Emails to unknown domain
Hi all, I have noticed now and again spam being processed on the server, although it does not get delivered as:
#1 the email and domain do not exist on the server
#2 it is processed as spam and rejected.
How can this come to my VPS if the domain does not and has not existed on here?
I have also checked the receiving email for whether the email has been sent from that address, and nothing.
I get about 5 emails like this a month.
Thanks
Hi @Mark Coates This looks like spam email leaving your server (it doesn't have to carry your domain name if it's sent through a PHP script). You might check the exclamation point to get the "Delivery Event Details", which might give you some further information.
Hi @cPanelLauren I have checked this and none of the IP addresses are what my VPS uses either; I have attached an example. My IP starts: 149.255.63.***
Maybe you are an open relay. From a terminal window, paste the following:
telnet localhost 25
helo
mail from: someone@notyourdomain.com
rcpt to: someone@notyourdomain.com
Hi @Mark Coates Do you have the ability to run the following over the CLI?
exigrep 1hZYCb-0009kU-zd /var/log/exim_mainlog
@keat63 These are the results from the terminal:
[root@dedivps-75533 ~]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220-dedivps-75533.dedicloud.co.uk ESMTP Exim 4.92 #2 Tue, 11 Jun 2019 08:58:43 +0100
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo
250 dedivps-75533.dedicloud.co.uk Hello [::1]
mail from: someone@notyourdomain.com
250 OK
rcpt to: someone@notyourdomain.com
250 Accepted
@cPanelLauren I get this:
[root@dedivps-75533 ~]# exigrep 1hZYCb-0009kU-zd /var/log/exim_mainlog
[root@dedivps-75533 ~]#
Actually, I'm beginning to wonder if doing what I said via a terminal window was a thorough test. In effect, we wouldn't need to authorise, as we are doing this as self and are thus authorised to do so. Maybe telnet from a local PC would be a better test. Maybe try it with MxToolbox instead: Email Server Test - Online SMTP diagnostics tool - MxToolbox
@keat63 I have tried with that link, although I presume it would be their domain? Or would this be my domain?
Here are the results using my domain name.
Seems that you are not an open relay then. The command that Lauren gave you ought to have come back with a result. However, if your log file has rotated, this could explain why you saw nothing. See if you can identify another, more recent one of these rogue emails and use the ID from that.
I think I will have to wait, as I can't find any from the past 2 days.
If you have FTP access, you could FTP to var/log and find the .gz (zip) filename of the log file that was written at the time of the last known event. Then run the command against the zip file instead, along the lines of:
exigrep 1hZYCb-0009kU-zd /var/log/exim_mainlog-20190610.gz
Didn't work through the terminal, although I could download the latest (only 1 file of the main log). The addresses in question were not in the log /var/log/exim_mainlog-20190609. I can't upload as it's too large :(
My server has four .gz files plus the current exim_mainlog.
Ah yes, now I see them. I'll have another look.
This means nothing to me, but this is the log section regarding this.
######################################
2019-06-09 00:57:34 SMTP connection from [14.182.244.224]:13408 (TCP/IP connection count = 1)
2019-06-09 00:57:55 H=(static.vnpt.vn) [14.182.244.224]:13408 Warning: Sender rate 1.0 / 1h
2019-06-09 00:58:15 [69.25.26.160] SSL verify error (during S-verify for [14.182.244.224]): certificate name mismatch: DN="/C=US/ST=Florida/L=Gulf Breeze/O=Appriver LLC/OU=Engineering/CN=*.appriver.com" H="consolidatedsafety.com.1.0001.arsmtp.com"
2019-06-09 00:58:16 H=(static.vnpt.vn) [14.182.244.224]:13408 Warning: "Increment Connection Ratelimit - (static.vnpt.vn) [14.182.244.224]:13408 because of RBL match"
2019-06-09 00:58:16 H=(static.vnpt.vn) [14.182.244.224]:13408 F= rejected RCPT : "JunkMail rejected - (static.vnpt.vn) [14.182.244.224]:13408 is in an RBL: Blocked - see SpamCop.net - Blocking List ( bl.spamcop.net )"
2019-06-09 00:58:16 SMTP connection from (static.vnpt.vn) [14.182.244.224]:13408 closed by DROP in ACL
######################################
I'm also struggling to comprehend what's going on. To me, it looks like the server at 14.182.244.xxx has tried to send an email to cuglsjkmr262@0g4u.com. This domain resolves to a UK server: 0g4u.com WHOIS, DNS, & Domain Info - DomainTools. Is your domain in this list? Reverse IP Lookup - ViewDNS.info
Better to run something like this for the compressed logs:
zgrep 1hZYCb-0009kU-zd /var/log/exim_mainlog-*
The excerpt you added doesn't seem to correlate at all to the headers of the initial email as well; in fact, that log excerpt seems to indicate that it's just a spam message being delivered to your server, then rejected for being in an RBL.
@keat63 No, my domain is not there.
@cPanelLauren I have tried that code and it comes back with nothing :(.
Hi Lauren, I think what Mark is getting at is why a delivery was attempted in the first place. The domain doesn't reside on his server.
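An added example, not code from any poster, that groups the excerpt's log lines by remote ip:port so the session that was refused at RCPT (the RBL hit) is separated from the interleaved AppRiver SSL line, which belongs to a different connection; the excerpt carries no message id, which is why exigrep by id finds nothing. The sender and recipient angle-bracketed addresses were stripped by the forum, so the sample below uses a constructed placeholder sender and the recipient named in the thread.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the excerpt posted in the thread; the forum stripped the
# angle-bracketed addresses, so the sender here is a placeholder.
SAMPLE_LOG = """\
2019-06-09 00:57:34 SMTP connection from [14.182.244.224]:13408 (TCP/IP connection count = 1)
2019-06-09 00:57:55 H=(static.vnpt.vn) [14.182.244.224]:13408 Warning: Sender rate 1.0 / 1h
2019-06-09 00:58:15 [69.25.26.160] SSL verify error (during S-verify for [14.182.244.224]): certificate name mismatch: DN="/C=US/ST=Florida/L=Gulf Breeze/O=Appriver LLC/OU=Engineering/CN=*.appriver.com" H="consolidatedsafety.com.1.0001.arsmtp.com"
2019-06-09 00:58:16 H=(static.vnpt.vn) [14.182.244.224]:13408 Warning: "Increment Connection Ratelimit - (static.vnpt.vn) [14.182.244.224]:13408 because of RBL match"
2019-06-09 00:58:16 H=(static.vnpt.vn) [14.182.244.224]:13408 F=<sender@example.invalid> rejected RCPT <cuglsjkmr262@0g4u.com>: "JunkMail rejected - (static.vnpt.vn) [14.182.244.224]:13408 is in an RBL: Blocked - see SpamCop.net - Blocking List ( bl.spamcop.net )"
2019-06-09 00:58:16 SMTP connection from (static.vnpt.vn) [14.182.244.224]:13408 closed by DROP in ACL
"""

CONN_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]:(\d+)")  # remote [ip]:port = one TCP session
IP_RE = re.compile(r"\[\d{1,3}(?:\.\d{1,3}){3}\]")
HELO_RE = re.compile(r"H=\(([^)]+)\)")
SENDER_RE = re.compile(r"F=<([^>]*)>")
RCPT_RE = re.compile(r"rejected RCPT <([^>]*)>")
RBL_RE = re.compile(r"is in an RBL:.*?\(\s*([\w.-]+)\s*\)")
MSGID_RE = re.compile(r" (\w{6}-\w{6}-\w{2}) <= ")  # an id appears only once a message is queued

def parse_exim_log(text):
    """Group exim_mainlog lines by remote ip:port; return (connections, unrelated lines)."""
    conns, unrelated = OrderedDict(), []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:  # names an IP but no session port: a different, interleaved event
            unrelated += [line] if IP_RE.search(line) else []
            continue
        c = conns.setdefault(f"{m.group(1)}:{m.group(2)}", {
            "helo": None, "sender": None, "rcpt": None, "rbl": None,
            "msgid": None, "verdict": "open", "lines": 0})
        c["lines"] += 1
        for field, rx in (("helo", HELO_RE), ("sender", SENDER_RE), ("rcpt", RCPT_RE),
                          ("rbl", RBL_RE), ("msgid", MSGID_RE)):
            hit = rx.search(line)
            if hit:
                c[field] = hit.group(1)
        if "rejected RCPT" in line:
            c["verdict"] = "rejected"  # refused at RCPT: nothing queued, so no id to exigrep
        elif MSGID_RE.search(line):
            c["verdict"] = "accepted"
        elif "closed by DROP in ACL" in line and c["verdict"] == "open":
            c["verdict"] = "dropped"
    return conns, unrelated

if __name__ == "__main__":
    for key, c in parse_exim_log(SAMPLE_LOG)[0].items():
        print(key, c)
```

Run it against a real exim_mainlog (or a zcat of a rotated .gz) to list every inbound session with its HELO, target recipient and outcome, rather than searching for a message id that a pre-DATA rejection never produced.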
This is a bit perplexing, @Mark Coates. I noticed in the excerpt you added it mentions appriver; is this a service you use?
I do not know what appriver is. :rolleyes: I have just googled this and it looks to be safe and secure. I tried the code zgrep 1hZYCb-0009kU-zd /var/log/exim_mainlog-* again and got the attached output again.
Mark, I've no doubt what Lauren is asking for should work, but for whatever reason it isn't. FTP the exim_mainlog.gz files off. Extract the contents; let's see if you can manually identify which gz file the email 1hZYCb-0009kU-zd is actually in. I suspect Lauren is not in the UK, based on her regular activity; doing this might just save some time and help us get to the bottom of this.
I have just done a search in them all and none of them have the ID :(
Maybe all we can do is wait then. A shame, as I'd have liked to have learned from this.
If it's not showing up in the Exim logs, then the transaction took place prior to what you have logs for. Do you have a more recent example we can use, @Mark Coates, preferably within the last day or so? Also, I'd like to see what the output of this is as well (it might be useful information for you too):
perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
Also, appriver is a 3rd-party spam filtering service which scans mail off server, then delivers it to your server. I was curious primarily if it was possible there was a routing issue with them in your configuration, but if you're not using them it wouldn't be that.
Hi @cPanelLauren the output is
[root@dedivps-75533 ~]# perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
Emails by user:
23 : danumhos
1 : mailnull
===================
Total: 24
===================
Email accounts sending out mail:
===================
Total: 0
===================
Directories mail is originating from:
17 : /home/danumhos
6 : /home/danumhos/public_html
===================
Total: 22
===================
Top 20 Email Titles:
6 : POP3 Connection Error
3 : WHMCS Domain Transfer Status Cron Report
3 : WHMCS Domain Synchronisation Cron Report
3 : Notification Message
2 : [Ticket ID: 23062019395] Delivery of your email messages.
2 : [Ticket ID: 23062019396] Mail delivery failed: returning message to sender
2 : [Ticket ID: 23062019397] Cheapest, Innovative Bitcoin Mining
1 : WHMCS Cron Job Activity
1 : Mail delivery failed: returning message to sender
1 : WHMCS Database Backup
===================
Total: 23
===================
[root@dedivps-75533 ~]#
The majority of this looks like it's from WHMCS. Not sure if this would be going in a circle again, although I have had another email this morning and thought I'd mention this as it's still fresh. I have uploaded info minus any info I think relates to someone (barring the sender again). I tried this:
zgrep 1heywa-0003mr-et /var/log/exim_mainlog-*
and got nothing back. I have gone through the logs and there are a lot on there, so I have taken out other email data and added the relevant information into the attached PDF. Sorry it's a little small.