Spam email sent and signed by my domain

Discussion in 'E-mail Discussion' started by Andrew Forbes, Jan 10, 2019.

  1. Andrew Forbes

    Andrew Forbes Registered

    Joined:
    Nov 14, 2018
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Melbourne
    cPanel Access Level:
    Root Administrator
    Hi,

    I have an addon domain set up on my server (myaddondomain.com.au - it's parked, it redirects to my main domain), but spam that arrives at info@myaddondomain.com.au is usually (not always) labelled as sent 'via myaddondomain.com.au', and signed by this domain. I've had a look at the headers for some of these spam emails, and the spam is passing DKIM with the default key for my addon domain (although it's failing SPF (with my server's IP address)).

    Is this something I should be worried about? Spam arriving being signed by my domain? Does this mean my server's been hacked somehow?

    I've reset my email account passwords, but it hasn't stopped the DKIM passing.
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,710
    Likes Received:
    436
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello @Andrew Forbes


    Interesting that it would pass the DKIM check but not the SPF. How do you know which it passed, do you have the header information?

    Thanks!
     
  3. Andrew Forbes

    Hi Lauren,

    I have an email forwarder set to my Gmail account, so I can see the headers in the Gmail interface. Or do you mean I should paste the header information here in this thread?

    Any ideas on what's happening, or if it should be a concern? My first thought was that I've been hacked, but there's only a small amount of spam coming in (5 a day or so), and I haven't found thousands of emails going out to lists anywhere in the WHM mail delivery report. I've got all the default WHM mail security options in place, an hourly domain mail limit of 100, but the level of spam is much lower than that.

    My other thought was that it's because I'm forwarding my email to Gmail. But not all the spam is sent via my domain and signed, only about half of it is.

    Thanks.
     
  4. cPanelLauren

    Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


    Thanks!
     
  5. Andrew Forbes

    Hi Lauren, done, ticket ID is 11195899

    Thanks for that.
     
  6. cPanelLauren

    Hi @Andrew Forbes

    Great, I am following that ticket and I'll update here with the outcome as soon as information is available.
     
  7. cPanelLauren

    Hello @Andrew Forbes


    I just checked in on the ticket you opened and it appears that they found the email in question here was being forwarded by your server to Gmail - this would allow for the DKIM checking to be successful. They were also able to provide an email transaction that justified this as well.

    I do have further advice, though: rather than forwarding email from your email to Gmail, you may want to look at using Gmail's POP3/IMAP client functionality. This way mail is received there in the same manner it would be in a mail client, and you won't have to deal with any potential issues with spam being forwarded causing mail from your server to be rate-limited. Gmail has a walkthrough on how to set this up here: Check emails from other accounts - Computer - Gmail Help


    Thanks!
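
An added example, not part of the thread and not cPanel's code: a small parser for the Authentication-Results header that Gmail shows, used to tell the forwarding pattern resolved above (DKIM pass for your domain, SPF failing against your own server's IP for a foreign envelope sender) from mail that really left the server as your domain. The header value, sender address, IP and the triage labels are constructed for illustration, and the IP is read from Gmail's SPF comment text, which is an assumption about that comment's wording.

```python
import re

# Constructed sample of the header Gmail adds on receipt. The sender address
# and the IP (RFC 5737 documentation range) are made up for this example.
SAMPLE = (
    "mx.google.com; "
    "dkim=pass header.i=@myaddondomain.com.au header.s=default header.b=AbCdEf12; "
    "spf=fail (google.com: domain of bulk@sender.example does not designate "
    "203.0.113.10 as permitted sender) smtp.mailfrom=bulk@sender.example"
)

def parse_auth_results(value):
    """Split one Authentication-Results value into a list of per-method dicts."""
    results = []
    for clause in value.split(";")[1:]:  # element 0 is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if not m:
            continue
        comment = " ".join(re.findall(r"\(([^)]*)\)", clause))
        rest = re.sub(r"\([^)]*\)", " ", clause[m.end():])  # properties only
        props = dict(re.findall(r"([\w.-]+)=(\S+)", rest))
        results.append({"method": m.group(1).lower(),
                        "result": m.group(2).lower(), "comment": comment, **props})
    return results

def _domain(value):
    """Domain part of an address or of a DKIM identity such as '@example.org'."""
    return value.rsplit("@", 1)[-1].strip("<>").lower()

def triage(value, my_domain, my_server_ips):
    """Hypothetical triage labels for mail that may carry our DKIM signature."""
    results = parse_auth_results(value)
    ours = any(r["method"] == "dkim" and r["result"] == "pass"
               and _domain(r.get("header.d") or r.get("header.i", "")) == my_domain
               for r in results)
    if not ours:
        return "not-signed-by-us"
    spf = next((r for r in results if r["method"] == "spf"), None)
    if spf is None:
        return "inconclusive"
    sender = _domain(spf.get("smtp.mailfrom", ""))
    ips = set(re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", spf["comment"]))
    if sender == my_domain:
        return "sent-as-us"            # envelope sender is ours: check outbound logs
    if spf["result"] != "pass" and ips & set(my_server_ips):
        return "relayed-by-forwarder"  # foreign sender, delivered from our IP
    return "inconclusive"
```

A "sent-as-us" result is the case worth chasing in the server's mail delivery logs; "relayed-by-forwarder" matches what the ticket found.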
     