The Community Forums


Forged return address on SPAM causing blacklisting

Discussion in 'E-mail Discussions' started by shortfork, Feb 17, 2014.

  1. shortfork

    shortfork Well-Known Member

    Joined:
    Sep 4, 2006
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    For about a week, I've been getting a TON of bounced SPAM that has the sender forged as a user on my server. They look like this:

    Code:
    ------ This is a copy of the message, including all the headers. ------

    Return-path: <myaddress@mydomain.com>
    Received: from [not.my.server.ip] (port=4193 helo=.com)
    	by serv3.myservername.net with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
    	(Exim 4.82)
    	(envelope-from <myaddress@mydomain.com>)
    	id 1WFTiU-0003s4-CC; Mon, 17 Feb 2014 11:18:58 -0800
    Message-ID: <40BA8F9B.8C4A9179@mydomain.com>
    Date: Mon, 17 Feb 2014 21:18:54 +0200
    Reply-To: "myname" <myaddress@mydomain.com>
    From: "myname" <myaddress@mydomain.com>
    MIME-Version: 1.0

    Interestingly, serv3.myservername.net was my old server's name, associated with the old server's IP address. When I updated servers a year or so ago, the name change to serv4.myservername.net was not done in the WHM cp, although the old serv3.myservername.net does resolve to the current server IP.

    I think I have a double problem here, in that the old name is probably being used by some of the users who are getting blocked due to the server IP address being put in blacklists from this barrage of bounces.

    Arrgh!

    HELP!
     
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    817
    Likes Received:
    22
    Trophy Points:
    18
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    Blacklisting typically does not work this way. Someone using your old server's hostname as the EHLO name is usually not enough to trick any reputable blacklist - they are going to go by the IP address that the email originated from. Based on the limited info in the headers, it's possible that the email is being relayed through your server. Check your exim logs for these emails and see if they reveal anything.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,667
    Likes Received:
    646
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Have you tried searching for the "to" address in /var/log/exim_mainlog to ensure it was not actually sent from your server? You can use a command such as this to search:

    Code:
    exigrep to@remote-domain /var/log/exim_mainlog

    Also, as for the hostname issue, have you tried sending a message from your server to a remote test address (e.g. Google, Hotmail) so you could review the mail header and verify the correct hostname is used?

    Thank you.
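As an added example (not code from the thread, cPanel or Exim), a small Python parser that performs the check vanessa and cPanelMichael describe over constructed exim_mainlog lines: for each message it finds the `<=` acceptance record and reports whether the mail was generated locally, accepted inbound with a forged local sender, or accepted with an authenticated login (esmtpsa) from an IP outside the server's own ranges, which is what the Received: header quoted above shows. The log layout is a simplified version of what Exim writes on cPanel, and every address, hostname and network in it is made up.

```python
import ipaddress
import re

# Constructed, simplified Exim mainlog "<=" (message accepted) lines as written on
# cPanel; the first mirrors the Received: header quoted in the thread. All
# addresses, IPs and hostnames are made up for this example.
SAMPLE_MAINLOG = """\
2014-02-17 11:18:58 1WFTiU-0003s4-CC <= myaddress@mydomain.com H=(.com) [203.0.113.45]:4193 P=esmtpsa X=TLSv1:DHE-RSA-AES256-SHA:256 A=dovecot_login:myaddress@mydomain.com S=2210 id=40BA8F9B.8C4A9179@mydomain.com T="hello" for victim@example.net
2014-02-17 11:20:03 1WFTjX-0003t1-AB <= other@mydomain.com H=mail.partner.example [198.51.100.7] P=esmtp S=1800 id=abc@partner.example T="invoice" for other@mydomain.com
2014-02-17 11:21:17 1WFTkY-0003u9-QQ <= myaddress@mydomain.com U=myaddress P=local S=900 id=xyz@mydomain.com T="note" for friend@example.org
2014-02-17 11:22:40 1WFTlZ-0003v2-ZZ <= <> H=mx.example.net [198.51.100.20] P=esmtp S=4000 id=bounce@example.net T="Mail delivery failed" for myaddress@mydomain.com
"""

ACCEPTED = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+)"
    r"(?: H=(?P<helo>\S*) \[(?P<ip>[^\]]+)\](?::\d+)?)?"  # remote client, if any
    r"(?: U=\S+)? P=(?P<proto>\S+)(?: X=\S+)?"            # P=esmtpsa = authenticated SMTP
    r"(?: A=(?P<auth>\S+))?.* for (?P<rcpts>.+)$"         # A= names the login that was used
)

def parse_accepted(line):
    """Fields of one '<=' line, or None for any other kind of log line."""
    m = ACCEPTED.match(line)
    if not m:
        return None
    return dict(m.groupdict(), rcpts=m["rcpts"].split())

def classify(entry, my_domain, local_nets):
    """How a message carrying a local sender address really entered the queue."""
    local = lambda addr: addr.lower().endswith("@" + my_domain)
    if not local(entry["sender"]):
        return "external-sender"        # ordinary inbound mail, or a bounce (<>)
    if entry["ip"] is None:
        return "local-submission"       # generated on the box (script, webmail, pipe)
    own_net = any(ipaddress.ip_address(entry["ip"]) in ipaddress.ip_network(n)
                  for n in local_nets)
    if entry["auth"]:                   # accepted with a valid login: if the client IP
        return "authenticated-local" if own_net else "authenticated-remote"  # is foreign, review that login
    if all(local(r) for r in entry["rcpts"]):
        return "inbound-forged-sender"  # forged local From, but only delivered locally
    return "unauthenticated-relay"      # relayed with no auth: relay/trusted-host config

def report(mainlog_text, my_domain, local_nets):
    """Map each accepted message id to its classification (what exigrep on the 'to' address lets you read off by hand)."""
    out = {}
    for line in mainlog_text.splitlines():
        entry = parse_accepted(line)
        if entry:
            out[entry["id"]] = classify(entry, my_domain, local_nets)
    return out
```

Run it as `report(open("/var/log/exim_mainlog").read(), "yourdomain", ["your.server.ip/32"])`; an `authenticated-remote` result means the server accepted the message with that account's credentials, so the `A=` login is the place to look.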
     