Forged return address on SPAM causing blacklisting

Discussion in 'E-mail Discussion' started by shortfork, Feb 17, 2014.

  1. shortfork

    shortfork Well-Known Member

    Sep 4, 2006
    For about a week, I've been getting a TON of bounced SPAM that has the sender forged as a user on my server. They look like this:

    ------ This is a copy of the message, including all the headers. ------
    Return-path: <[email protected]>
    Received: from [] (port=4193
    	by with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
    	(Exim 4.82)
    	(envelope-from <[email protected]>)
    	id 1WFTiU-0003s4-CC; Mon, 17 Feb 2014 11:18:58 -0800
    Message-ID: <[email protected]>
    Date: Mon, 17 Feb 2014 21:18:54 +0200
    Reply-To: "myname" <[email protected]>
    From: "myname" <[email protected]>
    MIME-Version: 1.0

    Interesting in this is was my old server's name, associated with the old server's IP address. When I updated servers a year or so ago, the name change to was not done in the WHM cp. Although, the old does resolve to the current server IP...

    I think I have a double problem here in that the old name is probably being used by some of the users who are getting blocked due to the server IP address being put in blacklists from this barrage of bounces...


  2. vanessa

    vanessa Well-Known Member PartnerNOC

    Sep 26, 2006
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    Blacklisting typically does not work this way. Someone using your old server's hostname as the EHLO name is usually not enough to trick any reputable blacklist - they are going to go by the IP address that the email originated from. Based on the limited info in the headers, it's possible that the email is being relayed through your server. Check your exim logs for these emails and see if they reveal anything.
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Apr 11, 2011
    cPanel Access Level:
    Root Administrator
    Hello :)

    Have you tried searching for the "to" address in /var/log/exim_mainlog to ensure it was not actually sent from your server? You can use a command such as this to search:

    exigrep [email protected] /var/log/exim_mainlog

    Also, as far as the hostname issue, have you tried sending a message from your server to a remote test address (e.g. Google, Hotmail) so you could review the mail header and verify the correct hostname is used?

    Thank you.
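An added example, not code from the thread or from cPanel, that automates the two checks suggested in the replies above: it reads the Exim message id and protocol from the bounce's Received header and looks that id up in an exim_mainlog excerpt the way `exigrep` would, reporting whether this server accepted the message from an authenticated client, accepted it unauthenticated, never logged it, or never handled it at all (pure backscatter). The bounce copy, log lines, hostnames, address and IP are constructed placeholders modelled on the headers quoted in the first post.

```python
import re

# Constructed bounce copy modelled on the headers quoted in the thread; the
# hostnames, address and IP are placeholders, not the poster's real values.
BOUNCE_COPY = """\
Return-path: <user@example.test>
Received: from [203.0.113.10] (port=4193 helo=oldhost.example.test)
\tby mail.example.test with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
\t(Exim 4.82)
\t(envelope-from <user@example.test>)
\tid 1WFTiU-0003s4-CC; Mon, 17 Feb 2014 11:18:58 -0800
From: "myname" <user@example.test>
"""

# Constructed exim_mainlog excerpt in Exim's arrival ("<=") and delivery ("=>") format.
EXIM_MAINLOG = """\
2014-02-17 11:18:58 1WFTiU-0003s4-CC <= user@example.test H=(oldhost.example.test) [203.0.113.10] P=esmtpsa X=TLSv1:DHE-RSA-AES256-SHA:256 A=dovecot_login:user@example.test S=2311
2014-02-17 11:19:01 1WFTiU-0003s4-CC => remote@example.net R=lookuphost T=remote_smtp
"""

def unfold(headers):
    # Join RFC 5322 continuation lines (leading whitespace) onto their header.
    return re.sub(r"\r?\n[ \t]+", " ", headers)

def parse_received(bounce):
    # Pull source IP, receiving host, protocol and Exim id from the first Received
    # header. esmtpa/esmtpsa mean Exim accepted it from a client that used SMTP AUTH.
    m = re.search(r"^Received: from (?P<src>.+?) by (?P<by>\S+) with (?P<proto>\S+)"
                  r".*? id (?P<id>\S+);", unfold(bounce), re.M)
    if not m:
        return None
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m["src"])
    return {"ip": ip.group(1) if ip else None, "by": m["by"], "proto": m["proto"],
            "id": m["id"], "authenticated": m["proto"] in ("esmtpa", "esmtpsa")}

def classify(bounce, mainlog):
    # Same check as `exigrep <id> /var/log/exim_mainlog`, applied to an in-memory log.
    rcv = parse_received(bounce)
    if rcv is None:
        # No Received line from this server: sender forged elsewhere, only the bounce reached us.
        return {"verdict": "backscatter", "received": None}
    arrival = [l for l in mainlog.splitlines() if f" {rcv['id']} <= " in l]
    if not arrival:
        # Header names this server but the id never arrived here: the header itself is forged.
        return {"verdict": "not-logged", "received": rcv}
    auth = re.search(r" A=(\S+)", arrival[0])
    verdict = "authenticated" if auth else "unauthenticated"
    return {"verdict": verdict, "received": rcv,
            "auth": auth.group(1) if auth else None, "log": arrival[0]}
```

An "authenticated" verdict points at the mailbox named in the A= field as the submission source, which is the account to review rather than the server's reputation.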
