The Community Forums


How did this even get to my server

Discussion in 'E-mail Discussions' started by keat63, Feb 11, 2015.

  1. keat63

    keat63 Well-Known Member

    I found a reject this morning and wondered how it even got to my server.
    Any ideas?

    Code:
    Event: rejected rejected
    User: -remote-
    Domain:
    Sender: iiigeehx@spammer.com
    Sent Time: Feb 11, 2015 5:39:05 AM
    Sender Host: static.153.7.9.176.clients.your-server.de
    Sender IP: 182.72.137.226
    Authentication: unauthorized
    Spam Score:
    Recipient: rnicol@notmydomain.co.uk
    Delivered To:
    Delivery User:
    Delivery Domain: notmydomain.co.uk
    Router: reject
    Transport: **rejected**
    Out Time: Feb 11, 2015 5:39:05 AM
    ID: 1YLQ1m-00012R-9q
    Delivery Host: static.153.7.9.176.clients.your-server.de
    Delivery IP: 182.72.137.226
    Size: 0 bytes
    Result: JunkMail rejected - (static.153.7.9.176.clients.your-server.de) [182.72.137.226]:3995 is in an RBL.


    Also found this in Exim Main Log:

    Code:
    2015-02-11 05:38:48 SMTP connection from [182.72.137.226]:3995 (TCP/IP connection count = 1)
    2015-02-11 05:38:49 no IP address found for host nsg-static-226.137.72.182.airtel.in (during SMTP connection from [182.72.137.226]:3995)
     
    #1 keat63, Feb 11, 2015
    Last edited: Feb 11, 2015
  2. casey

    casey Well-Known Member

    Probably a BCC.
     
  3. keat63

    keat63 Well-Known Member

    I never thought of that. Doh.
    I'll experiment later.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Feel free to let us know the outcome after testing.

    Thank you.
     
  5. keat63

    keat63 Well-Known Member

    OK. I don't think it was a BCC.

    I've just modified an email client to use a spoofed sender address.
    I sent an email to my Gmail account, and then BCC'd a non-existent email address on the domain.
    This hit the server and was bounced, but it clearly has my domain in the headers.

    In the headers above, there is no reference to my domain at all.
    Code:
    Event: rejected rejected
    User: -remote-
    Domain:
    Sender: me@spoofed-sender.com - this was my spoofed sender.
    Sent Time: Feb 12, 2015 3:12:15 PM
    Sender Host: tkt-001-i390.relay.mailchannels.net
    Sender IP: xx.xx.xx.xxx
    Authentication: unauthorized
    Spam Score:
    Recipient: dave@mydomain.com - this is my non existent email user
    Delivered To:
    Delivery User: mydomain
    Delivery Domain: mydomain.com
    Router: reject
    Transport: **rejected**
    Out Time: Feb 12, 2015 3:12:15 PM
    ID: 1YLvRa-000Dic-02
    Delivery Host: tkt-001-i390.relay.mailchannels.net
    Delivery IP: xx.xx.xx.xxx
    Size: 0 bytes
    Result: No such person at this address.

    I know that the original was rejected (quite rightly so) but I'm confused how it even got in to my server in the first place.
     
    #5 keat63, Feb 12, 2015
    Last edited: Feb 12, 2015
  6. keat63

    keat63 Well-Known Member

    Using dnsstuff.com, I recreated the same scenario.
    dnsstuff.com never once asked me for an email address when it performed these tests.
    So if dnsstuff can do it, hackers and spammers certainly can.
    Maybe the one I was concerned with was a relay attempt?

    Code:
    Event: rejected rejected
    User: -remote-
    Domain:
    Sender: dnsstufftools@dnsstuff.com
    Sent Time: Feb 12, 2015 2:28:14 PM
    Sender Host: adf-b.dnsstuff.com
    Sender IP: 74.115.12.14
    Authentication: unauthorized
    Spam Score:
    Recipient: open.relay@example.com
    Delivered To:
    Delivery User:
    Delivery Domain: example.com
    Router: reject
    Transport: **rejected**
    Out Time: Feb 12, 2015 2:28:14 PM
    ID: 1YLul3-000D7A-s3
    Delivery Host: adf-b.dnsstuff.com
    Delivery IP: 74.115.12.14
    Size: 0 bytes
    Result: Please turn on SMTP Authentication in your mail client. adf-b.dnsstuff.com (dnsstuff.com) [74.115.12.14]:50416 is not permitted to relay through this server without authentication. 
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Users can still attempt SMTP connections to your server. The logs are simply showing you that the SMTP connection attempt was rejected.

    You have to block the IP address in your firewall if you want to block the connection request itself.

    Thank you.
     
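The records in this thread all share one property: the recipient domain was never a mailbox on the server, so Exim rejected the message at SMTP time (RBL hit, relay refused, or no such user). The following Python is an added example, not code from the thread or from cPanel, that parses reports in the format posted above and separates relay probes from rejections for genuinely local addresses. The local-domain list and the third Sender IP are assumed placeholders.

```python
import re

# Domains this server hosts (assumed for this example).
LOCAL_DOMAINS = {"mydomain.com"}

# Constructed from the thread's report format; the third Sender IP is a placeholder.
SAMPLE_REPORT = """\
Sender IP: 182.72.137.226
Recipient: rnicol@notmydomain.co.uk
Delivery Domain: notmydomain.co.uk
Result: JunkMail rejected - (static.153.7.9.176.clients.your-server.de) [182.72.137.226]:3995 is in an RBL.

Sender IP: 74.115.12.14
Recipient: open.relay@example.com
Delivery Domain: example.com
Result: Please turn on SMTP Authentication in your mail client. adf-b.dnsstuff.com (dnsstuff.com) [74.115.12.14]:50416 is not permitted to relay through this server without authentication.

Sender IP: 192.0.2.10
Recipient: dave@mydomain.com
Delivery Domain: mydomain.com
Result: No such person at this address.
"""

def parse_report(text):
    """Split blank-line-separated 'Field: value' blocks into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def reject_reason(rec):
    """Map the free-text Result line to a short reason code."""
    result = rec.get("Result", "")
    if "is in an RBL" in result:
        return "rbl"
    if "not permitted to relay" in result:
        return "relay_attempt"
    if "No such person" in result:
        return "unknown_local_user"
    return "other"

def is_relay_probe(rec):
    """True when the recipient domain is not hosted here: the remote host asked us to relay."""
    return rec.get("Delivery Domain", "") not in LOCAL_DOMAINS

def relay_probe_ips(text):
    """Remote IPs that tried to relay; candidates for a firewall block as advised above."""
    return sorted({r["Sender IP"] for r in parse_report(text) if is_relay_probe(r)})
```

Note that the first record is both an RBL hit and a relay probe: the RBL check fired first, but the recipient domain was never local either way.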