
Help with spam sent to self

Discussion in 'E-mail Discussions' started by phillbooth, Apr 5, 2016.

  1. phillbooth

    phillbooth Active Member

    Joined:
    Sep 9, 2013
    Messages:
    39
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Hello, I have seen this kind of spam for a number of accounts on my cPanel server now, where the spam email is sent "From" an email to the same email address. In this case admin@ only exists as a forwarder. Also, SPF and DKIM are set up on this domain with Exim set to reject SPF failures. The sender IP is 181.176.43.44, which is not on the SPF but is blacklisted on RBL: zen.spamhaus.org, which is set to on.

    So how are they doing it? Is my server hacked, or is cPanel/Exim just not checking SPF/IPs for internal email?

    Code:
    Return-path: <admin@thehosteddomain.co.uk>
    Envelope-to: admin@thehosteddomain.co.uk
    Delivery-date: Tue, 05 Apr 2016 14:11:15 +0100
    Received: from [181.176.43.44] (port=23075)
        by mycpanelserver.com with esmtp (Exim 4.86_1)
        (envelope-from <admin@thehosteddomain.co.uk>)
        id 1anQlG-0004qD-LD
        for admin@thehosteddomain.co.uk; Tue, 05 Apr 2016 14:11:15 +0100
    Message-ID: <578251831008526853087067@thehosteddomain.co.uk>
    From: <admin@thehosteddomain.co.uk>
    To: <admin@thehosteddomain.co.uk>
    Subject: Make 30% profit every 15 minutes.
    Date: 5 Apr 2016 01:43:32 -0600
    MIME-Version: 1.0
    Content-type: multipart/alternative;
    boundary="---09907CF940E515C55CB0358C29D90990"
    X-Mailer: Uqpkcn pqnsbp
    X-From-Rewrite: unmodified, forwarded message
    
    This is a multi-part message in MIME format.
    -----09907CF940E515C55CB0358C29D90990
    Content-type: text/plain;
    charset="iso-8859-1"
    Content-transfer-encoding: quoted-printable
    
    
     
    #1 phillbooth, Apr 5, 2016
    Last edited by a moderator: Apr 5, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Could you post the corresponding entry for this message from /var/log/exim_mainlog? EX:

    Code:
    exigrep MSGID /var/log/exim_mainlog
    Thank you.
     
  3. calvinphanctt

    calvinphanctt Active Member

    Joined:
    Mar 27, 2007
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    Hello,

    I got the same problem! Someone uses my email to email me, for example: From: myemail@example.com to: myemail@example.com with an advertisement like below:

    - Removed -

    Please show me how to fix this problem!
    Thank you very much!

    Sincerely,
    Calvin
     
    #3 calvinphanctt, Apr 5, 2016
    Last edited by a moderator: Apr 6, 2016
  4. phillbooth

    Thanks

    Code:
    exigrep 578251831008526853087067 /var/log/exim_mainlog
    2016-04-05 14:11:15 1anQlG-0004qD-LD H=([181.176.43.44]) [181.176.43.44]:23075 Warning: Message has been scanned: no virus or other harmful content was found
    2016-04-05 14:11:15 1anQlG-0004qD-LD <= admin@myhosteddomain H=([181.176.43.44]) [181.176.43.44]:23075 P=esmtp S=3362 id=578251831008526853087067@myhosteddomain T="Make 30% profit every 15 minutes." for admin@myhosteddomain
    2016-04-05 14:11:15 1anQlG-0004qD-LD SMTP connection identification D=myhosteddomain O=admin@myhosteddomain E=phill@myemail.com M=1anQlG-0004qD-LD U=alternat ID=1000 B=redirect_resolver
    2016-04-05 14:11:15 1anQlG-0004qD-LD => phill (phill@myemail.com, admin@myhosteddomain) <admin@myhosteddomain> R=virtual_user T=virtual_userdelivery
    2016-04-05 14:11:15 1anQlG-0004qD-LD => |/usr/local/cpanel/bin/autorespond phill@myemail.com /home/runtime/.autorespond (phill@myemail.com, phill@myemail.com, admin@myhosteddomain) <admin@myhosteddomain> SRS=<SRS0=jlNrP=QA=myhosteddomain=admin@myemail.com> R=virtual_aliases_nostar T=jailed_virtual_address_pipe
    2016-04-05 14:11:15 1anQlG-0004qD-LD Completed
     
    #4 phillbooth, Apr 6, 2016
    Last edited: Apr 6, 2016
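
Added example (not part of the thread and not cPanel's or Exim's code): a log check for the pattern shown in the posts above, where an arrival line in exim_mainlog has an envelope sender that is also a recipient and the remote host never authenticated. It assumes Exim's default main-log field layout; the sample lines, addresses, message IDs and function names are constructed for illustration.

```python
import re

# Constructed sample in Exim's default main-log format (not lines from the thread).
SAMPLE_LOG = [
    '2016-04-05 14:11:15 1aaaaa-000001-AA <= admin@example.com H=([192.0.2.10]) '
    '[192.0.2.10]:23075 P=esmtp S=3362 T="Profit for you" for admin@example.com',
    '2016-04-05 14:11:15 1aaaaa-000001-AA => phill <admin@example.com> '
    'R=virtual_user T=virtual_userdelivery',
    '2016-04-05 14:12:01 1aaaaa-000002-BB <= admin@example.com H=(laptop) '
    '[198.51.100.7]:50514 P=esmtpsa A=dovecot_login:admin@example.com S=901 '
    'T="note to self" for admin@example.com',
    '2016-04-05 14:13:40 1aaaaa-000003-CC <= news@example.org H=mail.example.org '
    '[203.0.113.5]:41000 P=esmtps S=5120 T="Newsletter" for admin@example.com',
]

ARRIVAL = re.compile(r'^(\S+ \S+) (\S+) <= (\S+) (.*)$')
SUBJECT = re.compile(r'(?<=\s)T="(?:[^"\\]|\\.)*"')   # sender-controlled text
PEER_IP = re.compile(r'(?<!\()\[([0-9A-Fa-f:.]+)\]')  # skips the "(HELO)" copy
AUTH = re.compile(r'(?<=\s)A=(\S+)')                  # logged only after SMTP AUTH

def parse_arrival(line):
    """Return the fields of a "<=" (message received) line, or None."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    when, msg_id, sender, rest = m.groups()
    rest = SUBJECT.sub('', rest)   # drop the subject so " for " inside it is ignored
    fields, _, rcpts = rest.partition(' for ')
    ip, auth = PEER_IP.search(fields), AUTH.search(fields)
    return {'when': when, 'id': msg_id, 'sender': sender.lower(),
            'ip': ip.group(1) if ip else None,
            'auth': auth.group(1) if auth else None,
            'rcpts': {r.lower() for r in rcpts.split()}}

def self_addressed_unauthenticated(lines, local_ips=('127.0.0.1', '::1')):
    """Arrivals whose envelope sender is also a recipient, accepted from a
    remote host that never authenticated."""
    hits = []
    for line in lines:
        rec = parse_arrival(line)
        if rec is None or rec['ip'] is None or rec['ip'] in local_ips:
            continue                      # not an arrival, or locally submitted
        if rec['auth'] is None and rec['sender'] in rec['rcpts']:
            hits.append(rec)
    return hits

if __name__ == '__main__':
    for rec in self_addressed_unauthenticated(SAMPLE_LOG):
        print(rec['when'], rec['id'], rec['ip'], rec['sender'])
```

Each returned message ID can then be passed to `exigrep` to see how that message was routed and delivered.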
  5. cPanelMichael

    Please browse to "WHM >> Service Configuration >> Exim Configuration Manager >> Basic Editor" and verify the following option is enabled:

    "Reject SPF failures"

    Thank you.
     
  6. phillbooth

    Hello, yes this is switched on.
     
  7. phillbooth

    I have noticed that these are coming in on the catch-all / Default Address, looking at all the affected accounts.
     
  8. cPanelMichael

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     