rfxn/linux-malware-detect

Regression with 1.6.5 sending emails to you@domain.com?

bellwood opened this issue · 6 comments

Since yesterday's release and upgrade to 1.6.5, email notifications are being sent to 'you@domain.com' instead of the address defined for email_address in conf.maldet

Apr 01 2023 03:25:24 host1 maldet(23601): {alert} sent digest alert to you@domain.com

Header bits for the outgoing email:

Date: Sat, 01 Apr 2023 03:25:24 +0000
To: you@domain.com
Subject: maldet alert from [host1](redacted): monitor summary
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Relevant config bits:

email_alert="1"
email_addr="cpanel@redacted.tld"
email_panel_user_alerts="0"
email_panel_from="you@example.com"
email_panel_replyto="you@example.com"
email_panel_alert_subj="maldet alert from redacted"
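The mismatch between the log line and the configured address can be caught automatically. The following is an added example, not code from this thread or from LMD itself: it reads email_addr from a conf.maldet-style file and flags any maldet event-log line whose alert recipient differs (file paths and sample lines are constructed for illustration).

```shell
#!/bin/sh
# Added example (not part of the issue thread or of LMD): compare the recipient
# recorded in maldet's event log with email_addr in conf.maldet, so an alert
# silently routed to the placeholder you@domain.com is noticed.
# Paths and sample data below are constructed for illustration.

# Extract the configured recipient from a conf.maldet-style file.
# email_addr="cpanel@redacted.tld"  ->  cpanel@redacted.tld
configured_recipient() {
    sed -n 's/^email_addr="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Print the recipient of every log line whose alert recipient differs from
# the configured one. Matches lines of the form:
#   ... maldet(PID): {alert} sent digest alert to ADDR
misrouted_alerts() {
    conf="$1"; log="$2"
    want=$(configured_recipient "$conf")
    sed -n 's/.*{alert} sent [a-z]* alert to \([^ ]*\).*/\1/p' "$log" \
        | awk -v want="$want" '$0 != want'
}

# Constructed sample input mirroring the issue report: one misrouted alert,
# one correct alert. Prints only the misrouted recipient.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/conf.maldet" <<'EOF'
email_alert="1"
email_addr="cpanel@redacted.tld"
email_panel_from="you@example.com"
EOF
    cat > "$tmp/event_log" <<'EOF'
Apr 01 2023 03:25:24 host1 maldet(23601): {alert} sent digest alert to you@domain.com
Apr 02 2023 03:25:24 host1 maldet(23777): {alert} sent digest alert to cpanel@redacted.tld
EOF
    misrouted_alerts "$tmp/conf.maldet" "$tmp/event_log"
    rm -rf "$tmp"
}
```

Run against the real paths (/usr/local/maldetect/conf.maldet and the maldet event log) from cron; any output means an alert went somewhere other than the configured address.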
rfxn commented

@colindclare possibly regression in pr#409
@bellwood reviewing

@bellwood Thanks for hanging on while we investigated. I'm unable to replicate that behavior using a fresh cPanel 110 install (guessed cPanel based on the email you provided, but please correct me if I'm wrong) on CentOS 7 using the following steps:

  • Install LMD 1.6.4 cleanly
  • Set email_alert="1" and email_addr to my email address
  • Update to LMD 1.6.5
  • Run scan on test malware

In all cases, the email was sent correctly to my email address. I also attempted to replicate a possible race condition where the scan occurred during the LMD update to 1.6.5 and pulled in "you@domain.com" as email_addr, but I was unable to do so.

Can you confirm if the issue is still occurring? If so, can you provide us with some information on your environment and any custom configurations to LMD you might have made?

@colindclare since posting, out of all the servers in my cluster, only one has sent an email and it did go to the proper address.

Will perform the steps above on the host that had the issue and report back.

Thank you.

@colindclare I am unable to reproduce at this time. Should it creep up again I will provide further details. Thank you.

Sure enough, it happened again overnight.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

 you@domain.com

The following text was generated during the delivery attempt:

------ you@domain.com ------

recipient does not have an account.
Reporting-MTA: dns; bosmailscan02.eigbox.net

Action: failed
Final-Recipient: rfc822;you@domain.com
Status: 5.0.0
Return-path: <root@redacted.host>
Received: from [10.115.3.2] (helo=bosimpinc02)
    by bosmailscan02.eigbox.net with esmtp (Exim)
    id 1pm4Rv-0007zM-HB
    for you@domain.com; Mon, 10 Apr 2023 23:13:39 -0400
Received: from redacted.host ([redacted.ip])
    by bizsmtp with ESMTP
    id m4KaptMM3uyemm4KbpfyTt; Mon, 10 Apr 2023 23:06:05 -0400
X-EN-OrigIP: redacted.ip
X-EN-IMPSID: m4KaptMM3uyemm4KbpfyTt
Received: from root by redacted.host with local (Exim 4.96)
    (envelope-from <root@redacted.host>)
    id 1pm4Ru-0000Nz-0N
    for you@domain.com;
    Tue, 11 Apr 2023 03:13:38 +0000
Date: Tue, 11 Apr 2023 03:13:38 +0000
To: you@domain.com
Subject: maldet alert from redacted.host: monitor summary
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <E1pm4Ru-0000Nz-0N@redacted.host>
From: root <root@redacted.host>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - redacted.host
X-AntiAbuse: Original Domain - domain.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - redacted.host
X-Get-Message-Sender-Via: redacted.host: authenticated_id: root/primary_hostname/system user
X-Authenticated-Sender: redacted.host: root
X-Source: /usr/lib/systemd/systemd
X-Source-Args: /usr/lib/systemd/systemd --switched-root --system --deserialize 22 
X-Source-Dir: /usr/local/maldetect.bk1186/tmp/.lmdup.19070.1006/maldetect-1.6.5
X-From-Rewrite: unmodified, actual sender is the system user
X-CMAE-Envelope: MS4wfBcwGVsO1l7APf+ceVht1yxr8Uw8Z5+/r97QiqW64l1X6oixQ8+2njCFFVn7Zfa0rz18INUFW1Ah5o2YeKA+GscD5L7t2I1WM9YeBkFtv7p3oN6XUWVH
6hG5xbIy0gG8SolOx5Eh0DQ5kR6KkjikgDhdCwSKVw45Wre1G5w2Wht3
X-EN-Class: impinc

@rfxn @colindclare this host is now behaving normally.

The clean install of 1.6.4 then upgrade to 1.6.5 did not resolve it. Upon removing the upgraded 1.6.5 install and doing a clean install of 1.6.5, the issue has not presented itself and I am receiving notifications as expected.

Thank you.