Mail sent FROM and TO certain emails (from our domain) also attaches another recipient from gmail

Hello everyone,
Our company has almost 1000 premium axigen accounts (axigen version 10.3.1.10).
Whenever someone sends an e-mail from and to certain (about 20-30) mailboxes, another recipient is attached to that mail. In our case it's always servermailer001@gmail.com! Example below:


This also happens whenever someone outside our domain sends a mail to those 20-30 mailboxes. pic below:
http://prntscr.com/uw245h
I made a rule in Acceptance&Routing to discard recipient whenever servermailer001@gmail is present but I still see it in queue…
Is there a way to block that mail address completely without seeing it in queue?
Any help is appreciated.
Thank you
Stefan Manov

If you have a valid support subscription, please open a support case directly to our Support Team:
See procedure here: https://www.axigen.com/support/contact/

Hello,

Can you share the Axigen log file that covers the time period when that message was sent?

Regards,
Florin

Hi and thanks for the reply.
Here is this morning queue: http://prntscr.com/uy7jzi
and here is part of the logs for that mail:
log 13-10-2020 axi.txt (4.0 KB)
There is no servermailer001@gmail in any logs on axigen whatsoever…
Any other rule I can make in axigen to remove servermailer or something else I can do to prevent this?
Thanks

It expired a couple months ago.
Software maintenance expiry date: May 19, 2020

Hello,

The provided log is only for the SMTP Receiving service. Can you also add the PROCESSING log records for this message? The PROCESSING session should have the “18E6D8” ID.

Regards,
Florin

Wow you are right there is something happening in processing.
Here's the log:
processing 13-10-2020 axi.txt (16.1 KB)
Servermailer@gmail is appearing here.
What seems to be the issue?
Thanks for the help

According to the log file the “servermailer001@gmail.com” recipient is added by a redirect rule set at account level by emil.jovanovski@elem.com.mk:

2020-10-13 07:42:08 +0200 08 mail-be-sk PROCESSING:0018E6D8: Set recipient <emil.jovanovski@elem.com.mk> state to PROCESSING
2020-10-13 07:42:08 +0200 08 mail-be-sk PROCESSING:0018E6D8: Start filter wmFilter of type script filter from domain object <emil.jovanovski@elem.com.mk>
2020-10-13 07:42:08 +0200 08 mail-be-sk PROCESSING:0018E6D8: Redirect to <servermailer001@gmail.com> requested by <emil.jovanovski@elem.com.mk>
2020-10-13 07:42:08 +0200 08 mail-be-sk PROCESSING:0018E6D8: Keep requested for <emil.jovanovski@elem.com.mk>
2020-10-13 07:42:08 +0200 08 mail-be-sk PROCESSING:0018E6D8: Finished filtering mail object 18E6D8 with filter: wmFilter of type script filter from domain object <emil.jovanovski@elem.com.mk>

You may disable the rule from Webadmin -> Domains & Accounts -> Manage Accounts -> edit emil.jovanovski in elem.com.mk domain -> Message Filters -> User Filters.

Regards,
Florin
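
An added example, not part of the original thread and not Axigen code: since 20-30 mailboxes were affected, the same "Redirect to ... requested by ..." PROCESSING line can be searched across the log to list every account whose filter redirects mail off-domain. The sample log lines, the example.com/example.net addresses and the function names are constructed for illustration; the line layout is assumed to match the excerpt quoted above.

```python
import re
from collections import defaultdict

# Line layout assumed from the PROCESSING excerpt quoted in the thread.
REDIRECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) \S+ \S+ "
    r"PROCESSING:(?P<session>[0-9A-Fa-f]+): "
    r"Redirect to <(?P<target>[^<>@\s]+@(?P<tdomain>[^<>\s]+))> "
    r"requested by <(?P<account>[^<>\s]+)>"
)

def external_redirects(lines, local_domains):
    """Map each account to the off-domain addresses its filters redirect to."""
    local = {d.lower() for d in local_domains}
    found = defaultdict(set)
    for line in lines:
        m = REDIRECT_RE.match(line.strip())
        if m and m.group("tdomain").lower() not in local:
            found[m.group("account").lower()].add(m.group("target").lower())
    return dict(found)

def accounts_by_target(redirects):
    """Invert the map: one external address -> all accounts forwarding to it."""
    by_target = defaultdict(set)
    for account, targets in redirects.items():
        for target in targets:
            by_target[target].add(account)
    return dict(by_target)

# Constructed sample log (hypothetical accounts and session IDs).
P = "2020-10-13 07:42:08 +0200 08 mail-be-sk PROCESSING:"
SAMPLE_LOG = [
    P + "0000A001: Start filter wmFilter of type script filter from domain object <alice@example.com>",
    P + "0000A001: Redirect to <collector@example.net> requested by <alice@example.com>",
    P + "0000A001: Keep requested for <alice@example.com>",
    P + "0000A002: Redirect to <bob@example.com> requested by <carol@example.com>",
    P + "0000A003: Redirect to <collector@example.net> requested by <dave@example.com>",
    P + "0000A004: Redirect to <Collector@Example.NET> requested by <alice@example.com>",
]

if __name__ == "__main__":
    hits = external_redirects(SAMPLE_LOG, {"example.com"})
    for target, accounts in sorted(accounts_by_target(hits).items()):
        # Many accounts forwarding to one outside address is the pattern to review.
        print(f"{target}: {len(accounts)} account(s): {', '.join(sorted(accounts))}")
```

Each account it lists still has to be opened under Message Filters -> User Filters to disable the rule, as described above.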

That’s it! You are right, there was a custom rule in the user filter for that account…
Thank you so much for the help.
Must’ve been some kind of malware or worm that got access to that account and added that rule…
Thank you again
Best Regards,
Stefan