Spam email sent and signed by my domain

Andrew Forbes

cPanel Access Level
Root Administrator
Hi,

I have an addon domain set up on my server (myaddondomain.com.au - it's parked, it redirects to my main domain), but spam that arrives at [email protected] is usually (not always) labelled as sent 'via myaddondomain.com.au', and signed by this domain. I've had a look at the headers for some of these spam emails, and the spam is passing DKIM with the default key for my addon domain (although it's failing SPF (with my server's IP address)).

Is this something I should be worried about? Spam arriving being signed by my domain? Does this mean my server's been hacked somehow?

I've reset my email account passwords, but it hasn't stopped the DKIM passing.
 

Andrew Forbes

cPanel Access Level
Root Administrator
Hi Lauren,

I have an email forwarder set to my Gmail account, so I can see the headers in the Gmail interface. Or do you mean I should paste the header information here in this thread?

Any ideas on what's happening, or if it should be a concern? My first thought was that I've been hacked, but there's only a small amount of spam coming in (5 a day or so), and I haven't found thousands of emails going out to lists anywhere in the WHM mail delivery report. I've got all the default WHM mail security options in place, an hourly domain mail limit of 100, but the level of spam is much lower than that.

My other thought was that it's because I'm forwarding my email to Gmail. But not all the spam is sent via my domain and signed, only about half of it is.

Thanks.
 

cPanelLauren

Product Owner
Staff member
Can you please open a ticket using the link in my signature? Once open, please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!
 

cPanelLauren

Product Owner
Staff member
Hello @Andrew Forbes


I just checked in on the ticket you opened and it appears that they found the email in question here was being forwarded by your server to Gmail - this would allow for the DKIM checking to be successful. They were also able to provide an email transaction that justified this as well.

I do have further advice though: rather than forward email from your email to Gmail, you may want to look at using Gmail's POP3/IMAP client functionality. This way mail is received there in the same manner it would be in a mail client, and you won't have to deal with any potential issues with spam being forwarded causing mail from your server to be rate-limited. Gmail has a walkthrough on how to set this up here: Check emails from other accounts - Computer - Gmail Help


Thanks!
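Added example, not part of the thread and not cPanel's own tooling: a Python header triage for the situation resolved above, telling inbound spam that the server signed while forwarding (DKIM pass for the forwarding domain, SPF fail) apart from mail that originated on the server. The sample headers, hostnames, IP addresses and the `ip_of`/`triage` names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample headers (not from the thread); hosts and IPs are documentation values.
SAMPLE = """\
Received: from server.example.net (server.example.net [192.0.2.10])
 by mx.receiver.example with ESMTPS; Wed, 14 Nov 2018 10:00:05 +1100
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@myaddondomain.com.au header.s=default;
 spf=fail smtp.mailfrom=bulk@spammer.example
Received: from mail.spammer.example ([198.51.100.77])
 by server.example.net with esmtp (Exim)
 for <info@myaddondomain.com.au>; Wed, 14 Nov 2018 10:00:01 +1100
From: bulk@spammer.example
Subject: constructed sample

body
"""

def ip_of(hop):
    m = re.search(r"from .*?\[([0-9a-fA-F.:]+)\]", hop)
    return m.group(1) if m else None

def triage(raw, my_domain, my_server_ip):
    """Classify a message the receiver reports as DKIM-signed by my_domain."""
    msg = message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    dkim = re.search(r"dkim=(\w+)\s+header\.[id]=@?([\w.-]+)", auth)
    spf = re.search(r"spf=(\w+)", auth)
    if not dkim or dkim.group(1) != "pass" or dkim.group(2).lower() != my_domain:
        return "not-signed-by-us"
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    # Find the hop where the receiver accepted the message from our IP; the
    # header just below it was written by our server. Anything lower is sender-controlled.
    idx = next((i for i, h in enumerate(hops) if ip_of(h) == my_server_ip), None)
    if idx is None:
        return "not-relayed-by-our-ip"
    ours = hops[idx + 1] if idx + 1 < len(hops) else ""
    rcpt = re.search(r"for <?[^@\s]+@([\w.-]+)>?", ours)
    outside = ip_of(ours) not in (None, my_server_ip, "127.0.0.1", "::1")
    if outside and rcpt and rcpt.group(1).lower() == my_domain:
        # Inbound mail relayed onward: signed on the way out, and SPF fails
        # because our IP is not in the original sender's SPF record.
        return "forwarded-inbound (spf=%s)" % (spf.group(1) if spf else "none")
    return "originated-on-server: check for a compromised account or script"

if __name__ == "__main__":
    print(triage(SAMPLE, "myaddondomain.com.au", "192.0.2.10"))
```
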