
EXIM emails coming from system-filter@

Discussion in 'E-mail Discussions' started by PHILLIP BOOTH, Dec 6, 2015.

  1. PHILLIP BOOTH

    PHILLIP BOOTH Member

    Hello everyone.

    I have a 2-week-old WHM/CentOS/cPanel server.

    I have added a script to /etc/cpanel_exim_system_filter that forwards a copy of all outgoing emails on the server to an email account.

    What I have noticed is that some emails are being sent from system-filter@xxmyserverxx. Some of these are genuine emails including replies, some are spam directed to an email account on the server and some are spam "from" an external domain to an external email account, which concerns me.

    Looking at the email header, it seems that it says "X-From-Rewrite: rewritten was: [fretwork@example.com], actual sender is not the same system user".
    This is not an account holder on my server.

    The "reply-to" for this email actually replies back to system-filter@xxmyserverxx

    What I would really like to know is:

    1) what is system-filter@

    2) and how can I configure this to stop sending anything from this address.

    Google is a desert when searching for this.

    Full header is....

    Code:
    Return-path: <fretwork@example.com>
    Envelope-to: system-filter
    Delivery-date: Sat, 05 Dec 2015 10:20:28 +0000
    Received: from rgout0405.bt.lon5.domain.co.uk ([65.20.0.218]:44721)
      by xxmyserverxx with esmtp (Exim 4.86)
      (envelope-from <fretwork@example.com>)
      id 1a59x6-0002og-J0
      for xxAN EMAIL ACCOUNT ON MY SERVERxx; Sat, 05 Dec 2015 10:20:28 +0000
    X-OWM-Source-IP: 86.168.167.105 (GB)
    X-OWM-Env-Sender: fretwork@example.com
    X-CTCH-RefID: str=0001.0A090201.5662BA34.009E,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=512,sb=0
    X-Junkmail-Premium-Raw: score=29/50,refid=2.7.2:2015.12.5.91516:17:29.943,ip=86.168.167.105,rules=__USER_AGENT,
      __HAS_FROM, __PHISH_FROM2, __FRAUD_WEBMAIL_FROM, FROM_NAME_ALLCAPS,
      __TO_MALFORMED_2, __TO_NO_NAME, __HAS_MSGID, __SANE_MSGID, __MSGID_APPLEMAIL,
      __MIME_VERSION, __CT, __CTYPE_HAS_BOUNDARY, __CTYPE_MULTIPART,
      __CTYPE_MULTIPART_MIXED, __ANY_URI, __FRAUD_BODY_WEBMAIL, __URI_NO_WWW,
      __URI_NO_PATH, __FRAUD_CONTACT_NUM, __LINES_OF_YELLING, __HAS_HTML,
      HTML_NO_HTTP, BODY_SIZE_10000_PLUS, BODYTEXTP_SIZE_3000_LESS, __MIME_HTML,
      __TAG_EXISTS_HTML, __STYLE_RATWARE_NEG, RDNS_GENERIC_POOLED, __URI_NS,
      SXL_IP_DYNAMIC[105.167.168.86.fur], HTML_90_100, RDNS_SUSP_GENERIC,
      __PHISH_FROM, __PHISH_SPEAR_STRUCTURE_1, RDNS_SUSP, __FRAUD_WEBMAIL,
      NO_URI_HTTPS
    X-CTCH-Spam: Suspect
    Received: from [192.168.1.125] (86.168.167.105) by rgout04.bt.lon5.domain.co.uk (8.6.122.06) (authenticated as fretwork@example.com)
      id 566198C40016A304; Sat, 5 Dec 2015 10:18:48 +0000
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=btcpcloud; t=1449310785;
      bh=lAHtj7LMFcZtMynlCbf6OzCaw5kZKEWgH5716HEj24s=;
      h=Date:Subject:From:To:Message-ID:Mime-version;
      b=GCOUY9/KiQYY3nNZMydOsitBSs4F6V0ujGa+nGMONPrQt+dX1fmQ4o8T1hFIGiC+GpmfxiMmmXSD0YXMvKVcrbnV0KsvTblRg3L+FZVKMYtA+B8XFr2zxzSEU9qsk7OAkhRqeXiP3tsHofGz0vJhKJKb3v/x08l74fRssb8ngpo=
    User-Agent: Microsoft-MacOutlook/0.0.0.151105
    Date: Sat, 05 Dec 2015 10:19:30 +0000
    Subject: Newsletter 21
    From:  <system-filter@xxmyserverxx>
    To: "someuser@outlook.com" <texconsul@outlook.com>
    Message-ID: <FBAD0417-5CFD-4EBA-BCFB-C8FADE945E8C@example.com>
    Thread-Topic: Newsletter 21
    Mime-version: 1.0
    Content-type: multipart/mixed;
      boundary="B_3532155571_2085669671"
    X-From-Rewrite: rewritten was: [fretwork@example.com], actual sender is not the same system user
    
    
    
    Thanks for your help
     
    #1 PHILLIP BOOTH, Dec 6, 2015
    Last edited by a moderator: Dec 7, 2015
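
An added example, not part of the original posts: a small triage helper that reads a message like the one above and recovers the original From: address from the X-From-Rewrite note, then compares it with the envelope sender. The note format is assumed from the single header shown in this thread, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a trimmed copy of the header posted above.
SAMPLE = '''Return-path: <fretwork@example.com>
Envelope-to: system-filter
Subject: Newsletter 21
From:  <system-filter@xxmyserverxx>
To: "someuser@outlook.com" <texconsul@outlook.com>
X-From-Rewrite: rewritten was: [fretwork@example.com], actual sender is not the same system user

(body omitted)
'''

# Matches the note format seen in the posted header (assumed stable).
NOTE_RE = re.compile(r"rewritten was:\s*\[(?P<orig>[^\]]*)\],?\s*(?P<reason>.*)", re.S)


def addr(value):
    """Return the bare lower-cased address from a header value, or None."""
    return parseaddr(value or "")[1].lower() or None


def triage(raw_message):
    """Summarise who really wrote a message whose From: was rewritten."""
    msg = message_from_string(raw_message)
    out = {
        "from": addr(msg.get("From")),
        "envelope_sender": addr(msg.get("Return-path")),
        "rewritten": False,
        "original_from": None,
        "reason": None,
        "original_matches_envelope_sender": None,
    }
    match = NOTE_RE.search(msg.get("X-From-Rewrite", ""))
    if match:
        out["rewritten"] = True
        out["original_from"] = addr(match.group("orig"))
        out["reason"] = " ".join(match.group("reason").split())
        out["original_matches_envelope_sender"] = (
            out["original_from"] == out["envelope_sender"]
        )
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

When the recovered address equals the envelope sender, the displayed From: is only the server's rewrite and the message was submitted under the external address.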
  2. PHILLIP BOOTH

    Update.

    I can confirm that emails are headed from system-filter@xxmyserverxx when the account on the server is CC or BCC in the email, with the following setting:

    Service Configuration > Exim Configuration Manager > Filters > System Filter File = /etc/cpanel_exim_system_filter default

    Can anyone please tell me if this is a bug, as I really do not think this should be happening?
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Could you search for one of the offending messages in /var/log/exim_mainlog with a command such as:

    Code:
    exigrep user@domain /var/log/exim_mainlog*
    Let us know the details of a specific message from the output.

    Thank you.
     
  4. Novi Singers

    Novi Singers Member

    Check if you have "EXPERIMENTAL: Rewrite From: header to match actual sender" enabled in Exim Configuration Manager. If yes, try to disable it and check if it solved the problem. If yes, I can provide more information on what to do next.
     
  5. cPanelMichael

    Hello :)

    Could you verify if the issue occurs in cPanel version 54? You can modify your update settings to use the "Current" build tier per the instructions at:

    Update Preferences - Documentation - cPanel Documentation

    It's possible the issue is addressed with internal case CPANEL-2856.

    Thank you.
     