Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

How to find the source of this email

Discussion in 'E-mail Discussion' started by psytanium, May 15, 2019.

  1. psytanium

    psytanium Well-Known Member

    Joined:
    Jun 6, 2014
    Messages:
    165
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Lebanon
    cPanel Access Level:
    Root Administrator
    Hello,

    I always receive spams with nonsense content, I block or delete it, but I would like to know the source of the sender of this email:

    Code:
    Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from server.mydomain.com
by server.mydomain.com with LMTP
id 6AhZMzKy21zIcAAAAm/+cA
(envelope-from <[email protected]>)
for <[email protected]>; Wed, 15 May 2019 09:31:14 +0300
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 15 May 2019 09:31:14 +0300
Received: from [154.126.169.202] (port=30621)
by server.mydomain.com with esmtp (Exim 4.91)
(envelope-from <[email protected]>)
id 1hQnRa-0007pT-HC
for [email protected]; Wed, 15 May 2019 09:31:14 +0300
Message-ID: <[email protected]>
Date: Wed, 15 May 2019 07:33:49 +0000
From: <[email protected]>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20110812 Thunderbird/6.0
MIME-Version: 1.0
To: <[email protected]>
Subject: Frauders known your old passwords. Access data must be changed.
Content-Type: text/plain; charset=CP-850; format=flowed
Content-Transfer-Encoding: 8bit

    Is it coming from my server ?
     
    #1 psytanium, May 15, 2019
    Last edited by a moderator: May 15, 2019
  2. m.eid

    m.eid Well-Known Member

    Joined:
    Jun 4, 2014
    Messages:
    53
    Likes Received:
    7
    Trophy Points:
    83
    Location:
    Jordan
    cPanel Access Level:
    Root Administrator
    Twitter:
    I've received such that many times received to my clients signed by their domains as both sender and receivers, actually I've searched hard about that, they may using a hole in a script in your host, where they will say they had hacked your email but just ignore them and scan your host and apps there to find any vulnerabilities.
     
    #2 m.eid, May 15, 2019
  3. psytanium

    psytanium Well-Known Member

    Joined:
    Jun 6, 2014
    Messages:
    165
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Lebanon
    cPanel Access Level:
    Root Administrator
    But here should be a way to know where is it coming from, maybe by searching the exim log using a query in a command.
     
    #3 psytanium, May 15, 2019
  4. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,294
    Likes Received:
    91
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Do you recognise 154.126.169.202
     
    #4 keat63, May 15, 2019
  5. psytanium

    psytanium Well-Known Member

    Joined:
    Jun 6, 2014
    Messages:
    165
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Lebanon
    cPanel Access Level:
    Root Administrator
    Not any of my server IPs, my computer IP.
     
    #5 psytanium, May 15, 2019
  6. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,473
    Likes Received:
    505
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    The exim configuration setting as follows should allow the from header to be rewritten according to the actual sender:
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 cPanelLauren, May 16, 2019
  7. psytanium

    psytanium Well-Known Member

    Joined:
    Jun 6, 2014
    Messages:
    165
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Lebanon
    cPanel Access Level:
    Root Administrator
    Thank you I changed the Rewrite From: header to match actual sender to All
     
    #7 psytanium, May 17, 2019
  8. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,294
    Likes Received:
    91
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Does 'EXPERIMENTAL: Rewrite From: header to match actual sender' have any effect on inbound traffic.
    I read elsewhere that this only affects outbound emails.
     
    #8 keat63, May 17, 2019
    psytanium likes this.
  9. psytanium

    psytanium Well-Known Member

    Joined:
    Jun 6, 2014
    Messages:
    165
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Lebanon
    cPanel Access Level:
    Root Administrator
    Good question
     
    #9 psytanium, May 17, 2019
  10. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,473
    Likes Received:
    505
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #10 cPanelLauren, May 17, 2019
  11. psytanium

    psytanium Well-Known Member

    Joined:
    Jun 6, 2014
    Messages:
    165
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Lebanon
    cPanel Access Level:
    Root Administrator
    The IP is not related to my PC or server.
     
    #11 psytanium, May 17, 2019
  12. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,473
    Likes Received:
    505
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    In that case the exim filter info I linked might be useful, but it could be cumbersome to implement
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #12 cPanelLauren, May 17, 2019
(You must log in or sign up to post here.)
Loading...
Similar Threads - find source email
  1. martin MHC

    Excessive Resource usage by PHP : How to find the exact cause?

    martin MHC, Oct 5, 2017, in forum: General Discussion
    Replies:
    9
    Views:
    3,620
    cPanelMichael
    Oct 10, 2017
  2. Logesh K

    How to find which account is crawled by Bots?

    Logesh K, Jul 7, 2019, in forum: Workarounds and Optimization
    Replies:
    2
    Views:
    148
    Logesh K
    Jul 17, 2019 at 12:33 PM
  3. martin MHC

    How to find/list data on all server users

    martin MHC, Jul 5, 2019, in forum: General Discussion
    Replies:
    10
    Views:
    376
    cPanelLauren
    Jul 9, 2019
  4. stronciy

    Find email that generated massive POP3 traffic

    stronciy, Jul 4, 2019, in forum: E-mail Discussion
    Replies:
    3
    Views:
    217
    cPanelLauren
    Jul 5, 2019
  5. Michael-Inet

    upcp error - "E [/usr/local/cpanel/scripts/find_outdated_services] "

    Michael-Inet, Jun 26, 2019, in forum: General Discussion
    Replies:
    1
    Views:
    204
    cPanelMichael
    Jun 27, 2019

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice