How to find the source of this email

Discussion in 'E-mail Discussion' started by psytanium, May 15, 2019.

  1. psytanium

    Hello,

    I always receive spam with nonsense content. I block or delete it, but I would like to know the source of the sender of this email:

    Code:
    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: from server.mydomain.com
    by server.mydomain.com with LMTP
    id 6AhZMzKy21zIcAAAAm/+cA
    (envelope-from <[email protected]>)
    for <[email protected]>; Wed, 15 May 2019 09:31:14 +0300
    Return-path: <[email protected]>
    Envelope-to: [email protected]
    Delivery-date: Wed, 15 May 2019 09:31:14 +0300
    Received: from [154.126.169.202] (port=30621)
    by server.mydomain.com with esmtp (Exim 4.91)
    (envelope-from <[email protected]>)
    id 1hQnRa-0007pT-HC
    for [email protected]; Wed, 15 May 2019 09:31:14 +0300
    Message-ID: <[email protected]>
    Date: Wed, 15 May 2019 07:33:49 +0000
    From: <[email protected]>
    User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20110812 Thunderbird/6.0
    MIME-Version: 1.0
    To: <[email protected]>
    Subject: Frauders known your old passwords. Access data must be changed.
    Content-Type: text/plain; charset=CP-850; format=flowed
    Content-Transfer-Encoding: 8bit

    Is it coming from my server?
     
    #1 psytanium, May 15, 2019
    Last edited by a moderator: May 15, 2019
  2. m.eid

    I've seen this many times: messages received by my clients, signed with their own domains as both sender and receiver. I've searched hard about that; they may be using a hole in a script on your host. They will say they have hacked your email, but just ignore them and scan your host and the apps there to find any vulnerabilities.
     
  3. psytanium

    But there should be a way to know where it is coming from, maybe by searching the exim log using a query in a command.
     
  4. keat63

    Do you recognise 154.126.169.202?
     
  5. psytanium

    Not any of my server IPs, my computer IP.
     
  6. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    The exim configuration setting as follows should allow the from header to be rewritten according to the actual sender:
     
  7. psytanium

    Thank you, I changed "Rewrite From: header to match actual sender" to All.
     
  8. keat63

    Does 'EXPERIMENTAL: Rewrite From: header to match actual sender' have any effect on inbound traffic?
    I read elsewhere that this only affects outbound emails.
     
  9. psytanium

    Good question
     
  10. cPanelLauren

  11. psytanium

    The IP is not related to my PC or server.
     
  12. cPanelLauren

    In that case the exim filter info I linked might be useful, but it could be cumbersome to implement
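
Added example, not part of any post in this thread: a Python sketch that walks the Received headers from the first post, newest first, and reports the hop where the message first reached the server, which answers whether it was sent from the server itself. The placeholder recipient address, the `entry_hop` name and the `my_hosts`/`my_ips` parameters are assumptions; the sample is constructed from the posted headers.

```python
import email
import re

# Constructed sample: the two Received headers from the first post, with the
# redacted recipient replaced by a placeholder address.
SAMPLE = (
    "Received: from server.mydomain.com\n"
    " by server.mydomain.com with LMTP\n"
    " id 6AhZMzKy21zIcAAAAm/+cA\n"
    " for <user@example.com>; Wed, 15 May 2019 09:31:14 +0300\n"
    "Received: from [154.126.169.202] (port=30621)\n"
    " by server.mydomain.com with esmtp (Exim 4.91)\n"
    " id 1hQnRa-0007pT-HC\n"
    " for user@example.com; Wed, 15 May 2019 09:31:14 +0300\n"
    "Subject: constructed sample\n\n"
)

HOP = re.compile(r"from\s+(?P<peer>\S+).*?\bby\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)"
                 r".*?\bid\s+(?P<id>\S+)")
IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def entry_hop(raw_headers, my_hosts, my_ips):
    """Return the hop where the message first reached one of our own hosts."""
    msg = email.message_from_string(raw_headers)
    for value in msg.get_all("Received", []):   # newest hop first
        line = " ".join(value.split())           # undo header folding
        m = HOP.search(line)
        if not m or m["by"] not in my_hosts:
            break          # hops below this were not written by our server
        ip = IP.search(line)
        peer_ip = ip.group(1) if ip else None
        if m["peer"] in my_hosts or peer_ip in my_ips:
            continue       # internal hand-off (e.g. Exim to LMTP delivery)
        proto = m["proto"].lower()
        return {
            "peer_ip": peer_ip,
            "exim_id": m["id"],
            "protocol": proto,
            # Exim records esmtpa / esmtpsa when the SMTP session authenticated
            "authenticated": proto in ("esmtpa", "esmtpsa"),
            # "local" means submission on the server itself (script, cron)
            "local_submission": proto == "local",
        }
    return None
```

For the posted headers this reports peer 154.126.169.202 over unauthenticated `esmtp`, so the message arrived from outside rather than being submitted on the server. The returned Exim ID can then be looked up in the mail log, for example with `exigrep 1hQnRa-0007pT-HC /var/log/exim_mainlog` on a cPanel server.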