Forged return address on SPAM causing blacklisting

shortfork

Well-Known Member
Sep 4, 2006
For about a week, I've been getting a TON of bounced SPAM that has the sender forged as a user on my server. They look like this:

Code:
------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from [not.my.server.ip] (port=4193 helo=.com)
	by serv3.myservername.net with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.82)
	(envelope-from <[email protected]>)
	id 1WFTiU-0003s4-CC; Mon, 17 Feb 2014 11:18:58 -0800
Message-ID: <[email protected]>
Date: Mon, 17 Feb 2014 21:18:54 +0200
Reply-To: "myname" <[email protected]>
From: "myname" <[email protected]>
MIME-Version: 1.0
What is interesting in this is that serv3.myservername.net was my old server's name, associated with the old server's IP address. When I updated servers a year or so ago, the name change to serv4.myservername.net was not done in the WHM control panel. Although, the old serv3.myservername.net does resolve to the current server IP...

I think I have a double problem here, in that the old name is probably being used by some of the users, who are getting blocked because the server IP address is being put on blacklists from this barrage of bounces...

Arrgh!

HELP!
 

vanessa

Well-Known Member
PartnerNOC
Sep 26, 2006
Virginia Beach, VA
Blacklisting typically does not work this way. Someone using your old server's hostname as the EHLO name is usually not enough to trick any reputable blacklist - they are going to go by the IP address that the email originated from. Based on the limited info in the headers, it's possible that the email is being relayed through your server. Check your exim logs for these emails and see if they reveal anything.
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
Hello :)

Have you tried searching for the "to" address in /var/log/exim_mainlog to ensure it was not actually sent from your server? You can use a command such as this to search:

Code:
exigrep [email protected] /var/log/exim_mainlog
Also, as for the hostname issue, have you tried sending a message from your server to a remote test address (e.g. Google, Hotmail) so you could review the mail header and verify the correct hostname is used?

Thank you.
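As an added example (not from the thread, and not cPanel's or Exim's own code), the script below does offline the two checks vanessa and cPanelMichael describe. First it classifies an Exim Received: header by its protocol tag: Exim writes esmtpsa for an ESMTP session that used TLS and SMTP AUTH (the tag in the header quoted above), esmtps for TLS without authentication, esmtpa for authentication without TLS, and esmtp for plain SMTP; an authenticated tag means the client presented one of the server's own mailbox credentials rather than merely forging From:. Second it tallies the "<=" arrival lines of /var/log/exim_mainlog by the A= authenticated account and source IP, which is what you would read exigrep output for by hand. The log lines, addresses, IPs and thresholds are constructed for the example; real cPanel mainlog lines carry extra fields (I=, CV=, and so on), and the arrival pattern tolerates fields between the client IP and P=.

```python
import re
from collections import defaultdict

# Exim protocol tags: suffix "a" = SMTP AUTH succeeded, suffix "s" = TLS.
AUTHENTICATED_PROTOCOLS = {"esmtpa", "esmtpsa"}

# Received: header in the layout Exim writes (as in the header quoted in the thread).
RECEIVED_RE = re.compile(
    r"Received: from (?P<host>\S+) \((?P<extra>[^)]*)\)\s+"
    r"by (?P<by>\S+) with (?P<proto>\w+)"
)

# "<=" (message received) line of exim_mainlog; other line types are ignored.
MAINLOG_ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<env_from>\S+) "
    r"H=(?P<helo>.+?) \[(?P<ip>[^\]]+)\]:\d+ .*?P=(?P<proto>\S+)"
)
# A=<authenticator>:<account> is present only when the client authenticated.
AUTH_FIELD_RE = re.compile(r" A=(?P<method>\w+):(?P<account>\S+)")


def classify_received(header):
    """Parse an Exim Received: header. Returns None if it is not in Exim's
    layout, else the receiving host, client HELO, protocol tag and whether
    that tag shows the client authenticated (i.e. submitted with credentials)."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    helo_m = re.search(r"helo=(\S*)", m.group("extra"))
    proto = m.group("proto")
    return {
        "host": m.group("host"),
        "helo": helo_m.group(1) if helo_m else "",
        "by": m.group("by"),
        "proto": proto,
        "authenticated": proto in AUTHENTICATED_PROTOCOLS,
    }


def summarize_arrivals(log_lines):
    """Count exim_mainlog arrivals per authenticated account (with the set of
    source IPs) and the number of unauthenticated arrivals. Accepts any
    iterable of lines, e.g. an open /var/log/exim_mainlog."""
    auth = defaultdict(lambda: {"count": 0, "ips": set()})
    unauth = 0
    for line in log_lines:
        m = MAINLOG_ARRIVAL_RE.match(line)
        if not m:
            continue  # delivery (=>), bounce (**), Completed, etc.
        a = AUTH_FIELD_RE.search(line)
        if a and m.group("proto") in AUTHENTICATED_PROTOCOLS:
            entry = auth[a.group("account")]
            entry["count"] += 1
            entry["ips"].add(m.group("ip"))
        else:
            unauth += 1
    return {"authenticated": dict(auth), "unauthenticated": unauth}


def suspicious_accounts(summary, max_messages=2, max_ips=1):
    """Accounts that submitted more than max_messages, or from more than
    max_ips distinct IPs, within the log slice. Thresholds are illustrative;
    set them from the server's normal per-account volume."""
    return sorted(
        acct for acct, e in summary["authenticated"].items()
        if e["count"] > max_messages or len(e["ips"]) > max_ips
    )


# Constructed sample data (not taken from the thread): three authenticated
# submissions by one mailbox from two IPs, plus one inbound unauthenticated bounce.
SAMPLE_MAINLOG = """\
2014-02-17 11:18:58 1WFTiU-0003s4-CC <= myname@example.com H=(.com) [203.0.113.5]:4193 P=esmtpsa X=TLSv1:DHE-RSA-AES256-SHA:256 A=dovecot_login:myname@example.com S=2845 id=1a2b@example.com T="hello" from <myname@example.com> for victim1@example.net
2014-02-17 11:18:59 1WFTiU-0003s4-CC => victim1@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.44]
2014-02-17 11:18:59 1WFTiU-0003s4-CC Completed
2014-02-17 11:19:03 1WFTiZ-0003s9-AB <= myname@example.com H=(.com) [203.0.113.5]:4201 P=esmtpsa X=TLSv1:DHE-RSA-AES256-SHA:256 A=dovecot_login:myname@example.com S=2845 id=1a2c@example.com T="hello" from <myname@example.com> for victim2@example.net
2014-02-17 11:19:07 1WFTid-0003sC-QQ <= myname@example.com H=(.com) [198.51.100.77]:5120 P=esmtpsa X=TLSv1:DHE-RSA-AES256-SHA:256 A=dovecot_login:myname@example.com S=2845 id=1a2d@example.com T="hello" from <myname@example.com> for victim3@example.net
2014-02-17 11:20:10 1WFTjg-0003t0-Zz <= <> H=mx.example.net [192.0.2.44]:51001 P=esmtps X=TLSv1:DHE-RSA-AES256-SHA:256 S=5000 id=b1@mx.example.net T="Mail delivery failed" from <> for myname@example.com
""".splitlines()

SAMPLE_RECEIVED = (
    "Received: from [203.0.113.5] (port=4193 helo=.com)\n"
    "\tby serv3.myservername.net with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)\n"
    "\t(Exim 4.82)\n"
)

if __name__ == "__main__":
    print(classify_received(SAMPLE_RECEIVED))
    summary = summarize_arrivals(SAMPLE_MAINLOG)
    print(summary)
    print("accounts to inspect:", suspicious_accounts(summary))
```

On a live server, pass `open("/var/log/exim_mainlog")` to summarize_arrivals; an account that shows up with a large count from IPs its owner does not use is the one whose password to reset, and the "by" host in classify_received is the hostname Exim stamps on outgoing mail, which is where a stale server name like serv3 versus serv4 would show.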