The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

One user receives, one doesn't. Same domain, same client.

Discussion in 'E-mail Discussions' started by Metro2, Feb 12, 2016.

  1. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    I have one serious mystery on my hands, a puzzle that might make some people's (like me) heads explode. If anyone is patient enough to read this I'm grateful. I think I may have discovered possibly the strangest email bug ever encountered. Maybe you can help solve it?

    I apologize in advance for any silly analogies or anecdotes that I must use to convey this mystery.

    This is actually husband and wife team who run a small business via their web site that they host with me, and this is really happening with them right now. I'll call them "Jack" and "Jill" and call their domain "example.com". They have a friend whom I'll call jillsfriend@msn.com because Jill's friend is a relevant clue in the puzzle.

    Jack and Jill run example.com and their POP email addresses are jack@example.com and jill@example.com

    Here's what happens:

    If I send an email to jack@example.com - Jack receives the email.

    If I send an email to jill@example.com - Jill does not receive it, but Jack does and he's not supposed to.

    In fact - EVERY email sent to Jill , Jack receives, but Jill does not.

    WITH ONE EXCEPTION - if jillsfriend@msn.com sends an email to Jill, Jill receives it and Jack does not. (This will be the only situation in which things work correctly - JillsFriend can send email to Jill and it goes right to Jill instead of Jack, just like it's supposed to).

    If ANYONE OTHER than JillsFriend sends an email to Jill she never receives it. (But jack@example.com does).

    Now I'm sure your first thought is the same as mine - must be a filter set somewhere. Right? But no, there isn't.

    There are absolutely no filters at all in Jack & Jill's cPanel. Nothing in Global Email Filters. Nothing in Email Filters. No filters in their mail clients.

    There is absolutely no reason that Jack should be receiving emails sent to Jill

    But wait - the plot thickens...

    When I log in to Jack & Jill's cPanel and click "Track Delivery" and put jill@example.com in the "Recipient Email" field, and select "Show Successes" , I can see the following happen...

    I send an email to Jill ONLY, but it goes to BOTH Jill AND Jack (and Jack receives it, but Jill does not!).

    - In the "Event" column there is a Yellow filter icon next to EVERY message to Jill which when moused-over says "This message was discarded by an email filter or spam detection software". (EXCEPT for messages from JillsFriend.. those have a Green icon of success).

    - In the "Event" column there is a Green successful icon next to those same EXACT messages for Jack (and Jack should not even be receiving the messages because they were sent only to Jill's email address).

    - Every message from anyone (except JillsFriend) sent to Jill goes to both Jill AND Jack (even though it's not supposed to) at the EXACT same time-stamp, right down to the second. But jill@example.com shows the Yellow icon and she never receives it, while jack@example.com shows the Green icon and he receives it.

    - I sent a message ONLY to Jill and the time-stamp shows exactly Feb 12, 2016 4:57:16 PM , and shows "Filtered" in the "Result" column. (screenshot attached)

    - That same exact message also went to Jack (even though I didn't send it to him) and the time-stamp shows exactly Feb 12, 2016 4:57:16 PM , and shows "Accepted" in the "Result" column. (screenshot attached)

    This can be repeated over and over, from any address except for JillsFriend.

    Did I mention that there are absolutely NO Filters set in their cPanel?

    This has been running me in circles for hours trying anything I can to figure out why every message (except for ones from JillsFriend) sent to Jill is also sent to Jack, but Jill never receives them and Jack does.

    They do not share email accounts.

    They do not have any filters set in cPanel nor in their email client.

    There is no apparent reason why Jill's messages are all also sent to Jack.

    There is no apparent reason why Jill does not receive the messages (Yellow icon) and Jack does receive them (Green icon).

    The only thing I can come up with in my imagination is that at some point during the 7 years that Jack & Jill have been hosting example.com with me, maybe one of them created a poorly crafted filter and then deleted it from cPanel, but somehow the server / cPanel hung onto it. I know that's a stretch, but I've got nothing else. (And they don't recall ever creating a filter).

    So I come to you, wise ladies and gentlemen of the cPanel forum, to pose this question before my head explodes - what the hell am I missing? :confused:

    Much thanks for any ideas before I swallow my pride and submit a support ticket to cPanel. :(

    same_message_3_example.jpg
     
    #1 Metro2, Feb 12, 2016
    Last edited by a moderator: Feb 12, 2016
  2. linux4me2

    linux4me2 Well-Known Member

    Joined:
    Aug 21, 2015
    Messages:
    79
    Likes Received:
    13
    Trophy Points:
    8
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    What a great story!

    It sounds like there may be more than one problem. First, you have the problem of all of jill's email going to jack. You didn't mention forwarders, but is there by any chance a forwarder set up for all of jill's mail to be sent to jack, or to another forwarder that goes to jack? it seems like you would have caught that when you traced the email, but I have to ask. The second problem is that none of jill's email, except from jillsfriend, gets through. For that, I'd try temporarily disabling SpamAssassin and re-testing.
     
  3. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Thank you for the reply!

    I forgot to mention that indeed the first thing I looked for was a Forwarder, and neither Jack nor Jill have any Forwarders set to each other.

    In regard to SpamAssassin, that's for the most part disabled as I run ConfigServer's Mailscanner script. I've gone through all of the settings in Mailscanner to confirm that there isn't anything there that would cause Jill's email to be filtered and forwarded to Jack.

    However, I will certainly take your advice and perform a real-time test with Jack & Jill together over the phone while I temporarily disable Mailscanner on their account and watch what happens in real-time. I hope to be able to get on the phone with Jack tomorrow to run this test.

