We recently received a whole bunch of notification emails stating an email that apparently originated from our servers was blocked for being spam, but we can't find the source emails on our server, so wanted to ask if we're missing anything obvious.
Below is the notification email. [email protected]
is our domain email address:
Notification email:
A message that you sent was rejected by the local scanning code that checks incoming messages on this system. The following error was given:
This message was classified as SPAM and may not be delivered
------ This is a copy of your message, including all the headers. ------
Received: from amcham by vps62989.inmotionhosting.com with local (Exim
4.95) (envelope-from [email protected]) id 1nrvvQ-0002CA-NB for
[email protected]; Thu, 19 May 2022 23:15:48 -0700
To: [email protected] Subject: Contact
X-PHP-Script: amchamec.com/index.php/contactanos for 104.149.136.246
X-PHP-Originating-Script: 1003:class.phpmailer.php
Date: Fri, 20 May 2022 06:15:48 +0000
From: "? Donna just viewed your profile! Click here: https://spamPornURLRemoved.com ?"
[email protected] Message-ID:
[email protected] MIME-Version: 1.0
Content-Type: text/html; charset=utf-8Customize this e-mail also. You will receive it as administrator.
Nombre y Apellido:? Donna just viewed your profile! Click here: https://wondergirl22.page.link/29hQ?bvh9r ?
E-mail:[email protected]
{CompanySize:caption}:{CompanySize:value}
{Position:caption}:{Position:value}
{ContactBy:caption}:{ContactBy:value}
{ContactWhen:caption}:{ContactWhen:value}
Some bullet points:
- The envelope was from
[email protected]
This is a genuine email address on our servers. This is NOT a mailbox but a forwarder that comes to my business email mailbox. - Checking Exim there is no record of the
1nrvvQ-0002CA-NB
mail ID or[email protected]
mail id except the above message. class.phpmailer.php
does not exist on this server, but we do use PHP and clients do send mailings using PHPMailer (but not from this domain).- Our servers always use PTR, DKIM, SPF, DMARC , etc.
Our problem
So, there have been enough of these notification emails I'm not sure they're fake, but checking Exim Logs can't find these id's or email addresses in the logs so am not sure what's going on. I can only conclude that the email is entirely 3rd party but somehow they're "piggybacking" on our domain as the "envelope".
Question
What can we do to prevent 3rd party domains using our domains as "envelopes" for emails they send?
If the illustarted email above is a spam or fake, a) Is this likely and b) Why?