Spam email from self

Discussion in 'E-mail Discussion' started by levelmeasure, Aug 9, 2018.

  1. levelmeasure

    levelmeasure Registered

    Joined:
    Aug 9, 2018
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Reseller Owner
    I have a reseller account at a host with several client domains. One client has a number of email addresses that are getting email from themselves, containing spam.

    From what I can tell, these emails are being passed as example from my parent host's servers (the company I buy my reseller account from).

    Why don't these fail to authenticate when the fake sender sends, AND/OR when the real sender receives?

    How do I keep other people from sending email through my client's account?

    Example of Message Source in a fake email (names & numbers changed to protect privacy)
    Code:
    Return-Path: <myclient@example.com>
    Delivered-To: myclient@example.com
    Received: from rs2.parentserver.com
        by rs2.parentserver.com with LMTP id EiEiEi0
        for <myclient@example.com>; Wed, 08 Aug 2018 17:19:32 -0400
    Return-path: <myclient@example.com>
    Envelope-to: myclient@example.com
    Delivery-date: Wed, 08 Aug 2018 17:19:32 -0400
    Received: from adsl-001.001.001.001.bogus.gr ([002.002.002.002]:10500)
        by rs2.parentserver.com with esmtp (Exim 4.91)
        (envelope-from <myclient@example.com>)
        id 3c3c3c3c3c3c-OT
        for myclient@example.com; Wed, 08 Aug 2018 17:19:32 -0400
    Message-ID: <001b0ddd5bbb@cmkky2by>
    From: <myclient@example.com>
    To: <myclient@example.com>
    Subject: Welcome to our company
    Date: 9 Aug 2018 02:05:48 +0200
    MIME-Version: 1.0
    Content-Type: text/plain;
        charset="cp-850"
    Content-Transfer-Encoding: 8bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    In Track Delivery the acceptance looks like this (names & numbers changed)
    Code:
    Event:    success success
    User:    -remote-
    Domain:  
    From Address:    myclient@example.com
    Sender:  
    Sent Time:    Aug 8, 2018, 4:19:16 PM
    Sender Host:    adsl-001.001.001.001.bogus.gr
    Sender IP:    002.002.002.002
    Authentication:    localdelivery
    Spam Score:  
    Recipient:    myclient@example.com
    Delivery User:    myclientrealusername
    Delivery Domain:    example.com
    Delivered To:    myclient@example.com
    Router:    virtual_user
    Transport:    dovecot_virtual_delivery
    Out Time:    Aug 8, 2018, 4:19:16 PM
    ID:    3c3c3c3c3c3c-OT
    Delivery Host:    localhost
    Delivery IP:    100.0.0.1
    Size:    1.66 KB
    Result:    Accepted
     
    #1 levelmeasure, Aug 9, 2018
    Last edited by a moderator: Oct 25, 2018
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    4,185
    Likes Received:
    302
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @levelmeasure

    Does your client have a valid SPF and DKIM? What you're describing sounds a bit like spoofing.


    Thanks!
     
  3. levelmeasure

    Yes, SPF and DKIM are configured. The email server does not recognize it as coming from an unauthorized sender. It gets passed through as really having come from the recipient's own email account. My concern is not knowing who else is getting email that appears to come from my client.

    Thanks
     
  4. cPanelLauren

    Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


    Thanks!
     
  5. ProDesignz

    ProDesignz Member

    Joined:
    Mar 16, 2015
    Messages:
    13
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi, I'm facing the same issue and my client is very serious about this. The client had Zimbra before and now, on my recommendation, they switched to cPanel.
    Please help me because this is very frequent now. We have changed passwords and only SSH connection is enabled on the server.
    Below is the email header

    Code:
    Return-Path: <kerul@example.com>
    Delivered-To: kerul@example.com
    Received: from mail.example.com
        by mail.example.com with LMTP id 0BBZJZ5X0Vu0CQAAM3BfSA
        for <kerul@example.com>; Thu, 25 Oct 2018 11:11:50 +0530
    Return-path: <kerul@example.com>
    Envelope-to: kerul@example.com
    Delivery-date: Thu, 25 Oct 2018 11:11:50 +0530
    Received: from [103.x.x.x] (port=56315 helo=[90.161.20.38])
        by mail.example.com with esmtp (Exim 4.91)
        (envelope-from <kerul@example.com>)
        id 1gFYOy-0000lo-Ff
        for kerul@example.com; Thu, 25 Oct 2018 11:11:50 +0530
    From: <kerul@example.com>
    To: <kerul@example.com>
    Subject: account kerul@example.com is compromised
    Date: 25 Oct 2018 08:22:47 +0100
    Message-ID: <002d01d46c36$023a8f7b$bbdf978a$@example.com>
    MIME-Version: 1.0
    Content-Type: text/plain;
        charset="ibm852"
    Content-Transfer-Encoding: 8bit
    X-Mailer: Microsoft Office Outlook 12.0
    Thread-Index: Acjhjwjwwb06j869jhjwjwwb06j869==
    Content-Language: en
    x-cr-hashedpuzzle: 2D4= i2f4 r6sl qkom mci2 f4r6 slqk ommc i2f4 r6sl qkom mci2 f4r6 slqk ommc i2f4;1;r6slqkommci2f4r6slqkommci2f4r6slqkommci2f4r6slqk;Sosha1_v1;7;\{AD9937D4-1B03-7AF8-CC62-90A274F27046\};ZQB3AGUAZgi2f4r6slqkommci2f4r6slqkommci2f4r6slqk;25 Oct 2018 08:22:47 +0100;92aea0fbvpfmxk92
    x-cr-puzzleid: \{AD9937D4-1B03-7AF8-CC62-90A274F27046\}
    X-Spam-Status: No, score=1.2
    X-Spam-Score: 12
    X-Spam-Bar: +
    X-Ham-Report: Spam detection software, running on the system "mail.example.com",
        has NOT identified this incoming email as spam. The original
        message has been attached to this so you can view it or label
        similar future email. If you have any questions, see
        root\@localhost for details.
        Content preview: Hello! I'm a hacker who cracked your email and device a few
        months ago. You entered a password on one of the sites you visited, and I
        intercepted it. Of course you can will change it, or already change
        Content analysis details: (1.2 points, 5.0 required)
        pts rule name description
        ---- ---------------------- --------------------------------------------------
        -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
        See
        http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
        for more information.
        [URIs: example.com]
        2.0 PYZOR_CHECK Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
        0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe
        0.2 FROM_IN_TO_AND_SUBJ From address is in To and Subject
    X-Spam-Flag: NO

    Please give some solution to this.
     
    #5 ProDesignz, Oct 25, 2018
    Last edited by a moderator: Oct 25, 2018
  6. cPanelLauren

    Hello @ProDesignz


    Are either of these your IP address?

    Code:
    Received: from [103.x.x.x] (port=56315 helo=[90.161.xx.xx])
    
    Also can you show me the output of the transaction in the exim logs? The command to do this would be:

    Code:
    exigrep 1gFYOy-0000lo-Ff /var/log/exim_mainlog
    Thanks!
     
    #6 cPanelLauren, Oct 25, 2018
    Last edited by a moderator: Oct 27, 2018
  7. ProDesignz

    103.x.x.x is our server's IP address, while 90.161.xx.xx is not our server IP; it is the spammer's IP address.

    Here is the exim log
    Code:
    2018-10-25 11:11:50 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gFYOy-0000lo-Ff
    
    2018-10-25 11:11:48 1gFYOy-0000lo-Ff H=([90.161.xx.xx]) [103.50.xxx.xx]:56315 Warning: Message has been scanned: no virus or other harmful content was found
    2018-10-25 11:11:50 1gFYOy-0000lo-Ff H=([90.161.xx.xx]) [103.50.xxx.xx]:56315 Warning: "SpamAssassin as example detected message as NOT spam (1.2)"
    2018-10-25 11:11:50 1gFYOy-0000lo-Ff <= someusr@example.com H=([90.161.xx.xx]) [103.50.xxx.xx]:56315 P=esmtp S=4510 id=002d01d46c36$023a8f7b$bbdf978a$@example.com T="account someusr@example.com is compromised" for someusr@example.com
    2018-10-25 11:11:50 1gFYOy-0000lo-Ff SMTP connection identification D=example.com O=someusr@example.com E=someotherusr@example.in M=1gFYOy-0000lo-Ff U=example ID=1000 B=redirect_resolver
    2018-10-25 11:11:50 1gFYOy-0000lo-Ff Sender identification U=example D=example.com S=someusr@example.com
    2018-10-25 11:11:50 1gFYOy-0000lo-Ff SMTP connection outbound 1540446110 1gFYOy-0000lo-Ff example.com someotherusr@example.in
    2018-10-25 11:11:50 1gFYOy-0000lo-Ff => someusr <someusr@example.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <someusr@example.com> 0BBZJZ5X0Vu0CQAAM3BfSA Saved"
    2018-10-25 11:11:52 1gFYOy-0000lo-Ff => someusr@example.com (someusr@example.com) <someusr@example.com> R=dkim_lookuphost T=dkim_remote_smtp H=aspmx.l.google.com [74.125.68.26] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1540446112 u10-v6si7275955pgg.180 - gsmtp"
    2018-10-25 11:11:52 1gFYOy-0000lo-Ff Completed
    
     
    #7 ProDesignz, Oct 25, 2018
    Last edited by a moderator: Oct 27, 2018
  8. ProDesignz

    One more thing, the same thing is happening to another email server. Both servers are in different zones and nothing to do with this client. So, please give some solution to stop this kind of spam.
     
  9. cPanelLauren

  10. ProDesignz

    @cPanelLauren
    These are all from different IP addresses. I can create a filter to limit them based on subject or if from address = to address, but it is actually not a foolproof solution. It is kinda patch work. I wonder: we have enabled SMTP authentication, and even so they are able to do such spamming. Is there anything else other than creating filters to prevent such kinda spam emails?
     
    #10 ProDesignz, Oct 27, 2018
    Last edited by a moderator: Oct 27, 2018
  11. cPanelLauren

    Hi @ProDesignz

    Do you have SPF & DKIM implemented on the domain/s you're receiving this on? I am still concerned about the fact that it's not getting flagged as spam as it's not actually originating from your IP address.
     
  12. ProDesignz

    Hi @cPanelLauren
    We have SPF & DKIM implemented and still it continues, please look into this matter as now customers are feeling insecure.
     
  13. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    1,020
    Likes Received:
    405
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    If you have correctly implemented DKIM and SPF records, and mail with spoofed headers is not being flagged as spam, you may need to adjust your SpamAssassin filters, or user or global filters for the domain.

    Spam and spoofing email headers like the from address has been around almost as long as email has existed, and everyone has been struggling to solve the problem by adding more and more layers to the protocol like RBL, SPF, DKIM and DMARC. This is far from being a complete solution, and what is really needed is a complete overhaul of the email systems and protocols.

    cPanel do not write the email protocol or system, they use the existing industry standard tools and daemons and attempt to make your interaction with those tools easier by providing a graphical user interface (and for the most part, do an excellent job as well) so don't blame, or expect cPanel to be able to do very much about your problem of spoofed email headers.

    Since the problem you are facing is a global one, the first mitigation can be by educating your users how to spot these obvious fraudulent emails.


    As to filters: I should very much like to see an easy way of introducing some new Exim rules,

    e.g. If the from address matches the to address; test to establish and reject/flag as spam, if the sender user was 'remote' rather than a local or a known username within WHM.

    I haven't had enough coffee yet to start writing a rule that might work for the above scenario, so if anyone wants to chip in, any contributions would be welcome :)

    **EDIT **

    Still not enough coffee but I have got
    Code:
    # Exim Filter
    # Spoofed From
    if first_delivery
    $h_from: matches $h_to and
    (sender user (need a variable for this) matches "remote")
    then
    seen finish
    endif
    DO NOT TRY AND RUN THIS CODE - IT IS ONLY A FLOW CONCEPT AND IS NOT FINISHED AND MAY BREAK YOUR EXIM

    This is intended to try to explain the direction I wanted to move towards with an exim filter. Please contribute, or maybe a moderator would like to split this off into a new thread.
     
    #13 rpvw, Nov 3, 2018
    Last edited: Nov 3, 2018
    cPanelLauren likes this.
  14. ProDesignz

    Hi @rpvw

    Thanks for the practical solution :)

    Anyone like me who is facing this issue, please follow the given steps. This is not a permanent solution; it is a workaround.

    Step 1: Create a custom filter file

    Code:
    # Discard mail whose From: matches To: unless the connecting host is the listed IP
    if $header_from: matches $header_to:
            and ($sender_host_address does not match "134.xx.xx.xx")
    then
        save "/dev/null" 660
    endif
    Step 2: Upload it to
    /usr/local/cpanel/etc/exim/sysfilter/options

    Step 3: Then rebuild the Exim configuration by executing
    /scripts/buildeximconf
     
  15. rpvw

    Thank you @ProDesignz for the code.

    Based on the theory that the sender_host_address will be empty if the message originated on the local host (server), and populated with the IP of the remote host if originated by someone trying to spoof the address, I would like to think that some better rule without a specific IP would be possible by testing for an empty string.

    It's making my head hurt :(
     
    #15 rpvw, Nov 3, 2018
    Last edited: Nov 3, 2018
    cPanelLauren likes this.
  16. cPanelLauren

    I'm glad that you were able to find a solution that worked for you @ProDesignz though I do want to point out that a rule like the one implemented here may not work for everyone. As indicated by @rpvw you may want to go with a solution that doesn't make use of a specific IP address.
     
  17. ProDesignz

    @cPanelLauren , no luck :(
    Now he has changed something at his end and is sending the same messages again. Even this time he is able to bypass the rule I set, as the Sender Host IP address is different, but he is still able to send email.

    Please give some solid solution to prevent such kind of spam.

    Following is the Header of email.

    Code:
    Return-Path: <kerul@mydomain.com>
    Delivered-To: kerul@mydomain.com
    Received: from mail.mydomain.com
        by mail.mydomain.com with LMTP id SBA8EaYL4FtcFQAAM3BfSA
        for <kerul@mydomain.com>; Mon, 05 Nov 2018 14:51:42 +0530
    Return-path: <kerul@mydomain.com>
    Envelope-to: kerul@mydomain.com
    Delivery-date: Mon, 05 Nov 2018 14:51:42 +0530
    Received: from [xxx.xxx.xxx.xxx] (port=34552 helo=[181.75.107.32])
        by mail.mydomain.com with esmtp (Exim 4.91)
        (envelope-from <kerul@mydomain.com>)
        id 1gJb4k-0001Pi-HN
        for kerul@mydomain.com; Mon, 05 Nov 2018 14:51:42 +0530
    Message-ID: <5426EB2BC199E60173BE7E94CCB35426@WP419JBE2G>
    From: <kerul@mydomain.com>
    To: <kerul@mydomain.com>
    Subject: Change your password immediately. Your account has been hacked.
    Date: 6 Nov 2018 01:50:32 +0800
    MIME-Version: 1.0
    Content-type: text/plain;
        charset="ibm852"
    Content-transfer-encoding: 8bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.5931
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
    X-Spam-Status: No, score=1.0
    X-Spam-Score: 10
    X-Spam-Bar: +
    X-Ham-Report: Spam detection software, running on the system "mail.mydomain.com",
        has NOT identified this incoming email as spam. The original
        message has been attached to this so you can view it or label
        similar future email. If you have any questions, see
        root\@localhost for details.
        Content preview: I greet you! I have bad news for you. 11/08/2018 - on this
        day I hacked your operating system and got full access to your account kerul@mydomain.com
        It is useless to change the password, my m
        Content analysis details: (1.0 points, 5.0 required)
        pts rule name description
        ---- ---------------------- --------------------------------------------------
        -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        0.0 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date
        0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
        See
        http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
        for more information.
        [URIs: mydomain.com]
        2.0 PYZOR_CHECK Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
        0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe
    X-Spam-Flag: NO
     
    Bill_H likes this.
  18. Bill_H

    Bill_H Registered

    Joined:
    Nov 18, 2018
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Delaware
    cPanel Access Level:
    Root Administrator
    I have to agree that it is ridiculous that there is no way to stop this type of spam email from being bounced off the server.

    We need a SOLID SOLUTION!
     
  19. rpvw

    Indeed we do, but I am not sure that cPanel are in a position to provide it :(

    I have been working on this Exim filter since this thread was opened, and have encountered the following issues, all caused by the way that Exim processes filter rules.

    If we start from the premise that we need to compare the From address to the To address, and then check to see if the sender_host_address is empty or not, we can create some pseudo code like this:
    Code:
    # Exim Filter
    # Spoofed From Address
    if first_delivery
    and ("$header_from:" matches "$header_to:")
    and ("$sender_host_address" is "")
    then deliver
    else
    seen finish
    endif
    Now the problems as I see them are these (and I would love someone to tell me I am wrong, and that there is a better way of doing this):

    1) Exim does not seem to be able to compare one variable against another; so it can compare e.g. "$header_from:" matches "name@email.tld" but not "$header_from:" matches "$header_to:" as it expands the second variable literally and does not replace it with the content of the variable. This would limit one to having to make a filter per address rather than a global filter.

    2) There is no clear way I have found of testing for an empty string. Exim can use "is/is not" or "contains/does not contain" or "matches/does not match" in the string comparison once both strings have been expanded. Since we ideally need to look for a string that is not empty in the $sender_host_address: variable (which is always empty if the from/to actually originates on the same server) and we have no idea what the string might be if it is a spoofed message, other than it will contain an IP and probably other information, we need to either test for an empty string OR test (contains) for a regex that would encompass anything that might populate the variable. This should be a Perl compatible regex, but so far, I have been unable to write one that is 100% reliable.

    So if anyone has any ideas, please add them to the thread. I should prefer to get rid of the "else" line in the code and keep it simple, but I am not sure this will be possible, even if we can overcome the comparison of one string variable to another in the first place.

    Again, whilst I do recognise the need for some filter of this nature, I don't think it is necessarily up to cPanel to provide it. If they can help us, that would be fantastic, but I also note that such a fundamental filter should be available from dozens/hundreds of sources on the internet if it were possible to achieve using the current Exim filters - the very fact that there are NO references to any such filter does somewhat reinforce my belief that it won't be possible under the current Exim filter rules.

    I wonder if we should be looking at creating a custom Spamassassin rule instead ?
     
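As an added example (not code from the thread, from cPanel or from Exim), the check that ProDesignz's sysfilter rule and rpvw's pseudo code are reaching for, written in Python so it can run offline over the kind of header block posted above: a From: == To: message is treated as a spoof only when our MTA accepted it over plain unauthenticated esmtp from an address that is not ours, so a user who mails themselves from an authenticated client (esmtpsa) is not discarded the way a rule keyed only on $sender_host_address would discard them. The domain, the server address and the header samples are constructed, and the code assumes the message reached this server directly.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Exim writes "from <host> ([ip]:port)" or "from [ip] (port=N helo=<helo>)", then
# "by <us> with <proto>". proto ends in "a" (esmtpa/esmtpsa) only after SMTP AUTH;
# plain "esmtp" means an unauthenticated inbound connection.
RECEIVED_RE = re.compile(
    r"from\s+(?:(?P<host>[^\s\[(]+)\s+)?\(?\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?\)?"
    r"(?:\s*\(port=\d+\s+helo=(?P<helo>[^)\s]+)\))?"
    r"\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>[a-z]+)",
    re.IGNORECASE,
)
ENVELOPE_RE = re.compile(r"envelope-from\s+<([^>]*)>", re.IGNORECASE)


def classify(raw, local_domains, our_ips):
    """Return (verdict, reasons); verdict is "spoof", "legit" or "unknown"."""
    msg = message_from_string(raw)
    hdr_from = parseaddr(msg.get("From", ""))[1].lower()
    hdr_to = parseaddr(msg.get("To", ""))[1].lower()
    if not hdr_from or hdr_from != hdr_to or hdr_from.rpartition("@")[2] not in local_domains:
        return "unknown", ["From: and To: are not the same mailbox on this server"]
    reasons = [f"From: and To: are both {hdr_from}"]
    # Received: lines are prepended, so the first one that parses as a network hop
    # is the newest, i.e. the one our MTA wrote when it accepted the message.
    # (Assumes the message reached this server directly, as in the thread.)
    hops = [m for m in map(RECEIVED_RE.search, msg.get_all("Received", [])) if m]
    if not hops:
        return "legit", reasons + ["no network hop: the message was generated locally"]
    hop = hops[0]
    ip, proto, helo = hop.group("ip"), hop.group("proto").lower(), hop.group("helo")
    if proto.endswith("a"):
        return "legit", reasons + [f"accepted with SMTP AUTH ({proto}) from {ip}"]
    if ip in our_ips:
        return "unknown", reasons + [f"unauthenticated, but submitted from our own host {ip}"]
    reasons.append(f"accepted without SMTP AUTH ({proto}) from outside host {ip}")
    if helo and helo.startswith("[") and helo.strip("[]") != ip:
        reasons.append(f"HELO literal {helo} does not match the connecting address")
    env = ENVELOPE_RE.search(hop.string)
    if env and env.group(1).lower() == hdr_from:
        reasons.append("envelope-from is forged as the local mailbox too (this is the "
                       "hop an SPF check for the domain applies to)")
    return "spoof", reasons


LOCAL_DOMAINS = {"example.com"}
OUR_IPS = {"203.0.113.5"}  # constructed: this mail server's own address

# Constructed header block modelled on the ones posted in the thread.
SPOOF = """\
Return-Path: <kerul@example.com>
Received: from mail.example.com
    by mail.example.com with LMTP id CONSTRUCTED-LMTP-ID
Received: from [203.0.113.10] (port=56315 helo=[198.51.100.7])
    by mail.example.com with esmtp (Exim 4.91)
    (envelope-from <kerul@example.com>)
    for kerul@example.com; Thu, 25 Oct 2018 11:11:50 +0530
From: <kerul@example.com>
To: <kerul@example.com>
Subject: account kerul@example.com is compromised

"""
# The same mailbox mailing itself from a laptop that passed SMTP AUTH (esmtpsa).
LEGIT = SPOOF.replace(
    "from [203.0.113.10] (port=56315 helo=[198.51.100.7])\n    by mail.example.com with esmtp (",
    "from [192.0.2.77] (port=51234 helo=[192.168.1.20])\n    by mail.example.com with esmtpsa (",
)

if __name__ == "__main__":
    for name, sample in (("spoof sample", SPOOF), ("authenticated sample", LEGIT)):
        verdict, why = classify(sample, LOCAL_DOMAINS, OUR_IPS)
        print(f"{name}: {verdict}")
        for r in why:
            print("  -", r)
```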
  20. Spirogg

    Spirogg Active Member

    Joined:
    Feb 21, 2018
    Messages:
    29
    Likes Received:
    4
    Trophy Points:
    3
    Location:
    chicago
    cPanel Access Level:
    Root Administrator
    I am also getting this type of email asking for ransom money ??

    I ran this command: exigrep 1gOgoe-0003pl-Cw /var/log/exim_mainlog

    The IP is the spammer's.

    Code:
    [root@server1 ~]# exigrep 1gOgoe-0003pl-Cw /var/log/exim_mainlog
    2018-11-19 04:30:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gOgoe-0003pl-Cw
    
    2018-11-19 04:30:05 1gOgoe-0003pl-Cw H=([37.106.108.86]) [37.106.108.86]:25230 Warning: "SpamAssassin as ok2 detected message as spam (19.6)"
    2018-11-19 04:30:05 1gOgoe-0003pl-Cw H=([37.106.108.86]) [37.106.108.86]:25230 Warning: Message has been scanned: no virus or other harmful content was found
    2018-11-19 04:30:05 1gOgoe-0003pl-Cw <= mnb@*****.com H=([37.106.108.86]) [37.106.108.86]:25230 P=esmtp S=5060 id=204B90CD4EFB161378A3FE7DC825204B@ok.com T="mnb@*****.com - this account has been hacked! Change all your passwords!" for mnb@*****.com
    2018-11-19 04:30:05 1gOgoe-0003pl-Cw => spiro <mnb@*****.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <mnb@*****.com> gJ8hHq2Q8lu7OQAAup1nGg Saved"
    2018-11-19 04:30:05 1gOgoe-0003pl-Cw Completed
     