
email virus attack

Comments

14 comments

  • keat63
    I've considered that it could be a PC on my corporate network maybe sending something via a relay, but now spotted another one. However, this one was sent to my own personal email (on the same server). My own personal email sends only a few emails per week so it's relatively easy for me to check outgoing stats.

    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - sg3plcpnl0004.prod.sin3.secureserver.net (not me)
    X-AntiAbuse: Original Domain - mypersonaldomain.co.uk

    I'm pretty confident that my own domain didn't get involved, unless there's something on the server. Is the 'Original Domain' section being spoofed? Any ideas??
    0
  • cPanelWilliam
    Hello! Could you please provide the full email headers from one of these emails? We would be able to better answer your questions if we had the full email headers. Based on what you said, I think it's likely that these emails are being spoofed. In this situation, I'd want to see which IP address is sending the mail so we can determine if they are being sent by a separate server. Since you pointed out that the hostname in the headers is not your server, I think it's likely that these are being sent by a separate server: Preventing spoofed emails
    0
  • keat63
    Without divulging my server or local IPs, none of these are mine.

    Received: from sg2nlsmtp01.shr.prod.sin2.secureserver.net ([182.50.132.200]:40042) by myserver.host.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1npXLh-0001Sh-RM for keat@mydomain.co.uk; Fri, 13 May 2022 16:37:02 +0100
    Received: from sg3plcpnl0004.prod.sin3.secureserver.net ([148.66.145.132]) by : HOSTING RELAY : with ESMTP id pXK0ny5VHvRk9pXK0nyzCr; Fri, 13 May 2022 08:35:16 -0700
    X-CMAE-Analysis: v=2.4 cv=MZ6pB7zf c=1 sm=1 tr=0 ts=627e7ab5 a=upYG1lvb4hnWh0QFW3yukA==:117 a=6LNRkCNBt8ZRTU2CZPbolQ==:17 a=9+rZDBEiDlHhcck0kWbJtElFXBc=:19 a=gQX1269ULFhLm4Thdby34LUHVW0=:19 a=oZkIemNP1mAA:10 a=r77TgQKjGQsHNAKrUKIA:9 a=YMx64EG2AAAA:8 a=lRrl5QwOUt7lRYtwp-QA:9 a=d4OyPR7NnPR9-tdA:21 a=_W_S_7VecoQA:10 a=QEXdDO2ut3YA:10 a=2SAUZJQijLg_84jzozAA:9 a=IKIoO-ieCDEA:10 a=wDOl-8IaFK0A:10 a=Yy2xoct6d_2ZlxTvqP-Z:22 a=XqWb9wuT7gtQlNc7Gwru:22 a=G_MBLiWhD_nnfb7b4kOc:22
    X-SECURESERVER-ACCT: info@miramsindia.com
    Received: from fixed-187-190-132-190.totalplay.net ([187.190.132.190]:50014 helo=[127.0.0.1]) by sg3plcpnl0004.prod.sin3.secureserver.net with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1npWok-008A4K-U7 for keat@mydomain.co.uk; Fri, 13 May 2022 08:02:59 -0700
    Date: Fri, 13 May 2022 10:02:57 -0600
    Message-ID: <9272fbc1-0126-43b4-bcb0-ea6e65a6beed@miramsindia.com>
    From: " "
    To: ""
    Subject: Re: FW:
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----------------RyPeiOn2PBphlZvqzzUYjfsi"
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - sg3plcpnl0004.prod.sin3.secureserver.net
    X-AntiAbuse: Original Domain - mydomain.co.uk
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - miramsindia.com
    X-Get-Message-Sender-Via: sg3plcpnl0004.prod.sin3.secureserver.net: authenticated_id: info@miramsindia.com
    X-Authenticated-Sender: sg3plcpnl0004.prod.sin3.secureserver.net: info@miramsindia.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    X-CMAE-Envelope: MS4xfFNymPr4ipJxFONebmcF8lg0wGqQ5At2SnE72M9WTNsG64mp8SpugQKGxrOEAkIYtGSZPxGDqeJEEuGXX8ocv/V2ssQlAn/OEyfBzoCG/D7wTfQaUHwO q9A8UCWWw+1/7Mg06Nz1JKyGO6WEfp8GpFdfOSzQcMhMEf/8UOoMvsq7AV5fpUOt1qMo5och6/iSrE98jiHOWsgYY/A4Ehz19gJnAvmC0E0oJLYInXq3VCms
    0
  • mtindor
    I'm undergoing some form of virus attack at the moment. I see in the headers

    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - server2.hechoenleon.com
    X-AntiAbuse: Original Domain - my domain.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - flejescarpa.com.mx

    It's not my domain which is sending these, so why does my domain show in Original Domain?

    I think it's as simple as Original Domain = domain of the recipient (yourself). Does the wording sound goofy? Yes it does. But it probably is supposed to indicate that the email was "originally" addressed TO somebody in that domain. Useless if the message is then forwarded off to Gmail or somewhere else and you want to know where it came from (your domain). NOTE: It does not say "Originating Domain". If it did, I'd have a problem with that and it would drive me crazy. But "Original Domain" makes sense to me. All of the examples you have shown here are simple emails that came in from other servers to the server your accounts are hosted on, and to a mailbox of a domain hosted on that server. Mike
    0
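To make the two points above concrete (cPanelWilliam's "find the IP that actually submitted the mail" and mtindor's "Original Domain is the recipient's domain"), here is an added example, my own code and not anything from the thread or from cPanel. It parses a constructed copy of the headers keat63 posted, trimmed to the fields it reads; own_host is an assumed name for the server that received the mail.

```python
import re
from email import message_from_string

# Constructed sample: the Received chain and X-AntiAbuse lines quoted in the thread, trimmed.
RAW = """\
Received: from sg2nlsmtp01.shr.prod.sin2.secureserver.net ([182.50.132.200]:40042) by myserver.host.com with esmtps (TLS1.2) (Exim 4.95) id 1npXLh-0001Sh-RM for keat@mydomain.co.uk; Fri, 13 May 2022 16:37:02 +0100
Received: from sg3plcpnl0004.prod.sin3.secureserver.net ([148.66.145.132]) by : HOSTING RELAY : with ESMTP id pXK0ny5VHvRk9pXK0nyzCr; Fri, 13 May 2022 08:35:16 -0700
Received: from fixed-187-190-132-190.totalplay.net ([187.190.132.190]:50014 helo=[127.0.0.1]) by sg3plcpnl0004.prod.sin3.secureserver.net with esmtpsa (TLS1.2) (Exim 4.94.2) id 1npWok-008A4K-U7 for keat@mydomain.co.uk; Fri, 13 May 2022 08:02:59 -0700
X-AntiAbuse: Primary Hostname - sg3plcpnl0004.prod.sin3.secureserver.net
X-AntiAbuse: Original Domain - mydomain.co.uk
X-AntiAbuse: Sender Address Domain - miramsindia.com
X-Authenticated-Sender: sg3plcpnl0004.prod.sin3.secureserver.net: info@miramsindia.com

"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})")   # "from host ([ip]"
FOR_RE = re.compile(r"\bfor\s+<?([^\s;<>]+@[^\s;<>]+)")                  # "for rcpt;"

def received_hops(msg):
    """One dict per Received header, oldest hop first (the header on top was added last)."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m, f = HOP_RE.search(hdr), FOR_RE.search(hdr)
        if m:
            hops.append({"host": m.group(1), "ip": m.group(2),
                         "authenticated": " esmtpsa " in hdr,   # Exim: submitted with SMTP AUTH
                         "rcpt": f.group(1) if f else None})
    return hops

def antiabuse(msg):
    """'X-AntiAbuse: Key - value' lines as a dict (the free-text notice line has no ' - ')."""
    pairs = [h.split(" - ", 1) for h in msg.get_all("X-AntiAbuse", []) if " - " in h]
    return {k.strip(): v.strip() for k, v in pairs}

def triage(raw, own_host):
    """Where the mail entered the chain, who authenticated to send it, and whether
    'Original Domain' is merely the recipient's domain rather than the sender's."""
    msg = message_from_string(raw)
    hops, info = received_hops(msg), antiabuse(msg)
    first = hops[0]                                   # bottom-most Received = first hop
    rcpt_domain = (first["rcpt"] or "").rpartition("@")[2]
    return {
        "origin_host": first["host"], "origin_ip": first["ip"],
        "submitted_with_auth": first["authenticated"],
        "authenticated_as": (msg.get("X-Authenticated-Sender") or "").rpartition(": ")[2] or None,
        "sender_domain": info.get("Sender Address Domain"),
        "original_domain_is_recipient": info.get("Original Domain") == rcpt_domain,
        "own_host_submitted": any(h["host"] == own_host for h in hops),
    }
```

Run with triage(RAW, "myserver.host.com"): the first hop is the totalplay.net client that authenticated to the secureserver.net box as info@miramsindia.com, and keat63's own host never appears as a submitting host.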
  • Spirogg
    Without divulging my server or local IPs, none of these are mine.

    Received: from sg2nlsmtp01.shr.prod.sin2.secureserver.net ([182.50.132.200]:40042) by myserver.host.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1npXLh-0001Sh-RM for keat@mydomain.co.uk; Fri, 13 May 2022 16:37:02 +0100
    Received: from sg3plcpnl0004.prod.sin3.secureserver.net ([148.66.145.132]) by : HOSTING RELAY : with ESMTP id pXK0ny5VHvRk9pXK0nyzCr; Fri, 13 May 2022 08:35:16 -0700
    X-CMAE-Analysis: v=2.4 cv=MZ6pB7zf c=1 sm=1 tr=0 ts=627e7ab5 a=upYG1lvb4hnWh0QFW3yukA==:117 a=6LNRkCNBt8ZRTU2CZPbolQ==:17 a=9+rZDBEiDlHhcck0kWbJtElFXBc=:19 a=gQX1269ULFhLm4Thdby34LUHVW0=:19 a=oZkIemNP1mAA:10 a=r77TgQKjGQsHNAKrUKIA:9 a=YMx64EG2AAAA:8 a=lRrl5QwOUt7lRYtwp-QA:9 a=d4OyPR7NnPR9-tdA:21 a=_W_S_7VecoQA:10 a=QEXdDO2ut3YA:10 a=2SAUZJQijLg_84jzozAA:9 a=IKIoO-ieCDEA:10 a=wDOl-8IaFK0A:10 a=Yy2xoct6d_2ZlxTvqP-Z:22 a=XqWb9wuT7gtQlNc7Gwru:22 a=G_MBLiWhD_nnfb7b4kOc:22
    X-SECURESERVER-ACCT: info@miramsindia.com
    Received: from fixed-187-190-132-190.totalplay.net ([187.190.132.190]:50014 helo=[127.0.0.1]) by sg3plcpnl0004.prod.sin3.secureserver.net with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1npWok-008A4K-U7 for keat@mydomain.co.uk; Fri, 13 May 2022 08:02:59 -0700
    Date: Fri, 13 May 2022 10:02:57 -0600
    Message-ID: <9272fbc1-0126-43b4-bcb0-ea6e65a6beed@miramsindia.com>
    From: " "
    To: ""
    Subject: Re: FW:
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----------------RyPeiOn2PBphlZvqzzUYjfsi"
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - sg3plcpnl0004.prod.sin3.secureserver.net
    X-AntiAbuse: Original Domain - mydomain.co.uk
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - miramsindia.com
    X-Get-Message-Sender-Via: sg3plcpnl0004.prod.sin3.secureserver.net: authenticated_id: info@miramsindia.com
    X-Authenticated-Sender: sg3plcpnl0004.prod.sin3.secureserver.net: info@miramsindia.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    X-CMAE-Envelope: MS4xfFNymPr4ipJxFONebmcF8lg0wGqQ5At2SnE72M9WTNsG64mp8SpugQKGxrOEAkIYtGSZPxGDqeJEEuGXX8ocv/V2ssQlAn/OEyfBzoCG/D7wTfQaUHwO q9A8UCWWw+1/7Mg06Nz1JKyGO6WEfp8GpFdfOSzQcMhMEf/8UOoMvsq7AV5fpUOt1qMo5och6/iSrE98jiHOWsgYY/A4Ehz19gJnAvmC0E0oJLYInXq3VCms

    Try running the below command as root: cat /etc/valiases/* > forwarders.txt
    then cd
    enter, then dir
    or ls
    you will see the forwarders.txt
    open with nano
    or vim
    or just cat forwarders.txt
    to see all the forwarders that are set up on all accounts, or go to /etc/valiases
    then dir
    or ls
    and see if the domain account you said is no longer active is still showing. If so, cat domain.com
    and it will show you if there are forwarders set up that you can't see in cPanel. Then you can delete the forwarders or even the account that is no longer there. This is also good to see if any active accounts have been hacked and the hacker adds forwarders that you won't see in the cPanel account via cPanel > Forwarders. Hope this helps as well.
    0
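The manual walk through /etc/valiases above can be scripted. This is an added example of mine, not Spirogg's or cPanel's code: it parses the alias-file syntax cPanel writes (address: target[, target], plus catch-all lines such as "*: :fail: ..."), looks up one address the way keat63 did by hand, and lists every forwarder that points off-server, the kind an intruder adds and that the cPanel Forwarders page may not show. The sample files are constructed and written to a temp directory standing in for /etc/valiases.

```python
import os
import tempfile

# Constructed sample of /etc/valiases/<domain> files (Exim alias syntax as cPanel writes it).
SAMPLE = {
    "mydomain.com": (
        "sales@mydomain.com: bob@mydomain.com\n"
        "olduser@mydomain.com: colleague@mydomain.com, olduser@gmail.example\n"
        "*: :fail: No Such User Here\n"
    ),
    "otherdomain.com": "*: :blackhole:\n",
}

def build_sample():
    """Write SAMPLE into a fresh temp directory and return its path (stands in for /etc/valiases)."""
    d = tempfile.mkdtemp(prefix="valiases-")
    for name, body in SAMPLE.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d

def parse_valiases(path):
    """Yield (alias, [targets]) per line; ':fail:'/':blackhole:' directives stay as one target."""
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or ":" not in line:
                continue
            alias, _, rhs = line.partition(":")        # split on the first colon only
            rhs = rhs.strip()
            targets = [rhs] if rhs.startswith(":") else [
                t.strip().strip('"') for t in rhs.split(",") if t.strip()]
            yield alias.strip(), targets

def lookup(valiases_dir, address):
    """Targets configured for one address, or None when no explicit alias line exists."""
    path = os.path.join(valiases_dir, address.rpartition("@")[2])
    if not os.path.isfile(path):
        return None
    for alias, targets in parse_valiases(path):
        if alias.lower() == address.lower():
            return targets
    return None

def external_forwarders(valiases_dir):
    """(file, alias, target) for every forwarder whose target domain is not hosted here."""
    names = sorted(os.listdir(valiases_dir))
    hosted = {n.lower() for n in names}
    found = []
    for name in names:
        for alias, targets in parse_valiases(os.path.join(valiases_dir, name)):
            found += [(name, alias, t) for t in targets
                      if "@" in t and t.rpartition("@")[2].lower() not in hosted]
    return found
```

Point external_forwarders at the real /etc/valiases (as root) to get the same report for a live server; anything it lists that nobody remembers creating deserves a look.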
  • keat63
    I have csf explorer installed and already looked in valiases. I did wonder if maybe a forwarder was somehow left over that I couldn't see from the cPanel account. There are no forwarders for this user.
    0
  • Spirogg
    I have csf explorer installed and already looked in valiases. I did wonder if maybe a forwarder was somehow left over that I couldn't see from the cPanel account. There are no forwarders for this user.

    Is this account no longer active and deleted or suspended? Possible they have a forwarder set up on another account? Possible? If you check all accounts to verify if they have forwarders, or to see if any of the emails contain a forwarder from the forwarders.txt file (this would list all accounts that have a forwarding address). Just wondering?
    0
  • Spirogg
    @keat63 I was reading this How to Prevent Email Abuse | cPanel & WHM Documentation and at the very bottom it had this: EXPERIMENTAL Rewrite From header to match actual sender. Any local cPanel user can use the 127.0.0.1 IP address to send mail without authentication. This can make it difficult for system administrators to determine which cPanel account sent the mail, especially when a malicious user spoofs an email address to disguise the origin of the email. To require cPanel & WHM to put the actual sender in the header, enable the Experimental: Rewrite From: header to match actual sender option in WHM's fakemail@example.com], actual sender is not the same system user) original=[fakemail@example.com] actual_sender=[spammer@spammer.com] The actual_sender portion of the log entry shows that spammer is the cPanel account that sent the email. This information allows the system administrator to take action against the account to prevent additional spam. Not sure if this is something you want to try or not?
    0
  • Spirogg
    Also there is another setting: Home >> Service Configuration >> Exim Configuration Manager: Reject remote mail sent to the server's hostname. Use callouts to verify the existence of email senders. Exim will connect to the mail exchanger for a given address to verify it exists before accepting mail from it. This also is default NO. This might help eliminate this.
    0
  • keat63
    This person was a user but left about 2 years ago. It's possible that her email was forwarded to a colleague, but I don't see any rules now. So maybe I already removed it in the past. I'm struggling to understand why WHM email delivery stats would indicate that they were undelivered, but I can still see and open them using CSF mailscanner. It's as if WHM says, 'sorry I can't deliver these' but accepts them and stores them anyway. I half expected Exim would just drop and delete. I do have mailscanner configured to retain for about 7 days. I also made the exim changes above, so I'll monitor for a week.
    0
  • keat63
    I'm still struggling on this issue. User doesn't exist, there are no forward rules or auto responders that I can see. If I send an email to the address, I do get a bounce back stating 'user does not exist'. But if I look in CSF mailscanner, I can see that mailscanner at least accepted it. It doesn't appear in exim reject log either, so I assume exim accepted it. So I performed an experiment, and sent a test email to a long since gone user on another domain. I got the bounce, I don't see the message in CSF mailscanner, and I do see an entry in exim reject log. So for the experiment, I'm seeing what I would expect to see. As a further experiment back on the original domain, I sent a test email to a stupid username that never existed. It bounced, exim rejected it, I don't see it in mailscanner. So the domain is doing as I would expect. It's as if some sort of filter, forwarder or even mailbox is still available despite there being nothing that I can see.

    Exim results for made up nonsense user: No such person at this address.
    Exim results for user who did exist: LMTP error after RCPT TO:: 550 5.1.1 User doesn't exist: user@mydomain.com
    0
  • keat63
    I think I found the issue in one of my own posts from a few years back: an entry in /home/$username/mail/$domainname.com/Usermailbox
    0
  • keat63
    Nope... still struggling on this. See below exim reject log entries. cpanel@ once existed, but I can't see any forwarders or rules etc. zzzzzzzzzzzzzzzzz@ never existed. Note how the two reject notices are different, and the cpanel@ one has some form of Exim ID. Both tests sent from the same real account.

    2022-06-08 15:00:27 1nywEV-0007Xw-IX <= real-email@mydomain.com H=([10.10.1.32]) [xx.xx.xx.xx]:33313 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=dovecot_plain:real-email@mydomain.com S=708 id=7376ad8e-a557-88c3-53c4-ba4ad78d751d@mydomain.com T="test" for cpanel@mydomain.com
    2022-06-08 15:00:28 1nywEV-0007Xw-IX ** cpanel@mydomain.com R=virtual_aliases: No such person at this address."
    2022-06-08 15:24:30 H=([10.10.1.32]) [xx.xx.xx.xx]:33416 X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F= A=dovecot_plain:real-email@mydomain.com rejected RCPT : No such person at this address."
    0
  • keat63
    Track delivery shows transport fail on one and rejected on the other.

    Event: failure error
    User: myuser
    Domain: mydomain.com
    From Address: purchasing@mydomain.com
    Sender: purchasing@mydomain.com
    Sent Time: Jun 8, 2022, 3:00:15 PM
    Sender Host: 10.10.1.32
    Sender IP: xxx.xx.xx.xx
    Authentication: dovecot_plain
    Spam Score:
    Recipient: cpanel@mydomain.com
    Delivery User: myuser
    Delivery Domain: mydomain.com
    Delivered To:
    Router: virtual_aliases
    Transport: fail
    Out Time: Jun 8, 2022, 3:00:15 PM
    ID: 1nywEV-0007Xw-IX
    Delivery Host:
    Delivery IP:
    Size: 708 bytes
    Result: No such person at this address.

    Event: rejected rejected
    User: -remote-
    Domain:
    From Address: purchasing@mydomain.com
    Sender:
    Sent Time: Jun 8, 2022, 3:24:15 PM
    Sender Host: xxx.xx.xx.xx
    Sender IP: xxx.xx.xx.xx
    Authentication: unauthorized
    Spam Score: 0
    Recipient: zzzzzzzzzzzzzzzz@mydomain.com
    Delivery User: myuser
    Delivery Domain: mydomain.com
    Delivered To:
    Router: reject
    Transport: **rejected**
    Out Time: Jun 8, 2022, 3:24:15 PM
    ID: 1nywbm-0008gy-U6
    Delivery Host: xxx.xx.xx.xx
    Delivery IP: xxx.xx.xx.xx
    Size: 0 bytes
    Result: No such person at this address.
    0
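The two Exim records keat63 compares differ in one useful way: the address that once existed was accepted (a message id was assigned) and then failed by a named router, while the made-up address was refused at RCPT before any message existed. This added example, my own code rather than keat63's or cPanel's, classifies a constructed copy of those log lines (placeholders kept as in the thread, the refused recipient filled in from keat63's description) and reports which router claimed the address, which is where to look next.

```python
import re

# Constructed sample mirroring the two exim_mainlog tests posted above (fields trimmed).
SAMPLE_LOG = """\
2022-06-08 15:00:27 1nywEV-0007Xw-IX <= real-email@mydomain.com H=([10.10.1.32]) [xx.xx.xx.xx]:33313 P=esmtpsa A=dovecot_plain:real-email@mydomain.com S=708 T="test" for cpanel@mydomain.com
2022-06-08 15:00:28 1nywEV-0007Xw-IX ** cpanel@mydomain.com R=virtual_aliases: No such person at this address.
2022-06-08 15:24:30 H=([10.10.1.32]) [xx.xx.xx.xx]:33416 A=dovecot_plain:real-email@mydomain.com rejected RCPT <zzzzzzzzzzzzzzzzz@mydomain.com>: No such person at this address.
"""

# timestamp, optional Exim message id (6-6-2 characters), then the rest of the line
LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?:(?P<id>\S{6}-\S{6}-\S{2}) )?(?P<rest>.*)$")

def classify_exim(log_text):
    """Per recipient: accepted and then bounced by a router (R= names it), or refused at RCPT."""
    accepted, results = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mid, rest = m.group("id"), m.group("rest")
        if mid and rest.startswith("<= "):                   # message accepted, id assigned
            f = re.search(r" for (\S+)$", rest)
            accepted[mid] = {"sender": rest.split()[1], "rcpt": f.group(1) if f else None}
        elif mid and rest.startswith("** "):                 # delivery failed -> bounce generated
            r = re.match(r"\*\* (\S+) R=(\w+): (.*)", rest)
            results[r.group(1)] = {"id": mid, "outcome": "accepted_then_bounced",
                                   "router": r.group(2), "reason": r.group(3),
                                   "sender": accepted.get(mid, {}).get("sender")}
        elif "rejected RCPT" in rest:                        # refused during SMTP, never got an id
            r = re.search(r"rejected RCPT <?([^\s<>:]+)>?: (.*)", rest)
            results[r.group(1)] = {"id": None, "outcome": "rejected_at_rcpt",
                                   "router": None, "reason": r.group(2), "sender": None}
    return results

def routers_claiming(results):
    """Routers that accepted an address believed to no longer exist: check their data source next."""
    return sorted({v["router"] for v in results.values() if v["router"]})
```

Feed it real exim_mainlog lines for the address in question; a router listed by routers_claiming still has something (an alias file entry, a filter, a mailbox) that matches that address.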
