How to find the source of this email

[psytanium]

Hello,

I always receive spams with nonsense content, I block or delete it, but I would like to know the source of the sender of this email:

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from server.mydomain.com
by server.mydomain.com with LMTP
id 6AhZMzKy21zIcAAAAm/+cA
(envelope-from <[email protected]>)
for <[email protected]>; Wed, 15 May 2019 09:31:14 +0300
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 15 May 2019 09:31:14 +0300
Received: from [154.126.169.202] (port=30621)
by server.mydomain.com with esmtp (Exim 4.91)
(envelope-from <[email protected]>)
id 1hQnRa-0007pT-HC
for [email protected]; Wed, 15 May 2019 09:31:14 +0300
Message-ID: <[email protected]>
Date: Wed, 15 May 2019 07:33:49 +0000
From: <[email protected]>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20110812 Thunderbird/6.0
MIME-Version: 1.0
To: <[email protected]>
Subject: Frauders known your old passwords. Access data must be changed.
Content-Type: text/plain; charset=CP-850; format=flowed
Content-Transfer-Encoding: 8bit

Is it coming from my server ?

 

[m.eid]

I've received such that many times received to my clients signed by their domains as both sender and receivers, actually I've searched hard about that, they may using a hole in a script in your host, where they will say they had hacked your email but just ignore them and scan your host and apps there to find any vulnerabilities.

 

[psytanium]

But here should be a way to know where is it coming from, maybe by searching the exim log using a query in a command.

 

[keat63]

Do you recognise 154.126.169.202

 

[psytanium]

Do you recognise 154.126.169.202

Not any of my server IPs, my computer IP.

 

[cPanelLauren]

The exim configuration setting as follows should allow the from header to be rewritten according to the actual sender:

EXPERIMENTAL: Rewrite From: header to match actual sender
If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected.

 

[psytanium]

Thank you I changed the Rewrite From: header to match actual sender to All

 

[keat63]

Does 'EXPERIMENTAL: Rewrite From: header to match actual sender' have any effect on inbound traffic.
I read elsewhere that this only affects outbound emails.

 

[psytanium]

Good question

 

[cPanelLauren]

@keat63 you're right: How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

This whole time I'd thought it was doing both!

This becomes a bit more complicated with email that originates remotely:

Exim filter to rewrite 'From' address on certain incoming mail

Not any of my server IPs, my computer IP.

Are you saying that it is your computer's IP or it isn't any IP in relation to you?

 

[psytanium]

The IP is not related to my PC or server.

 

[cPanelLauren]

In that case the exim filter info I linked might be useful, but it could be cumbersome to implement