Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- Customer's query:
- As for email forwarder - kstan@hextar.com <mailto:kstan@hextar.com> either me nor Kenny didn’t create it as no one have the cpanel username & password. Only me and Kenny have it. If Kenny create any of the forwarder, he will inform me. Our cpanel password is secure with us as we don’t give it to anyone of them. Therefore kstan@hextar.com <mailto:kstan@hextar.com> forwarder is legit.
- By the way, kstan@hextar.com <mailto:kstan@hextar.com> does not have email account how this email can be send out by itself?
- This not the first time happens. It happen few times already till very boss very frustrated. I still think the new VPS is having problem. Maybe you take a look into the new VPS.
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- Our Engineer's Answer;
- Dear Joyce,
- An email forwarder doesn't need an account. It just an alias email address that will auto forward any emails destined to kstan@hextar.com to another valid email address. In this case would be:
- kstan@hextar.com >forward to> kenny.tan@hextar.com
- kenny.tan@hextar.com must a valid email account.
- Following are the exim_maillog by locate the said email account
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
- # more /var/log/exim_mainlog | grep 1b0V1P-0004AZ-H7
- 2016-05-11 22:22:01 1b0V1P-0004AZ-H7 H=([89.36.179.178]) [89.36.179.178]:21685 Warning: "SpamAssassin as hextarc detected message as NOT spam (2.4)"
- 2016-05-11 22:22:01 1b0V1P-0004AZ-H7 <= kstan@hextar.com H=([89.36.179.178]) [89.36.179.178]:21685 P=esmtp S=7205 id=2c0b9a8ebd09$27b6aee06bb4069eb$@hextar.com T="Emailing: Photo 05-11-2016, 77 11 75" for kstan@hextar.com
- 2016-05-11 22:22:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1b0V1P-0004AZ-H7
- 2016-05-11 22:22:01 1b0V1P-0004AZ-H7 => kenny.tan (kstan@hextar.com) <kstan@hextar.com> R=virtual_user T=virtual_userdelivery
- 2016-05-11 22:22:01 1b0V1P-0004AZ-H7 Completed
- #
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- From this logs, it show the email was sent from 89.36.179.178 to kstan@hextar.com. As kstan@hextar.com is just an email forwarder, exim then will automatically forward the email to kenny.tan - denoted by this - kenny.tan (kstan@hextar.com)
- You should remove the forwarder kstan@hextar.com as soon as possible if you think this forwarder should NOT be there.
- Thank you.
- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- Customer's reply;
- upport,
- We are aware of the function of forwarder. The forwarder for kstan@hextar.com to kenny.tan@hextar.com is indeed created by me. What we need to find out is how can kstan@hextar.com SEND an email out WITHOUT having an account created in the Server. The email header below is what I capture for your investigation. Please provide your investigation report. If the server is having problem please rectify it ASAP!
- Return-path: < <mailto:kstan@hextar.com> kstan@hextar.com>
- Envelope-to: <mailto:kstan@hextar.com> kstan@hextar.com
- Delivery-date: Wed, 11 May 2016 22:22:01 +0800
- Received: from [89.36.179.178] (port=21685)
- by mail.hextar.com with esmtp (Exim 4.85)
- (envelope-from < <mailto:kstan@hextar.com> kstan@hextar.com>)
- id 1b0V1P-0004AZ-H7
- for <mailto:kstan@hextar.com> kstan@hextar.com; Wed, 11 May 2016 22:22:01 +0800
- From: < <mailto:kstan@hextar.com> kstan@hextar.com>
- To: < <mailto:kstan@hextar.com> kstan@hextar.com>
- Subject: Emailing: Photo 05-11-2016, 77 11 75
- Date: Wed, 11 May 2016 18:51:50 +0430
- Message-ID: < <mailto:2c0b9a8ebd09$27b6aee06bb4069eb$@hextar.com> 2c0b9a8ebd09$27b6aee06bb4069eb$@hextar.com>
- MIME-Version: 1.0
- Content-Type: multipart/mixed;
- boundary="----=_NextPart_000_6303_43F2C1BC.5939F1B4"
- X-Mailer: Microsoft Outlook 16.0
- Content-Language: en-gb
- X-Spam-Status: No, score=2.4
- X-Spam-Score: 24
- X-Spam-Bar: ++
- X-Ham-Report: Spam detection software, running on the system "mail.hextar.com",
- has NOT identified this incoming email as spam. The original
- message has been attached to this so you can view it or label
- similar future email. If you have any questions, see
- root\@localhost for details.
- Content preview: Your message is ready to be sent with the following file or
- link attachments: Photo 05-11-2016, 77 11 75 Note: To protect against computer
- viruses, e-mail programs may prevent sending or receiving certain types of
- file attachments. Check your e-mail security settings to determine how attachments
- are handled. [...]
- Content analysis details: (2.4 points, 5.0 required)
- pts rule name description
- ---- ---------------------- --------------------------------------------------
- 0.7 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
- -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
- [score: 0.0000]
- 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
- 2.8 DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers
- X-Spam-Flag: NO
- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- OUr Engineer's reply;
- Dear Kenny,
- Following is the snippet from the exim maillogs for the said email.
- # more /var/log/exim_mainlog | grep 1b0V1P-0004AZ-H7
- 2016-05-11 22:22:01 1b0V1P-0004AZ-H7 H=([89.36.179.178]) [89.36.179.178]:21685 Warning: "SpamAssassin as hextarc detected message as NOT spam (2.4)"
- 2016-05-11 22:22:01 1b0V1P-0004AZ-H7 <= kstan@hextar.com H=([89.36.179.178]) [89.36.179.178]:21685 P=esmtp S=7205 id=2c0b9a8ebd09$27b6aee06bb4069eb$@hextar.com T="Emailing: Photo 05-11-2016, 77 11 75" for kstan@hextar.com
- 2016-05-11 22:22:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1b0V1P-0004AZ-H7
- 2016-05-11 22:22:01 1b0V1P-0004AZ-H7 => kenny.tan (kstan@hextar.com) <kstan@hextar.com> R=virtual_user T=virtual_userdelivery
- 2016-05-11 22:22:01 1b0V1P-0004AZ-H7 Completed
- #
- Based on this logs, the email coming from ip address 89.36.179.178 with the subject "Emailing: Photo 05-11-2016, 77 11 75". 89.36.179.178 might be sender's ip address or some unknown server's ip address. 89.36.179.178 may have bounced back to sender as no email user kstan@hextar.com in it. However, the sender has forged the email account (kstan@hextar.com) in his Outlook the Return Path as kstan@hextar.com. All mail servers will bounced back the email to what been stated in the Return Path. So 89.36.179.178 has proceeded send the email to the correct mail server - mail.hextar.com. Since kstan@hextar.com is just a forwarder address to kenny.tan, so exim (mail server) proceed forward the email to kenny.tan@hextar.com instead. The logs shown above, correspond the mail header which you have provided.
- You may review the maillog at following path : /var/log/exim_mainlog
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- Our Customer's reply;
- I understand your mail but my question here is we need to find out how can kstan@hextar.com SEND an email out WITHOUT having an account created in the Server? Because what I received is the mail from kstan@Hextar.com to kstan@Hextar.com <mailto:kstan@Hextar.com> . We want to know how kstan@hextar.com <mailto:kstan@hextar.com> sending out the email?
- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
