spam being sent out.

    Any ideas on how I can check to see how this mail being sent is being generated, as it's from accounts which don't exist?

    For example:

    hyyehed@mydomain.com

    hweiuhw@mydomain.com

    I'm not sure if it's safe to post actual domains/IP addresses here, so here is an email I received with the identifying bits asterisked out.

    Please could someone give me some pointers in trying to find out where this is coming from.



    -------------------

    Code:
    Received: from static-71-27-63-95.ipcom.comunitel.net (95.63.xx.xx) by
     actionsrv05.action.local (192.168.2.5) with Microsoft SMTP Server id
     8.3.342.0; Mon, 21 Apr 2014 16:49:08 -0400
    Pool-Debug: iw108 value
    Pool-Name: default_value
    x-sieve: enabled
    Pool-Version: 2
    Received: from [10.0.xx.xx] ([10.0.xx.xx:1396]
     helo=static-71-27-63-95.ipcom.domain.net)	by F590DEA73 (envelope-from
     <scan@**********.com>)	(ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with
     ESMTP	id 7F/8D-0FD47-BBD1D831; Mon, 21 Apr 2014 22:49:16 +0200
    Date: Mon, 21 Apr 2014 22:49:06 +0200
    From: Wall St Report <scan@***********.com>
    Sender: <scan@*********.com>
    To: <scan@domain.com>
    Message-ID: <1324203152.7293763856393340930.JavaMail.root@static-71-27-63-95.ipcom.domain.net>
    Subject: This Easter Stock Will Triple
    Errors-To: scan@**********.com
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    	boundary="----=_Part_56715_3024612586.6764116304127"
    X-MailSentId: 15385
    X-campaignid: infusion_iw0186
    BatchId: 589032
    X-BatchId: 589032
    List-Unsubscribe: <https://**********.com/app/optOut/noConfirm/111299674/faf97c73e48fdc404d2>
    Return-Path: scan@**********.com
    X-GFI-SMTP-Submission: 1
    X-GFI-SMTP-Submission: 1
    X-GFI-SMTP-HelloDomain: static-71-27-63-95.ipcom.comunitel.net
    X-GFI-SMTP-RemoteIP: 95.63.27.71
    ----------------------------------------------------------

    Code:
    This report relates to a message you sent with the following header fields:
    
      Message-id: <MDU2OTg0QkUwOQ==A76540CAC42FBD5076@mail.tameen.ae>
      Date: Tue, 15 Apr 2014 13:51:33 +0300
      From: StockExclusive <chethank@********.com>
      To: chethank <chethank@tameen.ae>
      Subject: (RCHA) Back On Our Radar Right Now!
    
    Your message has been enqueued and undeliverable for 4 days
    to the following recipients:
    
      Recipient address:chethank@domain.ae
      Reason: unable to deliver this message after 4 days
    
    The mail system will continue to try to deliver your message
    for an additional 6 days.
    
    Return-path: <chethank@********.com>
    Received: from tcp_ae-daemon.aimail3.domain.net.ae by aimail3.domain.net.ae
    (I&ES Mail Server 4.2) id <0N4A006J0RPVNCZJ@aimail3.domain.net.ae>; Sun,
    20 Apr 2014 01:29:55 +0400 (GST)
    Received: from [89.122.xx.xx] by aimail3.domain.net.ae
    (I&ES Mail Server 4.2)
    with ESMTP id <0N4200DF9JHT38F0@aimail3.domain.net.ae> for
    chethank@domain.ae; Tue, 15 Apr 2014 14:51:31 +0400 (GST)
    Date: Tue, 15 Apr 2014 13:51:33 +0300
    From: StockExclusive <chethank@***********.com>
    Subject: (RCHA) Back On Our Radar Right Now!
    To: chethank <chethank@domain.ae>
    Message-id: <MDU2OTg0QkUwOQ==A76540CAC42FBD5076@mail.tameen.ae>
    MIME-version: 1.0
    Content-type: TEXT/PLAIN
    Content-transfer-encoding: QUOTED-PRINTABLE
    Delivered-to: chethank@domain.ae
    --------------------------------------------------------------

    The *********** relates to MY domain. The email addresses do NOT exist.

    Thanks for any help on this in advance.


    UKD.
    PS: mail queue is very low (currently 4) but seeing a lot of bounces...
     
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    817
    Likes Received:
    22
    Trophy Points:
    18
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    Those emails... don't look like they were sent from an Exim server. Maybe you're just the victim of spoofing. Do you see records of them in your mail logs?
     
  3. ukdeveloper

    ukdeveloper Member

    Joined:
    May 6, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Hi, thanks so much for your reply. I'm really thick when it comes to this stuff...

    Just this morning I have received this:

    ---------------------------------
    Code:
    Generating server: Metropolitan-Newyork.com
    
    435_miz-a@jnco.com
    #550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##
    
    Original message headers:
    
    Received: from host81-155-159-223.range81-155.btcentralplus.com
    (81.132.236.173) by Metromail.Metropolitan-Newyork.com (216.127.125.130) with
    Microsoft SMTP Server id 8.1.436.0; Tue, 22 Apr 2014 00:03:37 -0700
    From: Hyde Marcus <435_miz-a@********hosting.com>
    Content-Type: multipart/alternative;
    boundary="Apple-Mail=_168B19B8-662B-3E1F-434B-B9D86EBF3044"
    X-Smtp-Server: smtp.jnco.com:435_miz-a@jnco.com
    Subject: Happy Easter + Trading Tip
    Message-ID: <218C82BC-A7F0-E5A3-F198-306203848C87@jnco.com>
    X-Universally-Unique-Identifier: 481B8464-A3AC-5F51-805B-3BFD5C5B15C5
    Date: Tue, 22 Apr 2014 08:16:08 +0100
    To: 435_miz-a <435_miz-a@jnco.com>
    MIME-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
    Return-Path: 435_miz-a@********hosting.com
    ------------------------------------

    I have searched exim_mainlog for the address 435_miz-a@jnco.com but it cannot find anything.

    Is there anything one can do re spoofing?

    Thanks

    UKD.
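    To answer vanessa's "do you see them in your mail logs?" question from the headers themselves, here is an added example (not code from this thread): it walks the Received: chain of a bounced message, picks out the bottom-most hop (the first MTA that accepted the mail) and checks whether that hop's IP is one of your own server's addresses. The sample headers are constructed, modelled on the bounce above, with a placeholder domain and a made-up "our server" IP of 203.0.113.10.

```python
import re
from email import message_from_string

# Constructed sample modelled on the bounce quoted above (example data, not the
# poster's raw headers): two hops, topmost header = most recent hop.
SAMPLE_HEADERS = """\
Received: from Metromail.Metropolitan-Newyork.com (216.127.125.130) by
 mx.example.net (203.0.113.20) with ESMTP; Tue, 22 Apr 2014 00:03:40 -0700
Received: from host81-155-159-223.range81-155.btcentralplus.com
 (81.132.236.173) by Metromail.Metropolitan-Newyork.com (216.127.125.130) with
 Microsoft SMTP Server id 8.1.436.0; Tue, 22 Apr 2014 00:03:37 -0700
From: Hyde Marcus <435_miz-a@example-hosting.com>
Return-Path: 435_miz-a@example-hosting.com
Subject: Happy Easter + Trading Tip

"""

# "from <host> ... by <host>" as written by Exim, Postfix and Exchange alike
HOP_RE = re.compile(r"\bfrom\s+(?P<host>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(raw_headers):
    """Return one dict per Received: header, most recent hop first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)   # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue                         # e.g. "Received: by ..." local submission
        ip = IP_RE.search(m.group("rest")) or IP_RE.search(m.group("host"))
        hops.append({"host": m.group("host"), "by": m.group("by"),
                     "ip": ip.group(1) if ip else None})
    return hops


def originating_hop(raw_headers):
    """Bottom-most Received: header = first MTA that accepted the mail. Only
    headers added by servers you trust are reliable; anything below a
    spammer-controlled hop can be forged, so treat this as a lead, not proof."""
    hops = parse_hops(raw_headers)
    return hops[-1] if hops else None


def sent_by_our_server(raw_headers, our_ips):
    """False means the message never passed through this server: the sender
    address was simply spoofed, and exim_mainlog will not contain it."""
    origin = originating_hop(raw_headers)
    return origin is not None and origin["ip"] in set(our_ips)
```

    Run against a real bounce by pasting its "Original message headers" section into SAMPLE_HEADERS and passing the server's outbound IPs to sent_by_our_server.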
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,762
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You can set up SPF records for your domain names, but in part it's up to the remote mail server to implement SPF checking that rejects emails without them.

    Thank you.
     