aarango

Hello

For the past few days, in my queue (exim) I see a lot of emails from Google accounts to our accounts but using names of one domain inside my server (returned emails). I mean:


Code:
#exim -Mvl 1VoYIi-000PnS-5L
2013-12-05 12:45:05 Received from <> R=1VoYIh-000PnE-TG U=mailnull P=local S=2881 T="Mail delivery failed: returning message to sender"
2013-12-05 12:45:09 SMTP error from remote mail server after RCPT TO:<[email protected]>: host aspmx.l.google.com [173.194.78.26]: 550-5.1.1 The email account that you tried to reach does not exist. Please try\n550-5.1.1 double-checking the recipient's email address for typos or\n550-5.1.1 unnecessary spaces. Learn more at\n550 5.1.1 http://support.google.com/mail/bin/a...py?answer=6596 bo12si1008868wib.66 - gsmtp
2013-12-05 12:45:09 [email protected] R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host aspmx.l.google.com [173.194.78.26]: 550-5.1.1 The email account that you tried to reach does not exist. Please try\n550-5.1.1 double-checking the recipient's email address for typos or\n550-5.1.1 unnecessary spaces. Learn more at\n550 5.1.1 http://support.google.com/mail/bin/a...py?answer=6596 bo12si1008868wib.66 - gsmtp
*** Frozen (delivery error message)

#exim -Mvb 1VoYIi-000PnS-5L
Return-path: <[email protected]>
Received: from cpe-c83a353d88c8.cpe.cableonda.net ([190.219.233.231]:26822)
by server with esmtp (Exim 4.82)
(envelope-from <[email protected]>)
id 1VoYIh-000PnE-TG
for [email protected]; Thu, 05 Dec 2013 12:45:04 +0000
Received: from apache by kdlqijaimrrgkdadi.bmatter.com with local (Exim 4.63)
(envelope-from <<[email protected]>>)
id 9M089L-KIWFUF-ML
for <[email protected]>; Thu, 5 Dec 2013 07:48:37 -0500
To: <[email protected]>
Subject: Job offer match, respond to apply

It seems that:
An account/website is infected and is sending emails with for <[email protected]>; afterwards the returned emails go back to the account. The queue is around 1000 in 1 hour.

I can't tell how I can see it because it's using user=mailnull, and I don't know which user is sending.

Any help?
Best Regards
 

cPanelMichael

Technical Support Community Manager
Staff member
Hello :)

Try opening one of the SPAM messages in the mail queue and see if the message headers provide you with any additional information. You can enable the following option under the "Mail" tab in "WHM >> Server Configuration >> Tweak Settings":

Code:
Track email origin via X-Source email headers

This may provide more information in the headers of future emails sent from the server. Also, the following document is helpful for preventing email abuse:

cPanel - Prevent Email Abuse

Thank you.
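
An added example, not part of the original thread and not cPanel's own tooling: a way to do the header check suggested above across many queued bounces at once. It groups `exim -Mvb` header blocks by how the original message entered the server, using the protocol word in Exim's Received line (`local`, `esmtp`, `esmtpa`/`esmtpsa`) and, when X-Source tracking is enabled, the `X-Source-Dir` header. The sample input, hosts, paths and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: header blocks as `exim -Mvb <id>` prints them for three
# queued bounces. Hosts, IPs, message ids and paths are made up.
SAMPLE = """\
Received: from host1.example.net ([203.0.113.7]:26822)
\tby server with esmtp (Exim 4.82)
\t(envelope-from <a@example.com>)
\tid 1AAAAA-000001-AA
Subject: Job offer match, respond to apply

Received: from [198.51.100.9] (port=4021 helo=laptop)
\tby server with esmtpa (Exim 4.82)
\t(envelope-from <b@example.com>)
\tid 1AAAAA-000002-BB
Subject: hi

Received: from webuser by server with local (Exim 4.82)
\t(envelope-from <webuser@server>)
\tid 1AAAAA-000003-CC
X-Source-Dir: example.com:/public_html/contact
Subject: form
"""

def unfold(block):
    """Join folded continuation lines (leading whitespace) onto their header."""
    return re.sub(r"\r?\n[ \t]+", " ", block).splitlines()

def classify(block):
    """Return (entry_kind, source) for one header block."""
    headers = unfold(block)
    received = next((h for h in headers if h.startswith("Received:")), "")
    m = re.search(r"\bwith (\S+)", received)
    proto = m.group(1) if m else "unknown"
    if proto == "local":  # submitted on this server: script, cron or shell user
        src = next((h.split(":", 1)[1].strip() for h in headers
                    if h.startswith("X-Source-Dir:")), None)
        user = re.search(r"from (\S+) by", received)
        return ("local", src or (user.group(1) if user else "?"))
    ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", received)
    kind = "authenticated" if proto in ("esmtpa", "esmtpsa") else "unauthenticated"
    return (kind, ip.group(1) if ip else "?")

def tally(text):
    """Count header blocks (separated by blank lines) per (kind, source)."""
    return Counter(classify(b) for b in text.split("\n\n") if b.strip())

if __name__ == "__main__":
    for (kind, who), n in tally(SAMPLE).most_common():
        print(f"{n:4d}  {kind:16s} {who}")
```

A large `local` count points at a script or user on the server, `authenticated` at a mailbox whose password is being used, and `unauthenticated` at mail accepted from outside with a forged sender, in which case the bounces are backscatter rather than locally generated spam.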