email bounce back concerns
We had an email bounce back today, supposedly from a mailbox which sends out customer invoices.
However, we didn't send this.
What is concerning that it does appear that whoever sent it, was in the same data centre.
any ideas where i even start to look for a compromise, or how these people harvested our email address, especially in the same data centre.
Reporting-MTA: dns; smtp-in-133.livemail.co.uk
X-Postfix-Queue-ID: 060E924E66B
X-Postfix-Sender: rfc822; invoicing@mydomain.com
Arrival-Date: Thu, 8 Jan 2015 10:38:54 +0000 (GMT)
Final-Recipient: rfc822; chris.brewer@recipient.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mail.recipient.com[79.170.xx.xxx] said:
550-Your IP address is on the RBL blacklist! Sending denied. 550-For
further information and delisting procedure, 550 please see
http://www.spamcop.net/w3m?action=ch...13.171.xxx.xxx (in reply
to RCPT TO command)any ideas where i even start to look for a compromise, or how these people harvested our email address, especially in the same data centre.
-
I can only assume that this is typical email spoofing. However, what worries me is the email address "invoicing@mydomain.com" is a brand new email address, maybe only a few weeks old. And that the server sending these spoofed emails, is in the same data centre. I had to restore the server at the weekend, and whilst i'd installed CSF and chosen a profile etc, i'd not taken it out of test mode. So there was a few hours where the domain had been restored but no firewall running. Having said that, the global name servers were pointing elsewhere, so the domain wasn't live. Is it possible that during this time, the email addresses could have been harvested, and if this is the case, any ideas where i start to look. ? This is just another blow to what seamed like was going to be my savior. 0 -
I know a lot to take in for anyone who takes the time to read and digest this. Whats the likelyhood that this server 213.171.xxx.xxx, is connected to the same switch or router as my server (it's in the same data centre on the same first two octets), and it's packet sniffing for email addresses ? 0 -
has anyone got any thoughts?, as it appears it's falling on deaf ears in the datacentre 0 -
any ideas where i even start to look for a compromise, or how these people harvested our email address, especially in the same data centre.
admin@, webmaster@ billing@ support@ and others, are generic targets. invoicing@ could probably be added to that list, IMHO. Spam coming from another account on the same IP range is possible I would think. And, you will get bounced emails where it appears the spammer used your email address in the from: address, to spam. I'm not saying you can safely ignore this of course, you should make sure you've got the server and email locked down well.0 -
hi info. i am aware that john, jane, admin, sales etc is an easy target to spoof, and to be perfectly honest "invoicing" is/was only a temporary account to test some new software we have. I guess it could have been spoofed for quite some time, and only now that the mailbox exists, did we see anything related to it. What really concerns me however, (and i'm probably being paranoid) is that the spoof appears to have originated from within the same datacentre. The datacentre people have brushed it off, as the headers have no traceability, but then i'm not sure what they expected to find. spammer sends spoofed email, which is bounced because of rbl listing and returned to an unsuspecting 3rd party. 0 -
The docs should be of some use to lock down mail better: How to Prevent Email Abuse - cPanel Documentation What really concerns me however, (and i'm probably being paranoid) is that the spoof appears to have originated from within the same datacentre.
Being paranoid is a valuable asset when it comes to sever security. Use it to your advantage. :) There's always the chance that a spammer has the next VPS over from yours, on the next IP up/down from yours. Your current IP even could have been used, scanned, or attacked by spammers recently as well. Spam is spam and it's not going away, unfortunately. There are spammers that'll read this very thread, hoping you'll post your email address so they can spam you. Post your email on your own site, same thing. To those spammers that spam I say, bite me. You suck.0
Please sign in to leave a comment.
Comments
6 comments