Emails to unknown domain

Discussion in 'E-mail Discussion' started by Mark Coates, Jun 7, 2019.

  1. Mark Coates

    Mark Coates Well-Known Member

    Joined:
    Mar 13, 2019
    Messages:
    81
    Likes Received:
    11
    Trophy Points:
    8
    Location:
    Doncaster
    cPanel Access Level:
    Root Administrator
    Hi all, I have noticed now and again spam being processed on the server, although it does not get delivered as

    #1 the email and domain do not exist on the server
    #2 processed as spam and rejected.

    How can this come to my VPS if the domain does not and has not existed on here?

    I have also checked the receiving email for if the email has been sent from that address, and nothing.

    I get about 5 emails like this a month.

    Thanks
     


  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,466
    Likes Received:
    505
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Mark Coates


    This looks like spam email leaving your server (it doesn't have to carry your domain name if it's sent through a PHP script). You might check the exclamation point to get the "Delivery Event Details", which might give you some further information.
     
  3. Mark Coates

    Mark Coates Well-Known Member

    Hi @cPanelLauren

    I have checked this and none of the IP addresses are what my VPS uses either. I have attached an example.

    My IP starts: 149.255.63.***
     


  4. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,291
    Likes Received:
    91
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    cPanelLauren likes this.
  5. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @Mark Coates

    Do you have the ability to run the following over CLI?

    Code:
    exigrep 1hZYCb-0009kU-zd /var/log/exim_mainlog
     
  6. Mark Coates

    Mark Coates Well-Known Member

    @keat63

    These are the results from the terminal:

    [[email protected] ~]# telnet localhost 25
    Trying ::1...
    Connected to localhost.
    Escape character is '^]'.
    220-dedivps-75533.dedicloud.co.uk ESMTP Exim 4.92 #2 Tue, 11 Jun 2019 08:58:43 +0100
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    helo
    250 dedivps-75533.dedicloud.co.uk Hello [::1]
    mail from: [email protected]
    250 OK
    rcpt to: [email protected]
    250 Accepted

    @cPanelLauren

    I get this:

    [[email protected] ~]# exigrep 1hZYCb-0009kU-zd /var/log/exim_mainlog
    [[email protected] ~]#
     
  7. keat63

    keat63 Well-Known Member

    Actually, I'm beginning to wonder if doing what I said via a terminal window was a thorough test.
    As in effect, we wouldn't need to authorise as we are doing this as self, and thus authorised to do so.
    Maybe Telnet from a local PC would be a better test.

    Maybe try it with Mxtoolbox instead

    Email Server Test - Online SMTP diagnostics tool - MxToolbox
     
  8. Mark Coates

    Mark Coates Well-Known Member

    @keat63

    I have tried with that link, although I presume it would be their domain? Or would this be my domain?
     
  9. Mark Coates

    Mark Coates Well-Known Member

    Here are the results using my domain name.
     


  10. keat63

    keat63 Well-Known Member

    Seems that you are not an open relay then.

    The command that Lauren gave you ought to have come back with a result.
    However, if your log file has rotated, this could explain why you saw nothing.
    See if you can identify another most recent one of these rogue emails and use the ID from that.
     
  11. Mark Coates

    Mark Coates Well-Known Member

    I think I will have to wait as I can't find any from the past 2 days.
     
  12. keat63

    keat63 Well-Known Member

    If you have ftp access, you could ftp to var/log and find the .gz (zip) filename of the log file that was written at the time of the last known event.
    Then run the command against the zip file instead.

    along the lines:

    exigrep 1hZYCb-0009kU-zd /var/log/exim_mainlog-20190610.gz
     
  13. Mark Coates

    Mark Coates Well-Known Member

    Didn't work through terminal, although I could download the latest (only 1 file of the main log).

    The addresses in question were not in the log

    /var/log/exim_mainlog-20190609

    I can't upload it as it's too large :(
     
  14. keat63

    keat63 Well-Known Member

    My server has four .gz files plus the current exim-mainlog.
     
  15. Mark Coates

    Mark Coates Well-Known Member

    Ah yes, now I see them. I'll have another look.
     


  16. Mark Coates

    Mark Coates Well-Known Member

    This means nothing to me but this is the log section regarding this.

    ######################################

    2019-06-09 00:57:34 SMTP connection from [14.182.244.224]:13408 (TCP/IP connection count = 1)
    2019-06-09 00:57:55 H=(static.vnpt.vn) [14.182.244.224]:13408 Warning: Sender rate 1.0 / 1h
    2019-06-09 00:58:15 [69.25.26.160] SSL verify error (during S-verify for [14.182.244.224]): certificate name mismatch: DN="/C=US/ST=Florida/L=Gulf Breeze/O=Appriver LLC/OU=Engineering/CN=*.appriver.com" H="consolidatedsafety.com.1.0001.arsmtp.com"
    2019-06-09 00:58:16 H=(static.vnpt.vn) [14.182.244.224]:13408 Warning: "Increment Connection Ratelimit - (static.vnpt.vn) [14.182.244.224]:13408 because of RBL match"
    2019-06-09 00:58:16 H=(static.vnpt.vn) [14.182.244.224]:13408 F=<[email protected]> rejected RCPT <[email protected]>: "JunkMail rejected - (static.vnpt.vn) [14.182.244.224]:13408 is in an RBL: Blocked - see SpamCop.net - Blocking List ( bl.spamcop.net )"
    2019-06-09 00:58:16 SMTP connection from (static.vnpt.vn) [14.182.244.224]:13408 closed by DROP in ACL

    ######################################
     
  17. keat63

    keat63 Well-Known Member

  18. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Better to run something like this for the compressed logs:

    Code:
    zgrep 1hZYCb-0009kU-zd /var/log/exim_mainlog-*
    The excerpt you added doesn't seem to correlate at all to the headers of the initial email as well. In fact, that log excerpt seems to indicate that it's just a spam message being delivered to your server, then rejected for being in an RBL.
     
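An added illustration of the distinction drawn in the post above (not code from the thread or from cPanel): a short Python triage over Exim mainlog lines, plain or rotated `.gz`, that separates inbound mail refused at SMTP time, which is logged without a message ID as in the excerpt in post #16, from mail submitted locally on the server. The sample lines, hostnames, addresses, IPs and message ID are constructed placeholders modelled on that excerpt's format.

```python
import gzip
import re

# Constructed sample lines modelled on the excerpt format in post #16;
# every IP, hostname, address and message ID here is a placeholder.
SAMPLE = """\
2019-06-09 00:57:34 SMTP connection from [203.0.113.7]:13408 (TCP/IP connection count = 1)
2019-06-09 00:58:16 H=(host.example.net) [203.0.113.7]:13408 F=<spam@example.org> rejected RCPT <nobody@example.com>: "JunkMail rejected - (host.example.net) [203.0.113.7]:13408 is in an RBL"
2019-06-09 01:02:03 1aBcDe-0001Fg-hI <= user@example.com U=user P=local S=812
2019-06-09 01:02:04 1aBcDe-0001Fg-hI => friend@example.org R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.org [198.51.100.9]
""".splitlines()

MSG_LINE = re.compile(r"^\S+ \S+ ([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (\S+)")
REJECT = re.compile(r"\[([0-9A-Fa-f.:]+)\]:\d+ F=<([^>]*)> rejected RCPT <([^>]*)>")
FLAGS = {"<=": "received", "=>": "delivered", "->": "delivered",
         "**": "failed", "==": "deferred"}

def read_log(path):
    """Yield lines from a current or rotated (.gz) exim_mainlog."""
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rt", errors="replace") as fh:
        for line in fh:
            yield line.rstrip("\n")

def classify(line):
    """Return (kind, detail) for one mainlog line."""
    m = MSG_LINE.match(line)
    if m:
        kind = FLAGS.get(m.group(2), "message-event")
        if kind == "received" and " P=local" in line:
            kind = "local-submission"      # mail generated on this server
        return kind, m.group(1)            # detail = message ID
    r = REJECT.search(line)
    if r:                                  # refused before acceptance: no ID
        return "smtp-rejected", r.group(1) # detail = remote IP
    return "connection-event", None

def triage(lines, needle):
    """Classify every line containing needle (address, IP or message ID)."""
    return [classify(line) for line in lines if needle in line]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE, "example"):
        print(kind, detail)
```

On a real server, pass `read_log("/var/log/exim_mainlog")` or a rotated file's path as `lines`; searching by remote IP or address finds SMTP-time rejections that a message-ID search cannot.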
  19. Mark Coates

    Mark Coates Well-Known Member

    ----
     
    #19 Mark Coates, Jun 11, 2019
    Last edited: Jun 11, 2019
  20. Mark Coates

    Mark Coates Well-Known Member

    @keat63

    No, my domain is not there.
     