Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

How to find the source of this email

Discussion in 'E-mail Discussion' started by psytanium, May 15, 2019.

  1. psytanium

    psytanium Well-Known Member

    Joined:
    Jun 6, 2014
    Messages:
    147
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    Lebanon
    cPanel Access Level:
    Root Administrator
    Hello,

    I always receive spams with nonsense content, I block or delete it, but I would like to know the source of the sender of this email:

    Code:
    Return-Path: <mailer-daemon@server.mydomain.com>
Delivered-To: me@mydomain.com
Received: from server.mydomain.com
by server.mydomain.com with LMTP
id 6AhZMzKy21zIcAAAAm/+cA
(envelope-from <mailer-daemon@server.mydomain.com>)
for <me@mydomain.com>; Wed, 15 May 2019 09:31:14 +0300
Return-path: <mailer-daemon@server.mydomain.com>
Envelope-to: mailer-daemon@server.mydomain.com
Delivery-date: Wed, 15 May 2019 09:31:14 +0300
Received: from [154.126.169.202] (port=30621)
by server.mydomain.com with esmtp (Exim 4.91)
(envelope-from <mailer-daemon@server.mydomain.com>)
id 1hQnRa-0007pT-HC
for mailer-daemon@server.mydomain.com; Wed, 15 May 2019 09:31:14 +0300
Message-ID: <5CDBC0DD.9040000@server.mydomain.com>
Date: Wed, 15 May 2019 07:33:49 +0000
From: <mailer-daemon@server.mydomain.com>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20110812 Thunderbird/6.0
MIME-Version: 1.0
To: <mailer-daemon@server.mydomain.com>
Subject: Frauders known your old passwords. Access data must be changed.
Content-Type: text/plain; charset=CP-850; format=flowed
Content-Transfer-Encoding: 8bit

    Is it coming from my server ?
     
    #1 psytanium, May 15, 2019
    Last edited by a moderator: May 15, 2019
  2. m.eid

    m.eid Active Member

    Joined:
    Jun 4, 2014
    Messages:
    31
    Likes Received:
    5
    Trophy Points:
    83
    Location:
    Jordan
    cPanel Access Level:
    Root Administrator
    Twitter:
    I've received such that many times received to my clients signed by their domains as both sender and receivers, actually I've searched hard about that, they may using a hole in a script in your host, where they will say they had hacked your email but just ignore them and scan your host and apps there to find any vulnerabilities.
     
    #2 m.eid, May 15, 2019
  3. psytanium

    psytanium Well-Known Member

    Joined:
    Jun 6, 2014
    Messages:
    147
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    Lebanon
    cPanel Access Level:
    Root Administrator
    But here should be a way to know where is it coming from, maybe by searching the exim log using a query in a command.
     
    #3 psytanium, May 15, 2019
  4. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,209
    Likes Received:
    77
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Do you recognise 154.126.169.202
     
    #4 keat63, May 15, 2019
  5. psytanium

    psytanium Well-Known Member

    Joined:
    Jun 6, 2014
    Messages:
    147
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    Lebanon
    cPanel Access Level:
    Root Administrator
    Not any of my server IPs, my computer IP.
     
    #5 psytanium, May 15, 2019
  6. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,815
    Likes Received:
    443
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    The exim configuration setting as follows should allow the from header to be rewritten according to the actual sender:
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 cPanelLauren, May 16, 2019
  7. psytanium

    psytanium Well-Known Member

    Joined:
    Jun 6, 2014
    Messages:
    147
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    Lebanon
    cPanel Access Level:
    Root Administrator
    Thank you I changed the Rewrite From: header to match actual sender to All
     
    #7 psytanium, May 17, 2019
  8. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,209
    Likes Received:
    77
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Does 'EXPERIMENTAL: Rewrite From: header to match actual sender' have any effect on inbound traffic.
    I read elsewhere that this only affects outbound emails.
     
    #8 keat63, May 17, 2019
    psytanium likes this.
  9. psytanium

    psytanium Well-Known Member

    Joined:
    Jun 6, 2014
    Messages:
    147
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    Lebanon
    cPanel Access Level:
    Root Administrator
    Good question
     
    #9 psytanium, May 17, 2019
  10. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,815
    Likes Received:
    443
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #10 cPanelLauren, May 17, 2019
  11. psytanium

    psytanium Well-Known Member

    Joined:
    Jun 6, 2014
    Messages:
    147
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    Lebanon
    cPanel Access Level:
    Root Administrator
    The IP is not related to my PC or server.
     
    #11 psytanium, May 17, 2019
  12. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,815
    Likes Received:
    443
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    In that case the exim filter info I linked might be useful, but it could be cumbersome to implement
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #12 cPanelLauren, May 17, 2019
(You must log in or sign up to post here.)
Loading...
Similar Threads - find source email
  1. martin MHC

    Excessive Resource usage by PHP : How to find the exact cause?

    martin MHC, Oct 5, 2017, in forum: General Discussion
    Replies:
    9
    Views:
    3,381
    cPanelMichael
    Oct 10, 2017
  2. martin MHC

    SOLVED How to find the version of Spam Assassin?

    martin MHC, May 16, 2019, in forum: E-mail Discussion
    Replies:
    2
    Views:
    229
    martin MHC
    May 16, 2019
  3. sgfreshidea

    Backup configured but can't find directory or how to force backup

    sgfreshidea, May 6, 2019, in forum: Data Protection
    Replies:
    1
    Views:
    127
    cPanelMichael
    May 7, 2019
  4. Tolomir

    Missing Emails after finding malicious software

    Tolomir, May 3, 2019, in forum: E-mail Discussion
    Replies:
    1
    Views:
    341
    cPanelMichael
    May 7, 2019
  5. ccw

    How to Find the IP Blocked by the Firewall in WHM?

    ccw, Apr 20, 2019, in forum: Security
    Replies:
    5
    Views:
    378
    cPanelLauren
    Apr 22, 2019

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice