Spam originated from fake email accounts into my server

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,544
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter
Hi, I have an account hosted, that is originating spam from random fake email accounts that don't exist on the server, such as:

[email protected]
[email protected]
[email protected]

How can I solve this issue?

Thanks for your help.
To determine possible solutions one must know where the messages originate from. Do you have the e-mail headers available, including e-mail headers of a bounce message? The full e-mail headers should offer some clues to help proceed further.

For the affected domain:
1.) What is the default address set as in cPanel?
2.) Are SPF and DomainKeys enabled in cPanel?
 

AndesHelp

Member
Nov 5, 2009
8
0
51
Email User names

> To determine possible solutions one must know where the messages originate from. Do you have the e-mail headers available, including e-mail headers of a bounce message? The full e-mail headers should offer some clues to help proceed further.

Why would we care about where the emails originated from, if we could just block, or delete, them? :confused:

I have just started fighting a battle over emails like this. My hosting IP address has been put on a Blacklist I didn't even know existed. And, no one can tell me why, other than my IP "might" be involved in sending emails that are 'similar' to SPAM, according to senderscore.org. Who, apparently, can't even tell me why I am on their robber-baron blacklist.

Isn't there a way to block invalid/fake email addresses from being sent, or received? That has been an enormous headache of mine for years. Why can't we block all invalid email addresses from being received or sent by our servers? :cool:

Thanks
 

cPanelDon

> Why would we care about where the emails originated from, if we could just block, or delete, them? :confused:
>
> I have just started fighting a battle over emails like this. My hosting IP address has been put on a Blacklist I didn't even know existed. And, no one can tell me why, other than my IP "might" be involved in sending emails that are 'similar' to SPAM, according to senderscore.org. Who, apparently, can't even tell me why I am on their robber-baron blacklist.
>
> Isn't there a way to block invalid/fake email addresses from being sent, or received? That has been an enormous headache of mine for years. Why can't we block all invalid email addresses from being received or sent by our servers? :cool:
>
> Thanks

The issue is that the Spam e-mails may have never originated from the system that actually hosts the domain. A spammer can easily spoof e-mail addresses, and it is useful to determine if the messages were either spoofed or if they were actually sent from the server hosting the domain that was spoofed; using e-mail headers is a critical source of information when comparing the message IDs and other headers to what is logged by your mail server. If the default address is used as a catch-all this can lead to increased Spam because all addresses are accepted, regardless of whether they are spoofed. SPF is at least one countermeasure in defending against a Spammer sending spoofed e-mails by having a DNS record (for SPF) that can define the valid addresses that may send e-mail on behalf of the domain; however, whether or not this is enforced depends on the system that receives the original (i.e., spoofed) messages that end up being bounced back to the system that actually hosts the domain name.
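The comparison described above (the message id in a bounced message's Received line against what the local Exim log recorded) can be scripted. The following is an added example written for this page, not cPanel tooling and not anything the posters ran: it reads the original headers that a bounce quotes back to the domain owner, extracts any Exim message id the Received chain attributes to our own host, and looks that id up in our exim_mainlog. The hostname `host.example.com`, the ids, the addresses and the log lines are all constructed.

```python
"""Check whether a bounced message really passed through this server.

Added example, not code from the thread: given the original headers that a
bounce quotes back to the domain owner, pull out any Exim message id that the
Received chain attributes to OUR host and look for it in our exim_mainlog.
An id our log never saw means the Received line was forged; an id that
arrived with P=local means a local account or script injected the mail.
Host names, ids, addresses and log lines below are constructed.
"""
import re
from email import message_from_string

OUR_HOSTNAME = "host.example.com"  # assumption: the server hosting the domain

# Exim ids are three base-62 groups, e.g. 1NSsaA-0007Cr-50.
EXIM_ID = re.compile(r"\bid\s+([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})\b")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def claimed_local_ids(raw_headers):
    """Exim ids that the Received chain claims were assigned by OUR host."""
    msg = message_from_string(raw_headers)
    ids = []
    for received in msg.get_all("Received", []):
        flat = " ".join(str(received).split())  # unfold the header
        by, mid = BY_HOST.search(flat), EXIM_ID.search(flat)
        if by and mid and by.group(1).lower() == OUR_HOSTNAME:
            ids.append(mid.group(1))
    return ids


def arrival_lines(log_lines):
    """Map Exim id -> the '<=' (message arrived) line in our mainlog."""
    arrivals = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) > 3 and parts[3] == "<=":
            arrivals[parts[2]] = line
    return arrivals


def classify_bounce(raw_headers, log_lines):
    ids = claimed_local_ids(raw_headers)
    if not ids:
        return "never-touched-our-host"   # spoofed elsewhere; only the bounce reached us
    arrivals = arrival_lines(log_lines)
    for exim_id in ids:
        line = arrivals.get(exim_id)
        if line is None:
            return "forged-local-hop"      # a Received line names us, but we never logged it
        if " P=local" in line or "[127.0.0.1]" in line:
            return "injected-locally"      # find the user/script via U= or the helo in the log
    return "accepted-from-remote"          # we received it from outside; we did not send it


# Constructed exim_mainlog excerpt (shape of Exim 4 '<=' arrival lines).
LOG = [
    "2010-01-07 08:39:03 1NSsaA-0007Cr-50 <= sales@client.example.com H=([203.0.113.23]) [198.51.100.22] P=esmtp S=2137",
    "2010-01-07 09:02:11 1NStZZ-0001Aa-Qx <= www-data@host.example.com U=www-data P=local S=812",
]

# Constructed quoted-original headers, modelled on the dumps in this thread.
SPOOFED_INBOUND = """Return-path: <sales@client.example.com>
Received: from [198.51.100.22] (helo=[203.0.113.23])
\tby host.example.com with esmtp (Exim 4.69)
\t(envelope-from <sales@client.example.com>)
\tid 1NSsaA-0007Cr-50
\tfor someone@client.example.com; Thu, 07 Jan 2010 08:39:03 -0500
From: Best Supplier <sales@client.example.com>
Subject: 80% OFF
"""

LOCAL_SCRIPT = """Received: from www-data by host.example.com with local (Exim 4.69)
\tid 1NStZZ-0001Aa-Qx
\tfor victim@example.net; Thu, 07 Jan 2010 09:02:11 -0500
From: sales@client.example.com
Subject: 80% OFF
"""

FORGED_HOP = """Received: from [198.51.100.22] by host.example.com with esmtp (Exim 4.69)
\tid 1NSzzz-000000-00
\tfor victim@example.net; Thu, 07 Jan 2010 10:00:00 -0500
From: sales@client.example.com
"""

if __name__ == "__main__":
    for label, sample in [("spoofed", SPOOFED_INBOUND), ("local", LOCAL_SCRIPT), ("forged", FORGED_HOP)]:
        print(label, "->", classify_bounce(sample, LOG))
```

Only the `injected-locally` verdict points at a problem on the server itself; `accepted-from-remote` and `never-touched-our-host` are the spoofing case the reply above describes, where the fix is SPF plus a non-catch-all default address rather than anything on the sending side.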
 

AndesHelp

SPAM Explanation

Thanks for the explanation of how most SPAM emails are created. :)

Now, how do I protect my IP from being blacklisted? And, how do I fix the problem?

Thanks
 

cPanelDon

> Thanks for the explanation of how most SPAM emails are created. :)
>
> Now, how do I protect my IP from being blacklisted? And, how do I fix the problem?
>
> Thanks

To protect from being blacklisted and fix the problem you'll need to know what method was used to send the Spam, and apply system administration policies to act upon that behavior. Checking the mail headers of a bounced Spam message should help, or you may also ask the blacklist maintainer if they can provide you with this information.

I recommend searching the forums to see how others have applied security measures; the following area may be of interest as it directly applies to security: cPanel and WHM Security - cPanel Forums
 

AndesHelp

Blacklist robber-barons senderscore.org

Thanks,

I could not obtain a copy of any of the accused SPAM emails. So, I can't post any relevant information. Thank you for trying to help.

I am just spinning my wheels and not getting anywhere with senderscore.org or comcast support, who subscribes to senderscore.org.

I have been unable to obtain any information on which Domain email(s) are responsible for the blacklisting. So, I could not get a copy of the emails being accused of SPAMMING. After hours of searching, emailing and on the phone the only answers were "We don't know.", "Just request to be removed.", or "Purchase our product to keep from being blacklisted again.".

As the Host Provider I am really concerned because senderscore.org, like some of the other black list organizations, can put my IP on a blacklist and they do not have to tell me why, or what caused them to do so. Their answer is a "Generic" web page which starts by saying "There are many reasons for email to be considered SPAM. It might have looked similar to SPAM messages etc..."

I could not find out which email(s) were targeted by senderscore.org. I could not even find out when they happened. They only wanted me to purchase software from their (illicit?) parent company ReturnPath.net. This is a sales tactic used many times before. I believe the Laws refer to it as Extortion. And, others call it "Protection".

That is why I now classify Blacklist Organizations as Robber-Barons. They only tell you generic information, so they can continue blacklisting you, until you purchase their software. :mad:

Thanks
 

Infopro

Well-Known Member
May 20, 2003
17,076
521
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter

AndesHelp

Header information from spoofed Sender Addresses

Thanks Infopro. I believe I tried to set up :fail: a couple of times before and only ended up trashing my email server. I'm just a lowly MS Geek who is trying to relearn Unix and Linux. My limited abilities have me relying on GUIs for the most part.

Anyway, I have just gotten some SPAM emails with Spoofed Sender addresses. And, one of them is mine. So, how do I use this Header Info to track down and block this Cursed SPAMMER?

The first one listed has one of my clients' emails set as the Return-path: <[email protected]>. Maybe this is one of the contributing factors to my getting put on the blacklist.

Code:
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Thu, 07 Jan 2010 08:39:03 -0500
Received: from [198.111.71.22] (helo=[207.74.115.23])
by host.andeshelp.com with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1NSsaA-0007Cr-50
for [email protected]; Thu, 07 Jan 2010 08:39:03 -0500
Received: from (unknown [10.22.30.91]) by gisdsmtp1.gennet.us with smtp
id 3168_2286ce3e_fb87_11de_8f1b_00188b314385;
Thu, 07 Jan 2010 07:21:09 -0500
From: VIAGRA (c) Best Supplier <[email protected]>
To: [email protected]
Subject: Visitor info's personal 80% OFF
MIME-Version: 1.0
Content-Type: text/HTML;
charset="utf-8"
Content-Transfer-Encoding: base64
X-NAIMIME-Disclaimer: 1
X-NAIMIME-Modified: 1
X-Spam-Status: No, score=3.2
X-Spam-Score: 32
X-Spam-Bar: +++
X-Spam-Flag: NO

************************************************

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Tue, 05 Jan 2010 10:38:10 -0500
Received: from ip-88-152-28-133.unitymediagroup.de ([88.152.28.133] helo=unitymediagroup.de)
by host.andeshelp.com with esmtps (TLSv1:RC4-MD5:128)
(Exim 4.69)
(envelope-from <[email protected]>)
id 1NSBUJ-000254-19
for [email protected]; Tue, 05 Jan 2010 10:38:10 -0500
From: VIAGRA (c) Best Supplier <[email protected]>
To: [email protected]
Subject: Visitor info's personal 80% OFF
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=3.9
X-Spam-Score: 39
X-Spam-Bar: +++
X-Spam-Flag: NO

*************************************************

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 06 Jan 2010 12:37:21 -0500
Received: from mx.cslucas.com.br ([200.160.111.39] helo=cslucas.com.br)
by host.andeshelp.com with esmtps (TLSv1:RC4-MD5:128)
(Exim 4.69)
(envelope-from <[email protected]>)
id 1NSZpE-0007nM-7W
for [email protected]; Wed, 06 Jan 2010 12:37:21 -0500
From: VIAGRA (c) Best Supplier <[email protected]>
To: [email protected]
Subject: Visitor info's personal 80% OFF
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=3.1
X-Spam-Score: 31
X-Spam-Bar: +++
X-Spam-Flag: NO

*************************************************

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Mon, 04 Jan 2010 20:50:11 -0500
Received: from [74.92.19.93] (helo=cranneycompanies.com)
by host.andeshelp.com with esmtps (TLSv1:AES128-SHA:128)
(Exim 4.69)
(envelope-from <[email protected]>)
id 1NRyZ2-0002Z6-UB
for [email protected]; Mon, 04 Jan 2010 20:50:11 -0500
From: VIAGRA (c) Best Supplier <[email protected]>
To: [email protected]
Subject: Visitor info's personal 80% OFF
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=1.1
X-Spam-Score: 11
X-Spam-Bar: +
Thanks
 

Infopro

> Thanks Infopro. I believe I tried to set up :fail: a couple of times before and only ended up trashing my email server. I'm just a lowly MS Geek who is trying to relearn Unix and Linux. My limited abilities have me relying on GUIs for the most part.
>
> Thanks

You're in luck then, cPanel has got you covered. :)

Log in to your cPanel account, click the icon titled Default Address. Next page select the domain on the drop down list, tick Discard with error and add this: No Such User Here

Next, go to WHM, Tweak Settings, Mail section and find this:

Default catch-all/default address behavior for new accounts. "fail" is usually the best choice if you are getting mail attacks.
Select fail, and save.

Nothing to trash here.

GL!
 

AndesHelp

Thanks. I found the WHM setting easy enough. That should help.

> Log in to your cPanel account, click the icon titled Default Address. Next page select the domain on the drop down list, tick Discard with error and add this: No Such User Here

I found 'Default Address' under the 'Mail' Icon in cPanel. This is what it showed for 'Default Address Maintenance'.
Default Address Maintenance

Send all unrouted e-mail for: healingthebody.net to:

Hint: You can enter :blackhole: to discard all incoming unrouted mail or :fail: no such address here to bounce it.
If you wish to send to multiple address, please separate them with a comma (,)
I changed it to:
Default Address Maintenance

Send all unrouted e-mail for: healingthebody.net to: :fail: no such address here

Hint: You can enter :blackhole: to discard all incoming unrouted mail or :fail: no such address here to bounce it.
If you wish to send to multiple address, please separate them with a comma (,)
I hope that was the right setting. If so, then I will go to each of my clients' cPanels and set them up with the same settings. I am a little concerned because it says that :fail: will 'bounce' the message. Some time ago, message bouncing got me put onto another blacklist for 'back scatter'.

Thanks
 

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
> Isn't there a way to block invalid/fake email addresses from being sent, or received? That has been an enormous headache of mine for years. Why can't we block all invalid email addresses from being received or sent by our servers? :cool:

Unfortunately, such blocking is still technically very hard although Sender-Verify is used to try to prevent it, and Domain Keys (hardly ever used) and SPF (more common) help a lot. This is also called a "joe job" so you can Google for that if you need help.

The other preventive tip for this is to make sure people on your server don't list their email addresses on their webpages in plain text. On average, Project Honeypot (think that's their name) said that each time an email address is harvested from a webpage you get 800 spam messages to that email address.

> Now, how do I protect my IP from being blacklisted? And, how do I fix the problem?
>
> Thanks

You haven't told us the blacklist you're on, as the criteria vary widely, and the solution would also vary widely. However, as far as I know, there are almost no blacklists that will add you for spam sent by other people; you are usually only added when your server is actually sending the spam. There's lots of info around on how to secure your server from sending spam - in summary: SMTP tweak, per-user hourly mail limits, and install something like CSF.

The other thing that will help enormously if you're in hosting for the long term is to get the server hardened by an expert. Just like it takes years to become proficient at MS admin for servers, it takes some time to get proficient at admin on Unix servers, and getting your server hardened by someone knowledgeable will give you a nice leg-up and save you a lot of time and grief. The Configserver people mentioned previously (CSF) do that service, and Infopro who helped above may also do that (and is well known and trustworthy).
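SPF comes up in both brianoz's reply and cPanelDon's earlier one, with the same caveat: the record only helps if the receiving site looks it up and acts on the result. The following added example (written for this page; not cPanel's code, not Exim's, and not anything the posters ran) is a small evaluator that does what a receiving MTA does with a sender's SPF record. DNS is replaced by a constructed in-memory table so it runs offline; `example.com`, `_spf.partner.test`, `mail.example.com` and every IP address are made up. It goes a little beyond the thread by also handling `include:` and the softfail/neutral qualifiers.

```python
"""Minimal SPF evaluator: what a receiving MTA does with the sender's record.

Added example, not code from the thread or from cPanel.  A domain publishes
"v=spf1 ..." in DNS; the RECEIVING server matches the connecting IP against
the record's mechanisms and the trailing 'all' term decides the verdict.
Publishing the record does nothing on its own: the receiver must look it up
and act on 'fail'.  DNS is replaced by a constructed in-memory table so the
code runs offline; example.com, the partner domain and all IPs are made up.
Supported terms: ip4, ip6, a, include, all (mx/ptr/exists need real DNS
and are treated here as non-matching).
"""
import ipaddress

# Constructed stand-in for DNS lookups (TXT for SPF, A for 'a:' mechanisms).
FAKE_DNS = {
    "TXT": {
        "example.com": "v=spf1 ip4:203.0.113.0/24 a:mail.example.com "
                       "include:_spf.partner.test -all",
        "_spf.partner.test": "v=spf1 ip4:198.51.100.10 ~all",
    },
    "A": {"mail.example.com": ["192.0.2.25"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns=FAKE_DNS, depth=0):
    """Return pass / fail / softfail / neutral / none for a connecting IP
    and the MAIL FROM domain (the Return-path domain a spammer forged)."""
    if depth > 10:                       # RFC 7208 caps DNS-querying terms
        return "permerror"
    record = dns["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # no policy: receiver cannot reject on SPF
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hosts = dns["A"].get(arg or domain, [])
            matched = any(addr == ipaddress.ip_address(h) for h in hosts)
        elif name == "include":          # matches only if the included record passes
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        else:
            matched = False              # mx/ptr/exists/modifiers: not resolvable offline
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # ran off the end with no 'all' term


def receiver_decision(ip, mail_from_domain, enforce_fail=True):
    """The part that is up to the RECEIVER: even a hard 'fail' only protects the
    spoofed domain if the receiving site chooses to reject on it."""
    verdict = check_spf(ip, mail_from_domain)
    if verdict == "fail" and enforce_fail:
        return "reject"
    return "accept"    # softfail/neutral/none, or a receiver that ignores SPF


if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.25", "198.51.100.10", "198.51.100.99"):
        print(ip, check_spf(ip, "example.com"), receiver_decision(ip, "example.com"))
```

The `receiver_decision` function is the point of the caveat: with `enforce_fail=False` the forged message is accepted and, if it later bounces, the backscatter lands on the spoofed domain regardless of how strict its record is.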
 

AndesHelp

Blacklist robber-baron senderscore.org

Thanks brianoz for the information.

> You haven't told us the blacklist you're on, as the criteria vary widely, and the solution would also vary widely.

It was SenderScore.org, owned by ReturnPath.net.

They will not tell you why they blacklisted you. They will only show you a web page with a Generic message. It starts with "There are many reasons why your IP may be listed. Your IP may have sent emails similar to SPAM messages. etc..."

I came to this Forum searching for answers and recommendations. After spending many hours on the phone with Comcast, who started blocking our emails and subscribes to the SenderScore.org blacklist. They had no answer or recommendation.

I tried for a few days to get an answer from SenderScore.org and ReturnPath.net to find out why my IP was blacklisted.

I could never find any way to contact them, unless I wanted to purchase their software, to keep from being blacklisted by them again. Their business philosophy seems to be "We can put you on a blacklist any time we want and we don't have to tell you why. You can't even bother us with an email. Just buy our product to keep from being blacklisted again."

Thanks
 

tangowebs

Well-Known Member
Oct 12, 2004
93
0
156
SPAM email injected on server, generated from random email accounts like @yahoo.com. I've enabled headers; this is one of the results


Code:
#################################
1NwQUe-0005q9-IG-H
mailnull 47 12
<>
1269913428 0
-ident mailnull
-received_protocol local
-body_linecount 171
-max_received_linelength 396
-allow_unqualified_recipient
-allow_unqualified_sender
-localerror
XX
1
[email protected]

148P Received: from mailnull by server2.xxxx.com with local (Exim 4.69)
id 1NwQUe-0005q9-IG
for [email protected]; Mon, 29 Mar 2010 22:43:48 -0300
229 X-Failed-Recipients: [email protected],
[email protected],
[email protected],
[email protected],
[email protected],
[email protected],
[email protected],
[email protected]
029 Auto-Submitted: auto-replied
066F From: Mail Delivery System <[email protected]>
020T To: [email protected]
059 Subject: Mail delivery failed: returning message to sender
055I Message-Id: <[email protected]>
038 Date: Mon, 29 Mar 2010 22:43:48 -0300


Another one:
#################################
1NwQLn-0004iy-6n-H
mailnull 47 12
<[email protected]>
1269912879 0
-helo_name 174.132.180.130
-host_address 127.0.0.1.38005
-host_name localhost
-interface_address 127.0.0.1.25
-received_protocol esmtp
-body_linecount 107
-max_received_linelength 979
YY [email protected]
YY [email protected]
YY [email protected]
YY [email protected]
YY [email protected]
YY [email protected]
NN [email protected]
YN [email protected]
NN [email protected]
YY [email protected]
NN [email protected]
NN [email protected]
YY [email protected]
YY [email protected]
NN [email protected]
YY [email protected]
NN [email protected]
NN [email protected]
YN [email protected]
NN [email protected]
YY [email protected]
YY [email protected]
NN [email protected]
YY [email protected]
NN [email protected]
NN [email protected]
YY [email protected]
YY [email protected]
NN [email protected]
NN [email protected]
YY [email protected]
NN [email protected]
NN [email protected]
YY [email protected]
YY [email protected]
YY [email protected]
NN [email protected]
YY [email protected]
NN [email protected]
NN [email protected]
YY [email protected]
NN [email protected]
NN [email protected]
YY [email protected]
YY [email protected]
NN [email protected]
YN [email protected]
NN [email protected]
YY [email protected]
NY [email protected]
NN [email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]earthlink.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

199P Received: from localhost ([127.0.0.1] helo=174.132.180.130)
by server2.xxxxx.com with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1NwQLn-0004iy-6n; Mon, 29 Mar 2010 22:34:39 -0300
038 Date: Mon, 29 Mar 2010 22:34:39 -0300
1090T To: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected],
[email protected], [email protected], [email protected], [email protected], [email protected]
034F From: Root User <[email protected]>
026R Reply-To: [email protected]
024S Sender: [email protected]
046 Subject: Body-Building in clinic (best price)
063I Message-ID: <[email protected] 0>
014 X-Priority: 3
026 X-MSMail-Priority: Normal
017 X-Mailer: PhpBB3
018 X-MimeOLE: phpBB3
047 X-phpBB-Origin: phpbb://serverip/forums
048 X-AntiAbuse: Board servername - serverip
028 X-AntiAbuse: User_id - 8815
038 X-AntiAbuse: Username - Administrator
039 X-AntiAbuse: User IP - serverip
018 MIME-Version: 1.0
082 Content-Type: multipart/alternative;
boundary="795f8e1432ae4a4f41bc1719fc6e1767"
014 X-ACL-Warn: {
094 X-server2.xxxxx.com-MailScanner-Information: Please contact the ISP for more information
058 X-server2.xxxxx.com-MailScanner-ID: 1NwQLn-0004iy-6n
116 X-server2.xxxxx.com-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details
049 X-server2.xxxxx.com-MailScanner-SpamCheck: 
059 X-server2.xxxxx.com-MailScanner-From: [email protected]
018 X-Spam-Status: No
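The two dumps above are Exim spool header files (the `-H` file Exim keeps for each queued message), and the fields that matter for triage are near the top: the submitting login, the envelope sender (`<>` for a bounce), `-received_protocol`, `-host_address`, and then the headers. The following is an added example written for this page, not cPanel's or Exim's code and not something the poster ran: a parser for that layout plus a small triage function that labels how a message entered the server. The two sample files are constructed to mirror the dumps above (a null-sender bounce generated locally, and a message accepted over SMTP from 127.0.0.1 carrying `X-Mailer: PhpBB3`); `server2.example.com`, the addresses and the IPs are made up, and the description of the file layout is my reading of the Exim 4 format.

```python
"""Triage an Exim spool header file (a *-H file like the two dumps above).

Added example, not code from the thread or from cPanel.  Exim keeps one *-H
file per queued message: message id; submitting login, uid, gid; envelope
sender in <> (empty for a bounce); arrival time and warning count; '-option'
lines; the non-recipients tree (XX when empty); recipient count and list; a
blank line; then headers, each prefixed with its byte length and a flag
(P=Received, F=From, T=To, I=Message-ID, R=Reply-To, S=Sender, space=other).
The parser skips the length prefix and recovers what an admin needs to say
HOW the message entered the server.  Both sample files are constructed to
mirror the dumps above; hosts and addresses are made up.
"""
import re

HEADER_LINE = re.compile(r"^(\d{3,})([A-Z*]?)\s+(\S.*)$")
TREE_LINE = re.compile(r"^[XYN]{2}( |$)")


def parse_spool_header(text):
    lines = text.splitlines()
    info = {
        "id": lines[0][:-2],                       # drop the trailing '-H'
        "login": lines[1].split()[0],              # account that submitted it
        "sender": lines[2].strip().strip("<>"),    # '' = null sender (bounce)
        "options": {},
        "headers": [],                             # [flag, 'Name: value'] pairs
    }
    i = 4
    while lines[i].startswith("-"):
        key, _, value = lines[i][1:].partition(" ")
        info["options"][key] = value
        i += 1
    while TREE_LINE.match(lines[i]):               # skip the non-recipients tree
        i += 1
    count = int(lines[i])
    info["recipients"] = [lines[i + 1 + n].split()[0] for n in range(count)]
    for line in lines[i + 1 + count:]:
        m = HEADER_LINE.match(line)
        if m:
            info["headers"].append([m.group(2), m.group(3)])
        elif info["headers"] and line.strip():
            info["headers"][-1][1] += " " + line.strip()   # folded continuation
    return info


def triage(info):
    """Label the injection path; each label says where to look next."""
    opts, hdrs = info["options"], {}
    for _flag, hv in info["headers"]:
        name, _, value = hv.partition(":")
        hdrs.setdefault(name.strip().lower(), value.strip())
    host = opts.get("host_address", "")            # Exim writes ip.port
    if info["sender"] == "" and "localerror" in opts:
        return "bounce-generated-here"             # DSN to a forged sender: backscatter
    if opts.get("received_protocol") == "local":
        return "injected-by-local-user:" + info["login"]   # sendmail/pipe submission
    if host.startswith("127.0.0.1.") or host.startswith("::1."):
        app = hdrs.get("x-mailer") or hdrs.get("x-phpbb-origin") or "unknown"
        return "submitted-via-loopback:" + app     # a local web app spoke SMTP to itself
    return "received-from-remote:" + host.rsplit(".", 1)[0]


# Constructed sample: message accepted over SMTP from the loopback interface.
WEBAPP_H = """1NwQLn-0004iy-6n-H
mailnull 47 12
<root@server2.example.com>
1269912879 0
-helo_name 192.0.2.10
-host_address 127.0.0.1.38005
-host_name localhost
-interface_address 127.0.0.1.25
-received_protocol esmtp
YN alice@example.net
NN bob@example.org
2
alice@example.net
bob@example.org

199P Received: from localhost ([127.0.0.1] helo=192.0.2.10)
\tby server2.example.com with esmtp (Exim 4.69)
\t(envelope-from <root@server2.example.com>)
\tid 1NwQLn-0004iy-6n; Mon, 29 Mar 2010 22:34:39 -0300
034F From: Root User <root@server2.example.com>
017  X-Mailer: PhpBB3
047  X-phpBB-Origin: phpbb://serverip/forums
"""

# Constructed sample: bounce Exim itself generated for an undeliverable address.
BOUNCE_H = """1NwQUe-0005q9-IG-H
mailnull 47 12
<>
1269913428 0
-ident mailnull
-received_protocol local
-localerror
XX
1
nobody@example.com

148P Received: from mailnull by server2.example.com with local (Exim 4.69)
\tid 1NwQUe-0005q9-IG
\tfor nobody@example.com; Mon, 29 Mar 2010 22:43:48 -0300
066F From: Mail Delivery System <Mailer-Daemon@server2.example.com>
"""

if __name__ == "__main__":
    for sample in (WEBAPP_H, BOUNCE_H):
        info = parse_spool_header(sample)
        print(info["id"], info["login"], info["recipients"], "->", triage(info))
```

Run over a queue with `for f in /var/spool/exim/input/*-H` (the cPanel spool path is an assumption; check `exim -bP spool_directory`), the `submitted-via-loopback` label is the one that says a web application on the box itself is generating the mail, which is where the per-user limits and application review mentioned earlier in the thread apply; `bounce-generated-here` with a forged sender is the backscatter that a `:fail:` default address at SMTP time is meant to prevent.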
 