    So far we've gone to the lengths of deleting / re-creating Jill's email account in cPanel, and removing all accounts from standard email clients and setting them up as POP accounts within Jack & Jill's respective Gmail accounts. This way we know that the only thing logging into or out of either of their POP accounts is their separate Gmail clients respectively and can see in the logs that is the only thing logging in to each account (so that we can rule-out any filters in local email client software entirely).

    In the meantime I definitely welcome more feedback from anyone who has an idea to throw at this.

    Thanks very much!
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Could you post an example of an entry in /var/log/exim_mainlog that reflects one of the test deliveries? EX:

    Code:
    exigrep user@domain /var/log/exim_mainlog
    Note the full output is not required, just the specific entry associated with the message ID of the test message.

    Thank you.
     
  5. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Hi cPanelMichael,

    I sent a test message from support@examplehost.com (via my google account) to jill@example.com only. (Certain details changed for security).

    Then in Shell:

    exigrep jill@example.com /var/log/exim_mainlog

    2016-02-15 17:18:17 1aVRTF-003xxx-Jc <= support@examplehost.com H=mail-lf0-f41.google.com [209.85.215.41]:36425 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=dovecot_plain:support@examplehost.com S=2691 id=CAORBR-hAvQ1LeVJP7gPbnd8Dr3tcAGzFXM47E08VULS4+xxxxxx@mail.gmail.com T="Test message to jill@example.com" for jill@example.com
    2016-02-15 17:18:20 1aVRTF-003xxx-Jc => /dev/null <jill@example.com> R=central_filter T=**bypassed**
    2016-02-15 17:18:20 1aVRTF-003xxx-Jc => /dev/null (jack@example.com) <jill@example.com> R=central_filter T=**bypassed**
    2016-02-15 17:18:20 1aVRTF-003xxx-Jc => jack (jack@example.com) <jill@example.com> R=virtual_user T=virtual_userdelivery
    2016-02-15 17:18:20 1aVRTF-003xxx-Jc Completed

    See, it filters in such a way that Jill does not receive it, but Jack does.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  7. Core

    Core Member

    Joined:
    Jan 17, 2004
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    So, was there any resolution to this?
    I have a similar problem... but the particular email account the problem is affecting today has no filters of it's own, and the emails being 'filtered' do not match any global filters for the domain.
    One in particular is a email from Delphi, which normally gets through, but now, it's being filtered.

    If this needs a new thread I'll be happy to move it.

    Event: filtered
    User: -remote-
    Domain:
    Sender: bounces+160477-81bb-joe=jimbob.com@email.mydelphi.com
    Sent Time: Apr 20, 2016 10:36:10 AM
    Sender Host: o1.email.mydelphi.com
    Sender IP: 50.31.38.120
    Authentication: localdelivery
    Spam Score: 4.1
    Recipient: joe@jimbob.com
    Delivery User: jim
    Delivery Domain: jimbob.com
    Delivered To: /dev/null
    Router: central_filter
    Transport: **bypassed**
    Out Time: Apr 20, 2016 10:36:10 AM
    ID: 1asuAc-00065A-Rx
    Delivery Host: localhost
    Delivery IP: 127.0.0.1
    Size: 5.21 KB
    Result: Filtered
     
    #7 Core, Apr 20, 2016
    Last edited by a moderator: Apr 20, 2016
  8. Core

    Core Member

    Joined:
    Jan 17, 2004
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Note: I checked, the spam score on the incoming email was 4 - spamassassin was set to 5.
    I white listed the sending domain, email received on next attempt... with a score of -96 ;-)

    So, immediate problem solved, and off to read the "How to Customize..." article linked above, but still wondering what happened
     
  9. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Sorry, I forgot to follow-up on the situation in my case...

    In my case, it looks like a bug with cPanel (with easy work-around fix), and here's why:

    Despite the fact that there are no individual Filters and no Global filters in Jack & Jill's cPanel, there was a filer sitting in /etc/vfilters/example.com

    (example.com being Jack & Jill's domain).

    And that filter was an old one that had been created in and then deleted from Jack & Jill's cPanel > Email Filters section many months ago.

    And so once we found the /etc/vfilters/example.com and deleted it, Jack & Jill lived happily ever after.

    As for me, I've discovered this type of scenario with a few other accounts - filters that had been created in and then removed from other user's cPanel accounts were still stuck present in /etc/vfilters/ , but thanks to a great tech who works at cPanel I was able to fast-track removing them all (safely) in one shot right from the command line by doing this:

    1. Copy all customer's filter files to a safe place like this:

    Code:
    cp -rpv /etc/vfilters/* /root/saved.vfilters/  
    2. Empty all the filter files but leave ownership and position untouched so cPanel can still work with them in the future like this:

    Code:
    for i in `find /etc/vfilters -type f`;do echo "" > $i;done
    That was OK for me to do because almost none of my users had any important filters set up, and the few that did could easily just be put right back via their cPanel.

    But for someone who hosts users that have a ton of what they consider to be important filters, or just one stubborn stuck filter issue, then it would be best to edit the individual /etc/vfilters/example.com files to remove whatever shouldn't have been left in there when they deleted a filter via cPanel.

    Another place to check when it appears to be a filter issue is /home/$user/etc/filters , but in my case there were none. They were all in /etc/vfilters/

    Still have no idea why cPanel would have left behind filters that were created and deleted from with cPanel itself, but at least (thanks to that awesome cPanel tech) I now know how to dispense with them quickly :)
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    I'm unable to reproduce this issue on a test server. Is this reproducible on your system with new filters, or it only related to filters created in the past?

    Thank you.
     
Loading...

Share This Page