Mail delivery failed: returning message to sender

itwetra

• August 27, 2019 19:39

Hi Folks, currently one of my user-facing receiving spamming mail from " Mail Delivery Failed", and at the same time my other user can't sending mail due to it's had over limit the CPanel quota which in 200 mail Per hours. Furthermore, all the address(es) failed: are from different email and none of them are familiar. I had scans the mail directory using the CPanel Virus scanner, and Anti-virus in the PC system to scan, end up non of the malware or virus are available. Below are the attachments, Please advise anyone that experience this situation before. Thank You

• 

  keat63

  • August 28, 2019 10:57

  The images you post would indicate to me that these are the inbound bounce messages, ideally, you need to try and find what's sending the outgoing messages. A few things to try. Change the password on the email account. If the password has been compromised, this should stop it. Ensure DKIM and SPF are configured on the account, This should help with spoofing. If you have a compromised PC, then taking this down and finding the culprit woud be the next thing to do.

  0
• 

  mtindor

  • August 28, 2019 16:46

  I understand that you may not have posted the contents of one of the messages because you would not want to reveal anything about your server, but great clues as to what is going on can be found in the bounce messages themselves that you see in webmail. Open them up and takea look at them. They are going to tell you why the messages were bounced by the remote system (or cpanel, if they were bounced from the server itself). Not that you should trust me, Im nobody you know. But if you want to PM me what one of the messages shows in your webmail (including all of the message headers it reveals), I'd be glad to take a look. But I'm betting you can figure it out for yourself once you look at the one of the bounce messages. mike

  0
• 

  cPanelLauren

  • August 28, 2019 18:52

  @keat63 Those look like inbound messages because they're all bouncebacks and in this instance, the account is suspended and not accepting anything due to the exceeding mail limits. @itwetra You need to identify the source of the email. If your users on this account haven't sent this mail then you need to determine how it's being sent. Internally we have a really helpful script we use for this: perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
  Which will break down the users sending mail and the directory mail is originating from. If it's a specific email account sending most of the mail then you'll most likely want to change the password if mail is originating from a specific directory you'll want to look in the directory to identify the script that is responsible for the mail.

  0

Please sign in to leave a comment.