Emails to unknown domain

Mark Coates (Well-Known Member, joined Mar 13, 2019, Doncaster; cPanel Access Level: Root Administrator)
Hi all, I have noticed now and again spam being processed on the server, although it does not get delivered, as:

#1 the email and domain do not exist on the server
#2 it is processed as spam and rejected.

How can this come to my VPS if the domain does not and has not existed on here?

I have also checked the receiving email for whether the email has been sent from that address, and nothing.

I get about 5 emails like this a month.

Thanks
 

cPanelLauren (Product Owner, Staff member, joined Nov 14, 2017, Houston)
Hi @Mark Coates


This looks like spam email leaving your server (it doesn't have to carry your domain name if it's sent through a PHP script). You might check the exclamation point to get the "Delivery Event Details", which might give you some further information.
 

Mark Coates (Well-Known Member)
@keat63

This is the result from the terminal:

[[email protected] ~]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220-dedivps-75533.dedicloud.co.uk ESMTP Exim 4.92 #2 Tue, 11 Jun 2019 08:58:43 +0100
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo
250 dedivps-75533.dedicloud.co.uk Hello [::1]
mail from: [email protected]
250 OK
rcpt to: [email protected]
250 Accepted

@cPanelLauren

I get this:

[[email protected] ~]# exigrep 1hZYCb-0009kU-zd /var/log/exim_mainlog
[[email protected] ~]#
 

keat63 (Well-Known Member, joined Nov 20, 2014; cPanel Access Level: Root Administrator)
Seems that you are not an open relay then.

The command that Lauren gave you ought to have come back with a result.
However, if your log file has rotated, this could explain why you saw nothing.
See if you can identify another, more recent one of these rogue emails and use the ID from that.
 

keat63 (Well-Known Member)
If you have FTP access, you could FTP to /var/log and find the .gz (zip) filename of the log file that was written at the time of the last known event.
Then run the command against the zip file instead.

Along the lines of:

exigrep 1hZYCb-0009kU-zd /var/log/exim_mainlog-20190610.gz
 

Mark Coates (Well-Known Member)
It didn't work through the terminal, although I could download the latest (only 1 file of the main log).

The addresses in question were not in the log:

/var/log/exim_mainlog-20190609

I can't upload it as it's too large :(
 

Mark Coates (Well-Known Member)
This means nothing to me, but this is the log section regarding this.

######################################

2019-06-09 00:57:34 SMTP connection from [14.182.244.224]:13408 (TCP/IP connection count = 1)
2019-06-09 00:57:55 H=(static.vnpt.vn) [14.182.244.224]:13408 Warning: Sender rate 1.0 / 1h
2019-06-09 00:58:15 [69.25.26.160] SSL verify error (during S-verify for [14.182.244.224]): certificate name mismatch: DN="/C=US/ST=Florida/L=Gulf Breeze/O=Appriver LLC/OU=Engineering/CN=*.appriver.com" H="consolidatedsafety.com.1.0001.arsmtp.com"
2019-06-09 00:58:16 H=(static.vnpt.vn) [14.182.244.224]:13408 Warning: "Increment Connection Ratelimit - (static.vnpt.vn) [14.182.244.224]:13408 because of RBL match"
2019-06-09 00:58:16 H=(static.vnpt.vn) [14.182.244.224]:13408 F=<[email protected]> rejected RCPT <[email protected]>: "JunkMail rejected - (static.vnpt.vn) [14.182.244.224]:13408 is in an RBL: Blocked - see SpamCop.net - Blocking List ( bl.spamcop.net )"
2019-06-09 00:58:16 SMTP connection from (static.vnpt.vn) [14.182.244.224]:13408 closed by DROP in ACL

######################################
 

cPanelLauren (Product Owner, Staff member)
Better to run something like this for the compressed logs:

Code:
zgrep 1hZYCb-0009kU-zd /var/log/exim_mainlog-*
The excerpt you added doesn't seem to correlate at all to the headers of the initial email. In fact, that log excerpt seems to indicate that it's just a spam message being delivered to your server and then rejected for being in an RBL.
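The two things the thread asks for, searching rotated Exim logs for a message ID (keat63's and Lauren's exigrep/zgrep advice) and reading a log excerpt like the one Mark posted to tell an inbound-and-rejected message apart from spam leaving the box, can be done in one small script. This is an added example, not code from the thread or from cPanel; the log lines, IPs, addresses and message IDs in it are constructed for the example and do not come from Mark's server. It reads both plain and .gz files in the same way zgrep does, and it parses the three Exim main-log line shapes that matter here: "rejected RCPT" (the RBL case in the excerpt), "<=" (message accepted, with P=local marking a locally submitted message such as one from a PHP script) and "=>" (delivery). One caveat the script makes visible: a message rejected in the RCPT ACL never gets an Exim message ID, so exigrep on an ID finds nothing for such a rejection; grep for the recipient address or the client IP instead.

```python
"""Search rotated Exim main logs for a message ID and classify log lines.

Added example for this thread; not cPanel's or Exim's own code.  The sample
log below is constructed for the example (IPs from documentation ranges).
"""
import gzip
import os
import re
import tempfile

# Constructed sample lines in Exim main-log format.  Lines 0-3 mirror the
# shape of an RBL rejection at RCPT time (no message ID is ever assigned);
# lines 4-6 show a message submitted locally (P=local) and delivered remotely.
SAMPLE_LOG = [
    "2019-06-09 00:57:34 SMTP connection from [192.0.2.10]:13408 (TCP/IP connection count = 1)",
    '2019-06-09 00:58:16 H=(host.example) [192.0.2.10]:13408 Warning: "Increment Connection Ratelimit - (host.example) [192.0.2.10]:13408 because of RBL match"',
    '2019-06-09 00:58:16 H=(host.example) [192.0.2.10]:13408 F=<spammer@example.org> rejected RCPT <nobody@unknown.example>: "JunkMail rejected - (host.example) [192.0.2.10]:13408 is in an RBL: Blocked - see SpamCop.net - Blocking List ( bl.spamcop.net )"',
    "2019-06-09 00:58:16 SMTP connection from (host.example) [192.0.2.10]:13408 closed by DROP in ACL",
    "2019-06-09 01:02:03 1hZAAA-000001-AA <= www-data@localhost U=www-data P=local S=812 id=abc@localhost",
    "2019-06-09 01:02:04 1hZAAA-000001-AA => victim@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5]",
    "2019-06-09 01:02:04 1hZAAA-000001-AA Completed",
]

# H=[name ](helo) [ip]:port F=<sender> rejected RCPT <rcpt>: "reason"
REJECT_RE = re.compile(
    r'H=(?:[^(\[\s]\S* )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\](?::\d+)? '
    r'F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: "(?P<reason>[^"]*)"')
RBL_RE = re.compile(r'is in an RBL: .*?\( (?P<rbl>[\w.-]+) \)')
MSGID = r'(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})'
RECEIVED_RE = re.compile(MSGID + r' <= (?P<sender>\S+)(?P<rest>.*)')
DELIVERED_RE = re.compile(MSGID + r' => (?P<rcpt>\S+).*\bT=(?P<transport>\S+)')


def find_message(needle, logdir):
    """Return (filename, line) pairs containing `needle` from every
    exim_mainlog* file in `logdir`, reading .gz files transparently
    (the same coverage as `zgrep needle /var/log/exim_mainlog*`)."""
    hits = []
    for name in sorted(os.listdir(logdir)):
        if not name.startswith("exim_mainlog"):
            continue
        path = os.path.join(logdir, name)
        opener = gzip.open if name.endswith(".gz") else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if needle in line:
                    hits.append((name, line.rstrip("\n")))
    return hits


def classify(line):
    """Classify one main-log line; returns a dict or None if uninteresting."""
    m = REJECT_RE.search(line)
    if m:
        rbl = RBL_RE.search(m.group("reason"))
        return {"kind": "rejected_inbound", "ip": m.group("ip"),
                "sender": m.group("sender"), "rcpt": m.group("rcpt"),
                "rbl": rbl.group("rbl") if rbl else None}
    m = RECEIVED_RE.search(line)
    if m:
        rest = m.group("rest")
        user = re.search(r"\bU=(\S+)", rest)
        # P=local means the message was handed to Exim by a local process
        # (a PHP script, cron job, etc.), not received over SMTP.
        origin = "local" if re.search(r"\bP=local\b", rest) else "remote"
        return {"kind": "received", "id": m.group("id"), "sender": m.group("sender"),
                "origin": origin, "local_user": user.group(1) if user else None}
    m = DELIVERED_RE.search(line)
    if m:
        return {"kind": "delivered", "id": m.group("id"),
                "rcpt": m.group("rcpt"), "transport": m.group("transport")}
    return None


def summarize(lines):
    """Count classified lines by kind, e.g. to see at a glance whether a log
    slice is inbound junk being refused or mail actually leaving the server."""
    counts = {}
    for line in lines:
        info = classify(line)
        if info:
            counts[info["kind"]] = counts.get(info["kind"], 0) + 1
    return counts


def make_sample_logdir():
    """Write the constructed sample into a temp dir as one plain and one
    rotated (.gz) log, the layout cPanel leaves in /var/log."""
    d = tempfile.mkdtemp(prefix="eximlog-")
    with open(os.path.join(d, "exim_mainlog"), "w") as fh:
        fh.write("\n".join(SAMPLE_LOG[:4]) + "\n")
    with gzip.open(os.path.join(d, "exim_mainlog-20190609.gz"), "wt") as fh:
        fh.write("\n".join(SAMPLE_LOG[4:]) + "\n")
    return d


if __name__ == "__main__":
    logdir = make_sample_logdir()
    # An ID search finds the locally submitted message in the rotated log ...
    for name, line in find_message("1hZAAA-000001-AA", logdir):
        print(name, "|", classify(line) or line)
    # ... but the RBL rejection has no ID, so search for the recipient instead.
    for name, line in find_message("nobody@unknown.example", logdir):
        print(name, "|", classify(line))
    print(summarize(SAMPLE_LOG))
```

Run against a real server by replacing `make_sample_logdir()` with `/var/log` (as root); the "received" entries with `origin == "local"` and a `local_user` such as a web-server account are the ones to chase if you suspect a script is sending from your box, while "rejected_inbound" entries with an RBL name are the case Lauren describes: mail that was never accepted.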