email virus attack

keat63 (Well-Known Member, joined Nov 20, 2014, cPanel Access Level: Root Administrator)
I'm undergoing some form of virus attack at the moment.
I see in the headers:

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server2.hechoenleon.com
X-AntiAbuse: Original Domain - my domain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - flejescarpa.com.mx

It's not my domain which is sending these, so why does my domain show in Original Domain?
 

keat63 (Well-Known Member, joined Nov 20, 2014, cPanel Access Level: Root Administrator)
I've considered that it could be a PC on my corporate network maybe sending something via a relay, but now I've spotted another one.

However, this one was sent to my own personal email (on the same server).
My own personal email sends only a few emails per week, so it's relatively easy for me to check outgoing stats.

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - sg3plcpnl0004.prod.sin3.secureserver.net
(not me)
X-AntiAbuse: Original Domain - mypersonaldomain.co.uk

I'm pretty confident that my own domain didn't get involved, unless there's something on the server.
Is the 'Original Domain' section being spoofed?

Any ideas ??
 

cPanelWilliam (Administrator, Staff member, joined Mar 13, 2018, Houston, cPanel Access Level: Root Administrator)
Hello!

Could you please provide the full email headers from one of these emails? We would be able to better answer your questions if we had the full email headers.

Based on what you said, I think it's likely that these emails are being spoofed. In this situation, I'd want to see which IP address is sending the mail so we can determine if they are being sent by a separate server. Since you pointed out that the hostname in the headers is not your server, I think it's likely that these are being sent by a separate server:

How to find email headers

Although it's not possible to entirely prevent spoofing, there are steps you can take to combat it:

Preventing spoofed emails
 

keat63 (Well-Known Member, joined Nov 20, 2014, cPanel Access Level: Root Administrator)
Without divulging my server or local IPs, none of these are mine.


Received: from sg2nlsmtp01.shr.prod.sin2.secureserver.net ([182.50.132.200]:40042)
by myserver.host.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.95)
(envelope-from <[email protected]>)
id 1npXLh-0001Sh-RM
for [email protected];
Fri, 13 May 2022 16:37:02 +0100
Received: from sg3plcpnl0004.prod.sin3.secureserver.net ([148.66.145.132])
by : HOSTING RELAY : with ESMTP
id pXK0ny5VHvRk9pXK0nyzCr; Fri, 13 May 2022 08:35:16 -0700
X-CMAE-Analysis: v=2.4 cv=MZ6pB7zf c=1 sm=1 tr=0 ts=627e7ab5
a=upYG1lvb4hnWh0QFW3yukA==:117 a=6LNRkCNBt8ZRTU2CZPbolQ==:17
a=9+rZDBEiDlHhcck0kWbJtElFXBc=:19 a=gQX1269ULFhLm4Thdby34LUHVW0=:19
a=oZkIemNP1mAA:10 a=r77TgQKjGQsHNAKrUKIA:9 a=YMx64EG2AAAA:8
a=lRrl5QwOUt7lRYtwp-QA:9 a=d4OyPR7NnPR9-tdA:21 a=_W_S_7VecoQA:10
a=QEXdDO2ut3YA:10 a=2SAUZJQijLg_84jzozAA:9 a=IKIoO-ieCDEA:10
a=wDOl-8IaFK0A:10 a=Yy2xoct6d_2ZlxTvqP-Z:22 a=XqWb9wuT7gtQlNc7Gwru:22
a=G_MBLiWhD_nnfb7b4kOc:22
X-SECURESERVER-ACCT: [email protected]
Received: from fixed-187-190-132-190.totalplay.net ([187.190.132.190]:50014 helo=[127.0.0.1])
by sg3plcpnl0004.prod.sin3.secureserver.net with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.94.2)
(envelope-from <[email protected]>)
id 1npWok-008A4K-U7
for [email protected]; Fri, 13 May 2022 08:02:59 -0700
Date: Fri, 13 May 2022 10:02:57 -0600
Message-ID: <[email protected]>
From: " " <[email protected]>
To: "" <[email protected]>
Subject: Re: FW:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------------RyPeiOn2PBphlZvqzzUYjfsi"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - sg3plcpnl0004.prod.sin3.secureserver.net
X-AntiAbuse: Original Domain - mydomain.co.uk
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - miramsindia.com
X-Get-Message-Sender-Via: sg3plcpnl0004.prod.sin3.secureserver.net: authenticated_id: [email protected]
X-Authenticated-Sender: sg3plcpnl0004.prod.sin3.secureserver.net: [email protected]
X-Source:
X-Source-Args:
X-Source-Dir:
X-CMAE-Envelope: MS4xfFNymPr4ipJxFONebmcF8lg0wGqQ5At2SnE72M9WTNsG64mp8SpugQKGxrOEAkIYtGSZPxGDqeJEEuGXX8ocv/V2ssQlAn/OEyfBzoCG/D7wTfQaUHwO
q9A8UCWWw+1/7Mg06Nz1JKyGO6WEfp8GpFdfOSzQcMhMEf/8UOoMvsq7AV5fpUOt1qMo5och6/iSrE98jiHOWsgYY/A4Ehz19gJnAvmC0E0oJLYInXq3VCms
 

mtindor (Well-Known Member, joined Sep 14, 2004, inside a catfish, cPanel Access Level: Root Administrator)
keat63 said:
I'm undergoing some form of virus attack at the moment.
I see in the headers:

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server2.hechoenleon.com
X-AntiAbuse: Original Domain - my domain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - flejescarpa.com.mx

It's not my domain which is sending these, so why does my domain show in Original Domain?
I think it's as simple as Original Domain = domain of the recipient (yourself).

Does the wording sound goofy? Yes, it does. But it probably is supposed to indicate that the email was "originally" addressed TO somebody in that domain. Useless if the message is then forwarded off to Gmail or somewhere else and you want to know where it came from (your domain).

NOTE: It does not say "Originating Domain". If it did, I'd have a problem with that and it would drive me crazy. But "Original Domain" makes sense to me.

All of the examples you have showed here are simple emails that came in from other servers to the server your accounts are hosted on, and to a mailbox of a domain hosted on that server.

Mike
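
To make the two replies above concrete (the sending IP that cPanelWilliam asks about, and Original Domain being the recipient's domain as Mike says), here is an added example that is not from this thread or from cPanel. It parses a header chain modelled on the one posted, walks the Received: hops from origin to final delivery, and reports which hop was an authenticated submission (Exim tags that protocol as esmtpsa) and on whose server it happened. The relay hostnames and IP addresses are the ones shown in the posted headers; every mailbox address is a placeholder, and myserver.host.com is assumed to be the recipient's own server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header chain posted in the thread. The
# relay hostnames and IPs are the ones shown there; mailbox addresses are
# placeholders (the originals were redacted on the page).
SAMPLE_HEADERS = """\
Received: from sg2nlsmtp01.shr.prod.sin2.secureserver.net ([182.50.132.200]:40042)
\tby myserver.host.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
\t(Exim 4.95)
\t(envelope-from <spoofed@example.com>)
\tid 1npXLh-0001Sh-RM
\tfor victim@example.co.uk;
\tFri, 13 May 2022 16:37:02 +0100
Received: from sg3plcpnl0004.prod.sin3.secureserver.net ([148.66.145.132])
\tby : HOSTING RELAY : with ESMTP
\tid pXK0ny5VHvRk9pXK0nyzCr; Fri, 13 May 2022 08:35:16 -0700
Received: from fixed-187-190-132-190.totalplay.net ([187.190.132.190]:50014 helo=[127.0.0.1])
\tby sg3plcpnl0004.prod.sin3.secureserver.net with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
\t(Exim 4.94.2)
\t(envelope-from <spoofed@example.com>)
\tid 1npWok-008A4K-U7
\tfor victim@example.co.uk; Fri, 13 May 2022 08:02:59 -0700
From: " " <spoofed@example.com>
To: "" <victim@example.co.uk>
Subject: Re: FW:
X-AntiAbuse: Primary Hostname - sg3plcpnl0004.prod.sin3.secureserver.net
X-AntiAbuse: Original Domain - example.co.uk
X-AntiAbuse: Sender Address Domain - example.com
X-Authenticated-Sender: sg3plcpnl0004.prod.sin3.secureserver.net: compromised@example.net

(body omitted)
"""

# Assumed: the hostname(s) of the server whose logs you control.
OUR_HOSTS = {"myserver.host.com"}

# One Exim-style Received: hop: "from HOST ([IP]:port helo=X) by HOST with PROTO".
# Assumes the bracketed-IPv4 form Exim writes; the "by" part may contain spaces.
HOP_RE = re.compile(
    r"from\s+(?P<host>\S+)\s+\(\[?(?P<ip>[0-9a-fA-F.:]+)\]?(?::\d+)?"
    r"(?:\s+helo=\[?(?P<helo>[^\s\]\)]+)\]?)?\)?"
    r".*?\bby\s+(?P<by>.+?)\s+with\s+(?P<proto>\S+)"
)


def unfold(value):
    """Collapse header folding (newline + tab continuations) to single spaces."""
    return re.sub(r"\s+", " ", value).strip()


def parse_hop(value):
    m = HOP_RE.search(unfold(value))
    if not m:
        return None
    hop = m.groupdict()
    # esmtpsa = ESMTP over TLS with SMTP AUTH: somebody logged in to inject this.
    hop["authenticated"] = hop["proto"].lower() == "esmtpsa"
    return hop


def antiabuse(msg):
    """Turn the X-AntiAbuse 'Key - value' lines into a dict."""
    out = {}
    for v in msg.get_all("X-AntiAbuse", []):
        key, sep, val = unfold(v).partition(" - ")
        if sep:
            out[key.strip()] = val.strip()
    return out


def analyse(raw, our_hosts):
    msg = message_from_string(raw)
    hops = [h for h in (parse_hop(v) for v in msg.get_all("Received", [])) if h]
    if not hops:
        raise ValueError("no parseable Received: headers")
    hops.reverse()  # headers are newest-first; reverse to origin-first order
    aa = antiabuse(msg)
    auth_id = msg.get("X-Authenticated-Sender", "").rsplit(":", 1)[-1].strip() or None
    rcpt_domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    submission = next((h for h in hops if h["authenticated"]), None)
    return {
        "origin_ip": hops[0]["ip"],
        "origin_helo": hops[0]["helo"],
        "submission_server": submission["by"] if submission else None,
        "authenticated_id": auth_id,
        "delivered_by": hops[-1]["by"],
        "original_domain": aa.get("Original Domain"),
        "recipient_domain": rcpt_domain,
        "sender_domain": aa.get("Sender Address Domain"),
        "injected_on_our_server": bool(submission) and submission["by"] in our_hosts,
    }


if __name__ == "__main__":
    for k, v in analyse(SAMPLE_HEADERS, OUR_HOSTS).items():
        print(f"{k:24} {v}")
```

On the sample this reports the origin as 187.190.132.190 presenting itself as helo=[127.0.0.1], an authenticated submission on sg3plcpnl0004.prod.sin3.secureserver.net under a third-party account, and Original Domain equal to the recipient's own domain. Nothing was injected on the recipient's server, so the abuse report belongs with the provider whose account authenticated.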
 

Spirogg (Well-Known Member, joined Feb 21, 2018, Chicago, cPanel Access Level: Root Administrator)
keat63 said:
Without divulging my server or local IPs, none of these are mine.
(quoted headers as in the post above)
Try running the below command as root:

cat /etc/valiases/* > forwarders.txt

then press Enter, then dir or ls. You will see forwarders.txt; open it with nano or vim, or just cat forwarders.txt,
to see all the forwarders that are set up on all accounts.

Or go to /etc/valiases,
then dir or ls and see if the domain account you said is no longer active is still showing.
If so, cat domain.com
and it will show you if there are forwarders set up that you can't see in cPanel.

Then you can delete the forwarders, or even the account that is no longer there.

This is also good to see if any active accounts have been hacked and the hacker has added forwarders that you won't see in the cPanel account via cPanel > Forwarders.

Hope this helps as well.
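
The same check Spirogg describes, done without dumping everything into forwarders.txt, as an added example that is not from this thread or from cPanel: it reads a /etc/valiases directory and lists the entries worth a human look, namely destinations outside your own domains, program pipes, and anything in a file for a domain you no longer host. The file format assumed is the one cPanel writes, one file per domain with one "address: destination[, destination]" line per alias. It runs against a constructed sample written to a temporary directory; on a real server, call audit_valiases("/etc/valiases", your_domains) as root.

```python
import tempfile
from pathlib import Path

# Constructed sample of /etc/valiases contents. All domains and addresses are
# placeholders, not taken from the thread.
SAMPLE_VALIASES = {
    "example.com": (
        'alice@example.com: "|/usr/local/cpanel/bin/autorespond alice@example.com /home/user/.autorespond"\n'
        "bob@example.com: bob@example.com, attacker@mail.example.org\n"
        "sales@example.com: carol@example.com\n"
        "*: :fail: No Such User Here\n"
    ),
    # A domain removed from cPanel whose valiases file was left behind.
    "old-domain.example": "exstaff@old-domain.example: someone@mail.example.org\n",
}
LOCAL_DOMAINS = {"example.com"}  # assumed: domains you still host


def split_destinations(value):
    """Split on commas that are not inside double quotes (pipe targets are quoted)."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def classify(dest, local_domains):
    d = dest.strip('"')
    if d.startswith("|"):
        return "pipe"         # program delivery: autoresponder, filter, or a planted script
    if d.startswith(":"):
        return "special"      # :fail:, :blackhole:, :defer:
    if "@" not in d:
        return "system-user"  # bare local account name
    return "local" if d.rpartition("@")[2].lower() in local_domains else "external"


def audit_valiases(valiases_dir, local_domains):
    """Return findings: external forwards, pipes, and every entry of an orphaned domain file."""
    findings = []
    for path in sorted(Path(valiases_dir).iterdir()):
        domain = path.name
        orphan = domain not in local_domains
        if orphan:
            findings.append({"file": domain, "address": None, "dest": None, "kind": "orphan-file"})
        for line in path.read_text().splitlines():
            address, sep, value = line.partition(":")
            if not sep or line.lstrip().startswith("#"):
                continue
            for dest in split_destinations(value):
                kind = classify(dest, local_domains)
                if orphan or kind in ("external", "pipe"):
                    findings.append({"file": domain, "address": address.strip(), "dest": dest, "kind": kind})
    return findings


def build_sample_dir():
    """Write the constructed sample into a temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="valiases-"))
    for name, content in SAMPLE_VALIASES.items():
        (root / name).write_text(content)
    return root


def run_sample():
    return audit_valiases(build_sample_dir(), LOCAL_DOMAINS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['kind']:12} {f['file']:22} {f['address'] or '-':30} -> {f['dest'] or '-'}")
```

Pipes are listed as well as external forwards because a compromised account's "forwarder" is sometimes a script rather than an address; the autoresponder pipe in the sample is benign, but you want to see it to decide that.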
 

keat63 (Well-Known Member, joined Nov 20, 2014, cPanel Access Level: Root Administrator)
I have CSF Explorer installed and already looked in valiases.
I did wonder if maybe a forwarder was somehow left over that I couldn't see from the cPanel account.
There are no forwarders for this user.
 

Spirogg (Well-Known Member, joined Feb 21, 2018, Chicago, cPanel Access Level: Root Administrator)
keat63 said:
I have CSF Explorer installed and already looked in valiases.
I did wonder if maybe a forwarder was somehow left over that I couldn't see from the cPanel account.
There are no forwarders for this user.

Is this account no longer active, and deleted or suspended?
Is it possible they have a forwarder set up on another account?
You could check all accounts to verify whether they have forwarders, or see if any of the emails appear as a forwarder in the forwarders.txt file (this would list all accounts that have a forwarding address).

Just wondering?
 

Spirogg (Well-Known Member, joined Feb 21, 2018, Chicago, cPanel Access Level: Root Administrator)
@keat63

I was reading this: How to Prevent Email Abuse | cPanel & WHM Documentation

and at the very bottom it had this:

EXPERIMENTAL Rewrite From header to match actual sender
Any local cPanel user can use the 127.0.0.1 IP address to send mail without authentication. This can make it difficult for system administrators to determine which cPanel account sent the mail, especially when a malicious user spoofs an email address to disguise the origin of the email.

To require cPanel & WHM to put the actual sender in the header, enable the Experimental: Rewrite From: header to match actual sender option in WHM’s Exim Configuration Manager interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager).

After you enable this feature, you will see output that is similar to the following in the /var/log/exim_mainlog file:

2014-04-23 08:09:52 1Wcwvu-0000On-Sb From: header (rewritten was: [[email protected]], actual sender is not the same system user) original=[[email protected]] actual_sender=[[email protected]]
The actual_sender portion of the log entry shows that spammer is the cPanel account that sent the email. This information allows the system administrator to take action against the account to prevent additional spam.

Not sure if this is something you want to try or not?
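
Once that rewrite option is on, the rewrite lines in /var/log/exim_mainlog are what to look for. As an added example (not from this thread or from cPanel's documentation), the script below parses lines in the format quoted above, ignores every other log entry, and groups them by actual_sender, so an account that has claimed several different From: identities stands out. The log excerpt is constructed and all addresses and message IDs are placeholders.

```python
import re
from collections import Counter

# Constructed exim_mainlog excerpt modelled on the rewrite line quoted from
# the cPanel documentation. Addresses and message IDs are placeholders; the
# second line is an ordinary message-arrival entry included to show filtering.
SAMPLE_LOG = """\
2014-04-23 08:09:52 1Wcwvu-0000On-Sb From: header (rewritten was: [ceo@example.com], actual sender is not the same system user) original=[ceo@example.com] actual_sender=[spammer@example.org]
2014-04-23 08:09:53 1Wcwvv-0000Oq-1x <= ceo@example.com U=spammer P=local S=2048 id=abc@localhost
2014-04-23 08:10:01 1Wcwwd-0000Ov-7Z From: header (rewritten was: [billing@example.com], actual sender is not the same system user) original=[billing@example.com] actual_sender=[spammer@example.org]
2014-04-23 08:11:17 1Wcwxt-0000P2-Kq From: header (rewritten was: [alice@example.net], actual sender is not the same system user) original=[alice@example.net] actual_sender=[spammer@example.org]
2014-04-23 08:15:40 1Wcx2H-0000PQ-Rb From: header (rewritten was: [sales@example.co.uk], actual sender is not the same system user) original=[sales@example.co.uk] actual_sender=[webform@example.co.uk]
"""

REWRITE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) From: header "
    r"\(rewritten was: \[(?P<was>[^\]]*)\].*?\) "
    r"original=\[(?P<original>[^\]]*)\] actual_sender=\[(?P<actual>[^\]]*)\]"
)


def rewritten_from_events(log_text):
    """One dict per From: rewrite line; all other log lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = REWRITE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def spoofing_accounts(events, min_distinct_from=2):
    """Map actual_sender -> sorted list of From: addresses it claimed.

    An account that has claimed several distinct identities is the one to
    suspend; a single rewrite can be a legitimate web form or cron job."""
    claimed = {}
    for e in events:
        claimed.setdefault(e["actual"], set()).add(e["original"])
    return {acct: sorted(froms) for acct, froms in claimed.items() if len(froms) >= min_distinct_from}


def busiest_actual_senders(events, n=3):
    return Counter(e["actual"] for e in events).most_common(n)


if __name__ == "__main__":
    evs = rewritten_from_events(SAMPLE_LOG)
    print("rewrites per account:", busiest_actual_senders(evs))
    for acct, froms in spoofing_accounts(evs).items():
        print(f"{acct} claimed {len(froms)} identities: {', '.join(froms)}")
```

To run it against a live server, replace SAMPLE_LOG with the contents of /var/log/exim_mainlog (or a grep for "From: header (rewritten" over the rotated logs).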
 

Spirogg (Well-Known Member, joined Feb 21, 2018, Chicago, cPanel Access Level: Root Administrator)
Also, there is another setting:

Home >> Service Configuration >> Exim Configuration Manager

Reject remote mail sent to the server's hostname [?]
Reject mail at SMTP time if the recipient is an address of the primary hostname of this server. No remote mail should normally be received for the primary hostname, and this has recently become a common spam target.
This defaults to No.

And one other seems to check if the email sender exists before receiving the email:

Sender Verification Callouts [?]
Use callouts to verify the existence of email senders. Exim will connect to the mail exchanger for a given address to verify it exists before accepting mail from it.

This also defaults to No.

This might help eliminate this.
 

keat63 (Well-Known Member, joined Nov 20, 2014, cPanel Access Level: Root Administrator)
This person was a user but left about 2 years ago.
It's possible that her email was forwarded to a colleague, but I don't see any rules now.
So maybe I already removed it in the past.

I'm struggling to understand why WHM email delivery stats would indicate that they were undelivered, but I can still see and open them using CSF MailScanner.
It's as if WHM says, 'sorry, I can't deliver these' but accepts them and stores them anyway.
I half expected Exim would just drop and delete.

I do have MailScanner configured to retain for about 7 days.

I also made the Exim changes above, so I'll monitor for a week.
 