Help with spam sent to self
Hello, I have seen this kind of spam for a number of accounts on my cPanel server now, where the spam email is sent "From" an email address to the same email address; in this case admin@ only exists as a forwarder. Also, SPF and DKIM are set up on this domain with Exim set to reject SPF failures. The sender IP is 181.176.43.44, which is not on the SPF but is blacklisted on RBL: zen.spamhaus.org, which is set to on.
So how are they doing it? Is my server hacked, or is cPanel/Exim just not checking SPF/IPs for internal email?
Return-path:
Envelope-to: admin@thehosteddomain.co.uk
Delivery-date: Tue, 05 Apr 2016 14:11:15 +0100
Received: from [181.176.43.44] (port=23075)
by mycpanelserver.com with esmtp (Exim 4.86_1)
(envelope-from )
id 1anQlG-0004qD-LD
for admin@thehosteddomain.co.uk; Tue, 05 Apr 2016 14:11:15 +0100
Message-ID: <578251831008526853087067@thehosteddomain.co.uk>
From:
To:
Subject: Make 30% profit every 15 minutes.
Date: 5 Apr 2016 01:43:32 -0600
MIME-Version: 1.0
Content-type: multipart/alternative;
boundary="---09907CF940E515C55CB0358C29D90990"
X-Mailer: Uqpkcn pqnsbp
X-From-Rewrite: unmodified, forwarded message
This is a multi-part message in MIME format.
-----09907CF940E515C55CB0358C29D90990
Content-type: text/plain;
charset="iso-8859-1"
Content-transfer-encoding: quoted-printable
Hello :) Could you post the corresponding entry for this message from /var/log/exim_mainlog? EX:
exigrep MSGID /var/log/exim_mainlog
Thank you.
Hello, I got the same problem! Someone uses my email to email me, for example: From: myemail@example.com to: myemail@example.com with an advertisement like below: - Removed - Please show me how to fix this problem! Thank you very much! Sincerely, Calvin
Hello :) Could you post the corresponding entry for this message from /var/log/exim_mainlog? EX:
exigrep MSGID /var/log/exim_mainlog
Thank you.
Thanks
exigrep 578251831008526853087067 /var/log/exim_mainlog
2016-04-05 14:11:15 1anQlG-0004qD-LD H=([181.176.43.44]) [181.176.43.44]:23075 Warning: Message has been scanned: no virus or other harmful content was found
2016-04-05 14:11:15 1anQlG-0004qD-LD <= admin@myhosteddomain H=([181.176.43.44]) [181.176.43.44]:23075 P=esmtp S=3362 id=578251831008526853087067@myhosteddomain T="Make 30% profit every 15 minutes." for admin@myhosteddomain
2016-04-05 14:11:15 1anQlG-0004qD-LD SMTP connection identification D=myhosteddomain O=admin@myhosteddomain E=phill@myemail.com M=1anQlG-0004qD-LD U=alternat ID=1000 B=redirect_resolver
2016-04-05 14:11:15 1anQlG-0004qD-LD => phill (phill@myemail.com, admin@myhosteddomain) R=virtual_user T=virtual_userdelivery
2016-04-05 14:11:15 1anQlG-0004qD-LD => |/usr/local/cpanel/bin/autorespond phill@myemail.com /home/runtime/.autorespond (phill@myemail.com, phill@myemail.com, admin@myhosteddomain) SRS= R=virtual_aliases_nostar T=jailed_virtual_address_pipe
2016-04-05 14:11:15 1anQlG-0004qD-LD Completed
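Added example, not part of the thread and not cPanel or Exim tooling: a Python scan of Exim main-log arrival (`<=`) lines for the pattern in the log posted above, an envelope sender that is also a recipient, arriving from a remote IP with no `A=` authenticator field. The sample lines are constructed (only the first is modelled on the posted log), and the function names are hypothetical.

```python
import re

# Constructed sample in Exim main-log format. Line 1 is modelled on the arrival
# ("<=") line quoted in the thread; lines 2 and 3 are invented for contrast.
SAMPLE_LOG = """\
2016-04-05 14:11:15 1anQlG-0004qD-LD <= admin@myhosteddomain H=([181.176.43.44]) [181.176.43.44]:23075 P=esmtp S=3362 id=578251831008526853087067@myhosteddomain T="Make 30% profit every 15 minutes." for admin@myhosteddomain
2016-04-05 14:12:01 1anQmA-0004rT-01 <= user@example.org H=mail.example.org [192.0.2.10]:41000 P=esmtps S=2048 id=abc@example.org T="Invoice" for admin@myhosteddomain
2016-04-05 14:13:40 1anQnB-0004sU-02 <= admin@myhosteddomain H=(laptop) [198.51.100.7]:50222 P=esmtpsa A=dovecot_login:admin@myhosteddomain S=900 id=def@myhosteddomain T="note to self" for admin@myhosteddomain
"""

ARRIVAL = re.compile(r'^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$')
# Drop T="..." first so that " for " inside a subject is not read as recipients.
SUBJECT = re.compile(r' T="(?:[^"\\]|\\.)*"')


def parse_arrival(line):
    """Return the fields of one Exim '<=' line, or None for any other line."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    rest = SUBJECT.sub('', ' ' + m.group('rest'))
    head, sep, rcpts = rest.rpartition(' for ')
    if not sep:  # recipients not logged on this line
        head, rcpts = rest, ''
    # The connecting IP is the bracketed address preceded by a space;
    # a bracketed literal inside H=(...) is only the HELO name.
    ip = re.search(r' \[([0-9A-Fa-f.:]+)\](?::\d+)?(?= |$)', head)
    proto = re.search(r' P=(\S+)', head)
    auth = re.search(r' A=(\S+)', head)
    return {
        'msgid': m.group('msgid'),
        'sender': m.group('sender').lower(),
        'recipients': [r.lower() for r in rcpts.split()],
        'ip': ip.group(1) if ip else None,
        'protocol': proto.group(1) if proto else None,
        'auth': auth.group(1) if auth else None,
    }


def self_addressed_unauthenticated(log_text):
    """Arrivals from a remote IP, without SMTP AUTH, whose sender is also a recipient."""
    parsed = (parse_arrival(line) for line in log_text.splitlines())
    return [r for r in parsed
            if r and r['ip'] and not r['auth'] and r['sender'] in r['recipients']]


if __name__ == '__main__':
    for rec in self_addressed_unauthenticated(SAMPLE_LOG):
        print(rec['msgid'], rec['ip'], rec['protocol'], rec['sender'])
```

Locally submitted mail has no bracketed remote IP on its arrival line, so it is skipped; authenticated self-sent mail (third sample line) carries `A=` and is not flagged.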
Please browse to "WHM >> Service Configuration >> Exim Configuration Manager >> Basic Editor" and verify the following option is enabled: "Reject SPF failures" Thank you.
Hello, yes, this is switched on.
I have noticed that these are coming in on the catch-all / Default Address, looking at all the affected accounts.
Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome. Thank you.