
Question Email Security showing SRS spam

shogunswb

Basic Pleskian
I have installed Plesk email security onto my dedicated server & it's showing that I am sending locally loads of srs spam emails but I cannot for the life of me work out where they are coming from.

PLEASE NOTE;
mydomain has been changed from the domain on my server which is sending & receiving the srs emails

serverhostname has been changed from the hostname of the server

domain. Now here's the interesting part (maybe). We have a shared hosting account with a hosting provider which has a few of our clients' domains on it, which are either hosted on a shared server or are parked. Mydomain & serverhostname are also parked on the shared hosting account but the dns & ns are redirected to my dedicated server & that is the only connection between the two, BUT domain (shared hosting only, with the settings assigned to it by the hosting company) is being used as a name in the srs emails along with several others, also shared only, and to top it all there are two names being used that haven't been on the shared account for a couple of years.

Now I know that servers can be probed to see what domains are hosted on them, but whatever is behind sending these emails seems to know which domains I had on my shared account up to three years ago, which makes me think that the hosting company had a data breach & has covered it up.

If anyone can shed any light on this for me I would be very grateful.

An example of an srs email from Plesk email security is:

srs0=/zg5=do=grations.top=credit_monitor_services-domain+2b1=[email protected]

Mail log shows:

Sender Receiver Status
[email protected]  [email protected]  26/10/2020 14:13:11  sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 57C81117C2D)  0EC71117C2B-FW



Email source

Return-Path: <sarah_campbell-domain=[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from serverhostname.uk (localhost.localdomain [127.0.0.1])
by serverhostname.uk (Postfix) with ESMTP id 65D72129153
for <[email protected]>; Mon, 26 Oct 2020 15:10:02 +0000 (GMT)
Authentication-Results: serverhostname.uk;
dmarc=pass (p=NONE sp=NONE) smtp.from=mushreher.top header.from=mushreher.top;
dkim=pass header.d=mushreher.top;
spf=pass (sender IP is 127.0.0.1) smtp.mailfrom=sarah_campbell-domain=[email protected] smtp.helo=serverhostname.uk
Received-SPF: pass (serverhostname.uk: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=sarah_campbell-domain=[email protected]; helo=serverhostname.uk;
X-Virus-Scanned: amavisd-new at example.com
X-Spam-Flag: YES
X-Spam-Score: 10.063
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.063 tagged_above=-9999 required=5
tests=[AV:Sanesecurity.Jurlbl.70b60b.UNOFFICIAL=0.1, BAYES_99=3.5,
BAYES_999=0.2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001, RCVD_IN_PSBL=2.7,
RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
URIBL_ABUSE_SURBL=1.25, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no
Authentication-Results: serverhostname.uk (amavisd-new); dkim=pass (1024-bit key)
header.d=mushreher.top; domainkeys=pass (1024-bit key)
header.from=[email protected] header.d=mushreher.top
Received: from serverhostname.uk ([62.138.4.97])
by serverhostname.uk (serverhostname.uk [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id cCYj4OP53yqt for <[email protected]>;
Mon, 26 Oct 2020 15:10:01 +0000 (GMT)
Received: from mail.mushreher.top (unknown [23.247.5.180])
by serverhostname.uk (Postfix) with ESMTP id E1AF5129146
for <[email protected]>; Mon, 26 Oct 2020 15:10:00 +0000 (GMT)
Received-SPF: pass (serverhostname.uk: domain of mushreher.top designates 23.247.5.180 as permitted sender) client-ip=23.247.5.180; envelope-from=sarah_campbell-domain=[email protected]; helo=mail.mushreher.top;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=mushreher.top;
h=Date:From:To:Subject:MIME-Version:Content-Type:List-Unsubscribe:Message-ID; i=[email protected];
bh=5WRsFKDZEHWVwd3rPzxwhvLjnwU=;
b=g+lxWi/Gxx60CZcf9c2FBeOu5UYl6FX9NOT31TgrL5uAMmBB0hiD7ZtcYc36u6XhQBjgVLks1WXG
4XMuj/b9gRetSJGeO8saf03MKL642x+jUdMMBW318I92kxXD8MV4+Sik/kf9GORApT2mkBVQkeUc
x6yIsgLAYUGqNTDJQ+s=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=mushreher.top;
b=Nyh6vCVza/7XG63L4D0pBAmpB/DrUmXbDwEa5GEF4AozNWpGv/sFhKdPC+w881EfWSIxRoifvfQh
yWecA7Wmv3QgMUSzxV8uMqcz04w/eqKZgd5eohkG946eqlTwQnkhPO9HssEDVrRuKMOR92B5a58P
hDK2uaBcmUjNd3XeUw8=;
Received: by mail.mushreher.top id hirjci0001g4 for <[email protected]>; Mon, 26 Oct 2020 11:01:11 -0400 (envelope-from <sarah_campbell-domain=[email protected]>)
Date: Mon, 26 Oct 2020 11:01:11 -0400
From: "Hollywood Diet" <[email protected]>
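
An SRS0 envelope sender like the one quoted in the post can be split into its fields to recover the original sender domain and the day the forwarding server rewrote the address. This is an added example, not part of the original post or of Plesk's code; it assumes the common SRS0 layout used by libsrs2-style implementations (hash, two-character base32 day stamp, original domain, original local part). The sample address fills the part the page shows as `[email protected]` with constructed `.example` placeholders, and the 21-day window is an assumed setting.

```python
import re
from datetime import date, timedelta

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # alphabet of the SRS day stamp
MAX_AGE_DAYS = 21                          # assumed validity window, adjust to your SRS setup
SRS0 = re.compile(r"^SRS0[=+-]([^=]+)=([^=]{2})=([^=]+)=(.+)@([^@]+)$", re.I)

# Constructed sample: shape copied from the post, redacted tail replaced by placeholders.
SAMPLE = ("srs0=/zg5=do=grations.top="
          "credit_monitor_services-domain+2b1=mydomain.example@serverhostname.example")

def srs_day(stamp, today):
    """Map the 10-bit day counter (days since 1970 mod 1024) to the latest matching date."""
    n = B32.index(stamp[0].upper()) * 32 + B32.index(stamp[1].upper())
    now = (today - date(1970, 1, 1)).days
    return today - timedelta(days=(now - n) % 1024)

def parse_srs0(addr, today):
    """Return the fields of an SRS0 address, or None if it is not a well-formed one."""
    m = SRS0.match(addr.strip())
    if not m:
        return None
    digest, stamp, orig_domain, orig_local, forwarder = m.groups()
    try:
        rewritten_on = srs_day(stamp, today)
    except ValueError:                     # stamp contains a character outside B32
        return None
    age = (today - rewritten_on).days
    return {
        "hash": digest,                    # keyed hash; only the forwarder can verify it
        "forwarder": forwarder,            # server that rewrote the envelope sender
        "original_sender": f"{orig_local}@{orig_domain}",
        "rewritten_on": rewritten_on,
        "age_days": age,
        "expired": age > MAX_AGE_DAYS,
    }

if __name__ == "__main__":
    # Reference date taken from the mail log line in the post (26/10/2020).
    for key, value in parse_srs0(SAMPLE, date(2020, 10, 26)).items():
        print(f"{key:16} {value}")
```

The `original_sender` field is the envelope sender the message arrived with before the forwarder rewrote it, which is the value to search for in the inbound part of the mail log.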
 