
One of my clients is getting thousands of "Delivery Status Notification (Failure)" emails per day and it's replied to random email accounts that don't exist on the domain. The content of the emails that bounce back has spam links to porn sites. So someone is obviously using the domain to send out spam, but I'm not sure if they've hacked the server or if they're just spoofing.

I have been looking into the email settings in cPanel to see if I can restrict this. I came across the DKIM and SPF settings under Email Authentication. I've enabled both of these but the emails keep coming through.

Paul Mason
  • The From address on an e-mail is akin to writing a From address on a regular snail mail. There isn't much that can be done. See @Tom Marenthal's comment. – artifex May 31 '13 at 20:10

1 Answer


The sender address is very easy to spoof. You can do it with nothing more than a command prompt/shell and a telnet command.

It's almost certainly not a compromised system; this kind of thing goes on all the time and there is very little you can do about it.

If you are concerned, check the message headers as that will reveal the IP source of the message.

Bryan
  • Thanks Bryan, the message headers say `Received: from smtp-data2.ironport1.cbr1.mail-filtering.com.au ([117.55.227.33]:37736) by ju001lcs17.syd.the-server.net.au with esmtp (Exim 4.80) id 1UiUKJ-001Uhm-E7 for isabelle_frye@example.com; Sat, 01 Jun 2013 04:45:24 +1000 Received: from localhost by smtp-data2.ironport1.cbr1.mail-filtering.com.au; 01 Jun 2013 04:45:21 +1000` – Paul Mason May 31 '13 at 19:41
  • Because they're bounced back emails, won't the headers come from the bounce back service on the server and not the original sender? – Paul Mason May 31 '13 at 19:43
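
Added example (not part of the original thread): a bounce in the standard `multipart/report` format often attaches the rejected message or just its headers, and the `Received` lines of that attached copy, rather than those of the bounce itself, show where the spam was handed over. The sketch assumes such a bounce with bracketed IPv4 addresses as in the header quoted above; `SAMPLE_DSN`, `original_hops`, `classify` and every hostname and IP in the sample are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed bounce (DSN) for a forged message; names and IPs are placeholders.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.remote.example
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.remote.example

Final-Recipient: rfc822; nobody@remote.example
Status: 5.1.1

--b1
Content-Type: message/rfc822

Received: from unknown ([192.0.2.55]) by mx.remote.example; Sat, 01 Jun 2013 04:45:05 +1000
From: isabelle_frye@example.com

body
--b1--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPv4 only (assumption)

def original_hops(raw_dsn):
    """IPs from the Received headers of the message embedded in a bounce."""
    msg = email.message_from_string(raw_dsn, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            inner = part.get_payload(0)
        elif ctype == "text/rfc822-headers":
            inner = email.message_from_string(part.get_content(), policy=policy.default)
        else:
            continue
        return [ip for h in inner.get_all("Received", []) for ip in IP_RE.findall(str(h))]
    return []  # the bounce carried no copy of the original message

def classify(raw_dsn, own_ips):
    """Did the bounced original pass through one of our own servers?"""
    hops = original_hops(raw_dsn)
    if not hops:
        return "no-original-attached"
    return "relayed-by-own-server" if set(hops) & set(own_ips) else "forged-elsewhere"
```

Pass `classify` the raw bounce and the set of IPs your own mail server and any outbound relay send from. Only the topmost `Received` line, written by the server that generated the bounce, is reliable; lower lines can be forged by the sender, so treat a match there as a reason to check your own mail logs rather than as proof.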