Sender is marked as from on one domain

[Aubrey Smith]

This is a very strange thing that is happening and I have no idea why!

I have about 60 cpanel accounts on my whm and have 1 client that is appearing in the 'from' portion of the email header from 1 particular domain that is not on my server. This doesnt happen all the time only occasionally, the rest of the time it appears as it should

I have tried taking the account off the server durning which it is fine but then add it back and it starts up again. Can anyone shed light on why this may be happening?

 

[cPanelLauren]

Hi @Aubrey Smith

Would it be possible for you to show an example of this?


Thanks!

 

[Aubrey Smith]

Hi, Sorry for the long wait, i didn't receive a notification. Below is the header information of the email that came into my server. I have bolded the email of email on my server ([email protected]) that this is happening to. This person has no connection to the email conversation and only happens when emails from example.net to anyone on my server. But does not happen every time.

Very perplexing indeed!

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from poppy.domain.com
by poppy.domain.com with LMTP id iOzeENiFPFvPRwAAhLtWiA
for <[email protected]>; Wed, 04 Jul 2018 16:31:20 +0800
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 04 Jul 2018 16:31:20 +0800
Received: from [103.204.117.14] (port=31988 helo=emailserver.example.net)
by poppy.domain.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-SHA256:128)
(Exim 4.91)
(envelope-from <[email protected]>)
id 1fadC4-0004mQ-1j
for [email protected]; Wed, 04 Jul 2018 16:31:20 +0800
Received: from COBEX01.example.net (10.1.2.7) by
COBEX01.example.net (10.1.2.7) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
15.1.1466.3; Wed, 4 Jul 2018 16:31:17 +0800
Received: from COBEX01.example.net ([fe80::8d73:cae:e308:602f]) by
COBEX01.example.net ([fe80::8d73:cae:e308:602f%12]) with mapi id
15.01.1466.003; Wed, 4 Jul 2018 16:31:17 +0800
From: Someusr Name <[email protected]>
To: 'Someotherusr Name' <[email protected]>
Subject: RE: Some Subject Here
Thread-Topic: Some Subject Here
Thread-Index: AQHUE28OnQmBtl4l2kS8grPj5viLU6R+u9Cg
Date: Wed, 4 Jul 2018 08:31:17 +0000
Message-ID: <[email protected]>
References: <[email protected]>
In-Reply-To: <[email protected]>
Accept-Language: en-AU, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.1.102.142]
x-tm-as-product-ver: SMEX-12.5.0.1300-8.2.1013-23946.000
x-tm-as-result: No-15.619400-8.000000-10
x-tmase-matchedrid: oQHFeo+4SgNeWaE+5oz2vXQ8D+SLaQjsueok1chxwqvJ3jhK5xvrvZdq
9LYE92AUag/ZDTxTPRjDa1qWPNOExuBgp+G3IXxr8cWgFw6wp7M9n3n8h2QE9KUjwzkSTDLjAWT
rDhhyqaFI5aNiVPKgsZhyXgGCpXKTwx0jRRxcQfOPaLJ/Ca3ST2ji04EzOjY4UeZg5Ufab19OK+
rVow/DPjWBtSWZ+bE6Ij0zFI5DoJItUSMDHceMrqTsE8Z/jrr+QhAdOBPjXjQ9fB2/hA9PoBDL1
tPQClCD9+5g8PSr1B5cunHFpy8xP3JZsqnL5DRjQ8vqmp6AVLr2V9zvEPNG6ASjeILmO9GTq2Ej
9GqE5JdixVN0DQlEhJmug812qIbzojQrbrPpzzobVUVEY6U/rzdl3q8F7f2xlSmjoztwzUb2mhG
QByUXXmHIw6FQ9nued5uaCCASMwtDg5C+xRTuyjMN4xFZ0k1M972+TNtC35QJawX7HZeN/mZfBY
YpSxmYlwt7DABrvp+dVNZaI2n6/xK4mC5U2E9zOOdocdvKxxVj+u4uef6NXJHFc+/H6SJ7sq75W
6izw21s1yhxEU7UTT/cZn50ezHq8Fv0qmY9/pjtJMwDF2WngdskPjOjYTfV6GThYLBaMkb0+aot
8KA1pxlkYp2uIMJ1Fbs4KScjom4chXTZ3Wukbw==
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
x-tmase-result: 10--15.619400-8.000000
x-tmase-version: SMEX-12.5.0.1300-8.2.1013-23946.000
Content-Type: multipart/related;
boundary="_007_e33a05966b34410588f95ae620d49b8ebunburywagovau_";
type="multipart/alternative"
MIME-Version: 1.0
X-From-Rewrite: rewritten was: [[email protected]], actual sender does not match

 

[cPanelLauren]

Hi @Aubrey Smith


The issue you're referencing is:

From: Someusr Name <[email protected]>

Correct?

Can you clarify a couple of things for me:

1. Can you provide the output of the following:

cat /etc/exim.conf.local

cat /etc/vfilters/example.com

2. Do you have any external services for mail configured?

 

[Aubrey Smith]

Correct, its the "From" that is being filled by the user that it shouldn't.

The results for

1.

cat /etc/exim.conf.local

@[email protected]

@[email protected]

@[email protected]
chunking_advertise_hosts=""
daemon_smtp_ports = 25 : 587 : 465
smtp_banner = "${smtp_active_hostname} ESMTP Exim ${version_number}  \#${compile_number} ${tod_full} \n   We do not authorize the use of this system to transport unsolicited, \n   and/or bulk e-mail."
smtp_active_hostname = ${lookup{$interface_address}lsearch{/etc/mail_reverse_dns}{$value}{$primary_hostname}}
message_id_header_domain = $smtp_active_hostname

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

And there were no results for

cat /etc/vfilters/example.com

2. Some of the Cpanel accounts have external email routing but besides that there is no other email services I have installed on this server.

 

[cPanelLauren]

HI @Aubrey Smith

I don't feel like any of that could lead to the behavior you're seeing. Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!