getting lots of spam from "unknown" and helo localhost - email

On our server, we keep receiving spam with the following headers. We are using WHM 11.44 and Exim.
The return path is always:
Return-path: <>
and it says Received: from unknown (HELO localhost)
Both of which raise flags. We're just not sure exactly how to stop/reject them.
From - Mon Feb 16 14:27:02 2015
X-Account-Key: account3
X-UIDL: UID10475-1296887657
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <>
Envelope-to: me@myserver.com
Delivery-date: Mon, 16 Feb 2015 09:13:38 -0600
Received: from [122.160.73.62] (port=10732 helo=122.160.73.62)
by myserver.myserver.com with smtp (Exim 4.82)
id 1YNN0Z-00056c-7P
for me@myserver.com; Mon, 16 Feb 2015 08:50:47 -0600
Received: from unknown (HELO localhost) (intlimd@highgrove.net@214.92.72.48)
by 122.160.73.62 with ESMTPA; Mon, 16 Feb 2015 20:23:11 +0530
From: intlimd@highgrove.net
To: myemail@myserver.com
Subject: Do not disapoint your girl this night
http://mandatory.natur.com/ Real magic in your life

Can you please check the full logs for this mail with the following command and let me know, so that we can assist you.
grep 1YNN0Z-00056c-7P /var/log/exim_mainlog
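As an added example (not from the question or the answer above), a small Python triage script for the two traits the question flags: a null envelope sender (Return-path: <>), which is legitimate for bounces and so is only suspicious on a message that is not a bounce, and a HELO of localhost presented from a non-loopback address. Note that in the quoted headers the "HELO localhost" was recorded by 122.160.73.62, not by the poster's Exim; what the poster's own server saw was helo=122.160.73.62, a bare IP literal without the brackets RFC 5321 requires, which the script also flags. The sample message is constructed from the quoted headers with the sender address replaced.

```python
import re
from email import message_from_string
from email.policy import default
from ipaddress import ip_address

# Constructed sample built from the headers quoted above (sender address replaced).
SAMPLE = """\
Return-path: <>
Received: from [122.160.73.62] (port=10732 helo=122.160.73.62)
 by myserver.myserver.com with smtp (Exim 4.82)
 id 1YNN0Z-00056c-7P
 for me@myserver.com; Mon, 16 Feb 2015 08:50:47 -0600
Received: from unknown (HELO localhost) (someone@example.net@214.92.72.48)
 by 122.160.73.62 with ESMTPA; Mon, 16 Feb 2015 20:23:11 +0530
From: someone@example.net
To: me@myserver.com
Subject: test

body
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO = re.compile(r"\bhelo[= ]([^\s)]+)", re.I)  # Exim "helo=x" or qmail "(HELO x)"
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def hop_flags(received):
    """Suspicious traits of one Received: header (whitespace already normalised)."""
    flags = []
    from_part = received.split(" by ", 1)[0]  # "from <host> (<comments>)" clause only
    helo, ip = HELO.search(from_part), IPV4.search(from_part)
    if not helo:
        return flags  # local pickups such as "(from root@localhost)" carry no HELO
    name, addr = helo.group(1).lower(), (ip.group(1) if ip else None)
    if name in LOOPBACK_NAMES and addr and not ip_address(addr).is_loopback:
        flags.append(f"HELO {name} from non-loopback {addr}")
    if IPV4.fullmatch(name):  # RFC 5321 requires brackets around an address literal
        flags.append(f"unbracketed IP literal in HELO {name}")
    return flags

def analyse(raw):
    """Whole-message flags: null sender on a non-bounce plus every hop's HELO problems."""
    msg = message_from_string(raw, policy=default)
    flags = []
    sender = str(msg.get("From") or "").lower()
    if (msg.get("Return-path") or "").strip() == "<>" and not re.search(
            r"mailer-daemon|postmaster", sender):  # heuristic: real bounces come from these
        flags.append("null envelope sender on a message that is not a bounce")
    for hop in msg.get_all("Received", []):
        flags.extend(hop_flags(" ".join(hop.split())))
    return flags
```

Run `analyse(SAMPLE)` to get the list of findings; an empty list means none of the checks fired.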

Related

Why is EmailHeaders analyzer showing blank "from" information while there is one in the X-Received of email header

I am trying to understand the email header and I found out that using an email header checker (e.g. mxtoolbox) can easily get the information. But I wonder how this works?
For example, I have an email header showing like this:
Received: from DM5PR04MB0251.namprd04.prod.outlook.com (::1) by
DM6PR04MB6592.namprd04.prod.outlook.com with HTTPS; Tue, 13 Sep 2022 00:17:52
+0000
Received: from DB6PR1001CA0016.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:4:b7::26)
by DM5PR04MB0251.namprd04.prod.outlook.com (2603:10b6:3:74::12) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5612.22; Tue, 13 Sep
2022 00:17:51 +0000
Received: from DB8EUR06FT019.eop-eur06.prod.protection.outlook.com
(2603:10a6:4:b7:cafe::4b) by DB6PR1001CA0016.outlook.office365.com
(2603:10a6:4:b7::26) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5612.14 via Frontend
Transport; Tue, 13 Sep 2022 00:17:51 +0000
...
...
And it shows blank in the "from" information.
Do you know why this is?

Delay in receiving emails sent from SendGrid (app is on Windows Azure, mvc.net)

I send an email through SendGrid using SendGridMessage.DeliverAsync. It takes about 20 minutes for the email to arrive. I am pasting below the header information of the email as received by the recipient. All company information has been replaced by fictional data:
Return-path: <bounces+1776648-b90d-rec=example.com@sendgrid.me>
Envelope-to: rec@example.com
Delivery-date: Wed, 27 May 2015 15:48:53 -0400
Received: from o1.f.az.sendgrid.net ([208.117.55.132]:22426)
by server37.web-hosting.com with esmtps (UNKNOWN:DHE-RSA-AES128-GCM-SHA256:128)
(Exim 4.82)
(envelope-from <bounces+1776648-b90d-rec=example.com@sendgrid.me>)
id 1YxhJt-003sMA-8G
for rec@example.com; Wed, 27 May 2015 15:48:53 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sendgrid.me;
h=content-type:mime-version:from:to:subject; s=smtpapi;
bh=e8YGVEGwW8wzxqhpuiTstqZPRIs=; b=MLyTlQTi5Y4eOlmcNk65t0Fqv+8cp
WoAtekeb+ld1HBI1kk4CQ1ycmJ7LP6r/ZJKI0+0+fwy0hsO5F7ywT7twv6t9Z/M2
BYxCuE5heMWP5tjyIkfJYjIDf8fT3OM43bq30+NC69GQWJFr+CHn2ms/OgmSahvD
PhQ71p1yBFagxY=
Received: by filter-403.sjc1.sendgrid.net with SMTP id filter-403.17268.55661A831A
2015-05-27 19:27:00.592426035 +0000 UTC
Received: from MTc3NjY0OA (unknown [23.97.229.110])
by ismtpd-004 (SG) with HTTP id 14d96d793b7.30c5.15e6fe
Wed, 27 May 2015 19:27:00 +0000 (UTC)
Content-Type: multipart/alternative;
boundary="===============1502686111627047378=="
MIME-Version: 1.0
From: Example Support <admin@example.com>
To: Rec Martel <rec@example.com>
Subject: Thank you for Signing up with Example!
Message-ID: <14d96d793b7.30c5.15e6fe@ismtpd-004>
Date: Wed, 27 May 2015 19:27:12 +0000 (UTC)
X-SG-EID: IASZyfUggCe5SBfFgEPkfXBDb6ZCY09R57ALGWkRenTMTMZdvb6XDq63Z6REVqqqqh1THbQI2y+Su7
fi7CkNm41AX9xYJayZj7L4Nq9kdKIQjkQVy89oVT4OWeRVj/QSAmE5TEgSMY+XRBmQ/JygwCuz1U6r
eB7+RE6w3Aht84U=
X-From-Rewrite: unmodified, no actual sender determined from check mail permissions
Can anyone tell me why the delay is happening and how I can fix it?
Regards,
Zawar
If you experienced this within the last hour (as per your question timestamp) it is likely because Sendgrid is currently experiencing a serious outage which is causing ~60 min. email delays in some cases.

Numerous emails saying "Failure Notice"

I've been frequently receiving emails with the subject line "failure notice" and I've included one example below.
Should I be concerned about this, and what, if any, actions do I have available, as it looks like my email address is being used as the return path?
Note I have changed the details slightly to "mydomain.co.uk", the email that is not mine to "removed_not_my_email@yahoo.com" and my email to "my_email@mydomain.co.uk".
Hi. This is the qmail-send program at mydomain.co.uk.
I tried to deliver a bounce message to this address, but the bounce bounced!
<removed_not_my_email@yahoo.com>:
98.136.217.202 failed after I sent the message.
Remote host said: 554 delivery error: dd This user doesn't have a yahoo.com account (removed_not_my_email@yahoo.com) [0] - mta1335.mail.gq1.yahoo.com
--- Below this line is the original bounce.
Return-Path: <>
Received: (qmail 9093 invoked for bounce); 12 Mar 2014 11:08:39 +0100
Date: 12 Mar 2014 11:08:39 +0100
From: MAILER-DAEMON@mydomain.co.uk
To: removed_not_my_email@yahoo.com
Subject: failure notice
Hi. This is the qmail-send program at mydomain.co.uk.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<moggiex@gmail.com>:
173.194.68.26 failed after I sent the message.
Remote host said: 552-5.7.0 This message was blocked because its content presents a potential
552-5.7.0 security issue. Please visit http://support.google.com/mail/bin/answe
552-5.7.0 r.py?answer=6590 to review our message content and attachment content
552 5.7.0 guidelines. s4si12659992qan.75 - gsmtp
--- Below this line is a copy of the message.
Return-Path: <removed_not_my_email@yahoo.com>
Received: (qmail 9089 invoked by uid 110); 12 Mar 2014 11:08:37 +0100
Delivered-To: mydomain.co.uk-my_email@mydomain.co.uk
Received: (qmail 9083 invoked from network); 12 Mar 2014 11:08:37 +0100
Received: from triband-del-59.177.226.218.bol.net.in (59.177.226.218)
by mydomain.co.uk with SMTP; 12 Mar 2014 11:08:32 +0100
Received: from apache by sdsgtchsccutvijfsjftr. with local (Exim 4.63)
(envelope-from <removed_not_my_email@yahoo.com>)
id YMVXBT-G78HLB-XN
for <my_email@mydomain.co.uk>; Wed, 12 Mar 2014 15:38:31 +0530
To: <my_email@mydomain.co.uk>
Subject: Image has been sent my_email
Date: Wed, 12 Mar 2014 15:38:31 +0530
From: "Evernote service" <removed_not_my_email@yahoo.com>
Message-ID: <7CC92FB2B133AA0F3984DE6BA6E33439@sdsgtchsccutvijfsjftr.>
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
etc...
There is no verification of the sender in SMTP. Anyone can send email from whatever email address they can think of.
Spam and malware are distributed using this fact, circumventing certain spam filters because the sender address/return path seems legitimate.
The notice that 'content presents a potential 552-5.7.0 security issue' could mean that an executable was attached. Maybe harmless, but probably a virus or malware.
Not nice, but also not much you can do about it.
To avoid your email address being used in the future as the source of this practice, protect your email address.
Don't post it on web pages in the clear.
Use a temporary email address when subscribing to sites and/or mailing lists.

JavaMail message getReceivedDate() and getSentDate()

I'm using JavaMail 1.4.7, and a specific message in my mail account contains the header:
Received: from ... (localhost.localdomain [127.0.0.1])
by ... (lmtpd) with LMTP id 25811.002;
Tue, 12 Nov 2013 16:52:11 +0100 (CET)
Subject: CONSEGNA: numerodacontare
Date: Tue, 12 Nov 2013 16:52:11 +0100
And for this message:
getReceivedDate() = Tue Nov 12 16:52:10 CET 2013
getSentDate() = Tue Nov 12 16:52:11 CET 2013
So it seems that the message was received before it was sent.
How should this be interpreted?
What exactly is the difference?
Is this behavior common for all mail servers?

stop localhost from appearing in email headers

I am trying to configure sendmail on a Linux Server, so that localhost is not mentioned in the email headers.
I've set the server hostname in /etc/sysconfig/network, and edited the line
Djmydomain.com in my sendmail.cf file (and restarted everything).
But still the email headers have this:
Received: by x.x.x.x with SMTP id xxx;
Sat, 5 Nov 2011 13:48:43 -0700 (PDT)
Received: by x.x.x.x with SMTP id xxx;
Sat, 05 Nov 2011 13:48:41 -0700 (PDT)
Return-Path: <root@mydomain.com>
Received: from mydomain.com ([x.x.x.x])
by mx.google.com with ESMTPS id xxx
(version=TLSv1/SSLv3 cipher=OTHER);
Sat, 05 Nov 2011 13:48:41 -0700 (PDT)
Received-SPF: neutral (google.com: x.x.x.x is neither permitted
nor denied by best guess record for domain of root@mydomain.com) client-ip=x.x.x.x;
Authentication-Results: mx.google.com; spf=neutral (google.com: x.x.x.x is neither permitted nor denied by best guess record for domain of root@mydomain.com) smtp.mail=root@mydomain.com
Received: from mydomain.com (localhost.localdomain [127.0.0.1])
by mydomain.com (...) with ESMTP id xxx
for <me@myemailaddress.com>; Sat, 5 Nov 2011 20:48:44 GMT
Received: (from root@localhost)
by mydomain.com (...) id xxx
for me@myemailaddress.com; Sat, 5 Nov 2011 20:48:44 GMT
Date: Sat, 5 Nov 2011 20:48:44 GMT
From: root <root@mydomain.com>
Message-Id: <XXX>
I don't think the references to localhost.localdomain and localhost should be there; I am concerned about the domain getting blacklisted etc.
Can anyone tell me how to remove them?
Thanks!
Fix the fully qualified host name reported by the command below:
hostname --fqdn
It is OS/distribution specific.
OR
Force sendmail to use another "this host" name as described in the cf/README file:
https://www.sendmail.com/sm/open_source/docs/m4/whoami.html