Spam email is sent using my own account

Discussion in 'E-mail Discussion' started by NestMan, Jun 20, 2016.

  1. NestMan

    NestMan Active Member

    Joined:
    May 10, 2016
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Utah
    cPanel Access Level:
    Root Administrator
    How is it that spammers are able to send email with the FROM: field using my email address? I only found out about it because the spammer put my address in the FROM and the TO fields, and then my server marked that email as spam:

    The mail server detected your message as spam and has prevented delivery (31).

    I have changed the password for this particular POP account, but the spam email continues to bounce and come back to me. How are the spammers doing this?

    Thank you!
     
  2. Ameya Barwe

    Ameya Barwe Well-Known Member

    Joined:
    Jan 1, 2016
    Messages:
    49
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Nashik
    cPanel Access Level:
    Root Administrator
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,378
    Likes Received:
    1,857
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  4. NestMan

    I have implemented these suggestions and yet the problem continues. Any other ideas?
     
  5. cPanelMichael

    Could you provide some additional information about these messages, such as the message header, and the corresponding entry in /var/log/exim_mainlog? Ensure you post the output in CODE tags, and remove any real domain names or IP addresses.

    Thank you.
     
  6. NestMan

    Yes, here is the full header:

    Code:
    Content-Type: multipart/report; report-type=delivery-status; boundary=1466770286-eximdsn-1804289383
    Auto-Submitted: auto-replied
    Mime-Version: 1.0
    Envelope-To: robert@domain.com
    Return-Path: <>
    Delivery-Date: Fri, 24 Jun 2016 06:11:27 -0600
    Message-Id: <E1bGPxG-00083t-Rz@server.domain.com>
    X-Failed-Recipients: robert@domain.com
    Received: from mailnull by server.domain.com with local (Exim 4.87) id 1bGPxG-00083t-Rz for robert@domain.com; Fri, 24 Jun 2016 06:11:26 -0600
    Mail delivery failed: returning message to sender
    
    I can tail the main exim log for things happening in the moment, but I'm unsure how to find a transaction that happened several hours ago. Can I use the Mail Delivery Reports feature in WHM to find what you are looking for?

    Thank you!!
     
    #6 NestMan, Jun 24, 2016
    Last edited: Jun 24, 2016
  7. cPanelMichael

    You can search for a message via the command line with a command such as:

    Code:
    exigrep MSGID /var/log/exim_mainlog

    Or, through "WHM >> Mail Delivery Reports". This option is documented at:

    Mail Delivery Reports - Documentation - cPanel Documentation

    Thank you.
     
  8. NestMan

    Message-Id: <E1bGPxG-00083t-Rz@server.domain.com>

    Then I did the following at the prompt:

    Code:
    exigrep E1bGPxG-00083t-Rz /var/log/exim_mainlog

    A few seconds later the prompt returned; apparently nothing happened. Did I do this right? By the way, what exactly should I be looking for? This will solve the problem as to why spammers can send email and make it look like it came from my own POP account?


    Thanks!
     
  9. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,834
    Likes Received:
    85
    Trophy Points:
    78
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello :),

    Can you please try to check your old exim_mainlog files, which are stored in the /var/log directory.
     
  10. NestMan

    Didn't you read what I said above?
     
  11. cPanelMichael

    Hello,

    You can search for the email address as well. For example:

    Code:
    exigrep user@domain /var/log/exim_mainlog*

    You are checking to see if the message came from your system, or if it was spoofed and the remote server did not have SPF checking enabled. You may also find this thread helpful if you want to verify the messages aren't coming from a PHP script:

    Find scripts responsible for sending out spam

    Thank you.
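
The check described in the last reply (did the message come from this system, or was the sender spoofed from outside), as an added example that is not part of the original thread. It reads Exim `<=` arrival lines for one sender and labels each as authenticated (`A=`), local (`P=local`) or remote without authentication, and for a bounce prints the `R=` ID of the message that bounced; the log lines, message IDs and IP addresses are constructed, and the label names are this example's own.

```shell
#!/bin/sh
# Added example: classify Exim arrival ("<=") lines for one sender address.

# Constructed sample of /var/log/exim_mainlog lines (not from a real server).
sample_log() {
cat <<'EOF'
2016-06-24 06:10:01 1bGPw0-0007aa-01 <= robert@domain.com H=(mail.example.net) [203.0.113.7]:40112 P=esmtp S=2411 id=abc@example.net
2016-06-24 06:10:05 1bGPw4-0007ab-02 <= robert@domain.com H=(laptop) [198.51.100.9]:51822 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 A=dovecot_login:robert@domain.com S=1830
2016-06-24 06:10:09 1bGPw8-0007ac-03 <= robert@domain.com U=robert P=local S=912
2016-06-24 06:11:26 1bGPx0-0007ad-04 <= <> R=1bGPw0-0007aa-01 U=mailnull P=local S=3950
2016-06-24 06:11:27 1bGPx0-0007ad-04 => robert <robert@domain.com> R=virtual_user T=virtual_userdelivery
EOF
}

# classify_arrivals SENDER [LOGFILE]   (reads stdin when LOGFILE is omitted)
# Prints "<message-id> <label>" for each arrival line of interest:
#   authenticated          - SMTP AUTH was used (A=): the account's credentials
#   local-submission       - created on this server (P=local): script or cron
#   remote-unauthenticated - arrived from another host with no AUTH: the
#                            sender address was simply claimed (spoofed)
#   bounce-of:<id>         - null-sender DSN; <id> is the message that bounced
classify_arrivals() {
    cat "${2:--}" | awk -v addr="$1" '
    $4 == "<=" {
        cls = ""
        if ($5 == "<>") {
            # Bounce generated here: R= names the original message to look up
            for (i = 6; i <= NF; i++)
                if ($i ~ /^R=/) cls = "bounce-of:" substr($i, 3)
        } else if ($5 == addr) {
            cls = "remote-unauthenticated"
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^A=/) { cls = "authenticated"; break }
                if ($i == "P=local") cls = "local-submission"
            }
        }
        if (cls != "") print $3, cls
    }'
}

# Demo run over the constructed sample.
sample_log | classify_arrivals robert@domain.com
```

On a server the same function takes the log path as its second argument, for example `classify_arrivals user@domain /var/log/exim_mainlog`.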
     