Help with spam sent to self

phillbooth

cPanel Access Level
Root Administrator
Hello, I have seen this kind of spam for a number of accounts on my cPanel server now, where the spam email is sent "From" an email address to the same email address. In this case [email protected] only exists as a forwarder. Also, SPF and DKIM are set up on this domain, with Exim set to reject SPF failures. The sender IP is 181.176.43.44, which is not on the SPF but is blacklisted on the RBL zen.spamhaus.org, which is set to on.

So how are they doing it? Is my server hacked, or is cPanel/Exim just not checking SPF/IPs for internal email?

Code:
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Tue, 05 Apr 2016 14:11:15 +0100
Received: from [181.176.43.44] (port=23075)
    by mycpanelserver.com with esmtp (Exim 4.86_1)
    (envelope-from <[email protected]>)
    id 1anQlG-0004qD-LD
    for [email protected]; Tue, 05 Apr 2016 14:11:15 +0100
Message-ID: <[email protected]>
From: <[email protected]>
To: <[email protected]>
Subject: Make 30% profit every 15 minutes.
Date: 5 Apr 2016 01:43:32 -0600
MIME-Version: 1.0
Content-type: multipart/alternative;
boundary="---09907CF940E515C55CB0358C29D90990"
X-Mailer: Uqpkcn pqnsbp
X-From-Rewrite: unmodified, forwarded message

This is a multi-part message in MIME format.
-----09907CF940E515C55CB0358C29D90990
Content-type: text/plain;
charset="iso-8859-1"
Content-transfer-encoding: quoted-printable
 

cPanelMichael

Administrator
Staff member
Hello :)

Could you post the corresponding entry for this message from /var/log/exim_mainlog? EX:

Code:
exigrep MSGID /var/log/exim_mainlog
Thank you.
 

calvinphanctt

Hello,

I got the same problem! Someone uses my email to email me, for example: From: [email protected] To: [email protected], with an advertisement like the one below:

- Removed -

Please show me how to fix this problem!
Thank you very much!

Sincerely,
Calvin
 

phillbooth

Hello :)

Could you post the corresponding entry for this message from /var/log/exim_mainlog? EX:

Code:
exigrep MSGID /var/log/exim_mainlog
Thank you.
Thanks

Code:
exigrep 578251831008526853087067 /var/log/exim_mainlog
2016-04-05 14:11:15 1anQlG-0004qD-LD H=([181.176.43.44]) [181.176.43.44]:23075 Warning: Message has been scanned: no virus or other harmful content was found
2016-04-05 14:11:15 1anQlG-0004qD-LD <= [email protected] H=([181.176.43.44]) [181.176.43.44]:23075 P=esmtp S=3362 [email protected] T="Make 30% profit every 15 minutes." for [email protected]
2016-04-05 14:11:15 1anQlG-0004qD-LD SMTP connection identification D=myhosteddomain [email protected] [email protected] M=1anQlG-0004qD-LD U=alternat ID=1000 B=redirect_resolver
2016-04-05 14:11:15 1anQlG-0004qD-LD => phill ([email protected], [email protected]) <[email protected]> R=virtual_user T=virtual_userdelivery
2016-04-05 14:11:15 1anQlG-0004qD-LD => |/usr/local/cpanel/bin/autorespond [email protected] /home/runtime/.autorespond ([email protected], [email protected], [email protected]) <[email protected]> SRS=<[email protected]> R=virtual_aliases_nostar T=jailed_virtual_address_pipe
2016-04-05 14:11:15 1anQlG-0004qD-LD Completed
 
Last edited:
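
To find other messages shaped like the one in the mainlog excerpt above (envelope sender equal to a recipient, received from a remote IP with no `A=` authenticator), the `<=` arrival lines can be scanned as below. This is an added example, not part of the original thread; the sample log lines, addresses, message IDs and IPs are constructed placeholders.

```python
import re

# Constructed sample lines in Exim mainlog "<=" (message arrival) format.
# Addresses, message IDs and IPs are placeholders, not values from the thread.
SAMPLE_LOG = """\
2016-04-05 14:11:15 1aaaaa-000001-AA <= user@example.com H=([203.0.113.9]) [203.0.113.9]:23075 P=esmtp S=3362 id=x1@example.com T="Make profit" for user@example.com
2016-04-05 14:12:02 1aaaaa-000002-BB <= user@example.com H=(laptop) [198.51.100.7]:50122 P=esmtpsa A=dovecot_login:user@example.com S=901 T="Notes" for user@example.com
2016-04-05 14:13:40 1aaaaa-000003-CC <= alice@example.org H=mail.example.org [192.0.2.25]:41000 P=esmtps S=2210 T="Hi" for user@example.com
2016-04-05 14:14:09 1aaaaa-000004-DD <= user@example.com U=user P=local S=512 T="Cron" for user@example.com
"""

ARRIVAL = re.compile(r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
SUBJECT = re.compile(r' T="(?:[^"\\]|\\.)*"')   # quoted subject, may contain anything
REMOTE_IP = re.compile(r"\[(?P<ip>[0-9a-fA-F:.]+)\]:\d+")
AUTH = re.compile(r"(?:^| )A=\S+")               # present only for SMTP AUTH
RCPTS = re.compile(r" for (?P<rcpts>.+)$")


def find_self_spoofed(log_text):
    """Return arrivals where an unauthenticated remote host used a
    recipient's own address as the envelope sender."""
    hits = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue
        # Drop the subject first so its text cannot be mistaken for log fields.
        rest = SUBJECT.sub("", m["rest"])
        ip = REMOTE_IP.search(rest)
        rcpts = RCPTS.search(rest)
        if not ip or not rcpts:
            continue  # local submission (U=... P=local) or unexpected layout
        if AUTH.search(rest):
            continue  # the account owner logged in and mailed themselves
        sender = m["sender"].lower()
        if sender in (r.lower() for r in rcpts["rcpts"].split()):
            hits.append({"time": m["ts"], "msgid": m["msgid"],
                         "sender": sender, "ip": ip["ip"]})
    return hits


if __name__ == "__main__":
    for hit in find_self_spoofed(SAMPLE_LOG):
        print(hit["time"], hit["msgid"], hit["sender"], "from", hit["ip"])
```

Each message ID it reports can then be passed to `exigrep` to pull the full delivery history for that message.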

cPanelMichael

Please browse to "WHM >> Service Configuration >> Exim Configuration Manager >> Basic Editor" and verify the following option is enabled:

"Reject SPF failures"

Thank you.
 

cPanelMichael

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.