EXIM emails coming from system-filter@
Hello everyone.
I have a 2-week-old WHM/CentOS/cPanel server.
I have added a script to /etc/cpanel_exim_system_filter that forwards a copy of all outgoing emails on the server to an email account.
What I have noticed is that some emails are being sent from system-filter@xxmyserverxx. Some of these are genuine emails including replies, some are spam directed to an email account on the server and some are spam "from" an external domain to an external email account, which concerns me.
By looking at the email header it seems that it says "X-From-Rewrite: rewritten was: [fretwork@example.com], actual sender is not the same system user".
This is not an account holder on my server.
The "reply-to" for this email actually replies back to system-filter@xxmyserverxx.
What I would really like to know is:
1) what is system-filter@
2) and how can I configure this to stop sending anything from this address?
Google is a desert when searching for this.
Full header is....
Return-path:
Envelope-to: system-filter
Delivery-date: Sat, 05 Dec 2015 10:20:28 +0000
Received: from rgout0405.bt.lon5.domain.co.uk ([65.20.0.218]:44721)
by xxmyserverxx with esmtp (Exim 4.86)
(envelope-from )
id 1a59x6-0002og-J0
for xxAN EMAIL ACCOUNT ON MY SERVERxx; Sat, 05 Dec 2015 10:20:28 +0000
X-OWM-Source-IP: 86.168.167.105 (GB)
X-OWM-Env-Sender: fretwork@example.com
X-CTCH-RefID: str=0001.0A090201.5662BA34.009E,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=512,sb=0
X-Junkmail-Premium-Raw: score=29/50,refid=2.7.2:2015.12.5.91516:17:29.943,ip=86.168.167.105,rules=__USER_AGENT,
__HAS_FROM, __PHISH_FROM2, __FRAUD_WEBMAIL_FROM, FROM_NAME_ALLCAPS,
__TO_MALFORMED_2, __TO_NO_NAME, __HAS_MSGID, __SANE_MSGID, __MSGID_APPLEMAIL,
__MIME_VERSION, __CT, __CTYPE_HAS_BOUNDARY, __CTYPE_MULTIPART,
__CTYPE_MULTIPART_MIXED, __ANY_URI, __FRAUD_BODY_WEBMAIL, __URI_NO_WWW,
__URI_NO_PATH, __FRAUD_CONTACT_NUM, __LINES_OF_YELLING, __HAS_HTML,
HTML_NO_HTTP, BODY_SIZE_10000_PLUS, BODYTEXTP_SIZE_3000_LESS, __MIME_HTML,
__TAG_EXISTS_HTML, __STYLE_RATWARE_NEG, RDNS_GENERIC_POOLED, __URI_NS,
SXL_IP_DYNAMIC[105.167.168.86.fur], HTML_90_100, RDNS_SUSP_GENERIC,
__PHISH_FROM, __PHISH_SPEAR_STRUCTURE_1, RDNS_SUSP, __FRAUD_WEBMAIL,
NO_URI_HTTPS
X-CTCH-Spam: Suspect
Received: from [192.168.1.125] (86.168.167.105) by rgout04.bt.lon5.domain.co.uk (8.6.122.06) (authenticated as fretwork@example.com)
id 566198C40016A304; Sat, 5 Dec 2015 10:18:48 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=btcpcloud; t=1449310785;
bh=lAHtj7LMFcZtMynlCbf6OzCaw5kZKEWgH5716HEj24s=;
h=Date:Subject:From:To:Message-ID:Mime-version;
b=GCOUY9/KiQYY3nNZMydOsitBSs4F6V0ujGa+nGMONPrQt+dX1fmQ4o8T1hFIGiC+GpmfxiMmmXSD0YXMvKVcrbnV0KsvTblRg3L+FZVKMYtA+B8XFr2zxzSEU9qsk7OAkhRqeXiP3tsHofGz0vJhKJKb3v/x08l74fRssb8ngpo=
User-Agent: Microsoft-MacOutlook/0.0.0.151105
Date: Sat, 05 Dec 2015 10:19:30 +0000
Subject: Newsletter 21
From:
To: "someuser@outlook.com"
Message-ID:
Thread-Topic: Newsletter 21
Mime-version: 1.0
Content-type: multipart/mixed;
boundary="B_3532155571_2085669671"
X-From-Rewrite: rewritten was: [fretwork@example.com], actual sender is not the same system user
Thanks for your help.
Update. I can confirm that emails are headed from system-filter@xxmyserverxx when the account on the server is CC or BCC in the email, with the following setting: Service Configuration > Exim Configuration Manager > Filters > System Filter File = /etc/cpanel_exim_system_filter default. Can anyone please tell me if this is a bug, as I really do not think this should not be happening?
Hello :) Could you search for one of the offending messages in /var/log/exim_mainlog with a command such as: exigrep user@domain /var/log/exim_mainlog*
Let us know the details of a specific message from the output. Thank you.
Check if you have "EXPERIMENTAL: Rewrite From: header to match actual sender" enabled in Exim Configuration Manager. If yes, try to disable it and check if it solved the problem. If yes, I can provide more information on what to do next.
Hello :) Could you verify if the issue occurs in cPanel version 54? You can modify your update settings to use the "Current" build tier per the instructions at: Update Preferences - Documentation - cPanel Documentation. It's possible the issue is addressed with internal case CPANEL-2856. Thank you.
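For sorting the forwarded copies discussed in this thread, here is an added example (not written by any poster above, and not cPanel's code) that reads a message header, detects the X-From-Rewrite line in the format quoted in the first post, and reports the original From: address and whether it belongs to a local domain. The function name `triage`, the placeholder host `server.example` and the sample header (trimmed from the posted one) are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Value format copied from the X-From-Rewrite header posted in the thread.
REWRITE_RE = re.compile(r"rewritten was:\s*\[([^\]]*)\]\s*,\s*(.*)", re.S)

# Constructed sample, trimmed from the posted header; server.example is a placeholder.
SAMPLE = (
    "Envelope-to: system-filter\n"
    "Received: from mail.sender.example ([192.0.2.10])\n"
    "\tby server.example with esmtp (Exim 4.86)\n"
    "From: system-filter@server.example\n"
    "To: someuser@outlook.com\n"
    "Subject: Newsletter 21\n"
    "X-From-Rewrite: rewritten was: [fretwork@example.com],\n"
    " actual sender is not the same system user\n"
    "\n"
    "body\n"
)

def triage(raw, local_domains):
    """Hypothetical helper: report whether From: was rewritten and who sent it."""
    msg = message_from_string(raw)
    info = {
        "envelope_to": (msg.get("Envelope-to") or "").strip(),
        "from": parseaddr(msg.get("From", ""))[1],
        "original_from": None,
        "reason": None,
    }
    m = REWRITE_RE.search(msg.get("X-From-Rewrite", ""))
    if not m:
        info["verdict"] = "not rewritten"
        return info
    info["original_from"] = parseaddr(m.group(1))[1]
    info["reason"] = " ".join(m.group(2).split())  # unfold continuation lines
    domain = info["original_from"].rpartition("@")[2].lower()
    where = "local" if domain in local_domains else "external"
    info["verdict"] = "rewritten, %s original sender" % where
    return info

if __name__ == "__main__":
    for key, value in triage(SAMPLE, {"server.example"}).items():
        print("%-14s %s" % (key, value))
```

Pass the set of domains hosted on the server as `local_domains`; copies reported as "rewritten, external original sender" are the ones matching the header posted in the question.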