Forged return address on SPAM causing blacklisting
For about a week, I've been getting a TON of bounced SPAM that has the sender forged as a user on my server. They look like this
Interesting in this is serv3.myservername.net was my old server's name associated with the old server's IP address.. When I updated servers a year or so ago, the name change to serv4.myservername.net was not done in the WHM cp.. Although, the old serv3.myservername.net does resolve to the current server IP... I think I have a double problem here in that the old name is probably being used by some of the users who are getting blocked due to the server IP address being put in blacklists from this barrage of bounces... Arrgh! HELP!
------ This is a copy of the message, including all the headers. ------
Return-path:
Received: from [not.my.server.ip] (port=4193 helo=.com)
by serv3.myservername.net with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.82)
(envelope-from )
id 1WFTiU-0003s4-CC; Mon, 17 Feb 2014 11:18:58 -0800
Message-ID: <40BA8F9B.8C4A9179@mydomain.com>
Date: Mon, 17 Feb 2014 21:18:54 +0200
Reply-To: "myname"
From: "myname"
MIME-Version: 1.0
Interesting in this is serv3.myservername.net was my old server's name associated with the old server's IP address.. When I updated servers a year or so ago, the name change to serv4.myservername.net was not done in the WHM cp.. Although, the old serv3.myservername.net does resolve to the current server IP... I think I have a double problem here in that the old name is probably being used by some of the users who are getting blocked due to the server IP address being put in blacklists from this barrage of bounces... Arrgh! HELP!
-
Blacklisting typically does not work this way. Someone using your old server's hostname as the EHLO name is usually not enough to trick any reputable blacklist - they are going to go by the IP address that the email originated from. Based on the limited info in the headers, it's possible that the email is being relayed through your server. Check your exim logs for these emails and see if they reveal anything. 0 -
Hello :) Have you tried searching for the "to" address in /var/log/exim_mainlog to ensure it was not actually sent from your server? You can use a command such as this to search: exigrep to@remote-domain /var/log/exim_mainlog
Also, as far as the hostname issue, have you tried sending a message from your server to a remote test address (e.g. Google, Hotmail) so you could review the mail header and verify the correct hostname is used? Thank you.0
Please sign in to leave a comment.
Comments
2 comments