The Community Forums


Setting up an email filter

Discussion in 'E-mail Discussions' started by DigiCrime, Feb 29, 2012.

  1. DigiCrime, Well-Known Member (joined Nov 27, 2002)
    Email from the queue

    1S2oDu-0001VR-9Q-H
    mailnull 47 12
    <legituser@onmyserver.com>
    1330539958 0
    -helo_name 263.ent
    -host_address 112.67.126.249.25032
    -host_auth courier_login
    -interface_address myipaddress.25
    -received_protocol esmtpa
    -body_linecount 17
    -max_received_linelength 76
    -auth_id legituser@onmyserver.com
    -deliver_firsttime
    -host_lookup_failed
    XX
    11
    491311898@qq.com
    466375310@qq.com
    466804934@qq.com
    457243603@qq.com
    472221816@qq.com
    474168424@qq.com
    479131696@qq.com
    494209030@qq.com
    454231053@qq.com
    511929102@qq.com
    459756939@qq.com

    193P Received: from [112.67.126.249] (helo=263.ent)
    by myservershostname.com with esmtpa (Exim 4.69)
    (envelope-from <legituseronmyserver@legitdomain>)
    id 1S2oDu-0001VR-9Q; Wed, 29 Feb 2012 12:25:58 -0600
    055I Message-ID: <61970608144F4549D0FE85F51E6BDB9C@263.ent>
    055F From: =?gb2312?B?yO654sTc?= <legituseronmyserver@legitdomain>
    233T To: <491311898@qq.com>,
    <466375310@qq.com>,
    <466804934@qq.com>,
    <457243603@qq.com>,
    <472221816@qq.com>,
    <474168424@qq.com>,
    <479131696@qq.com>,
    <494209030@qq.com>,
    <454231053@qq.com>,
    <511929102@qq.com>,
    <459756939@qq.com>
    031 Subject: =?gb2312?B?tszP+8+i?=
    037 Date: Thu, 1 Mar 2012 02:25:55 +0800
    018 MIME-Version: 1.0
    044 Content-Type: text/plain;
    charset="gb2312"
    034 Content-Transfer-Encoding: base64
    014 X-Priority: 1
    024 X-MSMail-Priority: High
    051 X-Mailer: Microsoft Outlook Express 6.00.2900.5512
    057 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512

    It's been so long since I troubleshot an email issue. Looks to me like an inbound email hijacked an open relay; it just so happens the user is using someone's legit email address as the sender, so they are getting bounce-backs and of course wondering why. I usually overlook this stuff when it's something that happens maybe a couple of times a year, but this is going on every day of the week from around 10am Central to 12 Central, so it probably will continue for a while. But in the interim: what kind of filter can I apply to auto-delete the email bounce-backs so their inbox is not getting full?
     
  2. cPanelTristan, Quality Assurance Analyst, Staff Member (joined Oct 2, 2010; location: somewhere over the rainbow; cPanel Access Level: Root Administrator)
    As far as I'm aware, this line indicates that the user logged in for this message:

    So this was sent using Microsoft Outlook by someone who appears to have authenticated before sending it out. It doesn't appear to be a bounce back and, since email cannot be openly relayed unless you've whitelisted the IP or domain sending off the server, this means it had to be authenticated.
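    The queue entry in the first post is an Exim spool header (-H) file. The option lines in it are what settle the question: Exim records -received_protocol esmtpa (or esmtpsa over TLS) and an -auth_id only when the client authenticated, and a real bounce carries the null envelope sender <> on the third line. The script below, an added example and not code from the thread or from cPanel, parses a spool header of that shape and classifies the message. The sample spool text, the hostname mail.example.com, the interface IP 192.0.2.10 and the recipient threshold are constructed for the example; multi-line -acl variable lines and a non-empty non-recipient tree, which a real queue file can contain, are assumed absent.

```python
# Triage an Exim spool header (-H) file: bounce, unauthenticated relay, or an
# authenticated submission made with a (possibly stolen) mailbox password?
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the poster's queue entry.  Message id,
# addresses, IPs and hostnames are placeholders for this example, not real data.
SAMPLE_SPOOL_H = """\
1S2oDu-0001VR-9Q-H
mailnull 47 12
<legituser@onmyserver.com>
1330539958 0
-helo_name 263.ent
-host_address 112.67.126.249.25032
-host_auth courier_login
-interface_address 192.0.2.10.25
-received_protocol esmtpa
-auth_id legituser@onmyserver.com
-deliver_firsttime
-host_lookup_failed
XX
3
491311898@qq.com
466375310@qq.com
466804934@qq.com

193P Received: from [112.67.126.249] (helo=263.ent)
\tby mail.example.com with esmtpa (Exim 4.69)
\t(envelope-from <legituser@onmyserver.com>)
\tid 1S2oDu-0001VR-9Q; Wed, 29 Feb 2012 12:25:58 -0600
055F From: =?gb2312?B?yO654sTc?= <legituser@onmyserver.com>
051 X-Mailer: Microsoft Outlook Express 6.00.2900.5512
"""

# Spool header lines are "<length><flag> <Header: value>"; "*" flags a deleted header.
HEADER_RE = re.compile(r"^(\d+)([A-Z*]?) (.*)$")


@dataclass
class SpoolMessage:
    message_id: str
    envelope_sender: str                              # "" is the null sender (a bounce)
    options: dict = field(default_factory=dict)       # the "-name value" lines
    recipients: list = field(default_factory=list)
    headers: list = field(default_factory=list)       # (name, value), folded lines joined


def parse_spool_header(text: str) -> SpoolMessage:
    lines = text.splitlines()
    msg = SpoolMessage(message_id=lines[0][:-2],               # strip the "-H" suffix
                       envelope_sender=lines[2].strip()[1:-1])  # drop the <>
    i = 4                                                       # line 4 is "time warnings"
    while i < len(lines) and lines[i].startswith("-"):
        key, _, value = lines[i][1:].partition(" ")
        msg.options[key] = value if value else True             # flags carry no value
        i += 1
    while not lines[i].isdigit():     # "XX" (or a non-recipient tree) precedes the count
        i += 1
    count = int(lines[i])
    msg.recipients = lines[i + 1:i + 1 + count]
    i += 1 + count
    while i < len(lines) and lines[i] == "":                    # blank line before headers
        i += 1
    for line in lines[i:]:
        m = HEADER_RE.match(line)
        if m:
            name, _, value = m.group(3).partition(":")
            msg.headers.append((name.strip(), value.strip()))
        elif msg.headers and line[:1] in (" ", "\t"):           # folded continuation line
            name, value = msg.headers[-1]
            msg.headers[-1] = (name, value + " " + line.strip())
    return msg


def triage(msg: SpoolMessage, recipient_threshold: int = 10) -> dict:
    """Classify the queued message from its spool options alone."""
    proto = msg.options.get("received_protocol", "")
    auth_id = msg.options.get("auth_id")
    # Exim sets esmtpa (esmtpsa over TLS) only when the SMTP client authenticated.
    authenticated = proto in ("esmtpa", "esmtpsa") or auth_id is not None
    is_bounce = msg.envelope_sender == ""
    host_ip = msg.options.get("host_address", "").rpartition(".")[0]   # stored as ip.port
    if is_bounce:
        verdict = "bounce"
    elif authenticated:
        verdict = "authenticated_submission"     # a password for auth_id was used
    else:
        verdict = "unauthenticated_relay"        # only possible if relaying is permitted
    return {
        "verdict": verdict,
        "is_bounce": is_bounce,
        "auth_id": auth_id,
        "authenticator": msg.options.get("host_auth"),
        "submitting_ip": host_ip,
        "reverse_dns_failed": bool(msg.options.get("host_lookup_failed")),
        "recipient_count": len(msg.recipients),
        "mass_mailing": len(msg.recipients) >= recipient_threshold,
        "x_mailer": next((v for n, v in msg.headers if n.lower() == "x-mailer"), None),
    }


if __name__ == "__main__":
    print(triage(parse_spool_header(SAMPLE_SPOOL_H), recipient_threshold=3))
```

    Run over the sample, the verdict is authenticated_submission: the envelope sender is not null, so it is not a bounce, and the -auth_id plus esmtpa mean the credentials for that mailbox were presented from 112.67.126.249. In that situation the remedy is a password reset for the account named in -auth_id and a check of the authenticator's logs for other logins from that address, not a filter that discards bounces.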
     
  3. DigiCrime, Well-Known Member (joined Nov 27, 2002)
    I saw that, but I looked in their sent box and nothing was there. The X-Mailer shows Microsoft Outlook, so they must have used POP, so if the person authenticated as them, I don't see the logouts in my cron report that I get every day. It does show it came from my server, and it's bouncing back because the other end is rejecting it, so they must have guessed their password. This person's account is actually supposed to be a forwarder according to the client, not an actual account.

    greaaaaaat...
     
  4. jgreenwood, Registered (joined Mar 2, 2012; cPanel Access Level: Website Owner)
    I had the same problem today ... same qq.com email addresses ... over 300 bounce-back undeliverables, and they keep coming every 60 seconds or so ... here's the reply from my host's tech support:

    Hello Joe,

    I have investigated this issue and found that your mailbox info@itsyourrhythm.com was hacked.
    I changed the password for this account and cleared the mail queue.
    I recommend you change all passwords for all mailboxes via cPanel.
    Please use stronger passwords.

    Thank you.
     