root emailing an account but can't figure out what or why.

keat63

I have all root emails from my server being sent to [email protected]

On the same server I have an email account which is used for sending automated customer invoices, let's call this [email protected]
This email has an auto responder saying words along the lines "This is an unmanned mailbox, please call us"

About twice per day, I receive one of these auto responses in [email protected], but for the life of me can't figure out why.

I can only assume that root is sending an email to [email protected], which in turn is replying.
The odd thing is, I've even created a [email protected] and it still does it.

Code:
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 25 Feb 2015 18:44:06 +0000
Received: from user-account by host.servername.com with local (Exim 4.84)
(envelope-from <[email protected]>)
id 1YQgwI-0007Kb-Jj
for [email protected]; Wed, 25 Feb 2015 18:44:06 +0000
To: Mail Delivery System <[email protected]>
X-Autorespond: Warning: message 1YQGZZ-0007aZ-K6 delayed 24 hours
MIME-Version: 1.0
X-Loop: Mail Delivery System <[email protected]>
Precedence: auto_reply
X-Precedence: auto_reply
From: "mail delivery system <[email protected]>" <[email protected]>
Content-type: text/plain; charset=utf-8
Subject: re: Warning: message 1YQGZZ-0007aZ-K6 delayed 24 hours
Message-Id: <[email protected]>
Date: Wed, 25 Feb 2015 18:44:06 +0000
Your email has reached an automated, non monitored mailbox, and will go unread.
If you need to contact us, or would like to change the way we communicate with you, please call us on XXX XXX XXXXX


I searched the logs for 1YQGZZ-0007aZ-K6, and it's a deferred email (customer invoice) sent from [email protected]

And I can see that 1YQgwI-0007Kb-Jj is a message sent to root from [email protected], but why?
 

postcd

Isn't your hosted PHP script set to send an email to a non-existing address? I'm just guessing, I'm a noob.
 

keat63

It's not a PHP script, it's an application running on a PC in the office.
Basically works just like an email client, which has a valid to and from address.
It seems the auto.invoice address is replying to root, but I can't see root sending anything, so I'm confused why it's replying.
 

cPanelMichael

Hello :)

What's the output when you search for "auto.invoice" in /var/log/exim_mainlog? EX:

Code:
exigrep auto.invoice /var/log/exim_mainlog
Thank you.
 

keat63

Unfortunately, auto.invoice is sending a very large number of legitimate emails, so the logs will be huge.
However, I found this around the time.
I believe this might be auto.invoice emailing root.

Code:
2015-02-25 18:44:06 cwd=/home/user-acc 3 args: /usr/sbin/sendmail [email protected] -t

2015-02-25 18:44:06 1YQgwH-0007KR-VJ <= <> R=1YQGZZ-0007aZ-K6 U=mailnull P=local S=1133 T="Warning: message 1YQGZZ-0007aZ-K6 delayed 24 hours" for [email protected]
2015-02-25 18:44:06 1YQgwH-0007KR-VJ => auto.invoice <[email protected]> R=virtual_user T=virtual_userdelivery
2015-02-25 18:44:06 1YQgwH-0007KR-VJ => |/usr/local/cpanel/bin/autorespond [email protected] /home/user-acc/.autorespond ([email protected]) <[email protected]> R=virtual_aliases_nostar T=jailed_virtual_address_pipe
2015-02-25 18:44:06 1YQgwH-0007KR-VJ Completed

2015-02-25 18:44:06 1YQgwI-0007Kb-Jj <= [email protected] U=user-acc P=local S=1016 T="re: Warning: message 1YQGZZ-0007aZ-K6 delayed 24 hours" for [email protected]
2015-02-25 18:44:07 1YQgwI-0007Kb-Jj => server ([email protected], [email protected]) <[email protected]> R=virtual_user T=virtual_userdelivery
2015-02-25 18:44:07 1YQgwI-0007Kb-Jj Completed


And here is the K6 going out.



Code:
2015-02-24 14:34:54 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1YQGZZ-0007aZ-K6

2015-02-25 18:44:05 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1YQGZZ-0007aZ-K6

2015-02-25 18:44:06 1YQgwH-0007KR-VJ <= <> R=1YQGZZ-0007aZ-K6 U=mailnull P=local S=1133 T="Warning: message 1YQGZZ-0007aZ-K6 delayed 24 hours" for [email protected]
2015-02-25 18:44:06 1YQgwH-0007KR-VJ => auto.invoice <[email protected]> R=virtual_user T=virtual_userdelivery
2015-02-25 18:44:06 1YQgwH-0007KR-VJ => |/usr/local/cpanel/bin/autorespond [email protected] /home/user-acc/.autorespond ([email protected]) <[email protected]> R=virtual_aliases_nostar T=jailed_virtual_address_pipe
2015-02-25 18:44:06 1YQgwH-0007KR-VJ Completed

2015-02-25 18:44:06 1YQgwI-0007Kb-Jj <= [email protected] U=user-acc P=local S=1016 T="re: Warning: message 1YQGZZ-0007aZ-K6 delayed 24 hours" for [email protected]
2015-02-25 18:44:07 1YQgwI-0007Kb-Jj => server ([email protected], [email protected]) <[email protected]> R=virtual_user T=virtual_userdelivery
2015-02-25 18:44:07 1YQgwI-0007Kb-Jj Completed

+++ 1YQGZZ-0007aZ-K6 has not completed +++
2015-02-24 14:34:54 1YQGZZ-0007aZ-K6 H=host81-134-17-175.in-addr.btopenworld.com (PRINTMACHINEPC) [xx.xxx.xx.xxx]:55231 Warning: Message has been scanned: no virus or other harmful content was found
2015-02-24 14:34:54 1YQGZZ-0007aZ-K6 <= [email protected] H=hostxx-xxx-xx-xxx.in-addr.btopenworld.com (PRINTMACHINEPC) [xx.xxx.xx.xxx]:55231 P=esmtpa A=dovecot_login:[email protected] S=225290 [email protected] for [email protected]
2015-02-24 14:34:54 1YQGZZ-0007aZ-K6 SMTP connection outbound 1424788494 1YQGZZ-0007aZ-K6 mydomain.co.uk [email protected]
2015-02-24 14:35:57 1YQGZZ-0007aZ-K6 customer.co.uk [69.172.201.208] Connection timed out
2015-02-24 14:35:57 1YQGZZ-0007aZ-K6 == [email protected] R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2015-02-24 15:00:02 1YQGZZ-0007aZ-K6 customer.co.uk [69.172.201.208] Connection timed out
2015-02-24 15:00:02 1YQGZZ-0007aZ-K6 == [email protected] R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2015-02-24 16:00:02 1YQGZZ-0007aZ-K6 customer.co.uk [69.172.201.208] Connection timed out
2015-02-24 16:00:02 1YQGZZ-0007aZ-K6 == [email protected] R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2015-02-24 17:00:02 1YQGZZ-0007aZ-K6 customer.co.uk [69.172.201.208] Connection timed out
2015-02-24 17:00:02 1YQGZZ-0007aZ-K6 == [email protected] R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2015-02-24 19:00:02 1YQGZZ-0007aZ-K6 customer.co.uk [69.172.201.208] Connection timed out
2015-02-24 19:00:02 1YQGZZ-0007aZ-K6 == [email protected] R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2015-02-24 21:00:02 1YQGZZ-0007aZ-K6 customer.co.uk [69.172.201.208] Connection timed out
2015-02-24 21:00:02 1YQGZZ-0007aZ-K6 == [email protected] R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2015-02-25 00:00:02 1YQGZZ-0007aZ-K6 customer.co.uk [69.172.201.208] Connection timed out
2015-02-25 00:00:02 1YQGZZ-0007aZ-K6 == [email protected] R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2015-02-25 04:00:02 1YQGZZ-0007aZ-K6 customer.co.uk [69.172.201.208] Connection timed out
2015-02-25 04:00:02 1YQGZZ-0007aZ-K6 == [email protected] R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2015-02-25 09:44:08 1YQGZZ-0007aZ-K6 customer.co.uk [69.172.201.208] Connection timed out
2015-02-25 09:44:08 1YQGZZ-0007aZ-K6 == [email protected] R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2015-02-25 18:44:05 1YQGZZ-0007aZ-K6 customer.co.uk [69.172.201.208] Connection timed out
2015-02-25 18:44:05 1YQGZZ-0007aZ-K6 == [email protected] R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2015-02-26 03:44:07 1YQGZZ-0007aZ-K6 customer.co.uk [69.172.201.208] Connection timed out
2015-02-26 03:44:07 1YQGZZ-0007aZ-K6 == [email protected] R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2015-02-26 12:44:07 1YQGZZ-0007aZ-K6 customer.co.uk [69.172.201.208] Connection timed out
2015-02-26 12:44:07 1YQGZZ-0007aZ-K6 == [email protected] R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
 

cPanelMichael

Should the "[email protected]" email address receive any email? If not, then you could set up an email filter that fails with a specific bounce message (e.g. not a valid address, call number) instead of using an autoresponder.

Thank you.
 

keat63

Being a new application bolted to our antiquated invoicing system, there are a number of typos and malformed email addresses, so I sort of rely on the mailbox to capture any bounces.
The bounces give me more information as to who the customer was, so really need it, to be honest.
 

kdean

You originally asked why root was receiving an email and I don't think I've seen anyone explain. From the contents of your first post, this is what looks to be happening.

[email protected] is sending an email to an address that your mail server is having problems delivering to, causing a delay.

Your [email protected] is sending a "delayed 24 hours" email notification to [email protected], which in turn triggers its auto-reply to respond to [email protected], which in turn delivers that response to root.

This is why root is receiving an email as far as I could see.

Seems that cPanel should add a feature so that mail accounts don't auto respond to local Mailer-Daemon emails.
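
An added example, not posted by anyone in the thread: a log check that finds this pattern without grepping every auto.invoice line. It lists Exim messages that arrived with a null envelope sender (`<= <>`, which is how delay warnings and bounces are logged above) and were then piped to the autoresponder. The function names, the sample addresses and the sample log are constructed for illustration, and the default exim_mainlog field layout shown in the thread is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): list Exim messages that arrived with a
# null envelope sender ("<= <>": bounces, delay warnings) and were then piped
# to the cPanel autoresponder. Default exim_mainlog field layout is assumed.

# Constructed sample log, modelled on the thread; addresses are placeholders.
sample_log() {
cat <<'EOF'
2015-02-25 18:44:06 1YQgwH-0007KR-VJ <= <> R=1YQGZZ-0007aZ-K6 U=mailnull P=local S=1133 T="Warning: message 1YQGZZ-0007aZ-K6 delayed 24 hours" for auto.invoice@example.test
2015-02-25 18:44:06 1YQgwH-0007KR-VJ => auto.invoice <auto.invoice@example.test> R=virtual_user T=virtual_userdelivery
2015-02-25 18:44:06 1YQgwH-0007KR-VJ => |/usr/local/cpanel/bin/autorespond auto.invoice@example.test /home/user-acc/.autorespond (auto.invoice@example.test) <auto.invoice@example.test> R=virtual_aliases_nostar T=jailed_virtual_address_pipe
2015-02-25 18:44:06 1YQgwH-0007KR-VJ Completed
2015-02-25 19:02:11 1YQhAA-0001Ab-01 <= customer@example.test H=mail.example.test [192.0.2.10] P=esmtp S=2048 for auto.invoice@example.test
2015-02-25 19:02:11 1YQhAA-0001Ab-01 => |/usr/local/cpanel/bin/autorespond auto.invoice@example.test /home/user-acc/.autorespond (auto.invoice@example.test) <auto.invoice@example.test> R=virtual_aliases_nostar T=jailed_virtual_address_pipe
2015-02-25 19:02:11 1YQhAA-0001Ab-01 Completed
2015-02-25 19:30:00 1YQhBB-0002Cd-02 <= <> R=1YQhZZ-0003Ef-03 U=mailnull P=local S=900 T="Mail delivery failed" for someone@example.test
2015-02-25 19:30:00 1YQhBB-0002Cd-02 => someone <someone@example.test> R=virtual_user T=virtual_userdelivery
EOF
}

# Prints "<message-id> <id of the message the notice refers to>" per hit.
find_autoresponded_bounces() {
  awk '
    $4 == "<=" && $5 == "<>" {
      ref[$3] = "-"                      # remember null-sender arrivals
      for (i = 6; i <= NF; i++)
        if ($i ~ /^R=/) { ref[$3] = substr($i, 3); break }
      next
    }
    # a pipe delivery to the autoresponder for one of those arrivals
    $4 == "=>" && ($3 in ref) && substr($5, 1, 1) == "|" && $5 ~ /\/autorespond$/ {
      print $3, ref[$3]
    }
  ' "$@"
}

sample_log | find_autoresponded_bounces
```

On the server the same function can be pointed at the real log, for example `find_autoresponded_bounces /var/log/exim_mainlog`; the second column is the ID of the queued message that caused the notice.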