Sender is marked as from on one domain

Aubrey Smith

• August 29, 2018 02:49

This is a very strange thing that is happening and I have no idea why! I have about 60 cpanel accounts on my whm and have 1 client that is appearing in the 'from' portion of the email header from 1 particular domain that is not on my server. This doesnt happen all the time only occasionally, the rest of the time it appears as it should I have tried taking the account off the server durning which it is fine but then add it back and it starts up again. Can anyone shed light on why this may be happening?

• 

  cPanelLauren

  • August 29, 2018 17:06

  Hi @Aubrey Smith Would it be possible for you to show an example of this? Thanks!

  0
• 

  Aubrey Smith

  • September 21, 2018 06:26

  Hi, Sorry for the long wait, i didn't receive a notification. Below is the header information of the email that came into my server. I have bolded the email of email on my server (nicky@example.com) that this is happening to. This person has no connection to the email conversation and only happens when emails from example.net to anyone on my server. But does not happen every time. Very perplexing indeed! Return-Path: Delivered-To: abby@example.com.au Received: from poppy.domain.com by poppy.domain.com with LMTP id iOzeENiFPFvPRwAAhLtWiA for ; Wed, 04 Jul 2018 16:31:20 +0800 Return-path: Envelope-to: abby@example.com.au Delivery-date: Wed, 04 Jul 2018 16:31:20 +0800 Received: from [103.204.117.14] (port=31988 helo=emailserver.example.net) by poppy.domain.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-SHA256:128) (Exim 4.91) (envelope-from ) id 1fadC4-0004mQ-1j for abby@example.com.au; Wed, 04 Jul 2018 16:31:20 +0800 Received: from COBEX01.example.net (10.1.2.7) by COBEX01.example.net (10.1.2.7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Wed, 4 Jul 2018 16:31:17 +0800 Received: from COBEX01.example.net ([fe80::8d73:cae:e308:602f]) by COBEX01.example.net ([fe80::8d73:cae:e308:602f%12]) with mapi id 15.01.1466.003; Wed, 4 Jul 2018 16:31:17 +0800 From: Someusr Name To: 'Someotherusr Name' Subject: RE: Some Subject Here Thread-Topic: Some Subject Here Thread-Index: AQHUE28OnQmBtl4l2kS8grPj5viLU6R+u9Cg Date: Wed, 4 Jul 2018 08:31:17 +0000 Message-ID: References: In-Reply-To: Accept-Language: en-AU, en-US Content-Language: en-US X-MS-Has-Attach: yes X-MS-TNEF-Correlator: x-originating-ip: [10.1.102.142] x-tm-as-product-ver: SMEX-12.5.0.1300-8.2.1013-23946.000 x-tm-as-result: No-15.619400-8.000000-10 x-tmase-matchedrid: oQHFeo+4SgNeWaE+5oz2vXQ8D+SLaQjsueok1chxwqvJ3jhK5xvrvZdq 9LYE92AUag/ZDTxTPRjDa1qWPNOExuBgp+G3IXxr8cWgFw6wp7M9n3n8h2QE9KUjwzkSTDLjAWT rDhhyqaFI5aNiVPKgsZhyXgGCpXKTwx0jRRxcQfOPaLJ/Ca3ST2ji04EzOjY4UeZg5Ufab19OK+ rVow/DPjWBtSWZ+bE6Ij0zFI5DoJItUSMDHceMrqTsE8Z/jrr+QhAdOBPjXjQ9fB2/hA9PoBDL1 tPQClCD9+5g8PSr1B5cunHFpy8xP3JZsqnL5DRjQ8vqmp6AVLr2V9zvEPNG6ASjeILmO9GTq2Ej 9GqE5JdixVN0DQlEhJmug812qIbzojQrbrPpzzobVUVEY6U/rzdl3q8F7f2xlSmjoztwzUb2mhG QByUXXmHIw6FQ9nued5uaCCASMwtDg5C+xRTuyjMN4xFZ0k1M972+TNtC35QJawX7HZeN/mZfBY YpSxmYlwt7DABrvp+dVNZaI2n6/xK4mC5U2E9zOOdocdvKxxVj+u4uef6NXJHFc+/H6SJ7sq75W 6izw21s1yhxEU7UTT/cZn50ezHq8Fv0qmY9/pjtJMwDF2WngdskPjOjYTfV6GThYLBaMkb0+aot 8KA1pxlkYp2uIMJ1Fbs4KScjom4chXTZ3Wukbw== x-tm-as-user-approved-sender: No x-tm-as-user-blocked-sender: No x-tmase-result: 10--15.619400-8.000000 x-tmase-version: SMEX-12.5.0.1300-8.2.1013-23946.000 Content-Type: multipart/related; boundary="_007_e33a05966b34410588f95ae620d49b8ebunburywagovau_"; type="multipart/alternative" MIME-Version: 1.0 X-From-Rewrite: rewritten was: [ateede@example.net], actual sender does not match
  

  0
• 

  cPanelLauren

  • September 21, 2018 16:53

  Hi @Aubrey Smith The issue you're referencing is:

  From: Someusr Name

  
  Correct? Can you clarify a couple of things for me: 1. Can you provide the output of the following: cat /etc/exim.conf.local
cat /etc/vfilters/example.com
  2. Do you have any external services for mail configured?

  0
• 

  Aubrey Smith

  • September 22, 2018 01:46

  Correct, its the "From" that is being filled by the user that it shouldn't. The results for 1. cat /etc/exim.conf.local
@AUTH@ @BEGINACL@ @CONFIG@ chunking_advertise_hosts="" daemon_smtp_ports = 25 : 587 : 465 smtp_banner = "${smtp_active_hostname} ESMTP Exim ${version_number} \#${compile_number} ${tod_full} \n We do not authorize the use of this system to transport unsolicited, \n and/or bulk e-mail." smtp_active_hostname = ${lookup{$interface_address}lsearch{/etc/mail_reverse_dns}{$value}{$primary_hostname}} message_id_header_domain = $smtp_active_hostname @DIRECTOREND@ @DIRECTORMIDDLE@ @DIRECTORSTART@ @ENDACL@ @POSTMAILCOUNT@ @PREDOTFORWARD@ @PREFILTER@ @PRELOCALUSER@ @PRENOALIASDISCARD@ @PREROUTERS@ @PREVALIASNOSTAR@ @PREVALIASSTAR@ @PREVIRTUALUSER@ @RETRYEND@ @RETRYSTART@ @REWRITE@ @ROUTEREND@ @ROUTERMIDDLE@ @ROUTERSTART@ @TRANSPORTEND@ @TRANSPORTMIDDLE@ @TRANSPORTSTART@
  And there were no results for cat /etc/vfilters/example.com
  2. Some of the Cpanel accounts have external email routing but besides that there is no other email services I have installed on this server.

  0
• 

  cPanelLauren

  • September 24, 2018 13:09

  HI @Aubrey Smith I don't feel like any of that could lead to the behavior you're seeing. Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved. Thanks!

  0

Please sign in to leave a comment.