John Fleming
Basic Pleskian
Hi All,
I am hoping someone has seen this before and can help.
We have an issue that we can't find the source of, and it's to do with mail, and what appears to be an interception.
What is happening is that when a client sends email (authenticated through the server), the mail does not get delivered, but a bounce back is received from other strange email addresses. Now at first we thought the client was affected, but a CRON Job email that was sent locally in the server was not delivered, and a bounce back was received from strange email addresses!! So is it possible for the mail to be hacked, and to be intercepted at a server level?
I have posted some headers here (domain names removed for security) so you can see what is happening. XXX is the Domain to where the mail is sent (Local Host) and the ZZZ domain is a domain on that server where the CRON Job is run.
It doesn't just happen on this domain but has happened on two other domains: one from a website-generated email, and the other from normal SMTP delivery.
It has me stuffed, and my host said they have checked EVERYTHING and can't find it.
Any ideas?
This email is sent from the CRON Job on the server to a local address on the server, but it never arrived. We then get the bounce back from where it did arrive.
Code:
Hi. This is the qmail-send program at XXX.com.au.
I tried to deliver a bounce message to this address, but the bounce bounced!
<[email protected]>:
106.10.166.54 failed after I sent the message.
Remote host said: 554 delivery error: dd This user doesn't have a yahoo.com.vn account ([email protected]) [-5] - mta1230.mail.sg3.yahoo.com
--- Below this line is the original bounce.
Return-Path: <>
Received: (qmail 25848 invoked for bounce); 13 May 2013 14:00:03 +1000
Date: 13 May 2013 14:00:03 +1000
From: [email protected]
To: [email protected]
Subject: failure notice
Hi. This is the qmail-send program at XXX.com.au.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<[email protected]>:
Sorry, I couldn't find any host named yahoo.co. (#5.1.2)
--- Below this line is a copy of the message.
Return-Path: <[email protected]>
Received: (qmail 25837 invoked by uid 10041); 13 May 2013 14:00:02 +1000
Date: 13 May 2013 14:00:02 +1000
Message-ID: <[email protected]>
From: [email protected] (Cron Daemon)
To: [email protected]
Subject: Cron <adminuser@XXX> php -q /var/www/vhosts/ZZZ.com.au/httpdocs/cron.php
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/var/www/vhosts/ZZZ.com.au>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=ZZZ>
X-Cron-Env: <USER=ZZZ>