A lot of spoofing. Remote email is being sent using a local envelope.
Received: from tk.ibw.com.ni (localhost [127.0.0.1]) --- look at this: something is sending this email locally
by tk.ibw.com.ni (Proxmox) with ESMTP id BADC31A8C45
for ; Tue, 11 Aug 2020 00:43:38 -0600 (CST)
Date: Tue, 11 Aug 2020 03:44:38 -0300
From: "user1" --- this is not user1's email address ---- this is phishing
To: "noc@example.com"
Subject: Fwd:Quote
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--106277629023481144352531673054508"
Message-Id: <20200811064331.DF4BE3E446D@clients.hostname.com.ni>
Hi! We would need a bit more details and clarification than just a mail header. Can you elaborate more? Is the mail outbound or inbound? Which domains are local to your system? Have you searched for BADC31A8C45 in your exim logs?
What makes you think this is spoofing and not that user sending spam via a compromised script? This appears to be what is happening here.
Hi Lauren, we have logged a call with cPanel but they all said this is a normal email. Thanks Lauren, my thoughts exactly. How do we deal with the compromised cPanel server in this regard?
Good day Michael
Received: from tk.ibw.com.ni (localhost [127.0.0.1]) ------------------------- the local server hostname is cp1.example.com NOT tk.ibw.com.ni
From: "user1" --------------------------- user1's email should be user1@example.com NOT istemas.informatica@domain.com.ni
This means this email (istemas.informatica@domain.com.ni) uses the local resources to send email to user1, in which the body content of the email is the old emails sent by user1 with the .doc attachment.
To: "noc@example.com"
Well, if you're sending email from a script you'd need to identify the specific script that is sending the mail. As you mention you called cPanel's technical support, what is the ticket ID number associated with that call?
Hi Lauren, this is what we found. How do we stop this?
All details in the mail header can relatively easily be spoofed. The mail doesn't necessarily have to come from your own server - actually I'm confident that it's "just" spam from an external server. You would need to find the mail in exim_mainlog to see the connecting IP and check up on that. A quick search shows that e.g. "tk.ibw.com.ni" is in a few blacklists, so maybe also activating DNSBL in your Exim Configuration Manager will help.
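The two checks discussed in this thread (is the header itself evidence of local injection, and what does exim_mainlog say about where Exim got the message) as an added example that is not from the thread or from cPanel. The script triages the posted header, with the angle-bracket addresses the forum stripped re-added as placeholders, and then looks the Message-Id up in constructed exim_mainlog lines to tell a message received from a remote peer (H=host [ip]) from one submitted locally (U=user P=local), which is the trace a compromised script leaves. The hostname cp1.example.com, the domain example.com and the mailbox names are assumptions taken from the thread.

```python
"""Header triage plus exim_mainlog lookup for the case discussed above.

Added example, not from the thread or from cPanel. The header is the one
posted (addresses the forum stripped are re-added as placeholders); the
exim_mainlog lines are constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_HOST = "cp1.example.com"       # the cPanel box, as stated in the thread
LOCAL_DOMAINS = {"example.com"}      # domains hosted on that box (assumed)
LOCAL_USERS = {"user1", "noc"}       # mailboxes on those domains (assumed)

# Header as posted; <...> addresses are placeholders for what the forum removed.
POSTED_HEADER = """\
Received: from tk.ibw.com.ni (localhost [127.0.0.1])
    by tk.ibw.com.ni (Proxmox) with ESMTP id BADC31A8C45
    for <noc@example.com>; Tue, 11 Aug 2020 00:43:38 -0600 (CST)
Date: Tue, 11 Aug 2020 03:44:38 -0300
From: "user1" <istemas.informatica@domain.com.ni>
To: "noc@example.com" <noc@example.com>
Subject: Fwd:Quote
MIME-Version: 1.0
Message-Id: <20200811064331.DF4BE3E446D@clients.hostname.com.ni>

"""

# Constructed exim_mainlog excerpt: one local script submission (cwd= line is
# what Exim logs with +arguments, which cPanel enables) and one remote receipt.
SAMPLE_EXIM_MAINLOG = """\
2020-08-11 00:43:30 cwd=/home/user1/public_html 3 args: /usr/sbin/sendmail -t -i
2020-08-11 00:43:30 1k5Hb0-0003zQ-7a <= user1@example.com U=user1 P=local S=1840 id=20200811064330.1A2B3C@cp1.example.com T="Invoice"
2020-08-11 00:43:41 1k5Hb1-0003zV-2c <= istemas.informatica@domain.com.ni H=tk.ibw.com.ni [203.0.113.45] P=esmtp S=54321 id=20200811064331.DF4BE3E446D@clients.hostname.com.ni T="Fwd:Quote"
2020-08-11 00:43:42 1k5Hb1-0003zV-2c => noc <noc@example.com> R=virtual_user T=dovecot_virtual_delivery
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*?\bid\s+(?P<id>\S+)", re.S)
RECEIVE_LINE_RE = re.compile(r"^\S+ \S+ (?P<qid>\S+) <= (?P<env>\S+) (?P<rest>.*?) id=(?P<msgid>\S+)")
HOST_RE = re.compile(r"H=(?P<rdns>[^\s(]+)?\s*(?:\((?P<helo>[^)]*)\)\s*)?\[(?P<ip>[^\]]+)\]")


def parse_received(value):
    """Split one Received: header into helo, rdns, ip, by and id (lowercased)."""
    m = RECEIVED_RE.search(value)
    return {k: (v.lower() if v else v) for k, v in m.groupdict().items()} if m else None


def triage_header(raw, local_host=LOCAL_HOST, local_domains=LOCAL_DOMAINS, local_users=LOCAL_USERS):
    """What the header alone can and cannot tell us about local injection."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    top = hops[0] if hops else None      # newest hop is listed first
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    msgid_domain = msg.get("Message-Id", "").strip().strip("<>").rpartition("@")[2].lower()
    return {
        # Which MTA wrote the newest Received line? If not ours, the message
        # already had this shape before (if ever) it reached our server.
        "top_hop_by": top["by"] if top else None,
        "top_hop_written_here": bool(top) and top["by"] == local_host.lower(),
        # A loopback hop proves local injection only on the host that wrote it.
        "loopback_hop_host": next((h["by"] for h in hops if h["ip"] in ("127.0.0.1", "::1")), None),
        # Display name borrows a local mailbox while the address is foreign.
        "display_name_spoof": name.strip().lower() in local_users and from_domain not in local_domains,
        # Message-Id minted on a host we do not operate.
        "message_id_domain": msgid_domain,
        "message_id_foreign": bool(msgid_domain) and msgid_domain != local_host.lower()
            and not any(msgid_domain == d or msgid_domain.endswith("." + d) for d in local_domains),
    }


def source_from_exim_log(log_text, message_id):
    """Find the <= (receipt) line for a Message-Id and say where Exim got it."""
    want = message_id.strip().strip("<>")
    prev = ""
    for line in log_text.splitlines():
        m = RECEIVE_LINE_RE.match(line)
        if not m or m["msgid"] != want:
            prev = line
            continue
        h = HOST_RE.search(m["rest"])
        if h:   # remote peer: this is the IP to check against DNSBLs / block
            return {"kind": "remote", "queue_id": m["qid"], "envelope_from": m["env"],
                    "ip": h["ip"], "host": h["rdns"] or h["helo"]}
        u = re.search(r"\bU=(\S+)", m["rest"])
        cwd = re.search(r"\bcwd=(\S+)", prev)   # directory of the script that called sendmail
        return {"kind": "local", "queue_id": m["qid"], "envelope_from": m["env"],
                "user": u.group(1) if u else None, "cwd": cwd.group(1) if cwd else None}
    return None


if __name__ == "__main__":
    for k, v in triage_header(POSTED_HEADER).items():
        print(f"{k:22} {v}")
    print(source_from_exim_log(SAMPLE_EXIM_MAINLOG, "<20200811064331.DF4BE3E446D@clients.hostname.com.ni>"))
    print(source_from_exim_log(SAMPLE_EXIM_MAINLOG, "20200811064330.1A2B3C@cp1.example.com"))
```

On a real cPanel box the second function would read /var/log/exim_mainlog; a local hit returns the U= account and the cwd= directory to start the script hunt in, a remote hit returns the connecting IP that the DNSBL or a firewall rule should catch. For the posted header the triage shows the loopback hop belongs to tk.ibw.com.ni, not to the local host, so the header alone does not demonstrate local injection.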
Hi Michael, I have activated DNSBL already.
Same problem on my server also. Lots of mail received using country domains, including .doc virus files.