How we can find who is add forwarder email in cPanel

[Fadly]

Dear All,
Can help me to find, where is the log file if i want to know who is added address email as forwarder in cPanel.
one of my clients, the email address is added by the forwarder to a specific email address.
how to know when and via login who the intruder added the email forward.
Thank You

 

[cPRex]

Hey there! This type of activity would be stored in the main cPanel access log at /usr/local/cpanel/logs/access_log. Viewing the cPanel >> Forwarders page would cause this to show up in that log:

4.3.2.1 - username [05/18/2021:17:10:05 -0000] "GET /cpsess4473512384/frontend/paper_lantern/mail/fwds.html HTTP/1.1" 200 0 "https://1.2.3.4:2083/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0" "s" "-" 2083

where the "4.3.2.1" IP is the user accessing the server.

Clicking the blue "Add Forwarder" button leaves a log for the "/cpsess4473512384/frontend/paper_lantern/mail/addfwd.html" page in that log file.

I hope that helps you track this down!

 

[Fadly]

Hi cPRex,
Thank You for your info.
i already see the log..
whats is different this log
1. x.x.x.x proxy userdomain1 [04/23/2021:02:04:27 with
2. x.x.x.x - userdomain2 [04/23/2021:04:16:10

#1 have PROXY and #2 don't have proxy.

can you explain for me.. Thank You


Fadly

 

[cPRex]

Sure thing! this indicates the system was accessed with a proxy subdomain, like cpanel.domain.dom. It's common to see that in the logs, and doesn't indicate an issue with the user or the server.