# Unauthorized email being sent from our server



## yoojin (May 18, 2006)

Hello all and great site. I am new to the site and need your assistance.

We recently had an email sent out from our email server using one of our accounts. I am unable to verify if it was sent from the server itself or just a spoof that used our information in the reply.

Is there a way to check to see from the email if it was sent from our server or just the user filling in the reply-to? We are worried that this may occur again and our server being marked as spam.

We currently do not have a dedicated server of our own, but use that from our web hosting company. They use SqWebMail as their email server. That is all I know. I have contacted the hosting company, but am not sure they can figure this one out.

One last thing - is there a report of some sort we can send out to some authority figure like the website's hosting company of abuse? Can any legal action be taken? The email is some sort of spam promoting www.avolcy.qhealthzone.com; the from address is from [email protected] but all replies and unsubscribes show our email address.

Any help or direction you can provide is greatly appreciated.


----------



## MicroBell (Sep 21, 2004)

You should be able to check the message's header to see where it came from and who it was going to and the path it took. For example in Outlook/Outlook Express (I'm sure SqWebMail will have something similar) you can highlight the message..click properties...then details..then message source and you get something similar to this displayed.




> Return-Path: <[email protected]>
> Received: from ispmxaamta01-gx.alltel.net ([66.179.50.67]) *<--last path*
> by ispmxmta01-srv.alltel.net with ESMTP
> id <[email protected]x.alltel.net>
> ...



*<******@******.net>;* = My Email address *(removed)*

If the email was legit....your email server and its IP should be displayed. If it's being "Spoofed" usually your email server name will be displayed...but at some other IP that's being used. So the email LOOKS like it came from you...but it really came from the bad IP address.


----------



## yoojin (May 18, 2006)

```
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: (qmail 29558 invoked by uid 523); 17 May 2006 19:26:14 -0000
Mailing-List: contact [email protected]; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Post: <mailto:[email protected]>
List-Help: <mailto:[email protected]>
List-Unsubscribe: <mailto:[email protected]>
List-Subscribe: <mailto:[email protected]>
Reply-To: [email protected]
Delivered-To: mailing list [email protected]
Received: (qmail 29441 invoked from network); 17 May 2006 19:26:11 -0000
Content-class: urn:content-classes:message
Subject: Feeling Well Begins with Living Well
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Date: Wed, 17 May 2006 15:24:03 -0500
Message-ID: <[email protected]>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
Thread-Topic: Feeling Well Begins with Living Well
Thread-Index: AcZabby8jpaTQt8uQp+1k1BjxYKRHAAABCmAAI7sAwAHUYLAoA==
From: =?iso-8859-1?Q?Alex_Volcy_S=E1nchez?= <[email protected]>
```


So this is what the email looked like. Looks like the address cannot be viewed...


----------



## MicroBell (Sep 21, 2004)

everybody-return-146-ouremail.com <--is this your company's mail address?

This looks like a "Spoof" email where some of the headers were stripped and the TO: and FROM: lines contain your email address (Typical spam ploy). I would double check with your email service if you have the following account.."qmail 29558 invoked by uid *523*"

uid=User ID 523

*[email protected]* <--this entry looks like the spam address and if it's not related to your network or business..then it should be blocked.


----------
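The header check described in the replies above, as an added example that is not part of any post in this thread: it walks the `Received:` lines oldest-first and compares the name and IP each hop recorded against the server names and IPs you actually use. The headers, host names and IPs are constructed, and only the bracketed `from host ([ip])` form and the qmail forms shown in the thread are parsed.

```python
import re
from email import message_from_string

# Constructed headers (not the message from the thread); IPs are documentation ranges.
SAMPLE = """\
Return-Path: <bounce@lists.example.net>
Received: (qmail 1002 invoked by uid 523); 17 May 2006 19:26:14 -0000
Received: (qmail 1001 invoked from network); 17 May 2006 19:26:11 -0000
Received: from mail.ourcompany.example ([203.0.113.45])
    by mx.lists.example.net with ESMTP; 17 May 2006 19:26:10 -0000
Reply-To: info@ourcompany.example
Subject: constructed sample

body
"""

SMTP_HOP = re.compile(r"from\s+(\S+)\s+\([^)]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")
QMAIL_HOP = re.compile(r"\(qmail \d+ invoked (?:by uid (\d+)|from network)\)")

def trace_hops(raw):
    """Return Received hops oldest-first; each server prepends its own line."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())          # unfold continuation lines
        smtp, qmail = SMTP_HOP.search(text), QMAIL_HOP.search(text)
        if smtp:
            hops.append({"kind": "smtp", "name": smtp.group(1).lower(), "ip": smtp.group(2)})
        elif qmail:                              # qmail handoff: no peer IP recorded
            hops.append({"kind": "qmail", "uid": qmail.group(1)})
        else:
            hops.append({"kind": "unknown", "raw": text})
    return hops

def assess(raw, our_names, our_ips):
    """Classify a message against the server names/IPs we really use (assumed inputs)."""
    smtp = [h for h in trace_hops(raw) if h["kind"] == "smtp"]
    if not smtp:
        return "no-ip-evidence"      # headers cannot settle it; the host's SMTP logs can
    if any(h["ip"] in our_ips for h in smtp):
        return "our-server"
    if any(h["name"] in our_names for h in smtp):
        return "name-ip-mismatch"    # our server's name, someone else's IP
    return "other-origin"

if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        print(hop)
    print(assess(SAMPLE, {"mail.ourcompany.example"}, {"192.0.2.10"}))
```

A sender can forge `Received:` lines below the first server you trust, so treat only the hops written by your own or your recipient's mail servers as evidence; a header set with nothing but qmail lines, like the one pasted in the thread, yields `no-ip-evidence`.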

