email accepted despite no account

[keat63]

I use CSF mailscanner, and today I noticed a number of emails destined for a user who no longer exists.
There's no account for this user, and no forwarders that I can see.
There's no mailbox entry in the home/user/mail folder

If I send a test email, I recieve a bounce, so I'm struggling to figure out how the server appears to have accepted these.

Event:	failure
Sender User:	-remote-
Sender Domain:
From Address:	[email protected]
Sender:
Sent Time:	May 13, 2022, 10:03:10 AM
Sender Host:	orange6.newpages.com.my
Sender IP:	110.74.164.55
Authentication:	localdelivery
Recipient:	[email protected]
Delivered To:
Delivery User:
Delivery Domain:
Router:	virtual_user
Transport:	dovecot_virtual_delivery
Out Time:	May 13, 2022, 10:03:10 AM
ID:	1npRDH-0002HF-Fp
Delivery Host:
Delivery IP:
Size:	109.03 KB
Result:	LMTP error after RCPT TO:<faye: 550 5.1.1 <faye.> User doesn't exist: faye.

 

[keat63]

Received: from orange6.newpages.com.my ([110.74.164.55]:47429)
by xxxxxxxxxxxxxxxxxxxxxx with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.95)
(envelope-from <[email protected]>)
id 1npRDH-0002HF-Fp
for [email protected];
Fri, 13 May 2022 10:03:55 +0100
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=mitsuho.com.my; s=default; h=Content-Type:MIME-Version:Subject:To:From:
Message-ID:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=bUFI1I/b2HFmjlpJq+d9OuvtNVR4J6fupInuO2j2OfE=; b=JKzGe9z4cshKlvh3HX0VQf5huJ
TajCDD+3OEgo6Y7HapdRKuzRueaWVvnzgB+7gxbGVB3hALEm8nnNbwcrJla2tHvUi01LuJb4zigZd
OYso9pTOo5EIlZKvamMY4xvqm05t/E0fjmJ6U1k2YSOaMBjBsOakQzmIvFMuGHPwTRxfeRueRt/Zf
5BXXsk82X8Cg938dXtcVfvda40jsk6Qtz3j39XOZUg41IA+BUceu1tMNGJXjgMtA6HSx0psOTRs5F
GYaTVWNXD3gfi48Qgu5mZ9X+5oKG/Ptlf1j2l03lZ9cWAuHs1UTbdALWDugKmRvs7iBgUO0F8jbzH
AkTv0M8w==;
Received: from [36.71.115.234] (port=30412 helo=[127.0.0.1])
by orange8.newpages.com.my with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.95)
(envelope-from <[email protected]>)
id 1npRCc-0006lC-4T
for [email protected];
Fri, 13 May 2022 17:03:10 +0800
Date: Fri, 13 May 2022 16:03:09 +0700
Message-ID: <[email protected]>
From: "xxxxx.org" <[email protected]>
To: "Faye Melia" <[email protected]>
Subject: RE: Faye Melia
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------------OJ7xhe1Fypk9ULg0pckQnNMS"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - orange8.newpages.com.my
X-AntiAbuse: Original Domain - xxxxx.org.uk
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - mitsuho.com.my
X-Get-Message-Sender-Via: orange8.newpages.com.my: authenticated_id: [email protected]
X-Authenticated-Sender: orange8.newpages.com.my: [email protected]
X-Source:

 

[keat63]

Another one, and the email address googleplus has never existed, but the mail server accepted it.

Received: from mail.theresidence.com ([103.11.189.168]:37970 helo=goldveinsingapore.serveraddress.com)

by zzzzzzzzz with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.95)

(envelope-from <[email protected]>)

id 1npRzp-0004R7-Jx

for [email protected];

Fri, 13 May 2022 10:54:06 +0100

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;

d=theresidence.com; s=default; h=Content-Type:MIME-Version:Subject:To:From:

Message-ID:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:

Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc

:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:

List-Subscribe:List-Post:List-Owner:List-Archive;

bh=8BQCJ2K5+UsQ4/li8T4LZrEf2l60wKQCMlhKxiZfkNk=; b=vcO455sTE1bAOa+rWtokydpWUb

eU6ub0b3HOHF7SshyM+DAQwv0uGL7CgJS3ixfjVZprsFDxar+/Qhw8K3Dst/Trwjjv/woFi5Wfxwr

nkob3v948hwAXoGyvvTkx7/b/mZjQnQV827dyg7Hjlid3QPqFVLaEN+7s3MYLXixuTro=;

Received: from mx-ll-180.183.108-110.dynamic.3bb.co.th ([180.183.108.110]:64016 helo=[127.0.0.1])

by goldveinsingapore.serveraddress.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.94.2)

(envelope-from <[email protected]>)

id 1npRz8-0006Ew-2p

for [email protected]; Fri, 13 May 2022 17:53:22 +0800

Date: Fri, 13 May 2022 16:53:23 +0700

Message-ID: <[email protected]>

From: "xxxx.org" <[email protected]>

To: "" <[email protected]>

Subject: Fwd:

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="----------------EMRJyephZ4Tb4Wx69K8cBCkm"

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

X-AntiAbuse: Primary Hostname - goldveinsingapore.serveraddress.com

X-AntiAbuse: Original Domain - xxxx.org.uk

X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]

X-AntiAbuse: Sender Address Domain - theresidence.com

X-Get-Message-Sender-Via: goldveinsingapore.serveraddress.com: authenticated_id: [email protected]

X-Authenticated-Sender: goldveinsingapore.serveraddress.com: [email protected]

 

[cPanelWilliam]

Hey there!

You can configure how the server will handle mail sent to non-existent addresses within cPanel > Default Address. There is an option in this interface to discard these emails if that is your end goal. I would suggest ensuring that the cPanel accounts on your server have their default address configured to discard these emails (if that is your goal). We have some documentation on this feature I'll include below:

https://docs.cpanel.net/cpanel/email/default-address/

 

[keat63]

It is already configured thus.

If I look inside whm mail report manager, it would indicate as if these emails were not delivered.
But if I search inside MailScanner I can actually open the emails and see the attachments.

I'm half expecting that if exim rejected them, I should then be unable to open them in mailscanner.

 

[cPRex]

cPanel doesn't have any affiliation with Mailscanner, so I can't say exactly how that should behave.