WHM/cPanel root sending email that doesn't exist.

Bill Allman

Registered
Sep 30, 2015
2
0
1
Alaska
cPanel Access Level
Root Administrator
Hi, after viewing the mail delivery reports for exim I noticed this:
Sent: [email protected]
Recipient: [email protected].

Then it says the email is an Un-routable address and it's correct because the email address doesn't exist on my system. The [email protected] is normal with all the logs I get but the [email protected] is not. I have never entered or created such an email address on my server ever!!!! I have checked under cPanel Default Address Maintenance and [email protected] is in the field. Looked in WHM Edit System Mail and [email protected] is set for Root, Nobody and cPanel. I'm probably over looking something simple but any ideas on this matter would be great.

Note: mydomainname is not the actual domain name being used.

Thank you.
 

Jcats

Well-Known Member
PartnerNOC
May 25, 2011
806
156
168
New Jersey
cPanel Access Level
DataCenter Provider
Bill,

It sounds like you are looking at bounce backs that were originally sent from a PHP Script. Any emails sent out from the server using a PHP script with no SMTP authentication will be sent from [email protected] and if for some reason that email bounces, it will get sent back to that address that doesn't exist and sit in your mail queue.
 

Bill Allman

Registered
Sep 30, 2015
2
0
1
Alaska
cPanel Access Level
Root Administrator
Jcats, thank you for responding. I'll take a look at interspire and see what my wife has setup for feedback loops. We sent another email blast and it showed up again so it's connected some how. I don't know if this can help but take a look at this. I'm thinking about setting up the email so I can find out what's generating a local email.

Code:
[SIZE=3][B]Event[/B]: failure 
[B]Sender User[/B]: root 
[B]Sender Domain[/B]: 
[B]Sender[/B]: [email protected] 
[B]Sent Time[/B]: Oct 1, 2015 3:09:03 AM 
[B]Sender Host[/B]: localhost 
[B]Sender IP[/B]: 127.0.0.1 
[B]Authentication[/B]: localuser 
[B]Spam Score[/B]: 0 
[B]Recipient[/B]: [email protected] 
[B]Delivered To[/B]: 
[B]deliveryuser[/B]: 
[B]deliverydomain[/B]: 
[B]Router[/B]: 
[B]Transport[/B]: remote_smtp 
[B]Out Time[/B]: Oct 1, 2015 3:09:03 AM 
[B]ID[/B]: 1ZhbkG-0003Iu-88 
[B]Delivery Host[/B]: 
[B]Delivery IP[/B]: 
[B]Size[/B]: 20.1 KB [/SIZE]
[SIZE=4][SIZE=2][SIZE=3][B]Result[/B]: Unrouteable address[/SIZE][/SIZE][/SIZE]
 
Last edited by a moderator:

Jcats

Well-Known Member
PartnerNOC
May 25, 2011
806
156
168
New Jersey
cPanel Access Level
DataCenter Provider
Yeah that's not the actual email causing the problem, it would be the one just prior to that. Couple things you can do, you can:
Code:
grep -B20 1ZhbkG-0003Iu-88 /var/log/exim_mainlog |grep -Ev 1ZhbkG-0003Iu-88
This should should you the email sent just prior to mail delivery failed email from root was sent. Look for a line that contains 'cwd=' it should show the path to the PHP script.

You can also use:
Code:
# head -1 /var/log/exim_mainlog | awk '{print $1}' ; awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr | head --lines 15 | egrep -v ' cwd=(/$|/etc/csf|/var/spool/exim)' ; tail -1 /var/log/exim_mainlog | awk '{print From $1}'
This will show you all the folders on the server that are sending out mail, it won't show the script specifically but it will show you the amount of times that folder appears in the mail logs.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,224
463
Hello :)

Yes, try searching for the message ID in /var/log/exim_mainlog to see if you can find out additional details, as mentioned in the previous post. I look forward to seeing the results.

Thank you.