I've been having a problem for the past couple of days where I get a bunch of 'Delivery Status Notifications' from the mail delivery system. It looks like my email account is being used to relay spam, and these messages are from the messages sent to bad addresses. I'm used to the fake spam that pretends to be a delivery failure, but based on the headers these look like they are all coming from a GoDaddy mail server. So, I'm not sure if I have a virus on my PC, or if someone just cracked my email password. I have changed my password and set the SMTP relays for my email address to 0 for the time being, but I was wondering if there is any way to tell what IP GoDaddy's server received the SMTP send from. Here is what I see in the full headers for one of the bounce emails:
Received: (qmail 10601 invoked by uid 30297); 19 Apr 2016 15:36:51 -0000
Received: from unknown (HELO p3plibsmtp03-07.prod.phx3.secureserver.net) ([220.127.116.11]) (envelope-sender <>) by p3plsmtp12-04.prod.phx3.secureserver.net (qmail-1.03) with SMTP for <[My Email Address Redacted]>; 19 Apr 2016 15:36:51 -0000
Received: from p3plsmtpa07-05.prod.phx3.secureserver.net ([18.104.22.168]) by p3plibsmtp03-07.prod.phx3.secureserver.net with bizsmtp id kFc81s00p53toe501FcrxV; Tue, 19 Apr 2016 08:36:51 -0700
Date: Tue, 19 Apr 2016 08:36:51 -0700
From: Mail Delivery System
To: [My Email Address Redacted]
Subject: Delivery Status Notification
MIME-Version: 1.0
Content-Type: multipart/report; boundary="------------I305M09060309060P_990914610802110"
X-Nonspam: None
The headers don't help, and the attached .eml files with the delivery failure message don't have any IPs in them either. Is there any way to get GoDaddy to tell me where the original email came from? If I call customer support, is there anything they can do to help me figure this out?
Just FYI, I did run Malwarebytes on my PC after I started seeing these, and it didn't find any viruses, but I'd feel better if I could see that the original messages didn't come from my home IP address.
It is possible that someone is sending email from their own server and just putting your name in the FROM field and/or the Reply-To field. They don't necessarily have to be coming through GoDaddy's email system.
Having set your relays to 0, are you still getting delivery failure notifications?
No, now that I have set the relays to 0, I haven't had any more delivery failure notifications. I can still send messages using the GoDaddy webmail interface though, so I'm doing that for the time being.
I've dealt with spam and spoofed addresses before in my day-job. What's bugging me are the headers in these emails. The message originates, according to the headers, from 'unknown'. Typically, I can tell email has been spoofed because the headers will indicate it came from an IP address that has nothing to do with the sender or recipient. Regardless of what the email address claims, the header should have, at least, the IP address of whatever sent the message to the secureserver.net relay. However, all I see is unknown. I know it COULD still be a spoofed sender, but it has my spider senses tingling!
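The walk through the Received chain that the last reply describes (and that the headers in the original post invite), written out as an added example; this is not code from the thread. It reads the hops newest-first, trusts only the ones written "by" a server inside a suffix you name, and stops at the first peer that suffix does not vouch for. A peer whose reverse DNS came back "unknown" is still accepted if its HELO name is inside the trusted suffix and the next-older hop was written by exactly that host, which is the situation in the quoted bounce. The first sample is the bounce headers from the question (reflowed one header per line, redaction left as posted); the second is a constructed spoofed message using documentation addresses and made-up hostnames.

```python
import re
from email import message_from_string

# Headers quoted in the question, one header per line. The redacted recipient
# address is left exactly as the poster wrote it.
BOUNCE_FROM_QUESTION = """\
Received: (qmail 10601 invoked by uid 30297); 19 Apr 2016 15:36:51 -0000
Received: from unknown (HELO p3plibsmtp03-07.prod.phx3.secureserver.net) ([220.127.116.11]) (envelope-sender <>) by p3plsmtp12-04.prod.phx3.secureserver.net (qmail-1.03) with SMTP for <[My Email Address Redacted]>; 19 Apr 2016 15:36:51 -0000
Received: from p3plsmtpa07-05.prod.phx3.secureserver.net ([18.104.22.168]) by p3plibsmtp03-07.prod.phx3.secureserver.net with bizsmtp id kFc81s00p53toe501FcrxV; Tue, 19 Apr 2016 08:36:51 -0700
Date: Tue, 19 Apr 2016 08:36:51 -0700
From: Mail Delivery System
Subject: Delivery Status Notification

(report body omitted)
"""

# Constructed sample of the case the first reply describes: a stranger's own
# server (documentation address 203.0.113.45, no PTR record) claims a HELO name
# it does not own and hands the message straight to the recipient's MX.
# All hostnames and addresses here are invented for illustration.
SPOOFED_CONSTRUCTED = """\
Received: from mx2.example.net ([192.0.2.10]) by imap.example.net with LMTP; Tue, 19 Apr 2016 08:40:02 -0700
Received: from unknown (HELO smtp.secureserver.net) ([203.0.113.45]) by mx2.example.net with SMTP; Tue, 19 Apr 2016 08:40:01 -0700
From: someone@example.com
Subject: hello

(body)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_received(value):
    """Split one Received header into the pieces that matter.

    rdns: what the receiving server resolved the peer address to ('unknown'
          when the PTR lookup failed).  helo: what the peer claimed to be.
    ip:   the peer address as logged by the receiver; only this is something
          the peer could not choose.  Headers with no 'from' clause are local
          handoffs (qmail's 'invoked by uid')."""
    value = " ".join(value.split())  # unfold continuation lines
    frm = FROM_RE.search(value)
    if frm is None:
        return {"kind": "local", "rdns": None, "helo": None, "ip": None, "by": None}
    helo, ip, by = HELO_RE.search(value), IP_RE.search(value), BY_RE.search(value)
    return {
        "kind": "smtp",
        "rdns": frm.group(1),
        "helo": helo.group(1) if helo else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
    }


def hops_in_order(raw_message):
    """Received headers are prepended, so the top one is the last hop.
    Returns them oldest first, i.e. in the order the message travelled."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def _inside(name, suffix):
    return name is not None and name.lower().endswith(suffix.lower())


def entry_point(raw_message, trusted_suffix):
    """Walk newest-first through hops written by trusted servers and return
    the first peer the trusted infrastructure does not vouch for."""
    newest_first = list(reversed(hops_in_order(raw_message)))
    for i, hop in enumerate(newest_first):
        if hop["kind"] == "local":
            continue
        if not _inside(hop["by"], trusted_suffix):
            # Written by a server we do not trust; everything below may be forged.
            return {"status": "untrusted_chain", "ip": None, "rdns": None, "helo": None}
        if _inside(hop["rdns"], trusted_suffix):
            continue  # peer is one of the provider's own servers
        older = newest_first[i + 1] if i + 1 < len(newest_first) else None
        if (_inside(hop["helo"], trusted_suffix) and older is not None
                and older["by"] is not None and older["by"].lower() == hop["helo"].lower()):
            continue  # PTR failed, but the next-older hop confirms the claimed host
        return {"status": "external_entry", "ip": hop["ip"], "rdns": hop["rdns"],
                "helo": hop["helo"], "received_by": hop["by"]}
    return {"status": "stayed_internal", "ip": None, "rdns": None, "helo": None}


if __name__ == "__main__":
    print("bounce from the question:", entry_point(BOUNCE_FROM_QUESTION, ".secureserver.net"))
    print("constructed spoofed message:", entry_point(SPOOFED_CONSTRUCTED, ".example.net"))
```

On the quoted bounce this comes back "stayed_internal": every hop is written by and received from a secureserver.net host, and the 'unknown' is just a failed PTR lookup on one of the provider's own servers, corroborated by the hop beneath it. The hop that would carry the submitting client's address is simply not in the bounce, which is why the headers alone cannot answer the question. On the constructed message the verdict is an external entry from 203.0.113.45 with no reverse DNS and a HELO that does not match it, the pattern the last reply describes as the usual giveaway of a spoofed sender.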