
fake headers ?


fishface

Guest
I'm getting a lot of bounced emails coming back to the server with hundreds of different usernames@mydomain in the headers. These are false usernames, and there are no formmail scripts that I can see have been compromised.

Any ideas how they are doing this?
 
Infected PC with its own SMTP engine sending out emails with randomly generated names @yourdomain. Since your domain is listed as the 'From', the bounces end up being sent to your domain's email server when they are rejected by the recipient mail server.

Cannot comment further unless you post full header examples to be examined.
 
header

Hi, here's an example:

------ This is a copy of the message, including all the headers. ------

Return-path: <rheta.Finch@mydomain>
Received: from [220.113.133.40] (helo=66.179.21.196)
by elara.cascadia.net with smtp (Exim 4.20)
id 1ENOOT-00036z-95; Wed, 05 Oct 2005 22:34:14 -0700
Received: from mx01.noromgt.com (220.113.133.40 [220.113.133.40])
by 220.113.133.40 (Postfix) with SMTP id A01099CE04
for <[email protected]>;
Wed, 05 Oct 2005 22:25:21 -0800
Message-ID: <[email protected]>
Date: Wed, 05 Oct 2005 22:25:21 -0800
From: "Miss. odele" <rheta.Finch@mydomain>
User-Agent: Microsoft Mail Corporate v4.1
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: [email protected], [email protected], [email protected], [email protected]
Subject: I tried calling you...
Content-Type: multipart/related; boundary="------------Next_Part_61147160==.OLA"

This is a multi-part message in MIME format.
--------------Next_Part_61147160==.OLA
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
---------------------------------------------------------------------------------

And another:

Hi. This is the qmail-send program at qmail.arpanet.ch.
I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out.

<[email protected]>:
Sorry, no mailbox here by that name. (#5.1.1)

<[email protected]>:
Sorry, no mailbox here by that name. (#5.1.1)

<[email protected]>:
Sorry, no mailbox here by that name. (#5.1.1)

<[email protected]>:
Sorry, no mailbox here by that name. (#5.1.1)

<[email protected]>:
Sorry, no mailbox here by that name. (#5.1.1)

<[email protected]>:
Sorry, no mailbox here by that name. (#5.1.1)

<[email protected]>:
Sorry, no mailbox here by that name. (#5.1.1)

<[email protected]>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <chelsy.Naquin@mydomain>
Received: (qmail-ldap/ctrl 12299 invoked from network); 6 Oct 2005 11:48:24 -0000
Received: from unknown (HELO 213.158.135.11) ([220.75.119.13])
(envelope-sender <chelsy.Naquin@mydomain>)
by qmail.arpanet.ch (qmail-ldap-1.03) with SMTP
for <[email protected]>; 6 Oct 2005 11:48:24 -0000
Received: from unknown (HELO rubberbanding) (220.75.119.13)
by ikt.es with SMTP; Thu, 06 Oct 2005 04:56:35 -0800
Message-ID: <[email protected]>
Date: Thu, 06 Oct 2005 04:56:35 -0800
From: "Ms. heidie Boucher" <chelsy.Naquin@mydomain>
User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
X-Antivirus-SCAN-Associates-Sdn-Bhd-Mail-From: chelsy.Naquin@mydomain
via mail.ikt.es
X-Antivirus-SCAN-Associates-Sdn-Bhd: SCAN-QMAIL-v1.0
(Clear:RC:1(220.75.119.13):. Processed in 1.833452 secs
Process 42796)
MIME-Version: 1.0
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: FW: FJBVCH
 
Pretty standard looking for messages which are sent out from an infected PC using forged credentials.

Unless you can find any trace in your log files (such as /usr/local/psa/var/maillog) of the IP addresses (220.113.133.40 or 220.75.119.13), your server is not the one sending the messages, and you most likely won't find any entries.

I am assuming that none of the IPs in the headers are actually yours since you did not remove them from the post.

There is not much you can do to block bounce messages from coming back to your domain mail server.

Server admins in this day and age should have any bounce feature turned off IMO, that way instead of sending a bounce message back to the forged 'From' domain, it just drops the message.
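The triage described in the replies above (read the bounce's Received chain top-down, pull out the injecting IPs, then check whether any of them or your own MX ever appear in the maillog) as an added, runnable example. This is not code from the thread or from Plesk; the bounce message, the maillog excerpt and the addresses (RFC 5737 documentation ranges, example.org, a hypothetical MX at 192.0.2.10) are constructed for the example, and the log format is assumed, not taken from a real Plesk log.

```python
"""Triage a backscatter bounce: which host actually injected the forged mail,
and did it ever pass through our own server?"""
import re
from email import message_from_string
from email.utils import parseaddr

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# HELO/EHLO names are supplied by the client and may be forged; strip them so
# they do not get mistaken for the real peer address.
HELO = re.compile(r"\(?(?:helo|ehlo)[= ]\S+\)?", re.I)

# Constructed bounce, modelled on the thread's second example. Addresses and
# hosts are placeholders (RFC 5737 ranges, example.org), not data from the page.
BOUNCE = """Return-Path: <chelsy.Naquin@example.org>
Received: from unknown (HELO 203.0.113.7) ([198.51.100.9])
  (envelope-sender <chelsy.Naquin@example.org>)
  by mx.receiver.example (qmail-ldap-1.03) with SMTP
  for <victim@receiver.example>; 6 Oct 2005 11:48:24 -0000
Received: from unknown (HELO rubberbanding) (198.51.100.9)
  by mail.relay.example with SMTP; Thu, 06 Oct 2005 04:56:35 -0800
From: "Ms. heidie Boucher" <chelsy.Naquin@example.org>
To: victim@receiver.example
Subject: FW: FJBVCH

body
"""

# Constructed maillog excerpt in an assumed Plesk-like format; our MX is 192.0.2.10.
MAILLOG = """Oct  6 03:12:01 mx qmail: 1128589921.4 info msg 123: bytes 812 from <legit@example.org> qp 4001 uid 110
Oct  6 03:12:02 mx qmail: 1128589922.1 starting delivery 77: msg 123 to remote partner@other.example
Oct  6 03:40:13 mx postfix/smtpd[4512]: connect from unknown[192.0.2.55]
"""

OUR_IPS = {"192.0.2.10"}  # hypothetical address(es) of our own mail server


def received_chain(raw):
    """Received headers with folding whitespace collapsed, top-most first.
    The top-most header was written by the MTA that generated the bounce and is
    the only one you can trust; headers below it were carried in the message
    and may have been forged by the sender."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]


def hops(raw):
    """IPv4 addresses named in each Received header, in chain order."""
    return [IPV4.findall(h) for h in received_chain(raw)]


def injecting_host(raw):
    """The peer the trustworthy (top-most) MTA actually accepted the mail from:
    the address it recorded from the TCP connection, with the HELO removed."""
    chain = received_chain(raw)
    if not chain:
        return None
    found = IPV4.findall(HELO.sub("", chain[0]))
    return found[0] if found else None


def envelope_sender(raw):
    """The forged Return-Path the bounce was addressed to."""
    return parseaddr(message_from_string(raw).get("Return-Path", ""))[1]


def relayed_by_us(raw, our_ips):
    """True only if one of our own addresses appears anywhere in the chain."""
    return any(ip in our_ips for hop in hops(raw) for ip in hop)


def maillog_hits(log, ips):
    """Log lines mentioning any of the IPs from the bounce's headers."""
    return [line for line in log.splitlines() if any(ip in line for ip in ips)]


def triage(raw, log, our_ips):
    """Summarise one bounce. 'backscatter' means the forged mail never touched
    our server; 'investigate' means our IP or the sender's IPs do show up."""
    ips = {ip for hop in hops(raw) for ip in hop}
    hits = maillog_hits(log, ips)
    ours = relayed_by_us(raw, our_ips)
    return {
        "envelope_sender": envelope_sender(raw),
        "injecting_host": injecting_host(raw),
        "header_ips": sorted(ips),
        "relayed_by_us": ours,
        "maillog_hits": hits,
        "verdict": "investigate" if (ours or hits) else "backscatter",
    }


if __name__ == "__main__":
    for key, value in triage(BOUNCE, MAILLOG, OUR_IPS).items():
        print(f"{key}: {value}")
```

The check mirrors the reply above: if neither your MX nor the injecting IP from the top Received header turns up in the maillog, the mail was never relayed through your server and the bounces are plain backscatter aimed at your forged Return-Path. The same functions can be run over a directory of saved bounces to list the distinct injecting hosts.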
 