wila, Verified User. Joined: Dec 15, 2017. Messages: 81
Hi,
I was going through the junk folder on my company's main (mycompany.com) email account.
That email is not hosted by myself, for reasons of having a backup plan in case my email server goes down; instead it is hosted by pcextreme.nl.
What caught my eye was that some spam was being sent to the mycompany.nl account, but somehow it ended up in the mycompany.com account. Those are not the same email servers! (The mycompany.nl account is hosted via DirectAdmin.)
The DNS settings for the MX server are different.
When I checked the headers of the spam, it seemed like the spam got sent via my DirectAdmin server. Huh?
So I went and checked the exim.log file, and it did indeed have an entry for that same email.
Code:
2019-05-23 16:50:07 1hTp2l-0005hm-OH <= [email protected] H=hungrest.xyz [209.141.52.187] P=esmtp S=5028 DKIM=hungrest.xyz [email protected] T="Maak het leven nu makkelijker" from <[email protected]> for [email protected]
2019-05-23 16:50:08 1hTp2l-0005hm-OH [185.87.184.60] SSL verify error: certificate name mismatch: DN="/CN=*.route25.eu" H="primary.mail.pcextreme.nl"
2019-05-23 16:50:09 1hTp2l-0005hm-OH ** [email protected] <[email protected]> F=<[email protected]> R=lookuphost T=remote_smtp H=primary.mail.pcextreme.nl [185.87.184.60] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no: SMTP error from remote mail server after end of data: 550 A URL in this email (acter4multi . xyz) is listed on https://spamrl.com/. Please resolve and retry
2019-05-23 16:50:09 1hTp2n-0005hs-Er <= <> R=1hTp2l-0005hm-OH U=mail P=local S=6711 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2019-05-23 16:50:09 1hTp2l-0005hm-OH Completed
As you can see, they merge "mycompany.nl" and "mycompany.com" into the email addresses in order to bypass some of the filtering.
Those same emails are also in the admin queue.
Code:
1hTp2n-0005hs-Er-H
mail 8 12
<>
1558623009 0
-received_time_usec .460854
-ident mail
-received_protocol local
-body_linecount 136
-max_received_linelength 125
-allow_unqualified_recipient
-allow_unqualified_sender
-localerror
XX
1
[email protected]
167P Received: from mail by mail.mycompany.nl with local (Exim 4.92)
id 1hTp2n-0005hs-Er
for [email protected]; Thu, 23 May 2019 16:50:09 +0200
038 X-Failed-Recipients: [email protected]
029 Auto-Submitted: auto-replied
059F From: Mail Delivery System <[email protected]>
050T To: [email protected]
100 Content-Type: multipart/report; report-type=delivery-status; boundary=1558623009-eximdsn-1736375805
018 MIME-Version: 1.0
059 Subject: Mail delivery failed: returning message to sender
048I Message-Id: <[email protected]>
038 Date: Thu, 23 May 2019 16:50:09 +0200
I'm trying to understand what happened here, and I admit that I'm not quite getting it.
Does somebody else here have an idea?
Is it backscatter somehow?
Sorry, I anonymized my company name with a search & replace and changed it into "mycompany.nl" and "mycompany.com".
I can't reproduce the email headers anymore, as I pressed delete on the junk folder and it did end up getting removed. But I'm sure this kind of spam will happen again.
Thanks!
--
Wil
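Added example, not part of the original post: a short Python script that correlates Exim mainlog lines by message ID, so that the sequence visible in the posted log (a message accepted with `<=`, its remote delivery failing with `**` and a 5xx from the downstream host, and Exim then generating a bounce, logged as `<= <>` with `R=<original id>`) is flagged as probable backscatter, together with a note on whether the bounce is addressed to one of your own domains. The log lines inside the script are constructed to match Exim's log format; host names, addresses and IPs are placeholders, and only the `mycompany.nl`/`mycompany.com` domain names are taken from the post.

```python
"""Correlate Exim mainlog lines to spot backscatter: mail accepted locally,
rejected downstream with a 5xx, then bounced by us to the (possibly forged)
envelope sender. Example code for this thread, not DirectAdmin's or Exim's."""
import re
from dataclasses import dataclass, field

# Constructed sample log (placeholder hosts/addresses). Lines 1-4 mirror the
# sequence in the post: arrival, remote permanent failure, auto-generated
# bounce referencing the original id, Completed. Lines 5-7: a normal forward.
SAMPLE_LOG = """\
2019-05-23 16:50:07 1hTp2l-0005hm-OH <= fake@mycompany.nl H=spamhost.example.invalid [203.0.113.10] P=esmtp S=5028 T="Spam subject" from <fake@mycompany.nl> for info@mycompany.nl
2019-05-23 16:50:09 1hTp2l-0005hm-OH ** info@mycompany.com <info@mycompany.nl> F=<fake@mycompany.nl> R=lookuphost T=remote_smtp H=mx.upstream.example.invalid [198.51.100.5] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no: SMTP error from remote mail server after end of data: 550 A URL in this email is listed on a blocklist
2019-05-23 16:50:09 1hTp2n-0005hs-Er <= <> R=1hTp2l-0005hm-OH U=mail P=local S=6711 T="Mail delivery failed: returning message to sender" from <> for fake@mycompany.nl
2019-05-23 16:50:09 1hTp2l-0005hm-OH Completed
2019-05-23 17:01:00 1hTpDc-0006Aa-Ab <= alice@partner.example H=mail.partner.example [192.0.2.20] P=esmtps S=2048 T="Invoice" from <alice@partner.example> for info@mycompany.nl
2019-05-23 17:01:01 1hTpDc-0006Aa-Ab => info@mycompany.com <info@mycompany.nl> F=<alice@partner.example> R=lookuphost T=remote_smtp H=mx.upstream.example.invalid [198.51.100.5] C="250 OK id=abc"
2019-05-23 17:01:01 1hTpDc-0006Aa-Ab Completed
"""

# "<timestamp> <message-id> <flag> <rest>"; flags: <= arrival, => / -> delivery,
# ** permanent failure, == deferral, Completed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) "
    r"(?P<flag><=|=>|->|\*\*|==|Completed)(?: (?P<rest>.*))?$"
)
HOST_RE = re.compile(r"\bH=(\S+) \[([^\]]+)\]")        # H=host [ip]
ORIG_RE = re.compile(r"\bR=(\S+)")                      # on bounces: R=<original id>
FOR_RE = re.compile(r" for (\S+)$")                     # envelope recipient
SMTP_CODE_RE = re.compile(r"SMTP error from remote mail server[^:]*: (\d{3}) ")


@dataclass
class Message:
    msg_id: str
    sender: str = ""            # envelope sender; "" is the null sender <>
    source_host: str = ""       # H= of the submitting host on the <= line
    recipients: list = field(default_factory=list)
    failures: list = field(default_factory=list)   # (recipient, remote_host, smtp_code)
    bounce_of: str = ""         # set on auto-generated bounces (<= <> R=...)


def parse_log(text):
    """Group mainlog lines by message id and pull out the fields we need."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = msgs.setdefault(m["id"], Message(m["id"]))
        rest, flag = m["rest"] or "", m["flag"]
        if flag == "<=":
            msg.sender = rest.split(" ", 1)[0].strip("<>")
            h = HOST_RE.search(rest)
            msg.source_host = h.group(1) if h else ""
            if msg.sender == "":                   # null sender: this is a DSN
                r = ORIG_RE.search(rest)
                msg.bounce_of = r.group(1) if r else ""
            f = FOR_RE.search(rest)
            if f:
                msg.recipients.append(f.group(1))
        elif flag == "**":
            h = HOST_RE.search(rest)
            c = SMTP_CODE_RE.search(rest)
            msg.failures.append((rest.split(" ", 1)[0],
                                 h.group(1) if h else "",
                                 int(c.group(1)) if c else 0))
    return msgs


def find_backscatter(text, local_domains):
    """Return one event per bounce we generated for a message that a remote
    host refused with a 5xx after we had already accepted it."""
    msgs = parse_log(text)
    local = {d.lower() for d in local_domains}
    events = []
    for bounce in msgs.values():
        if bounce.sender != "" or not bounce.bounce_of:
            continue
        orig = msgs.get(bounce.bounce_of)
        if orig is None:
            continue
        for _rcpt, remote_host, code in orig.failures:
            if 500 <= code < 600:
                bounce_to = bounce.recipients[0] if bounce.recipients else ""
                events.append({
                    "orig_id": orig.msg_id, "bounce_id": bounce.msg_id,
                    "accepted_from": orig.source_host,
                    "envelope_sender": orig.sender,
                    "rejected_by": remote_host, "smtp_code": code,
                    "bounce_to": bounce_to,
                    "bounce_to_local": bounce_to.rpartition("@")[2].lower() in local,
                })
    return events


if __name__ == "__main__":
    for ev in find_backscatter(SAMPLE_LOG, ["mycompany.nl", "mycompany.com"]):
        print(ev)
```

To use it on a real server, feed it the contents of the Exim main log instead of SAMPLE_LOG. A hit means the server accepted the message and only afterwards learned that the downstream host would refuse it, so the DSN (with the original spam inside) went to whatever envelope sender the spammer chose; when that sender is in a local domain, the bounce ends up in a local mailbox or follows the forward onward. The general mitigation for backscatter is to refuse the message during the SMTP transaction rather than accept it and bounce later; how to do that in a DirectAdmin Exim configuration is outside the scope of this example.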