I am using custom email addresses formed with my domain name. I am using POP, but with the option to not delete the emails from the server (the server is in the cloud, not my own), so email clients on different PCs can still get the same email.
Today I received a "Mail Delivery Failed" notice for an email I have definitely not sent, to what seems to be a random email address. The message of the email I supposedly sent is just "doc".
I have checked cPanel's Track Delivery and there is no email sent from my address, only the delivery failed notice. How is that possible?
What is happening and what can I do?
Below is the notification.
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es)
failed:
nik7784527485@gmail.com
host gmail-smtp-in.l.google.com [74.125.195.27]
SMTP error from remote mail server after RCPT TO:<nik7784527485@gmail.com>:
550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 https://support.google.com/mail/?p=NoSuchUser v11si20495962pfm.249 - gsmtp
Reporting-MTA: dns; server205.web-hosting.com
Action: failed
Final-Recipient: rfc822;nik7784527485@gmail.com
Status: 5.0.0
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 https://support.google.com/mail/?p=NoSuchUser v11si20495962pfm.249 - gsmtp
Below is the email header.
To: nik7784527485@gmail.com
Return-path: (I have deleted this)
Received: from (I have deleted this)
helo=(I have deleted this) by server205.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92) (envelope-from "This is my actual email address") id 1iMvws-0034EY-Fe for nik7784527485@gmail.com; Tue, 22 Oct 2019 11:19:55 -0400
Message-ID: <c7346356-3178-340a-75fd-e1966ccb2063@"This is my actual email address">
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101
Thunderbird/68.1.2
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-OutGoing-Spam-Status: No, score=0.8
I think we need more detail on your setup.
Is this a personal Gmail account set up with a domain name by forwarding mail in cPanel? Or G Suite? Or something else?
How have you got the email set up in Thunderbird? If it's POP and is set to delete items from the server, then it's possible one client got there first and removed the mail before the other clients had a chance to grab a copy, but it's hard to say without knowing more.
Also, normally mail delivery failed notifications will give more information than just that; if you could post that, it may help identify the source of the mail. – Ciaran McKenzie – 2019-10-22T16:47:26.720
@CiaranMcKenzie I will edit my question. – Adam – 2019-10-22T16:48:18.203
Possibly a spammer spoofing your email address as the source of the email (so that recipients will think it's a known address). – Steve Rindsberg – 2019-10-22T17:03:12.533
I am still unsure of the answer here. It’s possible that someone spoofed your address and tried to send the mail. If that mail had your address as the return path then DNS lookups would have directed this notification to you. All I can advise to prevent this in future is to ensure you properly configure SPF and DKIM records for your domain to prevent the spoofing of your address, and to configure DMARC reports to get feedback on unauthorised or spoofed senders. It may also be prudent to change your password. With the current information and without DMARC reports it’s hard to tell any further. – Ciaran McKenzie – 2019-10-22T17:39:35.583
@CiaranMcKenzie I am trying to understand whether this is a spoofing attack or my PC is compromised. I have a signature text in all my emails and the returned one had that text. If that was spoofing I guess that this wouldn't be the case. – Adam – 2019-10-22T18:19:51.797
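Added example, not part of the original thread: one way to triage the spoofing-versus-compromise question from the headers of the returned message, by checking whether your own provider's `Received` line records an authenticated submission (`esmtpsa`, as in the header posted in the question). The function name, the sample messages and every `example.*` name are constructed for illustration.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords that mean the client passed SMTP AUTH.
AUTH_PROTOCOLS = {"esmtpa", "esmtpsa", "lmtpa", "lmtpsa"}
HOP_RE = re.compile(r"\bby\s+(\S+)\s+with\s+(\S+)", re.I)

def triage_returned_message(headers: str, own_mta: str) -> str:
    """Classify a returned message by how own_mta recorded receiving it."""
    msg = message_from_string(headers)
    verdict = "no-hop-at-own-mta"  # never crossed your server: sender forged
    for raw in msg.get_all("Received", []):
        hop = HOP_RE.search(" ".join(raw.split()))  # unfold folded header
        if not hop or hop.group(1).lower() != own_mta.lower():
            continue  # lines written by other hosts are not trusted here
        if hop.group(2).lower() in AUTH_PROTOCOLS:
            return "authenticated-submission"  # a login as the mailbox sent it
        verdict = "unauthenticated-at-own-mta"
    return verdict

# Constructed samples; example.* names and 203.0.113.x are placeholders.
SAMPLE_AUTH = """\
To: nobody@example.net
Received: from [203.0.113.7] (helo=[192.168.1.10])
 by server205.web-hosting.com with esmtpsa
 (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92)
 (envelope-from <user@example.com>) id 1iMvws-0034EY-Fe
 for nobody@example.net; Tue, 22 Oct 2019 11:19:55 -0400
User-Agent: Mozilla/5.0 Thunderbird/68.1.2

doc
"""

SAMPLE_FORGED = """\
To: nobody@example.net
From: user@example.com
Received: from unknown (HELO mail.example.org)
 by mx.example.org with esmtp id CONSTRUCTED1
 for nobody@example.net; Tue, 22 Oct 2019 11:19:55 -0400

doc
"""

if __name__ == "__main__":
    for name, sample in (("auth", SAMPLE_AUTH), ("forged", SAMPLE_FORGED)):
        print(name, triage_returned_message(sample, "server205.web-hosting.com"))
```

An `authenticated-submission` verdict means the provider accepted the message after a login as that mailbox, which SPF, DKIM and DMARC do not address; the password change suggested in the comments does. Only the `Received` line written by a host you trust is evidence, since everything below it can be forged by the sender.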