See email was sent
Hi, I was looking for spammers on the server and saw this:
Command: exigrep domain exim_mainlog
Something like 30 emails were sent to php_info@ymail.com, but is it possible to see whether these emails were sent by a PHP script, or to look at the content of these emails (control data or headers)? Thank you!
2014-12-16 23:57:51 1Y13s6-003DYF-Pa U=user Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING not smtp message as NOT spam (2.7)"
2014-12-16 23:57:51 1Y13s6-003DYF-Pa <= user@hostname U=user P=local S=563 T="update" for php_info@ymail.com
2014-12-16 23:57:51 1Y13s6-003DYF-Pa From: header (rewritten was: [Pages@hostname], actual sender is not the same system user) original=[Pages@hostname] actual_sender=[user@hostname]
2014-12-16 23:57:51 1Y13s6-003DYF-Pa SMTP connection outbound 1418781471 1Y13s6-003DYF-Pa domain php_info@ymail.com
2014-12-16 23:57:53 1Y13s6-003DYF-Pa => php_info@ymail.com R=lookuphost T=remote_smtp H=mta5.am0.yahoodns.net [66.196.118.33] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 C="250 ok dirdel"
2014-12-16 23:57:53 1Y13s6-003DYF-Pa Completed
2014-12-17 00:09:10 1Y1433-003Gd5-PC U=user Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING not smtp message as NOT spam (2.7)"
2014-12-17 00:09:11 1Y1433-003Gd5-PC <= user@hostname U=user P=local S=561 T="update" for php_info@ymail.com
2014-12-17 00:09:11 1Y1433-003Gd5-PC From: header (rewritten was: [Pages@hostname], actual sender is not the same system user) original=[Pages@hostname] actual_sender=[user@hostname]
2014-12-17 00:09:11 1Y1433-003Gd5-PC SMTP connection outbound 1418782151 1Y1433-003Gd5-PC domain php_info@ymail.com
2014-12-17 00:09:13 1Y1433-003Gd5-PC => php_info@ymail.com R=lookuphost T=remote_smtp H=mta7.am0.yahoodns.net [98.138.112.34] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 C="250 ok dirdel"
2014-12-17 00:09:13 1Y1433-003Gd5-PC Completed
Hello :) You won't be able to view the message contents if it's no longer stored on the server; however, you could review the mail queue to see if any additional messages are still in the queue: "WHM Home » Email » Mail Queue Manager" Thank you.
Any email on queue :( Is it possible to block emails to this recipient so that they stay in the queue?
What method is the user using to send the message? Have you simply tried contacting the user to verify if the email is legitimate? You may find the "Email Archiving" feature helpful: Email Archiving Thank you.
Works perfectly, thank you so much! It's spam!
Return-path:
Envelope-to: php_info@ymail.com
Delivery-date: Thu, 18 Dec 2014 18:40:31 -0200
Received: from user by hostname with local (Exim 4.84) (envelope-from ) id 1Y1hs6-003G0V-LJ for php_info@ymail.com; Thu, 18 Dec 2014 18:40:31 -0200
To: php_info@ymail.com
Subject: update
X-PHP-Script: domain/documents/Mysecurefile/auth.php for 64.74.215.59, 64.74.215.59
From: user@hostname
Message-Id:
Date: Thu, 18 Dec 2014 18:40:30 -0200
X-OutGoing-Spam-Status: No, score=2.7
X-Archive-Type: outgoing
X-Archive-Sender: user
X-From-Rewrite: rewritten was: [Pages@hostname], actual sender is not the same system user
domain/documents/Mysecurefile/auth.php
I am happy to see that feature was useful to you. Thank you for updating us with the outcome.
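Added example (not part of the original thread and not cPanel's or Exim's own code): a Python sketch of the triage done above, counting locally submitted (`P=local`) messages per system user and recipient from `exim_mainlog` arrival lines, then reading the `X-PHP-Script` header of an archived message to name the sending script. The sample log lines, headers, addresses and function names are constructed for illustration, modelled on the format shown in the thread.

```python
import re
from collections import Counter
from email.parser import HeaderParser

# Constructed sample data in the format shown in the thread (not real logs).
SAMPLE_LOG = """\
2014-12-16 23:57:51 1Y13s6-003DYF-Pa <= user@hostname U=user P=local S=563 T="update" for rcpt@example.com
2014-12-16 23:57:53 1Y13s6-003DYF-Pa => rcpt@example.com R=lookuphost T=remote_smtp H=mx.example.com [192.0.2.10] C="250 ok"
2014-12-17 00:09:11 1Y1433-003Gd5-PC <= user@hostname U=user P=local S=561 T="update" for rcpt@example.com
2014-12-17 00:10:02 1Y1440-003Gd9-AA <= alice@example.org H=client.example.net [198.51.100.7] P=esmtpsa S=1200 for bob@example.net
"""
SAMPLE_HEADERS = """\
To: rcpt@example.com
Subject: update
X-PHP-Script: example.org/documents/form/auth.php for 203.0.113.5, 203.0.113.5
From: user@hostname
"""

# Arrival line: date, time, message id, "<=", sender, fields, " for ", recipients.
# The greedy fields group makes the LAST " for " the recipient separator, so a
# subject (T="...") that itself contains " for " does not confuse the split.
ARRIVAL = re.compile(r"^\S+ \S+ \S+ <= \S+ (?P<fields>.*) for (?P<rcpts>.+)$")

def local_submissions(log_text):
    """Count locally submitted (P=local) messages per (system user, recipient)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m or " P=local " not in f" {m['fields']} ":
            continue  # delivery line, or a message received over SMTP
        user = re.search(r"\bU=(\S+)", m["fields"])
        for rcpt in m["rcpts"].split():
            counts[(user.group(1) if user else "?", rcpt)] += 1
    return counts

def php_script_origin(raw_headers):
    """Return (script path, client IPs) from an X-PHP-Script header, or None."""
    value = HeaderParser().parsestr(raw_headers, headersonly=True).get("X-PHP-Script")
    if not value:
        return None
    script, _, clients = value.partition(" for ")
    return script.strip(), [ip.strip() for ip in clients.split(",") if ip.strip()]

if __name__ == "__main__":
    for (user, rcpt), n in local_submissions(SAMPLE_LOG).most_common():
        print(f"{n:4d}  U={user}  ->  {rcpt}")
    print(php_script_origin(SAMPLE_HEADERS))
```

A high count for one `U=` account with `P=local` points at a script or cron job under that account rather than an authenticated mailbox; the header lookup only works while a copy of the message (queue or archive) still exists.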