Email for a specific domain gets forwarded without configuration

arty (Registered, Feb 12, 2020, Greece; cPanel Access Level: Root Administrator)
Hi,
I'm facing a really weird issue.
Email for a domain name (all accounts) is forwarded to another address and I can't figure out why.
On the accounts there are no forwarders, no autoresponders, no filters, and delivery is set to local.
I have checked for correct MX records (I even checked SPF and DKIM, but they should be irrelevant for incoming mail).
No matter what, every email gets forwarded.

Here's the log from one of these messages:

***moderator edit***
<please repost the log output without actual domain names>

Do you have any idea?

Last edited by a moderator.

arty (Registered, Feb 12, 2020, Greece; cPanel Access Level: Root Administrator)
Log:

2020-02-12 07:49:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1j1ktu-000G7Y-FL
2020-02-12 07:49:34 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1j1ktu-000G7Y-FL

2020-02-12 07:49:31 1j1ktu-000G7Y-FL H=somedomain.net[x.x.x.x]:41307 Warning: Message has been scanned: no virus or other harmful content was found
2020-02-12 07:49:31 1j1ktu-000G7Y-FL <= [email protected] H=mailer5.somedomain.net [x.x.x.x]:41307 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=76368 id=[email protected] T="Management Reporting" for [email protected]
2020-02-12 07:49:31 1j1ktu-000G7Y-FL SMTP connection identification D=somedomain.net O=[email protected] E=[email protected] M=1j1ktu-000G7Y-FL U=iakarmg ID=523 B=redirect_resolver
2020-02-12 07:49:31 1j1ktu-000G7Y-FL Sender identification U=iakarmg D=somedomain.net S=[email protected]
2020-02-12 07:49:31 1j1ktu-000G7Y-FL SMTP connection outbound 1581486571 1j1ktu-000G7Y-FL somedomain.net [email protected]
2020-02-12 07:49:31 1j1ktu-000G7Y-FL SMTP connection identification D=somedomain.net O=[email protected] E=[email protected] M=1j1ktu-000G7Y-FL U=iakarmg ID=523 B=redirect_resolver
2020-02-12 07:49:31 1j1ktu-000G7Y-FL Sender identification U=iakarmg D=somedomain.net S=[email protected]
2020-02-12 07:49:31 1j1ktu-000G7Y-FL SMTP connection outbound 1581486571 1j1ktu-000G7Y-FL iakarm.gr [email protected]
2020-02-12 07:49:31 1j1ktu-000G7Y-FL => info+inbox ("info+INBOX"@somedomain.net) <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> veE8JeuRQ16q8gAAzo1lcw Saved"
2020-02-12 07:49:34 1j1ktu-000G7Y-FL ** [email protected] ("info+INBOX"@somedomain.net) <[email protected]> R=dkim_lookuphost T=dkim_remote_smtp H=mxs.mail.ru [x.x.x.x] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes: SMTP error from remote mail server after end of data: 550 spam message rejected. Please visit Мои письма воспринимаются как спам or report details to [email protected]. Error code: 004FB197B3A51FB5654A0E4298B67FBF035059CE93EAF4D51418008EBE694A711B868DE3BAC0821BF393F5F9369A1AF8C8E6CEAE3BAA6E11. ID: 000000200000D8361A29C6DC.
2020-02-12 07:49:34 1j1ktu-000G7Y-FL Completed

2020-02-12 07:49:34 1j1kty-000GA5-6d <= <> R=1j1ktu-000G7Y-FL U=mailnull P=local S=78546 T="Mail delivery failed: returning message to sender" for [email protected]
2020-02-12 07:49:34 1j1kty-000GA5-6d Sender identification U=mailnull D=-system- S=mailnull
2020-02-12 07:49:34 1j1kty-000GA5-6d [193.92.125.132] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/C=GR/ST=Attiki/L=Athens/O=Email Business/emailAddress=[email protected]/CN=somedomain.net
2020-02-12 07:49:34 1j1kty-000GA5-6d [193.92.125.132] SSL verify error: depth=0 error=unable to verify the first certificate cert=/C=GR/ST=Attiki/L=Athens/O=Email Business/emailAddress=[email protected]/CN=somedomain.net
2020-02-12 07:49:35 1j1kty-000GA5-6d => [email protected] R=dkim_lookuphost T=dkim_remote_smtp H=mailer3.e-seminars.net [193.92.125.132] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 2.0.0 Ok: queued as 89CDE414ED04"
2020-02-12 07:49:35 1j1kty-000GA5-6d Completed
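The log above shows the pattern a defender wants to catch: an inbound message is saved to the local mailbox (R=virtual_user) and, in the same message id, a "SMTP connection identification" line with B=redirect_resolver names an outside address that Exim then tries to deliver to remotely. The following script is an added example, not code from this thread or from cPanel: it correlates exim_mainlog lines by message id and reports every redirect_resolver target whose domain the server is not authoritative for. The embedded log lines are constructed (modelled on the excerpt above); all addresses, hostnames and IPs are placeholders.

```python
"""Added example (not from the thread): find redirect_resolver deliveries to
off-server domains in Exim mainlog text. Sample log lines are constructed."""
import re
from collections import defaultdict

# Constructed sample: message 1 is saved locally AND redirected off-server
# (the remote side rejects it); message 2 is a plain local delivery.
SAMPLE_LOG = """\
2020-02-12 07:49:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1j1ktu-000G7Y-FL
2020-02-12 07:49:31 1j1ktu-000G7Y-FL <= sender@example.org H=mailer.example.org [192.0.2.10]:41307 P=esmtps S=76368 for info@localdomain.example
2020-02-12 07:49:31 1j1ktu-000G7Y-FL SMTP connection identification D=localdomain.example O=info@localdomain.example E=collector@external.example M=1j1ktu-000G7Y-FL U=localuser ID=523 B=redirect_resolver
2020-02-12 07:49:31 1j1ktu-000G7Y-FL => info ("info"@localdomain.example) <info@localdomain.example> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 Saved"
2020-02-12 07:49:34 1j1ktu-000G7Y-FL ** collector@external.example <info@localdomain.example> R=dkim_lookuphost T=dkim_remote_smtp H=mx.external.example [198.51.100.7]: SMTP error from remote mail server after end of data: 550 spam message rejected.
2020-02-12 07:49:34 1j1ktu-000G7Y-FL Completed
2020-02-12 08:00:00 1j1kzz-000GB0-AA <= other@example.org H=mailer.example.org [192.0.2.10]:41310 P=esmtps S=1234 for sales@localdomain.example
2020-02-12 08:00:00 1j1kzz-000GB0-AA => sales ("sales"@localdomain.example) <sales@localdomain.example> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 Saved"
2020-02-12 08:00:00 1j1kzz-000GB0-AA Completed
"""

# date time <exim message id> <rest>; queue-runner "cwd=" lines have no id
MSGID_RE = re.compile(
    r"^\S+ \S+ (?P<id>[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}) (?P<rest>.*)$")
# cPanel's identification line: O= original recipient, E= resolved envelope
# recipient, U= owning account, B= the resolver that produced the recipient
IDENT_RE = re.compile(
    r"SMTP connection identification .*?\bO=(?P<orig>\S+) E=(?P<env>\S+) "
    r".*?\bU=(?P<user>\S+) .*?\bB=(?P<backend>\S+)")
# Exim delivery outcome prefixes: => delivered, ** failed, == deferred
DELIVERY_RE = re.compile(r"^(?P<status>=>|\*\*|==) (?P<addr>\S+)")
STATUS = {"=>": "delivered", "**": "failed", "==": "deferred"}


def domain_of(addr):
    """Lower-cased domain part of an address ('' if it has no '@')."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def find_redirects(log_text, local_domains):
    """One finding per (message, target) where redirect_resolver sent mail to a
    domain not in local_domains; outcome is taken from the matching delivery line."""
    local = {d.lower() for d in local_domains}
    per_msg = defaultdict(lambda: {"redirects": [], "deliveries": []})
    for line in log_text.splitlines():
        m = MSGID_RE.match(line)
        if not m:
            continue
        mid, rest = m.group("id"), m.group("rest")
        ident = IDENT_RE.search(rest)
        if ident and ident.group("backend") == "redirect_resolver":
            per_msg[mid]["redirects"].append(ident.groupdict())
            continue
        d = DELIVERY_RE.match(rest)
        if d:
            per_msg[mid]["deliveries"].append((STATUS[d.group("status")], d.group("addr")))

    findings, seen = [], set()
    for mid, info in per_msg.items():
        for r in info["redirects"]:
            target = r["env"]
            if domain_of(target) in local or (mid, target.lower()) in seen:
                continue  # stays on this server, or duplicate identification line
            seen.add((mid, target.lower()))
            outcome = next((s for s, a in info["deliveries"] if a.lower() == target.lower()),
                           "unknown")
            findings.append({"message_id": mid, "original_recipient": r["orig"],
                             "redirect_target": target, "user": r["user"],
                             "outcome": outcome})
    return findings


if __name__ == "__main__":
    for f in find_redirects(SAMPLE_LOG, {"localdomain.example"}):
        print(f"{f['message_id']}: {f['original_recipient']} -> {f['redirect_target']} "
              f"(account {f['user']}, remote delivery {f['outcome']})")
```

On a real server the input would be /var/log/exim_mainlog and the local domain set would come from /etc/localdomains. A `failed` outcome is worth special attention: as in the thread, Exim then bounces to the original sender, so the sender learns about the hidden forward before the administrator does.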
 

arty (Registered, Feb 12, 2020, Greece; cPanel Access Level: Root Administrator)
cPanelLauren said:
Hello,

That definitely indicates a forwarder, specifically B=redirect_resolver

What's present in the following:

/etc/valiases/domain.tld

Thank you for your reply.
The file for the specific domain is empty; however, I managed to find the problem by deleting the file ~/etc/domain/user, which was forwarding the email to the new address.
Probably the website under the specific user is compromised and needs to be updated.
Thank you again for your time.
 

keat63 (Well-Known Member, Nov 20, 2014; cPanel Access Level: Root Administrator)
Whilst I don't profess to understand what's happening here, and thankfully cPanelLauren is on the case, I'd be interested to learn:

Code:
2020-02-12 07:49:31 1j1ktu-000G7Y-FL SMTP connection identification D=somedomain.net [email protected] [email protected] M=1j1ktu-000G7Y-FL U=iakarmg ID=523 B=redirect_resolver

Is [email protected] the same domain as [email protected]?
 

cPanelLauren (Product Owner, Staff member, Nov 14, 2017, Houston)
arty said:
I managed to find the problem by deleting the file ~/etc/domain/user which was forwarding the email to the new address.
Probably the website under the specific user is compromised and needs to be updated.

This would have been my next guess, though the compromise you're referencing wouldn't be the only reason a file was here. What was the file called? User-level filters can also perform this behavior, though it's logged as such in the exim mainlog. The file is /home/$user/domain.tld/user/filter
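The thread names two places a redirect can hide on a cPanel account: the domain's /etc/valiases file and a per-mailbox filter file under the account's home directory. The script below is an added example, not code from this thread or from cPanel, that walks both locations and flags any redirect target outside the server's own domains. It assumes the user-level filter path is /home/<user>/etc/<domain>/<mailbox>/filter (combining the `~/etc/domain/user` path arty reported with the `filter` file name cPanelLauren gives), that valiases lines have the form `address: target, target` with `:fail:`/`:blackhole:` defaults, and that a filter redirect is an Exim filter `deliver "address"` command. The directory tree it scans is constructed in a temporary directory so the example runs anywhere.

```python
"""Added example (not from the thread): audit cPanel forwarder locations for
redirects to off-server domains. The sample tree is constructed in a tempdir."""
import re
import tempfile
from pathlib import Path

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
# Exim filter command that forwards a copy: deliver "someone@somewhere"
DELIVER_RE = re.compile(r'^\s*deliver\s+"?([^"\s]+@[^"\s]+)"?', re.M)


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()


def audit_valiases(etc_dir, local):
    """Flag /etc/valiases/<domain> targets whose domain is not in local."""
    findings = []
    vdir = Path(etc_dir) / "valiases"
    if not vdir.is_dir():
        return findings
    for f in sorted(p for p in vdir.iterdir() if p.is_file()):
        for n, line in enumerate(f.read_text().splitlines(), 1):
            line = line.strip()
            if not line or line.startswith("#") or ":" not in line:
                continue
            alias, _, targets = line.partition(":")
            if targets.strip().startswith(":"):  # :fail:, :blackhole:, :defer: defaults
                continue
            for t in ADDR_RE.findall(targets):
                if domain_of(t) not in local:
                    findings.append({"kind": "valiases", "file": str(f), "line": n,
                                     "alias": alias.strip(), "target": t})
    return findings


def audit_filters(home_dir, local):
    """Flag deliver targets in /home/<user>/etc/<domain>/<mailbox>/filter (assumed path)."""
    findings = []
    for f in sorted(Path(home_dir).glob("*/etc/*/*/filter")):
        text = f.read_text()
        for m in DELIVER_RE.finditer(text):
            t = m.group(1)
            if domain_of(t) not in local:
                findings.append({"kind": "filter", "file": str(f),
                                 "line": text[:m.start()].count("\n") + 1,
                                 "alias": f.parent.name, "target": t})
    return findings


def audit_forwarding(root, local_domains):
    """root is '/' on a real server; local_domains would come from /etc/localdomains."""
    local = {d.lower() for d in local_domains}
    root = Path(root)
    return audit_valiases(root / "etc", local) + audit_filters(root / "home", local)


def build_sample_tree():
    """Constructed fixture: a clean alias, an off-server alias target, a filter that
    only files mail into a folder, and a filter that redirects off-server."""
    root = Path(tempfile.mkdtemp(prefix="cpanel-audit-"))
    vdir = root / "etc" / "valiases"
    vdir.mkdir(parents=True)
    (vdir / "localdomain.example").write_text(
        "sales@localdomain.example: sales@localdomain.example\n"
        "info@localdomain.example: info@localdomain.example, collector@external.example\n"
        "*: :fail: No Such User Here\n")
    acct = root / "home" / "localuser" / "etc" / "localdomain.example"
    (acct / "sales").mkdir(parents=True)
    (acct / "sales" / "filter").write_text(
        '# Exim filter\nif\n $h_subject: contains "newsletter"\nthen\n'
        ' save "/home/localuser/mail/localdomain.example/sales/.News/"\nendif\n')
    (acct / "info").mkdir()
    (acct / "info" / "filter").write_text(
        '# Exim filter\nif\n $h_to: contains "localdomain.example"\nthen\n'
        ' deliver "collector@external.example"\nendif\n')
    return root


if __name__ == "__main__":
    for f in audit_forwarding(build_sample_tree(), {"localdomain.example"}):
        print(f"{f['kind']}: {f['file']}:{f['line']} {f['alias']} -> {f['target']}")
```

Running this periodically (or from a file-integrity monitor that watches those paths) catches a redirect whether it was placed by a compromised web application, as arty suspected, or by a legitimate but forgotten user-level filter, which the thread notes would also be logged by Exim.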