is my site Mail being hacked?

Discussion in 'Security' started by toby, Feb 28, 2007.

  1. #1
    Hi guys,

    I have noticed that my site email system has sent out email containing spam.
    The reason I know is that the other guys who receive my mail email me back, and I saw the sender is . where xxx is any name.

    Is my mail server being hacked? How can I rectify the problem?

    cheers,
     
    toby, Feb 28, 2007 IP
  2. clancey

    clancey Peon

    #2
    Just because the sender of the email purports to be from your domain does not mean that your machine is the source of the email. You would need to see the full header of the email message which was sent to that individual. You need to examine the "Received:" lines in the email header to see if your server's IP address is present. It looks like:

    Received: from mail.MYSERVER.ca ([000.000.000.000]
    - or -
    Received: from 000.000.000.000

    where the zeroes are your IP address.

    If it is not, then you are just a hapless victim of a spammer. If it is present, you will need to hunt the cause of the problem. These include a misconfigured mail server, poorly written scripts, and having an intruder.
     
    clancey, Feb 28, 2007 IP
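The header check described in post #2, as an added example that is not part of the original thread: it pulls the IP addresses out of each `Received:` line and reports which hops mention your server. The sample message, all hostnames and addresses, and the function names are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample: headers of a spam message as a recipient would see them.
# All hostnames and addresses are made up (documentation ranges).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby mail.recipient.example with ESMTP id abc123; Wed, 28 Feb 2007 10:00:02 +0000
Received: from dsl-host.isp.example (unknown [203.0.113.45])
\tby mx.recipient.example with SMTP id def456; Wed, 28 Feb 2007 10:00:01 +0000
From: xxx@mysite.example
To: someone@recipient.example
Subject: constructed sample

body
"""

# Matches "[1.2.3.4]", "[IPv6:2001:db8::1]" and the bare "from 1.2.3.4" form.
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]|\bfrom\s+(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_ips(raw_message):
    """Return one list of IP addresses per Received: header, newest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        ips = []
        for m in IP_RE.finditer(str(header)):
            try:
                ips.append(ipaddress.ip_address(m.group(1) or m.group(2)))
            except ValueError:
                continue  # bracketed text that is not an IP literal
        hops.append(ips)
    return hops

def hops_with_ip(raw_message, my_ips):
    """Indexes (0 = newest) of Received: lines that mention one of my_ips."""
    mine = {ipaddress.ip_address(ip) for ip in my_ips}
    return [i for i, ips in enumerate(received_ips(raw_message))
            if mine.intersection(ips)]

if __name__ == "__main__":
    # 192.0.2.10 stands in for your own mail server's address.
    print(hops_with_ip(SAMPLE, ["192.0.2.10"]))    # [] -> not sent via your server
    print(hops_with_ip(SAMPLE, ["203.0.113.45"]))  # [1] -> that host handed it over
```

Each relay prepends its own `Received:` line, so the topmost lines come from the recipient's servers; lines below those were supplied by the sending host and can be forged.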
  3. toby

    toby Notable Member

    #3
    Thanks clancey, what if I am a victim of spammers? Can I do something about it?
     
    toby, Feb 28, 2007 IP
  4. PrimeHost

    PrimeHost Active Member

    #4
    If you are using scripts all you can do is to make sure you are running the latest versions.

    If you are using cpanel and want to get rid of those bounced emails make sure your default email address is set to :blackhole: so that any email that is sent to that is not a legit email address will be discarded.
     
    PrimeHost, Feb 28, 2007 IP
  5. clixxer

    clixxer Peon

    #5
    Set it to :fail: because then the email doesn't even get to your server.

    Otherwise there is nothing you can do about spammers using your domain as the sender.
     
    clixxer, Mar 1, 2007 IP
  6. PrimeHost

    PrimeHost Active Member

    #6
    Actually if you set it to :fail: it responds back to the original sender using additional resources, which is why you get the email notifying you of the bounce.

    Set it to :blackhole: and it gets deleted.
     
    PrimeHost, Mar 1, 2007 IP
  7. clancey

    clancey Peon

    #7
    Unfortunately, if the messages are being sent from other servers and your email is being used as the return address, there is nothing you can do about it.

    A year or so ago, a spammer used my email address for the entire list. I was getting so many rejected email messages that I needed to close that account.
     
    clancey, Mar 1, 2007 IP
  8. Sini

    Sini Peon

    #8
    This is called email backscattering, which is causing lots of problems these days.

    The sender has nothing to do with the domain from which the email appears to be coming from; normally these emails are sent from infected home PCs etc.

    When an email bounces it sends a bounce notification to the reply address although it has nothing to do with the original sender of the domain. These bounces can cause severe email traffic to a server, when there are several bounces every second coming in.

    Unfortunately there is nothing the domain owner or host can do about this. Reporting IPs etc. won't help as there are thousands of PCs infected and used for these actions. SPF records won't help you.

    To make the load caused by this use :fail: instead of :blackhole: For more information why you should use fail instead of blackhole: http://www.configserver.com/free/fail.html
     
    Sini, Mar 2, 2007 IP