email hitting server, but domain doesn't exist

keat63

cPanel Access Level
Root Administrator
10 days ago, I terminated an account and deleted all DNS entries. (company no longer trading)

Just checking the logs today and can see an email delivery attempt, but how?
The domain hasn't been on this server for 10 days or more.
There are no DNS entries, the name servers point to the registrar.

Code:
2020-01-23 13:40:34 H=131.74.60.190.host.ifxnetworks.com (host-200.14.43.132.merca.net.co)
[190.60.74.131]:35060 F=<[email protected]> rejected RCPT <[email protected]>:
The mail server could not deliver mail to [email protected]
The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
I see lots of email delivery attempts to this domain
 
Last edited:

cPanelLauren

Product Owner
Staff member
There have to be DNS records that point to your IP present on the domain, cached or otherwise, or there would be no way for it to be routed to you. If they were sent from the domain and then bounced to your server, it could send to the IP present in the headers, though 10 days is a while for that.
 

keat63

Is it possible that the BOT or whatever is doing this is using something like a modified host file and bypassing DNS altogether?

As this server is about to close down, I've closed all firewall ports now, so nothing can get through.
Intrigued how this was happening though.
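
Added example (not part of the original thread and not cPanel's code): a short Python parser for the `rejected RCPT` log line format quoted above. It tallies attempts addressed to a removed domain by connecting IP, which shows whether the traffic comes from one host retrying or from many senders. The sample log lines, the example domains and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter

# Shape of the "rejected RCPT" line quoted in the thread. The H= names are
# client-supplied HELO or reverse DNS; only the bracketed IP is the address
# that actually connected, so that is what gets counted.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:\[\d+\] )?"
    r"H=(?:(?P<host>\S+(?: \([^)]*\))?) )?"
    r"\[(?P<ip>[0-9A-Fa-f:.]+)\](?::(?P<port>\d+))?"
    r".*?\bF=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>"
)

# Constructed sample lines (documentation IP ranges, example domains).
SAMPLE_LOG = """\
2020-01-23 13:40:34 H=mail.sender.example (helo.sender.example) [192.0.2.10]:35060 F=<a@sender.example> rejected RCPT <info@gone.example>: The mail server could not deliver mail to info@gone.example
2020-01-23 13:41:02 H=(helo-only.example) [198.51.100.7]:41122 F=<> rejected RCPT <sales@gone.example>: The mail server could not deliver mail to sales@gone.example
2020-01-23 13:45:10 H=mail.sender.example (helo.sender.example) [192.0.2.10]:35071 F=<a@sender.example> rejected RCPT <info@gone.example>: The mail server could not deliver mail to info@gone.example
2020-01-23 13:46:00 H=([203.0.113.99]) [198.51.100.7]:41200 F=<> rejected RCPT <Info@GONE.example>: The mail server could not deliver mail to Info@GONE.example
2020-01-23 13:50:00 H=mx.other.example [203.0.113.5]:2525 F=<b@other.example> rejected RCPT <user@hosted.example>: some other rejection
2020-01-23 13:51:00 SMTP connection from [192.0.2.10]:35080 (TCP/IP connection count = 1)
"""


def summarize(log_text, domain):
    """Summarise rejected RCPT attempts addressed to one recipient domain."""
    domain = domain.lower()
    sources, stamps = Counter(), []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        # Skip unrelated log lines and rejections for other domains.
        if not m or m["rcpt"].rsplit("@", 1)[-1].lower() != domain:
            continue
        sources[m["ip"]] += 1
        stamps.append(m["ts"])
    return {
        "attempts": sum(sources.values()),
        "sources": dict(sources),
        "first": min(stamps, default=None),
        "last": max(stamps, default=None),
    }


if __name__ == "__main__":
    info = summarize(SAMPLE_LOG, "gone.example")
    print(info["attempts"], "attempts,", info["first"], "to", info["last"])
    for ip, n in sorted(info["sources"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip}: {n}")
```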