The Community Forums

Interact with an entire community of cPanel & WHM users!

email bounce back concerns

Discussion in 'E-mail Discussions' started by keat63, Jan 8, 2015.

  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    We had an email bounce back today, supposedly from a mailbox which sends out customer invoices.
    However, we didn't send this.
    What is concerning is that it does appear that whoever sent it was in the same data centre.

    Code:
    Reporting-MTA: dns; smtp-in-133.livemail.co.uk
    X-Postfix-Queue-ID: 060E924E66B
    X-Postfix-Sender: rfc822; invoicing@mydomain.com
    Arrival-Date: Thu, 8 Jan 2015 10:38:54 +0000 (GMT)
    
    Final-Recipient: rfc822; chris.brewer@recipient.com
    Action: failed
    Status: 5.0.0
    Diagnostic-Code: X-Postfix; host mail.recipient.com[79.170.xx.xxx] said:
    550-Your IP address is on the RBL blacklist! Sending denied. 550-For
    further information and delisting procedure, 550 please see
    http://www.spamcop.net/w3m?action=ch...13.171.xxx.xxx (in reply
    to RCPT TO command)
    Any ideas where I even start to look for a compromise, or how these people harvested our email address, especially in the same data centre?
    #1 keat63, Jan 8, 2015
    Last edited: Jan 8, 2015
  2. keat63

    I can only assume that this is typical email spoofing.
    However, what worries me is the email address "invoicing@mydomain.com" is a brand new email address, maybe only a few weeks old.
    And that the server sending these spoofed emails is in the same data centre.

    I had to restore the server at the weekend, and whilst I'd installed CSF and chosen a profile etc., I'd not taken it out of test mode. So there were a few hours where the domain had been restored but no firewall running.

    Having said that, the global name servers were pointing elsewhere, so the domain wasn't live.

    Is it possible that during this time the email addresses could have been harvested, and if this is the case, any ideas where I start to look?

    This is just another blow to what seemed like it was going to be my saviour.
    #2 keat63, Jan 8, 2015
    Last edited: Jan 8, 2015
  3. keat63

    I know it's a lot to take in for anyone who takes the time to read and digest this.
    What's the likelihood that this server 213.171.xxx.xxx is connected to the same switch or router as my server (it's in the same data centre on the same first two octets), and it's packet sniffing for email addresses?
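What the bounce in the first post actually records, and how much the "same first two octets" observation in the post above tells you, can be worked out mechanically from the delivery-status block. The following is an added example, not code from the poster, the data centre or cPanel. It parses the message/delivery-status part of the bounce as RFC 3464 defines it: Reporting-MTA is the MTA that generated the report, and the text after "said:" is the reply that MTA got from the next hop, so the IP the 550 complains about is the reporting MTA's own connecting address, not the address of whoever handed it the message. The sample DSN is the one quoted above with the masked octets filled in with made-up values so that it parses, and OUR_IPS (the addresses the poster's own server sends from) is an assumption. The verdict is "backscatter" when the listed IP is not one of ours, and the /16 comparison only says the two hosts sit in the same provider range.

```python
"""Backscatter triage for a bounce (DSN, RFC 3464) like the one in the thread.

Added example, not code from the original post. Decides whether the bounce
is a rejection of mail our own server sent, or backscatter: a third-party
MTA accepted a message with our address as envelope sender, failed to deliver
it, and returned the failure to us. The IP the rejecting host complains about
is the IP that connected to it, i.e. the reporting MTA's outbound address,
not the address of whoever injected the message.
"""
import ipaddress
import re

# Constructed sample: the delivery-status block quoted in the thread. The
# octets the poster masked ("xx") are replaced with made-up values so the
# text parses; they are not the real addresses.
SAMPLE_DSN = """\
Reporting-MTA: dns; smtp-in-133.livemail.co.uk
X-Postfix-Queue-ID: 060E924E66B
X-Postfix-Sender: rfc822; invoicing@mydomain.com
Arrival-Date: Thu, 8 Jan 2015 10:38:54 +0000 (GMT)

Final-Recipient: rfc822; chris.brewer@recipient.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mail.recipient.com[79.170.40.50] said:
    550-Your IP address is on the RBL blacklist! Sending denied. 550-For
    further information and delisting procedure, 550 please see
    http://www.spamcop.net/w3m?action=checkblock&ip=213.171.200.10 (in reply
    to RCPT TO command)
"""

# Assumption for the example: the public IPs our own cPanel server sends from.
OUR_IPS = {"213.171.12.34"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
REJECTING_HOST = re.compile(r"host (\S+?)\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_dsn(text):
    """Split a message/delivery-status body into the per-message field group
    and the per-recipient groups. Groups are separated by a blank line; folded
    continuation lines (leading whitespace) are joined onto their field."""
    groups, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                groups.append(current)
            current, last = {}, None
            continue
        if line[0] in " \t" and last is not None:
            current[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        current[last] = value.strip()
    if current:
        groups.append(current)
    return groups[0], groups[1:]


def _after_type(value):
    """'rfc822; user@host' or 'dns; host' -> the part after the type tag."""
    return value.split(";", 1)[1].strip() if ";" in value else value.strip()


def triage(dsn_text, our_ips=OUR_IPS):
    """Return what the DSN actually tells us, per failed recipient."""
    per_message, per_recipient = parse_dsn(dsn_text)
    report = {
        "reporting_mta": _after_type(per_message.get("reporting-mta", "")),
        "sender": _after_type(per_message.get("x-postfix-sender", "")),
        "recipients": [],
    }
    our_nets = [ipaddress.ip_network(ip + "/16", strict=False) for ip in our_ips]
    for rcpt in per_recipient:
        diag = rcpt.get("diagnostic-code", "")
        m = REJECTING_HOST.search(diag)
        rejecting_host, rejecting_ip = m.groups() if m else (None, None)
        # Any other IPv4 literal in the rejection text names the client that
        # the rejecting host refused: the reporting MTA's outbound address.
        others = [ip for ip in IPV4.findall(diag) if ip != rejecting_ip]
        listed_ip = others[0] if others else None
        if listed_ip is None:
            verdict = "unknown"
        elif listed_ip in our_ips:
            verdict = "our-mail-rejected"      # our server really sent it
        else:
            verdict = "backscatter"            # spoofed envelope sender elsewhere
        shares_16 = listed_ip is not None and any(
            ipaddress.ip_address(listed_ip) in net for net in our_nets)
        report["recipients"].append({
            "final_recipient": _after_type(rcpt.get("final-recipient", "")),
            "status": rcpt.get("status"),
            "rejecting_host": rejecting_host,
            "rejecting_ip": rejecting_ip,
            "listed_ip": listed_ip,
            "verdict": verdict,
            # same /16 as us means the same provider range, not the same switch
            "shares_16": shares_16,
        })
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_DSN)
    print(r["reporting_mta"], "returned a failure for envelope sender", r["sender"])
    for rc in r["recipients"]:
        print(f"  {rc['final_recipient']}: {rc['status']} from {rc['rejecting_host']} "
              f"({rc['rejecting_ip']}) about {rc['listed_ip']} -> {rc['verdict']}"
              f"{' (same /16 as our server)' if rc['shares_16'] else ''}")
```

Run it as a script to get the one-line summary per recipient. When the verdict is backscatter, the message never passed through your own Exim; a search of /var/log/exim_mainlog for the envelope sender around the Arrival-Date that turns up no accepted message from it confirms that, and the sender address then needs no "compromise" to explain, only someone else's MTA accepting a forged envelope.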
  4. keat63

    Has anyone got any thoughts? It appears it's falling on deaf ears in the data centre.
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,474
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    admin@, webmaster@, billing@, support@ and others are generic targets. invoicing@ could probably be added to that list, IMHO.

    Spam coming from another account on the same IP range is possible I would think.

    And you will get bounced emails where it appears the spammer used your email address in the From: address to spam.

    I'm not saying you can safely ignore this of course, you should make sure you've got the server and email locked down well.
  6. keat63

    Hi Info.

    I am aware that john, jane, admin, sales etc. are easy targets to spoof, and to be perfectly honest "invoicing" is/was only a temporary account to test some new software we have.
    I guess it could have been spoofed for quite some time, and only now that the mailbox exists did we see anything related to it.
    What really concerns me however (and I'm probably being paranoid) is that the spoof appears to have originated from within the same data centre.

    The data centre people have brushed it off, as the headers have no traceability, but then I'm not sure what they expected to find.

    Spammer sends spoofed email, which is bounced because of RBL listing and returned to an unsuspecting 3rd party.
  7. Infopro

    The docs should be of some use to lock down mail better:
    How to Prevent Email Abuse - cPanel Documentation

    Being paranoid is a valuable asset when it comes to server security. Use it to your advantage. :)

    There's always the chance that a spammer has the next VPS over from yours, on the next IP up/down from yours. Your current IP even could have been used, scanned, or attacked by spammers recently as well.

    Spam is spam and it's not going away, unfortunately. There are spammers that'll read this very thread, hoping you'll post your email address so they can spam you. Post your email on your own site, same thing.

    To those spammers that spam I say, bite me. You suck.
     