Several spammers are sending email from fake email addresses from my domain (e.g. bob@mydomain.com, where bob is not a valid email address).

Not sure if they are

1) Sending them from other computers and just spoofing the headers to make it appear that it's from bob@mydomain.com

or

2) Somehow hacked into my VPS and sending them from my actual server.

Below are some emails I get from websites that bounce the spam that is being sent:

http://pastebin.com/Tb4Th8kM

The two problems that arise from this are that my mail folder gets full from all the bounced email, and also that my domain is now on several spam lists and I can't send email from any legitimate address on my domain.

Can you guys help with suggestions on how I can go about:

a) Determining whether (1) or (2) above is happening
b) Stopping it if possible
c) If not possible to do (b), at least minimize the damage

Thanks
First, look at the headers to see where the message originated. If it didn't originate from your VPS or mail server, you're probably okay.

You should google and implement SPF and DKIM for your domain. SPF is just a DNS change that says what hosts are allowed to send email for your domain, and DKIM is a DNS + mailserver change that will sign legit outbound email with a key that MTAs can verify to make sure that the email is legit (and bounce it if it's not). That will stop the vast majority of fraudulent email in its tracks.

Looking at the email you provided:

<pre><code>Received: from __MY_USERNAME__ by __MY_WEBSITE__.com with local (Exim 4.80.1)
X-PHP-Script: __MY_WEBSITE__.com/ for 127.0.0.1
</code></pre>

I'd bet good money that you have a compromised or vulnerable mailer script on your machine somewhere and it's being exploited in an automated fashion. Check all of your mailers for known vulnerabilities and patches.

It may be wise to assume that the box is compromised, save your known good data and code, torch the whole thing and rebuild it piece by piece, validating the pieces as you go. That's extreme, but when dealing with a potential machine breach, you can't really ever be sure that you're clean without nuking it from orbit.
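A way to automate the header check this answer recommends, as an added example that is not from the post or its author: it reads the earliest Received hop of a bounced message and reports whether the mail was injected on your own server (the Exim `with local` transport and `X-PHP-Script` header quoted above, i.e. scenario 2), relayed through your server over SMTP (a case the answer does not cover), or never touched your server (scenario 1). The two sample messages and the `my_hosts` set are constructed assumptions.

```python
import email
import re
from email import policy

# Constructed samples modelled on the headers quoted in the answer above
# (Exim "local" transport plus an X-PHP-Script header); not real captures.
LOCAL_BOUNCE = """\
Received: from __MY_USERNAME__ by __MY_WEBSITE__.com with local (Exim 4.80.1)
\tid 1abcde-000123-Xy; Mon, 01 Jan 2014 00:00:00 +0000
X-PHP-Script: __MY_WEBSITE__.com/ for 127.0.0.1
From: bob@mydomain.com
Subject: constructed sample

body
"""
REMOTE_BOUNCE = """\
Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby mx.example.org with ESMTP id abc123; Mon, 01 Jan 2014 00:00:00 +0000
From: bob@mydomain.com
Subject: constructed sample

body
"""

# "from <host> by <host> with <protocol>" clauses of a Received header.
HOP_RE = re.compile(r"\bfrom\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>\S+)", re.S)


def classify_origin(raw_message, my_hosts):
    """Return 'local-script', 'relayed-by-my-server', 'remote' or 'unknown'.

    my_hosts: hostnames of the mail servers you operate (assumed input).
    """
    my_hosts = {h.lower() for h in my_hosts}
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = [str(h) for h in (msg.get_all("Received") or [])]
    if not received:
        return "unknown"
    # Each hop prepends its own Received header, so the last one is the first hop.
    hop = HOP_RE.search(received[-1])
    if hop is None:
        return "unknown"
    by_host = hop.group("by").lower().rstrip(";")
    injected_locally = hop.group("with").lower() == "local"
    if by_host in my_hosts and (injected_locally or msg.get("X-PHP-Script")):
        # Submitted on the box itself by a local process such as PHP mail():
        # points at a vulnerable or compromised script on the server.
        return "local-script"
    if by_host in my_hosts:
        # Your server accepted it over SMTP from a remote client: check for an
        # open relay or abused SMTP AUTH credentials.
        return "relayed-by-my-server"
    # The first hop is a host you do not run: spoofed sender, never your server.
    return "remote"
```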
What do the headers of a real message (from your server) look like? It's strange that the bounced messages in Pastebin only have one "Received" header, without IP information.

I just looked at the last message I got and it has 10 headers with Received, X-Received or Received-SPF, with a lot of IP information.

If they are spoofing the email, then "DomainKeys Identified Mail (DKIM)" may help: http://www.dkim.org/ . I never deployed it to a server, so you must seek advice from someone with real-world experience.