The Community Forums


Total Mail Newbie but potentially serious problem

Discussion in 'E-mail Discussions' started by HLFusion, Jan 14, 2007.

  1. HLFusion

    HLFusion Member

    Lately, my root account has had a lot of emails bounced back to it because there was some sort of error. This has gotten really out of control, as I now get about 200-300 new emails a day that I do not recognize as being sent from this server. Here are some examples:

    Code:
    Your message
    
      To:      image-0-465-7.mhtml-1@trust.com
      Subject: Hello from Russia.
      Sent:    Fri, 5 Jan 2007 01:41:01 +0100
    
    did not reach the following recipient(s):
    
    image-0-465-7.mhtml-1@trust.com on Thu, 4 Jan 2007 21:44:22 +0100
        The recipient name is not recognized
    	The MTS-ID of the original message is: c=us;a=
    ;p=aashima;l=NL-010701042044C2AM3SB9
        MSEXCH:IMS:Aashima:NL:NL-01 0 (000C05A6) Unknown Recipient
    
    
    
    
    
    Subject:
    Hello from Russia.
    From:
    Ekaterina <hwyn@core-fusion.net>
    Date:
    Fri, 5 Jan 2007 01:41:01 +0100
    To:
    image-0-465-7.mhtml-1@trust.com
    
    Hello!!!
    
    How are you? My name is Ekaterina. I am 26 years old. I live in Russia,
    city Youshkar-Ola. I am cheerful woman, and like to do many things as
    sport, camping, go to the cinema, theatre etc. In a word I like to do
    all what like all people. I work in marketing structure on sale of
    cosmetics. My dream this travel abroad. I know the english language
    well enough.. I began to study english language approximately one year
    ago. I wish tell to you history which have pushed me write to you. 8
    months ago I have got acquainted with the man from other country by
    name Justin. During this time we had good relations. We have
    understood that our relations become serious and we have decided to
    meet in his country. I wrote the application for reception the visa. I
    waited reception of the visa approximately half of year. All time I
    kept in touch with Justin through the internet and often called to
    each other. I and Justin waited reception of the visa to our meeting.
    I have received the invitation from the ambassador for reception of
    the visa. My director has given me long-term holiday from work and I
    have gone to Moscow to receive the visa. I informed good news to
    Patrick, but he has answered, that does not want our meeting. He
    played with me. He has informed that has the wife with two children
    and at all has no plans to meet me. I was not ready to such turn of
    events. I could not think what even after 8 months of acquaintance he
    can so unscrupulously act with me. Now I am in Moscow trip to Moscow
    and reception of visa. I do not want that all was gone for nothing and
    will be glad if my visa will be useful to our meeting. I could arrive
    already through 4-5 days, but a problem in that that now I have no man
    which would like my arrival. Probable it will silly sound but if you
    will be interested in a meeting with the good woman I shall like to
    meet you sometime soon! As Justin was dishonest with me I have
    decided to find the man which is interested to meet the woman from
    Russia. I do not know your ideas about my letter, but it would be fine
    if we could meet and have some weeks or months together. On my trip I
    want to receive rest from my work and a life in Russia. Also the basic
    purpose for the future it is search good men for serious attitudes
    which go to a marriage. I have no children, but I want to have
    children in the future. I am the mature woman and ready to creation of
    family with good man. I do not know what you really search in the
    future but if we could meet I shall be happy to discuss with you more
    about our meeting. What are you going to do this time? It would be
    fine if we could meet, do friendship or more than simply friendship. I
    shall be happy if you also have a free time and we could meet soon. I
    do not know your interests, but anyhow write to me back and I shall
    tell to you more about myself. Write to me all that you want. Maybe we
    have similar plans and it will be interesting to us together.
    
    You can write all that you want. Ask any questions which interest you.
    Write to me back and I shall tell more about myself and send more my
    photos.
    
    Please, write to me back on my regular e-mail: ekatershi@bk.ru
    Have a good day,
    
    Ekaterina.
    
    That definitely seems like it's mass spam or a virus.

    Here's another:

    Code:
    This report relates to a message you sent with the following header fields:
    
      Return-path: <ctjn@core-fusion.net>
      Received: from tcpinami-daemon.mailrelaypr.smals-mvm.be by
       mailrelaypr.smals-mvm.be (Thiziz_a_mailserver)
       id <0JBD00HA72OLND@mailrelaypr.smals-mvm.be>
       (original mail from ctjn@core-fusion.net); Thu,
       4 Jan 2007 21:38:45 +0100 (CET)
      Received: from mailgateabis.smals-mvm.be (localhost [127.0.0.1])
       by mailrelaypr.smals-mvm.be (Thiziz_a_mailserver)
       with ESMTP id <0JBD00NB52OL20@mailrelaypr.smals-mvm.be> for htaq@inami.be;
       Thu, 04 Jan 2007 21:38:45 +0100 (CET)
      Received: from mailgateabis.smals-mvm.be (localhost.localdomain [127.0.0.1])
       by localhost (Postfix) with SMTP id AD9A377DC676	for <htaq@inami.be>; Thu,
       04 Jan 2007 21:38:50 +0100 (CET)
      Received: from dowragv (unknown [88.241.9.163])	by mailgateabis.smals-mvm.be
       (Postfix) with SMTP id 5287D77DC660	for <htaq@inami.be>; Thu,
       04 Jan 2007 21:38:46 +0100 (CET)
      Received: from ndoe ([138.132.151.80]) by dowragv with Microsoft
       SMTPSVC(5.0.2195.6713); Thu, 04 Jan 2007 22:38:35 +0200
      Date: Thu, 04 Jan 2007 22:38:35 +0200
      From: either <ctjn@core-fusion.net>
      Subject: [Scanned by Extranet - SPAM] BLOWING SNOW ADVISORY HAS BEEN CANCELED
       FOR THOMPSON PASS.
      To: htaq@inami.be
      Message-id: <459D65CB.5010703@core-fusion.net>
      MIME-version: 1.0
      Content-type: multipart/related; boundary=------------070505000604010208000408
      User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
      X-PMX-Spam: Probability=96%
    
    Your message cannot be delivered to the following recipients:
    
      Recipient address: htaq@inami.be
      Reason: Remote SMTP server has rejected address
      Diagnostic code: smtp;550 No such recipient
      Remote system: dns;mail.inami.be (mail.riziv.be GroupWise Internet Agent 7.0.1  Copyright [c] 1993-2006 Novell, Inc.  All rights reserved. Ready)
    
    
    
    
    Reporting-MTA: dns;mailrelaypr.smals-mvm.be (tcpinami-daemon)
    
    Original-recipient: rfc822;htaq@inami.be
    Final-recipient: rfc822;htaq@inami.be
    Action: failed
    Status: 5.0.0 (Remote SMTP server has rejected address)
    Remote-MTA: dns;mail.inami.be
     (mail.riziv.be GroupWise Internet Agent 7.0.1  Copyright [c] 1993-2006 Novell,
     Inc.  All rights reserved. Ready)
    Diagnostic-code: smtp;550 No such recipient
    
    
    
    Return-path: <ctjn@core-fusion.net>
    Received: from tcpinami-daemon.mailrelaypr.smals-mvm.be by
     mailrelaypr.smals-mvm.be (Thiziz_a_mailserver)
     id <0JBD00HA72OLND@mailrelaypr.smals-mvm.be>
     (original mail from ctjn@core-fusion.net); Thu,
     4 Jan 2007 21:38:45 +0100 (CET)
    Received: from mailgateabis.smals-mvm.be (localhost [127.0.0.1])
     by mailrelaypr.smals-mvm.be (Thiziz_a_mailserver)
     with ESMTP id <0JBD00NB52OL20@mailrelaypr.smals-mvm.be> for htaq@inami.be;
     Thu, 04 Jan 2007 21:38:45 +0100 (CET)
    Received: from mailgateabis.smals-mvm.be (localhost.localdomain [127.0.0.1])
     by localhost (Postfix) with SMTP id AD9A377DC676	for <htaq@inami.be>; Thu,
     04 Jan 2007 21:38:50 +0100 (CET)
    Received: from dowragv (unknown [88.241.9.163])	by mailgateabis.smals-mvm.be
     (Postfix) with SMTP id 5287D77DC660	for <htaq@inami.be>; Thu,
     04 Jan 2007 21:38:46 +0100 (CET)
    Received: from ndoe ([138.132.151.80]) by dowragv with Microsoft
     SMTPSVC(5.0.2195.6713); Thu, 04 Jan 2007 22:38:35 +0200
    Date: Thu, 04 Jan 2007 22:38:35 +0200
    From: either <ctjn@core-fusion.net>
    Subject: [Scanned by Extranet - SPAM] BLOWING SNOW ADVISORY HAS BEEN CANCELED
     FOR THOMPSON PASS.
    To: htaq@inami.be
    Message-id: <459D65CB.5010703@core-fusion.net>
    MIME-version: 1.0
    User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
    X-PMX-Spam: Probability=96%
    
    I think almost all of these are just spam, but how do I stop this from happening? Thanks.
     
  2. adept2003

    adept2003 Well-Known Member

    Since your server hostname/IP address doesn't appear in the message headers, it seems safe to assume that the spammer is simply spoofing your email address.

    If you have a "catchall" account, disable it and set messages to bounce. The only emails you should be receiving should be to real email addresses you have set up on your server.

    If you know how to (search the forums), set up an SPF record in your DNS entries. This will help to reduce bounces from organisations that use SPF.

    Incidentally, as a separate issue, your nameservers will do recursive lookups (http://www.dnsreport.com/tools/dnsreport.ch?domain=core-fusion.net) - you should disable this (search the forum for how to do that). :)
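
The header check described in the reply above, as an added example (not code from the thread): it pulls the relay IPs out of the Received chain of the second bounce quoted in the first post and tests them against the addresses your server sends mail from. `MY_SERVER_NETS` is an assumed placeholder and the function names are hypothetical; the sample is a subset of the headers quoted on this page.

```python
import ipaddress
import re
from email import message_from_string

# Subset of the headers from the second bounce quoted in this thread.
BOUNCED_HEADERS = """\
Return-path: <ctjn@core-fusion.net>
Received: from mailgateabis.smals-mvm.be (localhost [127.0.0.1])
 by mailrelaypr.smals-mvm.be (Thiziz_a_mailserver)
 with ESMTP id <0JBD00NB52OL20@mailrelaypr.smals-mvm.be> for htaq@inami.be;
 Thu, 04 Jan 2007 21:38:45 +0100 (CET)
Received: from dowragv (unknown [88.241.9.163]) by mailgateabis.smals-mvm.be
 (Postfix) with SMTP id 5287D77DC660 for <htaq@inami.be>; Thu,
 04 Jan 2007 21:38:46 +0100 (CET)
Received: from ndoe ([138.132.151.80]) by dowragv with Microsoft
 SMTPSVC(5.0.2195.6713); Thu, 04 Jan 2007 22:38:35 +0200
From: either <ctjn@core-fusion.net>
To: htaq@inami.be
"""

# Assumption: placeholder address (documentation range) standing in for the
# IPs your own server sends mail from. Replace with the real ones.
MY_SERVER_NETS = [ipaddress.ip_network("192.0.2.10/32")]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ips(raw_headers):
    """Return non-loopback IPs recorded in Received headers, newest hop first."""
    msg = message_from_string(raw_headers)
    found = []
    for hop in msg.get_all("Received", []):
        for text in IP_IN_BRACKETS.findall(hop):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed text that is not a valid IPv4 address
            if not ip.is_loopback:
                found.append(ip)
    return found

def classify(raw_headers, my_nets):
    """'local-origin' if any hop is one of our IPs, else 'spoofed-sender'."""
    hops = relay_ips(raw_headers)
    if any(ip in net for ip in hops for net in my_nets):
        return "local-origin"
    return "spoofed-sender"

if __name__ == "__main__":
    print(relay_ips(BOUNCED_HEADERS), classify(BOUNCED_HEADERS, MY_SERVER_NETS))
```

Only the hop recorded by the recipient's own gateway (here `88.241.9.163`) is reliable; hops below it were supplied by the sender and can be forged. A `local-origin` result means the mail really left your server and the mail logs there need checking.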
     
  3. mctDarren

    mctDarren Well-Known Member

    Better to set the messages to :fail: so that the server simply drops the connection instead of wasting your resources sending out a bounce.
     
  4. adept2003

    adept2003 Well-Known Member

    That's what I meant... couldn't think of the right word :)
     
  5. dlennon

    dlennon Member
    PartnerNOC

    Is there a way for a cPanel system admin to prevent users from modifying the default user to anything other than :fail:? If not, I guess this would be a feature request.
     