Spam email is sent using my own account

Discussion in 'E-mail Discussions' started by NestMan, Jun 20, 2016.

  1. NestMan

    NestMan Active Member

    How is it that spammers are able to send email with the FROM: field using my email address? I only found out about it because the spammer put my address in the FROM and the TO fields, and then my server marked that email as spam:

    The mail server detected your message as spam and has prevented delivery (31).

    I have changed the password for this particular POP account, but the spam email continues to bounce and come back to me. How are the spammers doing this?

    Thank you!
     
  2. Ameya Barwe

    Ameya Barwe Well-Known Member

  3. NestMan

    I have implemented these suggestions and yet the problem continues. Any other ideas?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you provide some additional information about these messages, such as the message header, and the corresponding entry in /var/log/exim_mainlog? Ensure you post the output in CODE tags, and remove any real domain names or IP addresses.

    Thank you.
     
  5. NestMan

    Yes, here is the full header:

    Code:
    Content-Type: multipart/report; report-type=delivery-status; boundary=1466770286-eximdsn-1804289383
    Auto-Submitted: auto-replied
    Mime-Version: 1.0
    Envelope-To: robert@domain.com
    Return-Path: <>
    Delivery-Date: Fri, 24 Jun 2016 06:11:27 -0600
    Message-Id: <E1bGPxG-00083t-Rz@server.domain.com>
    X-Failed-Recipients: robert@domain.com
    Received: from mailnull by server.domain.com with local (Exim 4.87) id 1bGPxG-00083t-Rz for robert@domain.com; Fri, 24 Jun 2016 06:11:26 -0600
    Mail delivery failed: returning message to sender
    
    I can tail the main exim log for things happening in the moment, but I'm unsure how to find a transaction that happened several hours ago. Can I use the Mail Delivery Reports feature in WHM to find what you are looking for?

    Thank you!!
     
    #6 NestMan, Jun 24, 2016
    Last edited: Jun 24, 2016
  6. cPanelMichael

    You can search for a message via the command line with a command such as:

    Code:
    exigrep MSGID /var/log/exim_mainlog

    Or, through "WHM >> Mail Delivery Reports". This option is documented at:

    Mail Delivery Reports - Documentation - cPanel Documentation

    Thank you.
     
  7. NestMan

    Message-Id: <E1bGPxG-00083t-Rz@server.domain.com>

    Then I did the following at the prompt:

    Code:
    exigrep E1bGPxG-00083t-Rz /var/log/exim_mainlog

    A few seconds later the prompt returned; apparently nothing happened. Did I do this right? By the way, what exactly should I be looking for? Will this solve the problem as to why spammers can send email and make it look like it came from my own POP account?


    Thanks!
     
  8. 24x7server

    24x7server Well-Known Member

    Hello :),

    Can you please try to check your old exim_mainlog files, which are stored in the /var/log directory?
     
  9. NestMan

    Didn't you read what I said above?
     
  10. cPanelMichael

    Hello,

    You can search for the email address as well. For example:

    Code:
    exigrep user@domain /var/log/exim_mainlog*

    You are checking to see if the message came from your system, or if it was spoofed and the remote server did not have SPF checking enabled. You may also find this thread helpful if you want to verify the messages aren't coming from a PHP script:

    Find scripts responsible for sending out spam

    Thank you.
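
Added example, not part of the thread: the Received line in the posted bounce shows that Exim's queue ID is the Message-Id without the leading "E", and a bounce's arrival line carries an R= reference to the message that caused it. The sketch below follows that chain, then classifies every arrival claiming the address as remote and unauthenticated (a spoofed From), an authenticated login, or a local submission; the log lines are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): trace a bounce back to its origin.
# Log lines are constructed; field names (H=, U=, P=, A=, R=) are Exim's.

sample_log() {
cat <<'EOF'
2016-06-24 06:11:20 1bGPxA-00083a-Ab <= robert@domain.example H=(mail.remote.example) [203.0.113.7]:51234 P=esmtp S=2345 T="re: A=dovecot_login invoice" for robert@domain.example
2016-06-24 06:11:26 1bGPxG-00083t-Rz <= <> R=1bGPxA-00083a-Ab U=mailnull P=local S=3456 T="Mail delivery failed: returning message to sender" for robert@domain.example
2016-06-24 07:00:01 1bGQiB-0001aB-Cd <= robert@domain.example H=(laptop) [198.51.100.9]:40000 P=esmtpsa A=dovecot_login:robert@domain.example S=900 T="hello" for someone@other.example
2016-06-24 07:05:00 1bGQnA-0002bC-De <= robert@domain.example U=robert P=local S=700 T="form mail" for a@other.example
EOF
}

# Message-Id header of an Exim-generated bounce -> Exim queue ID
# (drops the leading "<E" and the trailing "@host>").
exim_id_from_header() {
    printf '%s\n' "$1" | sed -e 's/^<//' -e 's/@.*$//' -e 's/^E//'
}

# Reads the log on stdin; prints the ID of the message that caused bounce $1.
bounce_parent() {
    awk -v id="$1" '$3 == id && $4 == "<=" {
        for (i = 5; i <= NF; i++) if ($i ~ /^R=/) { print substr($i, 3); exit }
    }'
}

# Reads the log on stdin; prints "ID origin" for every arrival claiming sender $1.
classify_arrivals() {
    awk -v addr="$1" '$4 == "<=" && $5 == addr {
        origin = "remote-unauthenticated"   # the sender address is only a claim
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^(S|T)=/) break        # stop before the sender-controlled subject
            if ($i ~ /^A=/) origin = "authenticated-login"        # account credentials used
            else if ($i == "P=local") origin = "local-submission" # script or cron on this host
        }
        print $3, origin
    }'
}

bounce=$(exim_id_from_header '<E1bGPxG-00083t-Rz@server.domain.com>')
sample_log | bounce_parent "$bounce"
sample_log | classify_arrivals robert@domain.example
```

On a live server, replace `sample_log` with the real logs, for example `zcat -f /var/log/exim_mainlog* | classify_arrivals user@domain`.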
     