
Resolved Unwanted redirects to gmail, when receiving emails

arunda2

New Pleskian
Server operating system version
Debian 11
Plesk version and microupdate number
Plesk Obsidian v18.0.55_build1800230919.07
Hello
I have a problem with two email accounts created in my Plesk, in different domains.

When anybody from outside writes to one of the addresses, the email is delivered successfully.

But the sender immediately receives a return email from our server with the following error:


This is the mail system at host [---my server main domain---].

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<[email protected]>: host
gmail-smtp-in.l.google.com[---xxx.xxx.xxx.xxx---] said: 550-5.7.1 [---MY SERVER IP---]
Our system has detected that this message is 550-5.7.1 likely
unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1
this message has been blocked. Please visit 550-5.7.1
Why has Gmail blocked my messages? - Gmail Help 550 5.7.1 for
more information. n9-20020adfe789000000b0031adbb51df0si1839216wrm.359 -
gsmtp (in reply to end of DATA command)


Reporting-MTA: dns; [---my server main domain---]
X-Postfix-Queue-ID: 4F2C634801A0
X-Postfix-Sender: rfc822; [---the sender email---]
Arrival-Date: Tue, 26 Sep 2023 09:11:45 +0200 (CEST)

Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822;[email protected]
Action: failed
Status: 5.7.1
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.7.1 [---my.server.IP--- 12] Our system has
detected that this message is 550-5.7.1 likely unsolicited mail. To reduce
the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked.
Please visit 550-5.7.1
Why has Gmail blocked my messages? - Gmail Help 550 5.7.1 for
more information. n9-20020adfe789000000b0031adbb51df0si1839216wrm.359 -
gsmtp


The owners of the two affected email accounts have checked antivirus and antimalware on their computers and everything seems to be clean.
It has been tested while using Outlook, or while using webmail, regardless. Or even with computers off.
I have checked the Plesk panel and the account settings. No redirect has been created for these emails.
The address [email protected] has nothing to do with us, with our users, or with the regular senders of the emails.
Throughout this time, this gmail address has been changing periodically. (XXXX to hide part of the address)

My main question is: Why is the sender the one who receives the error messages from my server? Can we rule out viruses or malware on the recipient's computer, since the response is obtained immediately from my server?

What other checks should I do on my Plesk to find the source of these unwanted redirects to Gmail?

Thanks
 
Maybe no redirect, but an autoresponder? What do you see in your /var/log/maillog when the mail comes in and a response is sent out?
 
Hi. Thanks for your answer. I have double-checked that there are no autoresponders active for these emails.

I have sent a message to one of the affected emails, and got the error message back. This time with [email protected]
I checked the Plesk logs...


2023-10-11 12:36:54 info
postfix/smtp [1500604]
AA8D7348066B: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1a]:25, delay=0.54, delays=0.02/0/0.14/0.38, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1a] said: 550-5.7.1 [2a02:c205:2009:6449::1] Our system has detected that this message 550-5.7.1 does not meet IPv6 sending guidelines regarding PTR records and 550-5.7.1 authentication. Please review 550-5.7.1 Email sender guidelines - Gmail Help for more information 550 5.7.1 . h7-20020adffa87000000b0032d569e72bcsi1414591wrr.954 - gsmtp (in reply to end of DATA command))

2023-10-11 12:36:53 info
dovecot [1500635]
service=lda, user=(((THE DESTINATION ADDRESS IN PLESK))), ip=[]. sieve: msgid=<bca08d27-b41e-d87d-a84f-924fe18ae71b@(((THE SENDER DOMAIN)))>: redirect action: forwarded to <[email protected]>

2023-10-11 12:36:53 info
plesk-sendmail [1500646]
S1500646: from=<(((THE SENDER ADDRESS OUTSIDE PLESK)))> to=<[email protected]>
 
Hi. This is the anonymized maillog.
I have removed the lines in between that relate to other operations.


Oct 11 12:36:52 a3 postfix/smtpd[1494936]: connect from ((((SENDER DOMAIN))))[(((SENDER IP)))]
Oct 11 12:36:52 a3 postfix/smtpd[1494936]: 8110B3480612: client=((((SENDER DOMAIN))))[((((SENDER IP))))]
Oct 11 12:36:52 a3 psa-pc-remote[1383690]: 8110B3480612: from=<((((SENDER EMAIL))))> to=<((((EMAIL RECIPIENT IN PLESK))))>
Oct 11 12:36:52 a3 postfix/cleanup[1498592]: 8110B3480612: message-id=<bca08d27-b41e-d87d-a84f-924fe18ae71b@(((SENDER DOMAIN)))>
Oct 11 12:36:52 a3 psa-pc-remote[1383690]: 8110B3480612: py-limit-out: stderr: INFO:__main__:No SMTP AUTH and not running in sendmail context (incoming or unrestricted outgoing mail). SKIP message.
Oct 11 12:36:52 a3 psa-pc-remote[1383690]: 8110B3480612: py-limit-out: stderr: SKIP
Oct 11 12:36:52 a3 psa-pc-remote[1383690]: 8110B3480612: check-quota: stderr: SKIP
Oct 11 12:36:52 a3 psa-pc-remote[1383690]: 8110B3480612: spf: stderr: PASS
Oct 11 12:36:53 a3 qmail-queue[1500628]: scan: the message(drweb.tmp.E6teSD) sent by (((SENDER EMAIL))) to ((((RECIPIENT EMAIL)))) is passed
Oct 11 12:36:53 a3 psa-pc-remote[1383690]: 8110B3480612: drweb: stderr: PASS
Oct 11 12:36:53 a3 postfix/qmgr[2707320]: 8110B3480612: from=<((((SENDER EMAIL))))>, size=301394, nrcpt=1 (queue active)
Oct 11 12:36:53 a3 postfix/smtpd[1494936]: disconnect from ((((SENDER DOMAIN))))[((((SENDER IP))))] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=2 quit=1 commands=8
Oct 11 12:36:53 a3 postfix-local[1500629]: 8110B3480612: from=<((((SENDER EMAIL))))>, to=<((((RECIPIENT EMAIL))))>, dirname=/var/qmail/mailnames
Oct 11 12:36:53 a3 spamc[1500631]: skipped message, greater than max message size (256000 bytes)
Oct 11 12:36:53 a3 postfix-local[1500629]: 8110B3480612: spam: stderr: PASS
Oct 11 12:36:53 a3 postfix-local[1500629]: 8110B3480612: dk_check: stderr: PASS
Oct 11 12:36:53 a3 plesk-sendmail[1500636]: S1500636: from=<((((SENDER EMAIL))))> to=<[email protected]>
Oct 11 12:36:53 a3 plesk-sendmail[1500637]: S1500636: add-from: stderr: SKIP
Oct 11 12:36:53 a3 postfix/smtpd[1496706]: connect from o16824537x94.outbound-mail.sendgrid.net[168.245.37.94]
Oct 11 12:36:53 a3 plesk-sendmail[1500637]: S1500636: py-limit-out: stderr: INFO:__main__:Setting 'X-PPP-Vhost' header to '((((MY PLESK DOMAIN))))'
Oct 11 12:36:53 a3 postfix/spawn[1496713]: warning: /usr/lib/plesk-9.0/postfix-srs: process id 1497634: command time limit exceeded
Oct 11 12:36:53 a3 plesk-sendmail[1500637]: S1500636: py-limit-out: stderr: PASS
Oct 11 12:36:53 a3 plesk-sendmail[1500637]: S1500636: check-quota: stderr: SKIP
Oct 11 12:36:53 a3 postfix/pickup[1494663]: 68CC03480663: uid=30 from=<((((SENDER EMAIL))))>
Oct 11 12:36:53 a3 postfix/cleanup[1498592]: 68CC03480663: message-id=<bca08d27-b41e-d87d-a84f-924fe18ae71b@((((SENDER DOMAIN))))>
Oct 11 12:36:53 a3 dovecot: service=lda, user=((((RECIPIENT EMAIL)))), ip=[]. sieve: msgid=<bca08d27-b41e-d87d-a84f-924fe18ae71b@((((SENDER DOMAIN))))>: redirect action: forwarded to <[email protected]>
Oct 11 12:36:53 a3 postfix/qmgr[2707320]: 68CC03480663: from=<((((SENDER EMAIL))))>, size=302201, nrcpt=1 (queue active)
Oct 11 12:36:53 a3 plesk-sendmail[1500646]: S1500646: from=<((((SENDER EMAIL))))> to=<[email protected]>
Oct 11 12:36:53 a3 plesk-sendmail[1500647]: S1500646: add-from: stderr: SKIP
Oct 11 12:36:53 a3 plesk-sendmail[1500647]: S1500646: py-limit-out: stderr: INFO:__main__:Setting 'X-PPP-Vhost' header to '((((MY PLESK DOMAIN))))'
Oct 11 12:36:53 a3 plesk-sendmail[1500647]: S1500646: py-limit-out: stderr: PASS
Oct 11 12:36:53 a3 plesk-sendmail[1500647]: S1500646: check-quota: stderr: SKIP
Oct 11 12:36:53 a3 postfix/pickup[1494663]: AA8D7348066B: uid=30 from=<((((SENDER EMAIL))))>
Oct 11 12:36:53 a3 postfix/cleanup[1498592]: AA8D7348066B: message-id=<bca08d27-b41e-d87d-a84f-924fe18ae71b@((((SENDER DOMAIN))))>
Oct 11 12:36:53 a3 dovecot: service=lda, user=((((RECIPIENT EMAIL)))), ip=[]. sieve: msgid=<bca08d27-b41e-d87d-a84f-924fe18ae71b@((((SENDER DOMAIN))))>: redirect action: forwarded to <[email protected]>
Oct 11 12:36:53 a3 postfix/qmgr[2707320]: AA8D7348066B: from=<((((SENDER EMAIL))))>, size=302201, nrcpt=1 (queue active)
Oct 11 12:36:53 a3 dovecot: service=lda, user=((((RECIPIENT EMAIL)))), ip=[]. sieve: msgid=<bca08d27-b41e-d87d-a84f-924fe18ae71b@((((SENDER DOMAIN))))>: stored mail into mailbox 'INBOX'
Oct 11 12:36:53 a3 postfix/pipe[1498315]: 8110B3480612: to=<((((RECIPIENT EMAIL))))>, relay=plesk_virtual, delay=1.3, delays=0.63/0/0/0.69, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Oct 11 12:36:53 a3 postfix/qmgr[2707320]: 8110B3480612: removed
Oct 11 12:36:54 a3 postfix/smtp[1500604]: AA8D7348066B: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1a]:25, delay=0.54, delays=0.02/0/0.14/0.38, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1a] said: 550-5.7.1 [2a02:c205:2009:6449::1] Our system has detected that this message 550-5.7.1 does not meet IPv6 sending guidelines regarding PTR records and 550-5.7.1 authentication. Please review 550-5.7.1 Email sender guidelines - Gmail Help for more information 550 5.7.1 . h7-20020adffa87000000b0032d569e72bcsi1414591wrr.954 - gsmtp (in reply to end of DATA command))
Oct 11 12:36:54 a3 postfix/cleanup[1500658]: 3B423348066C: message-id=<20231011103654.3B423348066C@((((MY PLESK DOMAIN))))>
Oct 11 12:36:54 a3 postfix/bounce[1500617]: AA8D7348066B: sender non-delivery notification: 3B423348066C
Oct 11 12:36:54 a3 postfix/qmgr[2707320]: 3B423348066C: from=<>, size=6528, nrcpt=1 (queue active)
Oct 11 12:36:54 a3 postfix/qmgr[2707320]: AA8D7348066B: removed
Oct 11 12:36:54 a3 postfix/smtp[1500615]: 68CC03480663: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[64.233.167.27]:25, delay=0.83, delays=0.01/0/0.14/0.68, dsn=2.0.0, status=sent (250 2.0.0 OK 1697020614 h6-20020a05600c314600b004064e33309dsi8751936wmo.194 - gsmtp)
Oct 11 12:36:54 a3 postfix/qmgr[2707320]: 68CC03480663: removed
Oct 11 12:36:54 a3 psa-pc-remote[1383690]: 2068F3480612: py-limit-out: stderr: INFO:__main__:No SMTP AUTH and not running in sendmail context (incoming or unrestricted outgoing mail). SKIP message.
Oct 11 12:36:54 a3 psa-pc-remote[1383690]: 2068F3480612: py-limit-out: stderr: SKIP
Oct 11 12:36:54 a3 psa-pc-remote[1383690]: 2068F3480612: check-quota: stderr: SKIP
Oct 11 12:36:54 a3 psa-pc-remote[1383690]: 2068F3480612: spf: stderr: PASS
 
The line below from your log indicates a Dovecot forwarding rule.
Oct 11 12:36:53 a3 dovecot: service=lda, user=((((RECIPIENT EMAIL)))), ip=[]. sieve: msgid=<bca08d27-b41e-d87d-a84f-924fe18ae71b@((((SENDER DOMAIN))))>: redirect action: forwarded to <[email protected]>

Did you check the filter rules in webmail for this email account to see if there are forwarding rules present? I also strongly advise changing the password of the mailbox, as it might be compromised.
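The check described in this reply can be run across a whole maillog rather than one line. The following is an added example, not part of the original post: it scans for Dovecot LDA `sieve: ... redirect action: forwarded to` lines in the format shown above and reports every mailbox that forwards to a domain the server does not host. The function names, the sample log lines and the local-domain list are constructed for illustration.

```python
import re
from collections import defaultdict

# Dovecot LDA sieve redirect line, in the format shown in the thread's maillog.
REDIRECT_RE = re.compile(
    r"dovecot: service=lda, user=(?P<user>[^,]+), .*?"
    r"sieve: msgid=(?:<[^>]*>|\S+): redirect action: "
    r"forwarded to <(?P<target>[^>]+)>"
)

def domain(addr):
    """Lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()

def find_external_redirects(lines, local_domains):
    """Return {mailbox: {target: count}} for sieve redirects that leave
    the domains hosted on this server."""
    local = {d.lower() for d in local_domains}
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = REDIRECT_RE.search(line)
        if m and domain(m.group("target")) not in local:
            hits[m.group("user")][m.group("target")] += 1
    return {user: dict(targets) for user, targets in hits.items()}

# Constructed sample lines (not taken from the thread's log).
SAMPLE_LOG = """\
Oct 11 12:36:53 mx1 dovecot: service=lda, user=alice@example.com, ip=[]. sieve: msgid=<m1@sender.example>: redirect action: forwarded to <drop1@mailbox.example.net>
Oct 11 12:36:53 mx1 dovecot: service=lda, user=alice@example.com, ip=[]. sieve: msgid=<m1@sender.example>: stored mail into mailbox 'INBOX'
Oct 11 12:40:10 mx1 dovecot: service=lda, user=bob@example.com, ip=[]. sieve: msgid=<m2@sender.example>: redirect action: forwarded to <bob.backup@example.com>
Oct 11 12:41:02 mx1 dovecot: service=lda, user=alice@example.com, ip=[]. sieve: msgid=<m3@sender.example>: redirect action: forwarded to <drop1@mailbox.example.net>
Oct 11 12:41:02 mx1 dovecot: service=lda, user=alice@example.com, ip=[]. sieve: msgid=<m3@sender.example>: redirect action: forwarded to <drop2@mailbox.example.net>
"""

if __name__ == "__main__":
    # Assumption: example.com is the only domain hosted on this server.
    report = find_external_redirects(SAMPLE_LOG.splitlines(), {"example.com"})
    for user, targets in report.items():
        for target, count in targets.items():
            print(f"{user} -> {target} ({count} messages)")
```

Any mailbox this reports is a candidate for the two follow-ups the reply names: review its webmail filter rules and change its password.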
 
This is the solution.
I found filter rules in the webmail options that forwarded all messages to these two weird Gmail addresses.
I deleted them
and changed the password.
Thanks

Now we need to discover whether it happened because of a virus on the user's computer that changed the webmail configuration using his password, or whether this is a different issue.
 