Spam email is sent using my own account

NestMan

Active Member
May 10, 2016
25
0
1
Utah
cPanel Access Level
Root Administrator
How is it that spammers are able to send email with the FROM: field using my email address? I only found out about it because the spammer put my address in the FROM and the TO fields, and then my server marked that email as spam:

The mail server detected your message as spam and has prevented delivery (31).

I have changed the password for this particular POP account, but the spam email continues to bounce and come back to me. How are the spammers doing this?

Thank you!
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463

Could you provide some additional information about these messages, such as the message header, and the corresponding entry in /var/log/exim_mainlog? Ensure you post the output in CODE tags, and remove any real domain names or IP addresses.

Thank you.
 

NestMan

Active Member
May 10, 2016
25
0
1
Utah
cPanel Access Level
Root Administrator
Yes, here is the full header:

Code:
Content-Type: multipart/report; report-type=delivery-status; boundary=1466770286-eximdsn-1804289383
Auto-Submitted: auto-replied
Mime-Version: 1.0
Envelope-To: [email protected]
Return-Path: <>
Delivery-Date: Fri, 24 Jun 2016 06:11:27 -0600
Message-Id: <[email protected]>
X-Failed-Recipients: [email protected]
Received: from mailnull by server.domain.com with local (Exim 4.87) id 1bGPxG-00083t-Rz for [email protected]; Fri, 24 Jun 2016 06:11:26 -0600
Mail delivery failed: returning message to sender
I can tail the main exim log for things happening in the moment, but I'm unsure how to find a transaction that happened several hours ago. Can I use the Mail Delivery Reports feature in WHM to find what you are looking for?

Thank you!!
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
You can search for a message via the command line with a command such as:

Code:
exigrep MSGID /var/log/exim_mainlog
Or, through "WHM >> Mail Delivery Reports". This option is documented at:

Mail Delivery Reports - Documentation - cPanel Documentation

Thank you.
 

NestMan

Active Member
May 10, 2016
25
0
1
Utah
cPanel Access Level
Root Administrator
Message-Id: <[email protected]>

Then I did the following at the prompt:

Code:
exigrep E1bGPxG-00083t-Rz /var/log/exim_mainlog
A few seconds later the prompt returned, apparently nothing happened. Did I do this right? By the way, what exactly should I be looking for? This will solve the problem as to why spammers can send email and make it look like it came from my own POP account?


Thanks!
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
Hello,

You can search for the email address as well. For example:

Code:
exigrep [email protected] /var/log/exim_mainlog*
You are checking to see if the message came from your system, or if it was spoofed and the remote server did not have SPF checking enabled. You may also find this thread helpful if you want to verify the messages aren't coming from a PHP script:

Find scripts responsible for sending out spam

Thank you.
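The question the exigrep step is meant to answer is whether the spam actually entered the mail system on this server (an authenticated login with the mailbox password, or a local script) or whether a remote host simply put the address in the envelope, in which case changing the POP password cannot stop it and only SPF/DKIM/DMARC checks at the receiving side can. The following script, an added example that is not from this thread or from cPanel, parses the "<=" arrival lines of an Exim main log and tags each message touching an address with its real origin, then links locally generated bounces back to the message that produced them. The log lines are constructed samples using reserved example domains and documentation IP ranges; the function names are this example's own.

```python
"""Triage Exim main-log arrival lines for a spoofed-From complaint.

Added example (not from the thread or cPanel). Given an address, find the
"<=" lines where that address is the envelope sender or the authenticated
account, and say where the message really came from:
  authenticated_submission  -> someone logged in as the account (reset password)
  local_process             -> a local user/script on this server injected it
  remote_unauthenticated    -> a remote host used our address; not sent by us
Bounces (sender <>) are tied back to the original message via R=.
"""
import re

# Constructed sample of /var/log/exim_mainlog lines (not real traffic).
SAMPLE_LOG = """\
2016-06-24 06:11:20 1bGPxF-00083s-Qa <= user@example.com H=(WIN-PC) [203.0.113.5] P=esmtpa A=dovecot_login:user@example.com S=2048 id=abc123@WIN-PC
2016-06-24 06:11:21 1bGPxF-00083s-Qa => user@example.com R=virtual_user T=dovecot_virtual_delivery
2016-06-24 06:11:22 1bGPxG-00083t-Rz <= user@example.com H=mail.remote.example [198.51.100.7] P=esmtp S=4096 id=spam1@remote.example
2016-06-24 06:11:23 1bGPxH-00083u-Sb <= user@example.com U=site P=local S=1024 T="Promo" from <user@example.com> for victim@example.net
2016-06-24 06:11:26 1bGPxI-00083v-Tc <= <> R=1bGPxG-00083t-Rz U=mailnull P=local S=1500 T="Mail delivery failed: returning message to sender"
"""

# An Exim "<=" arrival line: timestamp, 6-6-2 character message id,
# envelope sender (or <> for a bounce), then key=value fields.
ARRIVAL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) <= "
    r"(?P<sender><>|\S+)(?P<rest>.*)$"
)


def parse_arrival(line):
    """Return a dict for an Exim '<=' line, or None for any other line."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    rest = m.group("rest")

    def field(key):
        f = re.search(r" %s=(\S+)" % key, rest)
        return f.group(1) if f else None

    return {
        "id": m.group("id"),
        "sender": m.group("sender"),
        "host": field("H"),        # remote host; absent for local injection
        "auth": field("A"),        # SMTP AUTH "mechanism:account", if any
        "protocol": field("P"),    # esmtpa, esmtp, local, ...
        "local_user": field("U"),  # local Unix user for P=local
        "ref": field("R"),         # on bounces: id of the message that bounced
    }


def origin_of(arrival):
    """Classify where a parsed arrival really entered the mail system."""
    if arrival["sender"] == "<>":
        return "bounce"
    if arrival["auth"]:
        return "authenticated_submission"
    if arrival["host"] is None:
        return "local_process"
    return "remote_unauthenticated"


def triage(log_lines, address):
    """Arrivals whose envelope sender or authenticated account is ADDRESS."""
    hits = []
    for line in log_lines:
        a = parse_arrival(line)
        if a is None:
            continue
        acct = a["auth"].split(":", 1)[1] if a["auth"] and ":" in a["auth"] else None
        if a["sender"] == address or acct == address:
            a["origin"] = origin_of(a)
            hits.append(a)
    return hits


def bounces_for(log_lines, ids):
    """Ids of locally generated bounces whose R= points at one of IDS."""
    ids = set(ids)
    return [a["id"] for a in map(parse_arrival, log_lines)
            if a and a["sender"] == "<>" and a["ref"] in ids]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    hits = triage(lines, "user@example.com")
    for h in hits:
        print(h["id"], h["origin"], h["host"] or h["local_user"], h["auth"])
    print("bounces:", bounces_for(lines, [h["id"] for h in hits]))
```

In the sample, only the first message is a real compromise (an authenticated login, so the password reset was the right move); the second was handed in by a remote host with the address forged in the envelope and is what produces the backscatter bounce. One caveat when searching by id: Exim names the messages it generates itself, bounces included, with a Message-Id header of "E" followed by the Exim id, while the log uses the bare id, so search the log for the id without the leading "E".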