One user receives, one doesn't. Same domain, same client.
I have one serious mystery on my hands, a puzzle that might make some people's (like me) heads explode. If anyone is patient enough to read this I'm grateful. I think I may have discovered possibly the strangest email bug ever encountered. Maybe you can help solve it?
I apologize in advance for any silly analogies or anecdotes that I must use to convey this mystery.
This is actually a husband and wife team who run a small business via their web site that they host with me, and this is really happening with them right now. I'll call them "Jack" and "Jill" and call their domain "example.com". They have a friend whom I'll call jillsfriend@msn.com because Jill's friend is a relevant clue in the puzzle.
Jack and Jill run example.com and their POP email addresses are jack@example.com and jill@example.com
Here's what happens:
If I send an email to jack@example.com - Jack receives the email.
If I send an email to jill@example.com - Jill does not receive it, but Jack does and he's not supposed to.
In fact - EVERY email sent to Jill, Jack receives, but Jill does not.
WITH ONE EXCEPTION - if jillsfriend@msn.com sends an email to Jill, Jill receives it and Jack does not. (This will be the only situation in which things work correctly - JillsFriend can send email to Jill and it goes right to Jill instead of Jack, just like it's supposed to).
If ANYONE OTHER than JillsFriend sends an email to Jill she never receives it. (But jack@example.com does).
Now I'm sure your first thought is the same as mine - must be a filter set somewhere. Right? But no, there isn't.
There are absolutely no filters at all in Jack & Jill's cPanel. Nothing in Global Email Filters. Nothing in Email Filters. No filters in their mail clients.
There is absolutely no reason that Jack should be receiving emails sent to Jill.
But wait - the plot thickens...
When I log in to Jack & Jill's cPanel and click "Track Delivery" and put jill@example.com in the "Recipient Email" field, and select "Show Successes", I can see the following happen...
I send an email to Jill ONLY, but it goes to BOTH Jill AND Jack (and Jack receives it, but Jill does not!).
- In the "Event" column there is a Yellow filter icon next to EVERY message to Jill which when moused-over says "This message was discarded by an email filter or spam detection software". (EXCEPT for messages from JillsFriend.. those have a Green icon of success).
- In the "Event" column there is a Green successful icon next to those same EXACT messages for Jack (and Jack should not even be receiving the messages because they were sent only to Jill's email address).
- Every message from anyone (except JillsFriend) sent to Jill goes to both Jill AND Jack (even though it's not supposed to) at the EXACT same time-stamp, right down to the second. But jill@example.com shows the Yellow icon and she never receives it, while jack@example.com shows the Green icon and he receives it.
- I sent a message ONLY to Jill and the time-stamp shows exactly Feb 12, 2016 4:57:16 PM, and shows "Filtered" in the "Result" column. (screenshot attached)
- That same exact message also went to Jack (even though I didn't send it to him) and the time-stamp shows exactly Feb 12, 2016 4:57:16 PM, and shows "Accepted" in the "Result" column. (screenshot attached)
This can be repeated over and over, from any address except for JillsFriend.
Did I mention that there are absolutely NO Filters set in their cPanel?
This has been running me in circles for hours trying anything I can to figure out why every message (except for ones from JillsFriend) sent to Jill is also sent to Jack, but Jill never receives them and Jack does.
They do not share email accounts.
They do not have any filters set in cPanel nor in their email client.
There is no apparent reason why Jill's messages are all also sent to Jack.
There is no apparent reason why Jill does not receive the messages (Yellow icon) and Jack does receive them (Green icon).
The only thing I can come up with in my imagination is that at some point during the 7 years that Jack & Jill have been hosting example.com with me, maybe one of them created a poorly crafted filter and then deleted it from cPanel, but somehow the server / cPanel hung onto it. I know that's a stretch, but I've got nothing else. (And they don't recall ever creating a filter).
So I come to you, wise ladies and gentlemen of the cPanel forum, to pose this question before my head explodes - what the hell am I missing? :confused:
Much thanks for any ideas before I swallow my pride and submit a support ticket to cPanel. :(
-
What a great story! It sounds like there may be more than one problem. First, you have the problem of all of jill's email going to jack. You didn't mention forwarders, but is there by any chance a forwarder set up for all of jill's mail to be sent to jack, or to another forwarder that goes to jack? It seems like you would have caught that when you traced the email, but I have to ask. The second problem is that none of jill's email, except from jillsfriend, gets through. For that, I'd try temporarily disabling SpamAssassin and re-testing. 0 -
Thank you for the reply! I forgot to mention that indeed the first thing I looked for was a Forwarder, and neither Jack nor Jill have any Forwarders set to each other. In regard to SpamAssassin, that's for the most part disabled as I run ConfigServer's Mailscanner script. I've gone through all of the settings in Mailscanner to confirm that there isn't anything there that would cause Jill's email to be filtered and forwarded to Jack. However, I will certainly take your advice and perform a real-time test with Jack & Jill together over the phone while I temporarily disable Mailscanner on their account and watch what happens in real-time. I hope to be able to get on the phone with Jack tomorrow to run this test. So far we've gone to the lengths of deleting / re-creating Jill's email account in cPanel, and removing all accounts from standard email clients and setting them up as POP accounts within Jack & Jill's respective Gmail accounts. This way we know that the only thing logging into or out of either of their POP accounts is their separate Gmail clients respectively and can see in the logs that is the only thing logging in to each account (so that we can rule-out any filters in local email client software entirely). In the meantime I definitely welcome more feedback from anyone who has an idea to throw at this. Thanks very much! 0 -
Hello :) Could you post an example of an entry in /var/log/exim_mainlog that reflects one of the test deliveries? EX:
exigrep user@domain /var/log/exim_mainlog
Note the full output is not required, just the specific entry associated with the message ID of the test message. Thank you. 0 -
Hi cPanelMichael, I sent a test message from support@examplehost.com (via my google account) to jill@example.com only. (Certain details changed for security). Then in Shell:
exigrep jill@example.com /var/log/exim_mainlog
2016-02-15 17:18:17 1aVRTF-003xxx-Jc <= support@examplehost.com H=mail-lf0-f41.google.com [209.85.215.41]:36425 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=dovecot_plain:support@examplehost.com S=2691 id=CAORBR-hAvQ1LeVJP7gPbnd8Dr3tcAGzFXM47E08VULS4+xxxxxx@mail.gmail.com T="Test message to jill@example.com" for jill@example.com
2016-02-15 17:18:20 1aVRTF-003xxx-Jc => /dev/null R=central_filter T=**bypassed**
2016-02-15 17:18:20 1aVRTF-003xxx-Jc => /dev/null (jack@example.com) R=central_filter T=**bypassed**
2016-02-15 17:18:20 1aVRTF-003xxx-Jc => jack (jack@example.com) R=virtual_user T=virtual_userdelivery
2016-02-15 17:18:20 1aVRTF-003xxx-Jc Completed
See, it filters in such a way that Jill does not receive it, but Jack does. 0 -
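The pattern in that exigrep output (a `central_filter` delivery to /dev/null plus a real delivery to a mailbox the sender never addressed) can be searched for across a whole log. The sketch below is an added example, not part of the original post or of cPanel's tooling; the first message is the one quoted above with its arrival line abridged, the second message is constructed, and the function name `audit` is hypothetical.

```python
import re
from collections import defaultdict

SAMPLE_LOG = """\
2016-02-15 17:18:17 1aVRTF-003xxx-Jc <= support@examplehost.com H=mail-lf0-f41.google.com [209.85.215.41]:36425 P=esmtpsa S=2691 T="Test message to jill@example.com" for jill@example.com
2016-02-15 17:18:20 1aVRTF-003xxx-Jc => /dev/null R=central_filter T=**bypassed**
2016-02-15 17:18:20 1aVRTF-003xxx-Jc => /dev/null (jack@example.com) R=central_filter T=**bypassed**
2016-02-15 17:18:20 1aVRTF-003xxx-Jc => jack (jack@example.com) R=virtual_user T=virtual_userdelivery
2016-02-15 17:18:20 1aVRTF-003xxx-Jc Completed
2016-02-15 17:20:01 1aVRTG-003yyy-Ab <= jillsfriend@msn.com H=constructed.example [192.0.2.10] for jill@example.com
2016-02-15 17:20:02 1aVRTG-003yyy-Ab => jill (jill@example.com) R=virtual_user T=virtual_userdelivery
2016-02-15 17:20:02 1aVRTG-003yyy-Ab Completed
"""

# "<date> <time> <message id> <direction> <rest>"; other line types are ignored.
LINE = re.compile(r"^\S+ \S+ (?P<id>\S+) (?P<dir><=|=>|->) (?P<rest>.*)$")
# Delivery: target, optional (address) or <address>, then the router name.
DELIV = re.compile(r"^(?P<addr>\S+)(?: [(<](?P<orig>[^)>]+)[)>])?.*?\bR=(?P<router>\S+)")

def audit(log_text):
    """Return messages that a filter discarded while the mailboxes that
    actually received them differ from the envelope recipients."""
    msgs = defaultdict(lambda: {"intended": set(), "discards": 0, "delivered": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        msg, rest = msgs[m["id"]], m["rest"]
        if m["dir"] == "<=":
            if " for " in rest:  # envelope recipients close the arrival line
                msg["intended"].update(rest.rsplit(" for ", 1)[1].lower().split())
            continue
        d = DELIV.match(rest)
        if not d:
            continue
        if d["addr"] == "/dev/null" and d["router"] == "central_filter":
            msg["discards"] += 1
        elif d["addr"] != "/dev/null":
            msg["delivered"].add((d["orig"] or d["addr"]).lower())
    findings = {}
    for mid, msg in msgs.items():
        extra = msg["delivered"] - msg["intended"]
        missing = msg["intended"] - msg["delivered"]
        if msg["discards"] and (extra or missing):
            findings[mid] = {"filter_discards": msg["discards"],
                             "never_delivered": sorted(missing),
                             "unexpected": sorted(extra)}
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Only the first message is reported; the constructed message from jillsfriend@msn.com was delivered to its envelope recipient and is left out.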
Are you using any custom filter rules for Exim, outside of the account? This document explains which files to edit when creating a filter, which can help you determine if any existing rules are configured: How to Customize the Exim System Filter File - cPanel Knowledge Base - cPanel Documentation Thank you. 0 -
So, was there any resolution to this? I have a similar problem... but the particular email account the problem is affecting today has no filters of its own, and the emails being 'filtered' do not match any global filters for the domain. One in particular is an email from Delphi, which normally gets through, but now, it's being filtered. If this needs a new thread I'll be happy to move it.
Event: filtered
User: -remote-
Domain:
Sender: bounces+160477-81bb-joe=jimbob.com@email.mydelphi.com
Sent Time: Apr 20, 2016 10:36:10 AM
Sender Host: o1.email.mydelphi.com
Sender IP: 50.31.38.120
Authentication: localdelivery
Spam Score: 4.1
Recipient: joe@jimbob.com
Delivery User: jim
Delivery Domain: jimbob.com
Delivered To: /dev/null
Router: central_filter
Transport: **bypassed**
Out Time: Apr 20, 2016 10:36:10 AM
ID: 1asuAc-00065A-Rx
Delivery Host: localhost
Delivery IP: 127.0.0.1
Size: 5.21 KB
Result: Filtered
0 -
So, was there any resolution to this? I have a similar problem...
Note: I checked, the spam score on the incoming email was 4 - spamassassin was set to 5. I white listed the sending domain, email received on next attempt... with a score of -96 ;-) So, immediate problem solved, and off to read the "How to Customize..." article linked above, but still wondering what happened. 0 -
Sorry, I forgot to follow-up on the situation in my case... In my case, it looks like a bug with cPanel (with easy work-around fix), and here's why: Despite the fact that there are no individual Filters and no Global filters in Jack & Jill's cPanel, there was a filter sitting in /etc/vfilters/example.com (example.com being Jack & Jill's domain). And that filter was an old one that had been created in and then deleted from Jack & Jill's cPanel > Email Filters section many months ago. And so once we found the /etc/vfilters/example.com and deleted it, Jack & Jill lived happily ever after. As for me, I've discovered this type of scenario with a few other accounts - filters that had been created in and then removed from other users' cPanel accounts were still stuck present in /etc/vfilters/, but thanks to a great tech who works at cPanel I was able to fast-track removing them all (safely) in one shot right from the command line by doing this:
1. Copy all customer's filter files to a safe place like this:
cp -rpv /etc/vfilters/* /root/saved.vfilters/
2. Empty all the filter files but leave ownership and position untouched so cPanel can still work with them in the future like this:
for i in `find /etc/vfilters -type f`; do echo "" > "$i"; done
That was OK for me to do because almost none of my users had any important filters set up, and the few that did could easily just be put right back via their cPanel. But for someone who hosts users that have a ton of what they consider to be important filters, or just one stubborn stuck filter issue, then it would be best to edit the individual /etc/vfilters/example.com files to remove whatever shouldn't have been left in there when they deleted a filter via cPanel. Another place to check when it appears to be a filter issue is /home/$user/etc/filters, but in my case there were none. They were all in /etc/vfilters/. Still have no idea why cPanel would have left behind filters that were created and deleted from within cPanel itself, but at least (thanks to that awesome cPanel tech) I now know how to dispense with them quickly :) 0 -
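For the case the post describes, where blanking every file is too blunt, a read-only pass can first list which per-domain files under /etc/vfilters still carry a rule that redirects or discards mail. This is an added example, not from the original post or from cPanel; `audit_vfilters` and `demo` are hypothetical names, and the filter text is constructed Exim filter syntax, since the thread never shows the real file's contents.

```python
import os
import re
import tempfile

# deliver, save and pipe are the Exim filter commands that send mail somewhere.
ACTION = re.compile(r'^\s*(deliver|save|pipe)\s+"?([^"\s]+)"?', re.I)

def audit_vfilters(root):
    """Return {filter file: [(line_no, command, target), ...]} for every file
    under root that still contains a delivery-changing command."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            hits = []
            with open(path, errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    if line.lstrip().startswith("#"):
                        continue  # comment line
                    m = ACTION.match(line)
                    if m:
                        hits.append((no, m.group(1).lower(), m.group(2)))
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

# Constructed leftover rule, for the demo only.
STALE_FILTER = """\
# Exim filter
if $header_from: does not contain "jillsfriend@msn.com"
 and $header_to: contains "jill@example.com"
then
 deliver "jack@example.com"
 save "/dev/null" 660
endif
"""

def demo():
    """Scan a temporary stand-in for /etc/vfilters with two domain files."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "example.com"), "w") as fh:
            fh.write(STALE_FILTER)
        # What a file looks like after the 'echo "" > file' step above.
        with open(os.path.join(root, "blanked.example"), "w") as fh:
            fh.write("\n")
        return audit_vfilters(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

On a server, run `audit_vfilters("/etc/vfilters")` as root and compare each reported target with the filters the account owner actually sees in cPanel.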
Still have no idea why cPanel would have left behind filters that were created and deleted from with cPanel itself, but at least (thanks to that awesome cPanel tech) I now know how to dispense with them quickly :)
I'm unable to reproduce this issue on a test server. Is this reproducible on your system with new filters, or is it only related to filters created in the past? Thank you. 0