How to find the source of this email

psytanium

• May 15, 2019 02:51

Hello, I always receive spams with nonsense content, I block or delete it, but I would like to know the source of the sender of this email: Return-Path: Delivered-To: me@mydomain.com Received: from server.mydomain.com by server.mydomain.com with LMTP id 6AhZMzKy21zIcAAAAm/+cA (envelope-from ) for ; Wed, 15 May 2019 09:31:14 +0300 Return-path: Envelope-to: mailer-daemon@server.mydomain.com Delivery-date: Wed, 15 May 2019 09:31:14 +0300 Received: from [154.126.169.202] (port=30621) by server.mydomain.com with esmtp (Exim 4.91) (envelope-from ) id 1hQnRa-0007pT-HC for mailer-daemon@server.mydomain.com; Wed, 15 May 2019 09:31:14 +0300 Message-ID: <5CDBC0DD.9040000@server.mydomain.com> Date: Wed, 15 May 2019 07:33:49 +0000 From: User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20110812 Thunderbird/6.0 MIME-Version: 1.0 To: Subject: Frauders known your old passwords. Access data must be changed. Content-Type: text/plain; charset=CP-850; format=flowed Content-Transfer-Encoding: 8bit
Is it coming from my server ?

• 

  m.eid

  • May 15, 2019 12:48

  I've received such that many times received to my clients signed by their domains as both sender and receivers, actually I've searched hard about that, they may using a hole in a script in your host, where they will say they had hacked your email but just ignore them and scan your host and apps there to find any vulnerabilities.

  0
• 

  psytanium

  • May 15, 2019 12:53

  But here should be a way to know where is it coming from, maybe by searching the exim log using a query in a command.

  0
• 

  keat63

  • May 15, 2019 14:21

  Do you recognise 154.126.169.202

  0
• 

  psytanium

  • May 15, 2019 14:29

  Do you recognise 154.126.169.202

  
  Not any of my server IPs, my computer IP.

  0
• 

  cPanelLauren

  • May 16, 2019 20:23

  The exim configuration setting as follows should allow the from header to be rewritten according to the actual sender: [QUOTE] EXPERIMENTAL: Rewrite From: header to match actual sender If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected.
  

  0
• 

  psytanium

  • May 17, 2019 06:13

  Thank you I changed the Rewrite From: header to match actual sender to All

  0
• 

  keat63

  • May 17, 2019 07:59

  Does 'EXPERIMENTAL: Rewrite From: header to match actual sender' have any effect on inbound traffic. I read elsewhere that this only affects outbound emails.

  0
• 

  psytanium

  • May 17, 2019 08:30

  Good question

  0
• 

  cPanelLauren

  • May 17, 2019 15:06

  @keat63 you're right: This whole time I'd thought it was doing both! This becomes a bit more complicated with email that originates remotely:

  Not any of my server IPs, my computer IP.

  
  Are you saying that it is your computer's IP or it isn't any IP in relation to you?

  0
• 

  psytanium

  • May 17, 2019 16:03

  The IP is not related to my PC or server.

  0
• 

  cPanelLauren

  • May 17, 2019 20:59

  In that case the exim filter info I linked might be useful, but it could be cumbersome to implement

  0

Please sign in to leave a comment.