The Community Forums


Is this correct EXIM IP address behaviour?

Discussion in 'E-mail Discussions' started by SpinIT, Jan 8, 2015.

  1. SpinIT

    SpinIT Member

    Joined:
    Jan 8, 2015
    cPanel Access Level:
    Root Administrator
    We had an issue where an email account was compromised due to a weak password and used to send out spam. However, we found it strange that the IP address that ended up on blacklists was not the one that should have been sending the spam emails.

    For example,
    email@account.com was used to authenticate
    host.server.com is the server on IP xxx.xxx.xxx.123
    account.com was on IP xxx.xxx.xxx.456

    We had the Exim setting enabled to send from the domain's IP address, and can confirm that was working from the email headers when we tested. (Email sent normally from Outlook or SquirrelMail was sent from .456.)

    During the spam attack they authenticated with email@account.com, and spoofed the email headers so it looked like spam was coming from info@host.server.com instead of the account that was used to authenticate.

    The IP address .123 ended up on the RBL black lists, and not .456.

    Is that how it should have worked? Shouldn't Exim have been sending mail from .456, since that's the IP of the domain the authenticating email account was on when creating the emails? Or can they just spoof the sending IP anyway?

    What do you think?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    cPanel Access Level:
    Root Administrator
    Hello :)

    It depends on how the specific blacklist determined the offending IP address. It's possible that it used the IP address associated with the hostname of the mail server. You can check the message headers after sending a test message from the account to verify which IP address is used for sending.

    Thank you.
     
  3. SpinIT

    SpinIT Member

    Joined:
    Jan 8, 2015
    cPanel Access Level:
    Root Administrator
    Fair enough; strange if the blacklists block the hostname, though, since most servers seem to check against the sending IP address. That would mean I could just have no accounts using the hostname IP and the spammer wouldn't actually get blocked.

    When I did a test email from the "hacked" account I verified that .456 showed up as the sender IP.

    Weird stuff!
     
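As an added illustration of the check cPanelMichael suggests (read the headers the receiving server recorded) and of SpinIT's point that receivers go by the connecting IP rather than by what the message claims: the script below is example code written for this page, not cPanel's or Exim's own code. The message it parses is constructed, using documentation address ranges: 203.0.113.123 stands in for the server hostname's IP (".123" in the thread), 203.0.113.200 for the dedicated IP of account.com (".456"), and 198.51.100.7 for the spammer's bot. The sample assumes, as the original post reports, that the outbound connection to the recipient arrived from the hostname's IP; the script does not explain why Exim chose that address, it only shows how to read which one was used and how that differs from the forged From: line.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of what the recipient's mail server would have stored.
# The top Received: header was added by the recipient's MX and records the IP
# that actually connected to it; the second was added by the cPanel server
# (Exim) when the bot authenticated as email@account.com. Both the hostnames
# and the IPs are illustrative, not real hosts.
SAMPLE_MESSAGE = """\
Received: from host.server.com (host.server.com [203.0.113.123])
    by mx.example.net (Postfix) with ESMTPS id 4AB12C
    for <victim@example.net>; Thu, 8 Jan 2015 10:12:01 +0000 (UTC)
Received: from [198.51.100.7] (port=51234 helo=bot)
    by host.server.com with esmtpsa (Exim 4.82)
    (envelope-from <email@account.com>)
    id 1Y9Abc-0001Xy-Qz
    for <victim@example.net>; Thu, 8 Jan 2015 10:12:00 +0000
From: "Support" <info@host.server.com>
To: victim@example.net
Subject: constructed sample, not a real message
Message-ID: <constructed-0001@host.server.com>

Nothing to see here.
"""

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ENVELOPE_FROM_RE = re.compile(r"envelope-from\s+<([^>]+)>", re.IGNORECASE)


def received_ips(msg):
    """IPs recorded in Received: headers, outermost (most recent hop) first."""
    ips = []
    for value in msg.get_all("Received", []):
        match = IPV4_RE.search(value)
        if match:
            ips.append(match.group(1))
    return ips


def connecting_ip(msg):
    """The IP that connected to the recipient MX. Each hop prepends its own
    Received: header, so the first one was written by the receiver itself and
    cannot be forged by the sender the way From: can. None if no header."""
    ips = received_ips(msg)
    return ips[0] if ips else None


def envelope_from(msg):
    """Envelope sender as recorded in an Exim-style Received: header, if any."""
    for value in msg.get_all("Received", []):
        match = ENVELOPE_FROM_RE.search(value)
        if match:
            return match.group(1)
    return None


def check_sending_ip(raw_message, expected_ip):
    """Compare the IP the receiver saw with the IP the domain should send from."""
    msg = message_from_string(raw_message)
    seen = connecting_ip(msg)
    return {
        "from_addr": parseaddr(msg.get("From", ""))[1],  # forgeable header
        "envelope_from": envelope_from(msg),              # account that authenticated
        "connecting_ip": seen,                            # what an RBL would list
        "hops": received_ips(msg),
        "ip_matches_expected": seen == expected_ip,
    }


if __name__ == "__main__":
    # Expected IP is the dedicated address of account.com in the constructed setup.
    report = check_sending_ip(SAMPLE_MESSAGE, "203.0.113.200")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real message, paste the full header block as received by an outside mailbox (the copy in the sending server's own queue will not yet carry the receiver's Received: line). Only the outermost hop is evidence of the source address; the lower Received: headers, the From: line and the display name all travel inside the message and can say whatever the sender wants.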
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    cPanel Access Level:
    Root Administrator
    You could consult with the specific blacklist publisher to determine what methods they use when adding IP addresses to their list.

    Thank you.
     