Email being sent from accounts on server which do not exist
I am getting 100s of failure notices and undeliverable email receipts for accounts which don't exist on my server.
I have gone through as many hardening and email lockdown tutorials as I can find (and understand) but really don't know where to go from here. My server's IP reputation is also suffering due to this spam being sent out.
Any ideas on how I can check to see how this mail being sent is being generated, as it's from accounts which don't exist?
For example:
hyyehed@mydomain.com
hweiuhw@mydomain.com
I'm not sure if it's safe to post actual domains/IP addresses here, so here is an email I received with the identifying bits asterisked out.
Please could someone give me some pointers in trying to find out where this is coming from?
----------------------------------------------------------
Received: from static-71-27-63-95.ipcom.comunitel.net (95.63.xx.xx) by
actionsrv05.action.local (192.168.2.5) with Microsoft SMTP Server id
8.3.342.0; Mon, 21 Apr 2014 16:49:08 -0400
Pool-Debug: iw108 value
Pool-Name: default_value
x-sieve: enabled
Pool-Version: 2
Received: from [10.0.xx.xx] ([10.0.xx.xx:1396]
helo=static-71-27-63-95.ipcom.domain.net) by F590DEA73 (envelope-from
) (ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with
ESMTP id 7F/8D-0FD47-BBD1D831; Mon, 21 Apr 2014 22:49:16 +0200
Date: Mon, 21 Apr 2014 22:49:06 +0200
From: Wall St Report
Sender:
To:
Message-ID: <1324203152.7293763856393340930.JavaMail.root@static-71-27-63-95.ipcom.domain.net>
Subject: This Easter Stock Will Triple
Errors-To: scan@**********.com
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_56715_3024612586.6764116304127"
X-MailSentId: 15385
X-campaignid: infusion_iw0186
BatchId: 589032
X-BatchId: 589032
List-Unsubscribe:
Return-Path: scan@**********.com
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-HelloDomain: static-71-27-63-95.ipcom.comunitel.net
X-GFI-SMTP-RemoteIP: 95.63.27.71
----------------------------------------------------------
This report relates to a message you sent with the following header fields:
Message-id:
Date: Tue, 15 Apr 2014 13:51:33 +0300
From: StockExclusive
To: chethank
Subject: (RCHA) Back On Our Radar Right Now!
Your message has been enqueued and undeliverable for 4 days
to the following recipients:
Recipient address:chethank@domain.ae
Reason: unable to deliver this message after 4 days
The mail system will continue to try to deliver your message
for an additional 6 days.
Return-path:
Received: from tcp_ae-daemon.aimail3.domain.net.ae by aimail3.domain.net.ae
(I&ES Mail Server 4.2) id <0N4A006J0RPVNCZJ@aimail3.domain.net.ae>; Sun,
20 Apr 2014 01:29:55 +0400 (GST)
Received: from [89.122.xx.xx] by aimail3.domain.net.ae
(I&ES Mail Server 4.2)
with ESMTP id <0N4200DF9JHT38F0@aimail3.domain.net.ae> for
chethank@domain.ae; Tue, 15 Apr 2014 14:51:31 +0400 (GST)
Date: Tue, 15 Apr 2014 13:51:33 +0300
From: StockExclusive
Subject: (RCHA) Back On Our Radar Right Now!
To: chethank
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN
Content-transfer-encoding: QUOTED-PRINTABLE
Delivered-to: chethank@domain.ae
--------------------------------------------------------------
The *********** relates to MY domain. The email addresses do NOT exist. Thanks for any help on this in advance. UKD. PS: mail queues very low (currently 4) but seeing a lot of bounces...
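One way to answer the question from the headers quoted above, as an added example that is not part of the original post: walk the Received: chain oldest-first and check whether the poster's own server ever appears in it. Only the topmost Received line (written by the receiving MTA) is trustworthy; everything below it was supplied by the sender and can be forged, which is why the check looks for the first publicly routable client IP rather than trusting the bottom line. The sample is assembled from the headers above with the asterisked domain replaced by example.com, the masked octets by placeholder values and a hypothetical hostname/IP for the poster's server; those substitutions are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample assembled from the bounce headers quoted in the post.
# example.com, 10.0.0.5 and the poster's server identity below are assumptions.
SAMPLE_HEADERS = """\
Received: from static-71-27-63-95.ipcom.comunitel.net (95.63.27.71) by
 actionsrv05.action.local (192.168.2.5) with Microsoft SMTP Server id
 8.3.342.0; Mon, 21 Apr 2014 16:49:08 -0400
Received: from [10.0.0.5] ([10.0.0.5:1396]
 helo=static-71-27-63-95.ipcom.domain.net) by F590DEA73 (envelope-from
 <scan@example.com>) (ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with
 ESMTP id 7F/8D-0FD47-BBD1D831; Mon, 21 Apr 2014 22:49:16 +0200
From: Wall St Report <hyyehed@example.com>
Return-Path: scan@example.com
Subject: This Easter Stock Will Triple
Message-ID: <1324203152.7293763856393340930.JavaMail.root@static-71-27-63-95.ipcom.domain.net>

"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HOP = re.compile(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", re.IGNORECASE)


def parse_received(value):
    """Extract the 'from' host, its IP and the 'by' host from one Received: value."""
    value = " ".join(value.split())          # unfold continuation lines
    m = HOP.search(value)
    if not m:
        return None
    from_host, between, by_host = m.groups()
    ip = IPV4.search(from_host + " " + between)
    return {"from": from_host, "ip": ip.group(1) if ip else None, "by": by_host}


def received_chain(raw_headers):
    """Hops oldest-first (each MTA prepends its line, so the top one is newest)."""
    msg = message_from_string(raw_headers)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def first_public_hop(hops):
    """Earliest hop whose client IP is routable: the host that injected the
    message into the public mail system (private/internal hops are skipped)."""
    for h in hops:
        if h["ip"] and ipaddress.ip_address(h["ip"]).is_global:
            return h
    return None


def relayed_through(hops, my_hosts, my_ips):
    """True only if one of our own hostnames or IPs appears anywhere in the chain."""
    return any(h["by"] in my_hosts or h["from"] in my_hosts or h["ip"] in my_ips
               for h in hops)


def analyse(raw_headers, my_hosts, my_ips):
    hops = received_chain(raw_headers)
    origin = first_public_hop(hops)
    return {
        "hops": hops,
        "injecting_host": origin["from"] if origin else None,
        "injecting_ip": origin["ip"] if origin else None,
        "relayed_through_us": relayed_through(hops, my_hosts, my_ips),
        "return_path": message_from_string(raw_headers).get("Return-Path"),
    }


if __name__ == "__main__":
    # Hypothetical identity of the poster's own mail server (an assumption).
    report = analyse(SAMPLE_HEADERS, {"mail.example.com"}, {"203.0.113.10"})
    for hop in report["hops"]:
        print(f"from {hop['from']} [{hop['ip']}] by {hop['by']}")
    print("injected by:", report["injecting_host"], report["injecting_ip"])
    print("passed through our server:", report["relayed_through_us"])
```

For the quoted bounce the chain contains no hop through the assumed server, and the first public client is the comunitel.net host at 95.63.27.71: the message was injected elsewhere with a forged From/Return-Path in the poster's domain. Such a message leaves no trace in the poster's own exim_mainlog, because it never passed through Exim.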
Those emails... don't look like they were sent from an Exim server. Maybe you're just the victim of spoofing. Do you see records of them in your mail logs?
Hi, thanks so much for your reply. I'm really thick when it comes to this stuff... Just this morning I have received this:
---------------------------------
Generating server: Metropolitan-Newyork.com
435_miz-a@jnco.com
#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##
Original message headers:
Received: from host81-155-159-223.range81-155.btcentralplus.com (81.132.236.173) by
 Metromail.Metropolitan-Newyork.com (216.127.125.130) with Microsoft SMTP Server id
 8.1.436.0; Tue, 22 Apr 2014 00:03:37 -0700
From: Hyde Marcus <435_miz-a@********hosting.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_168B19B8-662B-3E1F-434B-B9D86EBF3044"
X-Smtp-Server: smtp.jnco.com:435_miz-a@jnco.com
Subject: Happy Easter + Trading Tip
Message-ID: <218C82BC-A7F0-E5A3-F198-306203848C87@jnco.com>
X-Universally-Unique-Identifier: 481B8464-A3AC-5F51-805B-3BFD5C5B15C5
Date: Tue, 22 Apr 2014 08:16:08 +0100
To: 435_miz-a <435_miz-a@jnco.com>
MIME-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
Return-Path: 435_miz-a@********hosting.com
------------------------------------
I have searched exim_mainlog for the address 435_miz-a@jnco.com but it cannot find anything. Is there anything one can do re spoofing? Thanks, UKD.
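On searching exim_mainlog: Exim writes one "<=" line per message it accepts, and that line records how the message entered the queue, with A= for an authenticated mailbox, U= together with P=local for a process on the box itself, or H=host [ip] for a remote client, plus id= holding the Message-ID. Searching by the bounce's Message-ID is more reliable than searching by address, and the A=/U=/H= item tells you which account or script is responsible when a message really did originate on the server. Added example (not code from the thread) with constructed log lines in Exim's main-log format; the addresses, queue IDs and usernames are made up, and the Message-ID of the spoofed mail from the bounce above is deliberately absent.

```python
import re

# Constructed exim_mainlog excerpt (sample data, not from the poster's server).
# Line 1: submitted by an authenticated mailbox (A=...), which would point to a
#         stolen password. Line 2: injected by a local web script (U=nobody,
#         P=local), the classic compromised-site pattern. Line 3: inbound from
#         a remote host (H=... [ip]), followed by its delivery and completion.
SAMPLE_LOG = """\
2014-04-22 08:10:01 1WcRyD-0004Qa-7x <= bob@example.com H=(laptop) [203.0.113.77] P=esmtpa A=dovecot_login:bob S=1402 id=7c1e9f@example.com
2014-04-22 08:12:45 1WcS0p-0004Rb-2c <= nobody@example.com U=nobody P=local S=3117 id=20140422071245.GA1234@example.com
2014-04-22 08:15:30 1WcS3W-0004Sc-9k <= alice@partner.example H=mx1.partner.example [198.51.100.9] P=esmtp S=2210 id=a1b2c3@partner.example
2014-04-22 08:15:31 1WcS3W-0004Sc-9k => carol <carol@example.com> R=localuser T=local_delivery
2014-04-22 08:15:31 1WcS3W-0004Sc-9k Completed
"""

ARRIVAL = re.compile(r"^(?P<ts>\S+ \S+) (?P<qid>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")
FIELD = re.compile(r"\b([A-Z])=(\S+)")          # Exim's single-letter key=value items


def parse_arrivals(log_text):
    """Return one dict per '<=' (message accepted) line; other lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue
        rec = {"ts": m["ts"], "qid": m["qid"], "sender": m["sender"]}
        rec.update(FIELD.findall(m["rest"]))
        mid = re.search(r"\bid=(\S+)", m["rest"])
        rec["id"] = mid.group(1) if mid else None
        ip = re.search(r"\[([0-9a-fA-F.:]+)\]", m["rest"])
        rec["ip"] = ip.group(1) if ip else None
        out.append(rec)
    return out


def origin_kind(rec):
    """How the message entered Exim: the field that says who to blame."""
    if "A" in rec:
        return "authenticated:" + rec["A"]       # SMTP AUTH: mailbox credentials
    if rec.get("P") == "local":
        return "local:" + rec.get("U", "?")      # script, cron job or shell user
    return "remote:" + (rec.get("ip") or "?")    # inbound from another MTA


def find_message(log_text, message_id=None, sender=None):
    """Locate accepted messages by Message-ID (reliable) or envelope sender (weak:
    a spoofer chooses the sender, so a miss here proves little on its own)."""
    return [r for r in parse_arrivals(log_text)
            if (message_id is None or r["id"] == message_id.strip("<>"))
            and (sender is None or r["sender"].lower() == sender.lower())]


if __name__ == "__main__":
    spoofed_id = "<218C82BC-A7F0-E5A3-F198-306203848C87@jnco.com>"   # from the bounce
    print("spoofed message in our log:", find_message(SAMPLE_LOG, message_id=spoofed_id))
    for rec in parse_arrivals(SAMPLE_LOG):
        print(rec["qid"], rec["sender"], origin_kind(rec))
```

An empty result for the Message-ID confirms the message never went through this Exim. If an outbound spam run does show up, the A= or U= value identifies the mailbox to reset or the web account whose files to inspect.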
Hello :) You can set up SPF records for your domain names, but in part it's up to the remote mail server to implement SPF checking that rejects emails without them. Thank you.
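Added example illustrating the SPF point in this reply (not code from the thread): a minimal evaluator for the ip4, ip6 and all mechanisms, run against a hypothetical record for the poster's domain, with 203.0.113.10 standing in for the real outbound address; the remote IP 95.63.27.71 is the one the bounce quoted in the question reports for the spoofed message. Mechanisms that need DNS (a, mx, include, exists, redirect=) are skipped so it runs offline, and what the receiving side does with a fail is modelled separately because that decision belongs to the receiving server, not to the domain publishing the record.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Evaluate an SPF TXT record against the IP that connected to us.

    Supports v=spf1, ip4/ip6 (optional CIDR) and all with the four qualifiers.
    DNS-dependent mechanisms (a, mx, include, exists, redirect=) are ignored
    here; a real checker on the receiving MTA must resolve them.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                          # domain publishes no usable policy
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]       # 'all' always matches
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"             # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                           # nothing matched and no 'all'


def receiver_action(result, reject_on_softfail=False):
    """The receiving server's policy: publishing -all only helps if the other
    side checks SPF and acts on the result."""
    if result == "fail" or (result == "softfail" and reject_on_softfail):
        return "reject"
    if result in ("softfail", "permerror"):
        return "accept-and-flag"
    return "accept"


# Hypothetical records for the poster's domain; 203.0.113.10 stands in for the
# real outbound server (assumptions). 95.63.27.71 is the X-GFI-SMTP-RemoteIP
# from the bounce quoted in the question.
RECORD_STRICT = "v=spf1 ip4:203.0.113.10 -all"
RECORD_SOFT = "v=spf1 ip4:203.0.113.10 ~all"
SPAMMER_IP = "95.63.27.71"

if __name__ == "__main__":
    for record in (RECORD_STRICT, RECORD_SOFT):
        for ip in ("203.0.113.10", SPAMMER_IP):
            result = check_spf(record, ip)
            print(f"{record!r:40} {ip:15} {result:9} -> {receiver_action(result)}")
```

With -all the spammer's host gets a hard fail that a checking receiver can reject outright; with ~all it only gets a softfail, which most receivers accept and at best score. Either way the record does nothing for receivers that never look it up, which is the qualification the reply makes.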