Email for a specific domain gets forwarded without configuration
Hi,
I'm facing a really weird issue.
Email for a domain name (all accounts) is forwarded to another address and I can't figure out why.
On the accounts there are no forwarders, no autoresponders, no filters, and delivery is set to local.
I have checked for correct MX records (I even checked SPF and DKIM, but they should be irrelevant for incoming mail).
No matter what, every email gets forwarded.
Here's the log from one of these messages:
***moderator edit***
Do you have any idea?
log:
2020-02-12 07:49:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1j1ktu-000G7Y-FL
2020-02-12 07:49:34 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1j1ktu-000G7Y-FL
2020-02-12 07:49:31 1j1ktu-000G7Y-FL H=somedomain.net[x.x.x.x]:41307 Warning: Message has been scanned: no virus or other harmful content was found
2020-02-12 07:49:31 1j1ktu-000G7Y-FL <= newsletter@somedomain.net H=mailer5.somedomain.net [x.x.x.x]:41307 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=76368 id=aa82af9457c21d158ccc9713003d4784@somedomain.net T="Management Reporting" for info@somedomain.net
2020-02-12 07:49:31 1j1ktu-000G7Y-FL SMTP connection identification D=somedomain.net O=info@somedomain.net E=forward2office6@somedomain.net M=1j1ktu-000G7Y-FL U=iakarmg ID=523 B=redirect_resolver
2020-02-12 07:49:31 1j1ktu-000G7Y-FL Sender identification U=iakarmg D=somedomain.net S=info@somedomain.net
2020-02-12 07:49:31 1j1ktu-000G7Y-FL SMTP connection outbound 1581486571 1j1ktu-000G7Y-FL somedomain.net forward2office6@mail.ru
2020-02-12 07:49:31 1j1ktu-000G7Y-FL SMTP connection identification D=somedomain.net O=infoinbox@somedomain.net E=forward2office6@somedomain.net M=1j1ktu-000G7Y-FL U=iakarmg ID=523 B=redirect_resolver
2020-02-12 07:49:31 1j1ktu-000G7Y-FL Sender identification U=iakarmg D=somedomain.net S=infoinbox@somedomain.net
2020-02-12 07:49:31 1j1ktu-000G7Y-FL SMTP connection outbound 1581486571 1j1ktu-000G7Y-FL iakarm.gr forward2office6@somedomain.net
2020-02-12 07:49:31 1j1ktu-000G7Y-FL => info+inbox ("info+INBOX"@somedomain.net) R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 veE8JeuRQ16q8gAAzo1lcw Saved"
2020-02-12 07:49:34 1j1ktu-000G7Y-FL ** forward2office6@mail.ru ("info+INBOX"@somedomain.net) R=dkim_lookuphost T=dkim_remote_smtp H=mxs.mail.ru [x.x.x.x] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes: SMTP error from remote mail server after end of data: 550 spam message rejected. Please visit ??? ?????? ?????????????? ??? ???? or report details to abuse@corp.mail.ru. Error code: 004FB197B3A51FB5654A0E4298B67FBF035059CE93EAF4D51418008EBE694A711B868DE3BAC0821BF393F5F9369A1AF8C8E6CEAE3BAA6E11. ID: 000000200000D8361A29C6DC.
2020-02-12 07:49:34 1j1ktu-000G7Y-FL Completed
2020-02-12 07:49:34 1j1kty-000GA5-6d <= <> R=1j1ktu-000G7Y-FL U=mailnull P=local S=78546 T="Mail delivery failed: returning message to sender" for newsletter@e-seminars.net
2020-02-12 07:49:34 1j1kty-000GA5-6d Sender identification U=mailnull D=-system- S=mailnull
2020-02-12 07:49:34 1j1kty-000GA5-6d [193.92.125.132] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/C=GR/ST=Attiki/L=Athens/O=Email Business/emailAddress=support@somedomain.net/CN=somedomain.net
2020-02-12 07:49:34 1j1kty-000GA5-6d [193.92.125.132] SSL verify error: depth=0 error=unable to verify the first certificate cert=/C=GR/ST=Attiki/L=Athens/O=Email Business/emailAddress=support@somedomain.net/CN=somedomain.net
2020-02-12 07:49:35 1j1kty-000GA5-6d => newsletter@e-seminars.net R=dkim_lookuphost T=dkim_remote_smtp H=mailer3.e-seminars.net [193.92.125.132] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 2.0.0 Ok: queued as 89CDE414ED04"
2020-02-12 07:49:35 1j1kty-000GA5-6d Completed
Hello, that definitely indicates a forwarder, specifically:
B=redirect_resolver
What's present in the following: /etc/valiases/domain.tld
Thank you for your reply. The file for the specific domain is empty; however, I managed to find the problem by deleting the file ~/etc/domain/user, which was forwarding the email to the new address. Probably the website under the specific user is compromised and needs to be updated. Thank you again for your time.
Whilst I don't profess to understand what's happening here, and thankfully CpanelLauren is on the case, I'd be interested to learn:
2020-02-12 07:49:31 1j1ktu-000G7Y-FL SMTP connection identification D=somedomain.net O=info@somedomain.net E=forward2office6@somedomain.net M=1j1ktu-000G7Y-FL U=iakarmg ID=523 B=redirect_resolver
Is forward2office6@ the same domain as info@?
No, it was a totally different domain unknown to me.
> I managed to find the problem by deleting the file ~/etc/domain/user, which was forwarding the email to the new address. Probably the website under the specific user is compromised and needs to be updated.
This would have been my next guess, though the compromise you're referencing wouldn't be the only reason a file was here. What was the file called? User-level filters can also perform this behavior, though it's logged as such in the exim mainlog. The file is /home/$user/domain.tld/user/filter
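A small triage script for the situation the thread describes, added here as an example and not code from the thread or from cPanel: it pulls the B=redirect_resolver entries out of an exim mainlog and reports every redirect whose target domain differs from the local domain (D=), then lists which of the forwarder locations mentioned in the thread are non-empty for a domain. The sample log lines are constructed (sanitised like the thread's), and the /etc/vfilters path is my assumption about where cPanel keeps domain-level filters.

```shell
#!/bin/sh
# Constructed sample mirroring the thread's "SMTP connection identification"
# lines: one redirect to an external domain, one to the local domain, plus an
# unrelated delivery line that must be ignored.
SAMPLE_LOG='2020-02-12 07:49:31 1j1ktu-000G7Y-FL SMTP connection identification D=somedomain.net O=info@somedomain.net E=forward2office6@mail.ru M=1j1ktu-000G7Y-FL U=iakarmg ID=523 B=redirect_resolver
2020-02-12 07:49:31 1j1ktu-000G7Y-FL SMTP connection identification D=somedomain.net O=sales@somedomain.net E=sales@somedomain.net M=1j1ktu-000G7Y-FL U=iakarmg ID=523 B=redirect_resolver
2020-02-12 07:49:31 1j1ktu-000G7Y-FL => info+inbox ("info+INBOX"@somedomain.net) R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 Saved"'

# Read exim mainlog text on stdin; print "user original -> target" for each
# redirect_resolver entry whose target (E=) is not in the local domain (D=).
external_redirects() {
    grep 'B=redirect_resolver' | awk '{
        d = ""; o = ""; e = ""; u = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "D") d = kv[2]
            if (kv[1] == "O") o = kv[2]
            if (kv[1] == "E") e = kv[2]
            if (kv[1] == "U") u = kv[2]
        }
        n = split(e, parts, "@")
        if (parts[n] != d) print u, o, "->", e
    }' | sort -u
}

# Print the forwarder/filter files for DOMAIN owned by CPANEL_USER that are
# non-empty: /etc/valiases and the per-user files named in the thread, plus
# /etc/vfilters (assumed domain-level filter location).
forwarder_files() {
    domain=$1; user=$2
    for f in "/etc/valiases/$domain" "/etc/vfilters/$domain" \
             "/home/$user/etc/$domain/"* "/home/$user/etc/$domain/"*/filter; do
        [ -s "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

printf '%s\n' "$SAMPLE_LOG" | external_redirects
```

Run against the real log with `external_redirects < /var/log/exim_mainlog`; a target you did not configure is the line to chase, and `forwarder_files somedomain.net iakarmg` shows where the redirect can be defined.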