Sender is marked as from on one domain

Aubrey Smith

Member
Jan 26, 2017
5
0
1
Australia
cPanel Access Level
Root Administrator
This is a very strange thing that is happening and I have no idea why!

I have about 60 cPanel accounts on my WHM and have 1 client that is appearing in the 'from' portion of the email header from 1 particular domain that is not on my server. This doesn't happen all the time, only occasionally; the rest of the time it appears as it should.

I have tried taking the account off the server, during which it is fine, but then I add it back and it starts up again. Can anyone shed light on why this may be happening?
 

Aubrey Smith

Hi, sorry for the long wait, I didn't receive a notification. Below is the header information of the email that came into my server. I have bolded the email address on my server ([email protected]) that this is happening to. This person has no connection to the email conversation, and it only happens when emails are sent from example.net to anyone on my server. But it does not happen every time.

Very perplexing indeed!
Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from poppy.domain.com
by poppy.domain.com with LMTP id iOzeENiFPFvPRwAAhLtWiA
for <[email protected]>; Wed, 04 Jul 2018 16:31:20 +0800
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 04 Jul 2018 16:31:20 +0800
Received: from [103.204.117.14] (port=31988 helo=emailserver.example.net)
by poppy.domain.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-SHA256:128)
(Exim 4.91)
(envelope-from <[email protected]>)
id 1fadC4-0004mQ-1j
for [email protected]; Wed, 04 Jul 2018 16:31:20 +0800
Received: from COBEX01.example.net (10.1.2.7) by
COBEX01.example.net (10.1.2.7) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
15.1.1466.3; Wed, 4 Jul 2018 16:31:17 +0800
Received: from COBEX01.example.net ([fe80::8d73:cae:e308:602f]) by
COBEX01.example.net ([fe80::8d73:cae:e308:602f%12]) with mapi id
15.01.1466.003; Wed, 4 Jul 2018 16:31:17 +0800
From: Someusr Name <[email protected]>
To: 'Someotherusr Name' <[email protected]>
Subject: RE: Some Subject Here
Thread-Topic: Some Subject Here
Thread-Index: AQHUE28OnQmBtl4l2kS8grPj5viLU6R+u9Cg
Date: Wed, 4 Jul 2018 08:31:17 +0000
Message-ID: <[email protected]>
References: <[email protected]>
In-Reply-To: <[email protected]>
Accept-Language: en-AU, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.1.102.142]
x-tm-as-product-ver: SMEX-12.5.0.1300-8.2.1013-23946.000
x-tm-as-result: No-15.619400-8.000000-10
x-tmase-matchedrid: oQHFeo+4SgNeWaE+5oz2vXQ8D+SLaQjsueok1chxwqvJ3jhK5xvrvZdq
9LYE92AUag/ZDTxTPRjDa1qWPNOExuBgp+G3IXxr8cWgFw6wp7M9n3n8h2QE9KUjwzkSTDLjAWT
rDhhyqaFI5aNiVPKgsZhyXgGCpXKTwx0jRRxcQfOPaLJ/Ca3ST2ji04EzOjY4UeZg5Ufab19OK+
rVow/DPjWBtSWZ+bE6Ij0zFI5DoJItUSMDHceMrqTsE8Z/jrr+QhAdOBPjXjQ9fB2/hA9PoBDL1
tPQClCD9+5g8PSr1B5cunHFpy8xP3JZsqnL5DRjQ8vqmp6AVLr2V9zvEPNG6ASjeILmO9GTq2Ej
9GqE5JdixVN0DQlEhJmug812qIbzojQrbrPpzzobVUVEY6U/rzdl3q8F7f2xlSmjoztwzUb2mhG
QByUXXmHIw6FQ9nued5uaCCASMwtDg5C+xRTuyjMN4xFZ0k1M972+TNtC35QJawX7HZeN/mZfBY
YpSxmYlwt7DABrvp+dVNZaI2n6/xK4mC5U2E9zOOdocdvKxxVj+u4uef6NXJHFc+/H6SJ7sq75W
6izw21s1yhxEU7UTT/cZn50ezHq8Fv0qmY9/pjtJMwDF2WngdskPjOjYTfV6GThYLBaMkb0+aot
8KA1pxlkYp2uIMJ1Fbs4KScjom4chXTZ3Wukbw==
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
x-tmase-result: 10--15.619400-8.000000
x-tmase-version: SMEX-12.5.0.1300-8.2.1013-23946.000
Content-Type: multipart/related;
boundary="_007_e33a05966b34410588f95ae620d49b8ebunburywagovau_";
type="multipart/alternative"
MIME-Version: 1.0
X-From-Rewrite: rewritten was: [[email protected]], actual sender does not match
 
Last edited by a moderator:
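An added example, not part of the original posts and not cPanel's own code: a Python check that reads a saved header block and reports whether an X-From-Rewrite header is present, what From holds now and held before, and whether each matches the envelope sender's domain. The sample headers and addresses are constructed, and treating the bracketed value as the pre-rewrite From is an assumption based on the header text in the post above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header layout in the post above.
# All hosts and addresses are placeholders, not values from the thread.
SAMPLE = """\
Return-path: <sender@example.net>
Envelope-to: recipient@example.com
Received: from [192.0.2.10] (helo=emailserver.example.net)
\tby mx.example.com with esmtps (Exim 4.91)
\t(envelope-from <sender@example.net>)
\tfor recipient@example.com; Wed, 04 Jul 2018 16:31:20 +0800
From: Unrelated User <unrelated@example.com>
To: Recipient <recipient@example.com>
Subject: RE: Some Subject Here
X-From-Rewrite: rewritten was: [sender@example.net], actual sender does not match
"""

# Assumption: the text in brackets is the From header before the rewrite.
REWRITE_RE = re.compile(r"rewritten was:\s*\[(.*)\]", re.S)


def domain(addr):
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def audit_from(raw_headers):
    """Compare the current From, the pre-rewrite From and the envelope sender."""
    msg = message_from_string(raw_headers)
    match = REWRITE_RE.search(msg.get("X-From-Rewrite", ""))
    current = parseaddr(msg.get("From", ""))[1]
    envelope = parseaddr(msg.get("Return-path", ""))[1]
    original = parseaddr(match.group(1))[1] if match else None
    return {
        "rewritten": match is not None,
        "from_now": current,
        "from_before": original,
        "envelope_sender": envelope,
        "from_now_matches_envelope": domain(current) == domain(envelope),
        "from_before_matches_envelope": (
            original is not None and domain(original) == domain(envelope)
        ),
    }


if __name__ == "__main__":
    for key, value in audit_from(SAMPLE).items():
        print(f"{key}: {value}")
```
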

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,272
1,296
363
Houston
Hi @Aubrey Smith


The issue you're referencing is:

From: Someusr Name <[email protected]>
Correct?

Can you clarify a couple of things for me:

1. Can you provide the output of the following:

Code:
cat /etc/exim.conf.local
Code:
cat /etc/vfilters/example.com
2. Do you have any external services for mail configured?
 

Aubrey Smith

Correct, it's the "From" that is being filled by the user that it shouldn't.

The results for

1.

Code:
cat /etc/exim.conf.local
Code:
@[email protected]

@[email protected]

@[email protected]
chunking_advertise_hosts=""
daemon_smtp_ports = 25 : 587 : 465
smtp_banner = "${smtp_active_hostname} ESMTP Exim ${version_number}  \#${compile_number} ${tod_full} \n   We do not authorize the use of this system to transport unsolicited, \n   and/or bulk e-mail."
smtp_active_hostname = ${lookup{$interface_address}lsearch{/etc/mail_reverse_dns}{$value}{$primary_hostname}}
message_id_header_domain = $smtp_active_hostname

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]
And there were no results for

Code:
cat /etc/vfilters/example.com
2. Some of the cPanel accounts have external email routing, but besides that there are no other email services I have installed on this server.
 

cPanelLauren

Hi @Aubrey Smith

I don't feel like any of that could lead to the behavior you're seeing. Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!