find source of incoming emails

[asmithjr]

I've created a problem for myself over the years. I thought I was being smart creating alias each time I had to provide an email to an external source. The thought was just do away with the alias when I found that email was being spammed. Now years later the email spam is out of control on my server.
Is there a good way to find out which alias email is being hit with all the spam? I am not sure my main email is getting all the junk email or if it is coming from one of the alias accounts.
Thanks

 

[keat63]

Without me digging through my own mail logs, I don't entirely know the answer.
However, it would help others if you could tell us whether you have root access or if you are a web site owner.
Do you have access to WHM or Cpanel only?

 

[keat63]

I'm using forwarders for some of our sales orders.
I opened one up and can quite clearly see in the message headers where it was originally sent.

In fact, I'm struggling to see anything related to the mailbox it actually landed in.

 

[asmithjr]

I do have root access. This is a small VPS and I manage the server with full access.

 

[andrew.n]

Well the info you are looking for is definitely in /var/log/exim_mainlog but if you have many email accounts it will be a bit difficult to read. This script makes it a bit easier to track things down:

GitHub - CpanelInc/tech-MSP

Contribute to CpanelInc/tech-MSP development by creating an account on GitHub.

github.com

 

[keat63]

I just sent myself an email from gmail via an alias, and I can clearly see the alias in the headers

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from xxxxxxxxxxxxxxxxxxxxxxxx
by xxxxxxxxxxxxxxxxx with LMTP
id SGuVEbdOGF8UVwAAejhMJg
(envelope-from <[email protected]>)
for <[email protected]>; Wed, 22 Jul 2020 15:35:35 +0100
Return-path: <[email protected]>
Envelope-to: [email protected]

 

[andrew.n]

right....so what's the problem here?

 

[cPanelLauren]

@andrew.n there isn't a problem @keat63 was showing the OP how to identify mail sent to an alias which is the question the user was asking.


@asmithjr if I understand correctly the Aliases you created were just forwarders for accounts that do not exist correct? If this is the case and you removed those, but mail is still being accepted for those email accounts you could eliminate this problem entirely by going to cPanel >> Email >> Default Address and ensure the setting you have for unrouted mail (mail that is sent to [email protected]) is not set to forward to an email address or your system account.

 

[andrew.n]

ah right I thought @keat63 is the OP.

 

[asmithjr]

What I found to work for me is:

grep "[email protected]" exim_mainlog | grep virtual | grep "(" | awk -F "(" '{print $2}' | awk -F ")" '{print $1}'

My main address is [email protected], this shows me all email accounts from the exim_mainlog that were forwarded to my main address.

 

[ThomasA]

How to check properties of incoming emails ... You can also do View > Message Source (or ctrl + u) which shows you the actual characters ... I hope that help!