luca.sartori

Member
Jul 18, 2014
9
0
1
Udine, Italy, Italy
cPanel Access Level
Root Administrator
I have tons of mails sent from users: "-remote-"
I think my server could be compromised but I'm unsure on what to do or what is causing the issue.
It seems to me that mails are sent from local uer authenticating to my local exim.
My server is not relaying, could it be a php script? :confused:
Can anybody help me?
 

luca.sartori

Member
Jul 18, 2014
9
0
1
Udine, Italy, Italy
cPanel Access Level
Root Administrator
Additional detail:
There is an header of a spam email:

Code:
Date:	
Fri, 18 Jul 2014 23:13:37 +0800
From:	
"Daily Health eAlert" <[email protected]>
To:	
[email protected]
Subject:	
What happened to me within a season is a miracle!
Content-Type:	
multipart/alternative;
 boundary="----=_Part_68016_1213225342.3282929346909"
Delivery-date:	
Fri, 18 Jul 2014 17:13:40 +0200
Envelope-to:	
[email protected]
Errors-To:	
[email protected]
List-Unsubscribe:	
<https://domain.com.sg/app/optOut/noConfirm/195947953/164239934093b4c8>
Message-ID:	
<214697[email protected]sg>
MIME-Version:	
1.0
Received:	
from [10.0.0.147] ([10.0.0.147:7153] helo=103-11-51-210.domain.com.sg)
 by 715FAF88 (envelope-from <[email protected]>)
 (ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with ESMTP
 id D5/DC-5BBC6-DCE97352; Fri, 18 Jul 2014 23:13:42 +0800
Received:	
from [103.11.51.210] (port=39215 helo=103-11-51-210.domain.com.sg)
 by MYSERVER with esmtp (Exim 4.82)
 (envelope-from <[email protected]>)
 id 1X89qu-0007G4-7r
 for [email protected]; Fri, 18 Jul 2014 17:13:40 +0200
Return-path:	
<[email protected]>
Sender:	
[email protected]
 
Last edited by a moderator:

kdean

Well-Known Member
Oct 19, 2012
377
65
78
Orlando, FL
cPanel Access Level
Root Administrator
-remote- generally indicates mails being sent to users on your server... all your incoming emails. This is normal unless you're seeing something else suspicious.
 

luca.sartori

Member
Jul 18, 2014
9
0
1
Udine, Italy, Italy
cPanel Access Level
Root Administrator
There is an example of header I've from one of the spammy mail:
MYDOMAIN is one of my domains on MYSERVER but the user e2c418134 obviusly does not exist.
[email protected] is a very souspicios sender, and domain.net is NOT one of my domains!

Amd I think it's suspect that: Message-ID:
<[email protected]ns.domain.net>

I've disabled relaying,
Discard FormMail-clone message with bcc: ON
Mail authentication via domain owner password: OFF
Track email origin via X-Source email headers: ON
Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak): ON
Prevent “nobody” from sending mail: ON
Add X-PopBeforeSMTP header for mail sent via POP-before-SMTP: OFF

Code:
Date:	
Thu, 17 Jul 2014 19:28:59 +0300
From:	
"About Today" <[email protected]>
To:	
[email protected]
Subject:	
This product will become a sensation within month
Content-Type:	
multipart/alternative;
 boundary="----=_Part_85034_6015826504.4066855935910"
Delivery-date:	
Thu, 17 Jul 2014 18:29:00 +0200
Envelope-to:	
[email protected]
Errors-To:	
[email protected]
List-Unsubscribe:	
<https://domain.net/app/optOut/noConfirm/33997946/1c07569b776ad7ecc47d>
Message-ID:	
<[email protected]ns.domain.net>
MIME-Version:	
1.0
Received:	
from [10.0.0.78] ([10.0.0.78:1815] helo=maia-80fe7c2fd8.ddns.domain.net)
 by 2E193A31C (envelope-from <[email protected]>)
 (ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with ESMTP
 id 39/7B-8D483-C58BCD29; Thu, 17 Jul 2014 19:29:08 +0300
Received:	
from 130-204-140-40.2073348467.ddns.domain.net ([130.204.140.40]:2058 helo=maia-80fe7c2fd8.ddns.domain.net)
 by MYSERVER with esmtp (Exim 4.82)
 (envelope-from <[email protected]>)
 id 1X7oYG-0003OB-6k
 for [email protected]; Thu, 17 Jul 2014 18:29:00 +0200
Return-path:	
<[email protected]>
Sender:	
[email protected]
 
Last edited by a moderator:

kdean

Well-Known Member
Oct 19, 2012
377
65
78
Orlando, FL
cPanel Access Level
Root Administrator
Looks like an incoming spam email to me. Spammers often send to addresses that don't exist. If there was a problem the To: field would not be going to your MYDOMAIN.

- - - Updated - - -

Also, if you're actually receiving the email even though it's sent to an email that doesn't exist you may want to log into your cPanel account and go to "Set Default Address" and set "Send all unrouted email" to "Discard with error to sender (at SMTP time)".
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello :)

Ensure the "Default Address" in cPanel for this account is set to "Discard with error to sender (at SMTP time)" as mentioned in a previous post. This will ensure email sent to non-existent email accounts is automatically discarded.

Thank you.
 

luca.sartori

Member
Jul 18, 2014
9
0
1
Udine, Italy, Italy
cPanel Access Level
Root Administrator
Thanks, I'll follow your advices.
I'm only worried about one thing:
If my server discards with error to sender, it might become a backscatterer? I had this problem in the past and I'm not sure on how to avoid this problem.
Thank you again!
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Thanks, I'll follow your advices.
I'm only worried about one thing:
If my server discards with error to sender, it might become a backscatterer? I had this problem in the past and I'm not sure on how to avoid this problem.
Thank you again!
You can search for the term "backscatter" on our forums and there are a few threads where users discuss potential solutions.

Thank you.
 
Thread starter Similar threads Forum Replies Date
brianc Email 6
T Email 2
T Email 2
P Email 3
Radio_Head Email 1