Forged return address on SPAM causing blacklisting

S

shortfork

Well-Known Member
Sep 4, 2006
65
0
156
For about a week, I've been getting a TON of bounced SPAM that has the sender forged as a user on my server. They look like this

Code: 
------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from [not.my.server.ip] (port=4193 helo=.com)
	by serv3.myservername.net with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.82)
	(envelope-from <[email protected]>)
	id 1WFTiU-0003s4-CC; Mon, 17 Feb 2014 11:18:58 -0800
Message-ID: <[email protected]>
Date: Mon, 17 Feb 2014 21:18:54 +0200
Reply-To: "myname" <[email protected]>
From: "myname" <[email protected]>
MIME-Version: 1.0
Interesting in this is serv3.myservername.net was my old server's name associated with the old server's IP address.. When I updated servers a year or so ago, the name change to serv4.myservername.net was not done in the WHM cp.. Although, the old serv3.myservername.net does resolve to the current server IP...

I think I have a double problem here in that the old name is probably being used by some of the users who are getting blocked due to the server IP address being put in blacklists from this barrage of bounces...

Arrgh!

HELP!
 
vanessa

vanessa

Well-Known Member
PartnerNOC
Sep 26, 2006
835
29
178
Virginia Beach, VA
cPanel Access Level
DataCenter Provider
Blacklisting typically does not work this way. Someone using your old server's hostname as the EHLO name is usually not enough to trick any reputable blacklist - they are going to go by the IP address that the email originated from. Based on the limited info in the headers, it's possible that the email is being relayed through your server. Check your exim logs for these emails and see if they reveal anything.
 
cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,261
463
Hello :)

Have you tried searching for the "to" address in /var/log/exim_mainlog to ensure it was not actually sent from your server? You can use a command such as this to search:

Code: 
exigrep [email protected] /var/log/exim_mainlog
Also, as far as the hostname issue, have you tried sending a message from your server to a remote test address (e.g. Google, Hotmail) so you could review the mail header and verify the correct hostname is used?

Thank you.
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
psytanium Stopping incoming forged emails Email 4
T Mail appeared to be SPAM or forged. helo/hostname mismatch Email 3
Un Area Getting rid of forged mails usign e-mail authentication (solution with acl) Email 0
M Reconfigure server to ignore NDRs to forged addresses/domains Email 0
Drake spam, forged sender, bounce backs Email 2
Similar threads
Stopping incoming forged emails
Mail appeared to be SPAM or forged. helo/hostname mismatch
Getting rid of forged mails usign e-mail authentication (solution with acl)
Reconfigure server to ignore NDRs to forged addresses/domains
spam, forged sender, bounce backs
Top Bottom