Thanks, Remo. I don't see any http logins for the compromised account but I'll 
try there.

Sorry for the stupid question, but how do we up the logging level for qmail 
logs? I've never had to do that and my searching hasn't shown me anything. I've 
got debug on for dovecot, though that's not really where the problem seems to 
be.


On Aug 16, 2020, at 11:17 AM, [email protected] wrote:
>I would suggest stopping httpd. Normally, when I saw something like that
>on one of my old servers (which I have now displaced and replaced with CentOS 7),
>the user found that loop to send. I would enable debug on all outgoing,
>which is how I found that hole.
>
>It sucks, I know. For Google, that's some more work for reputation.
>
>Ciao
>> On 16 Aug 2020, at 09:05, Chas Hockenbarger
><[email protected]> wrote:
>>
>> 
>> I'm hoping someone has encountered this weird behavior or something
>like it before and can point me down a path, because all my research
>has turned up nothing so far.
>>
>> I had an email account recently get breached due to a re-used
>password, and that account was used to send a bunch of spam out from a
>server I help manage.  We changed the password on the account as soon
>as we found it happening and the outbound flood stopped.
>>
>> Shortly after that, however, I started seeing a very, very strange
>behavior.  Sometimes, and I haven’t yet been able to identify the
>trigger or pattern, when users on this server send email to a forward
>that contains around 50 or so email addresses (they use it like a
>private distribution list) they will get anywhere from 1-10 bounces
>from Gmail.  Not every email sent to the forward has this happen, and
>not even every email from a particular user.
>>
>> The outbound spamming caused the server’s reputation to go in the
>tank with Google, and if it weren’t for that, I wouldn’t know this was
>happening, because they get the bounces from Gmail accounts that
>absolutely ARE NOT in the forward or part of the email chain AT ALL.
>>
>> I’m kind of freaking out here because while I haven’t found a breach
>of the actual server / OS, this feels like someone has been able to
>inject something somewhere into my server that I simply can’t find.  It
>is especially troubling because a user who is not on this domain, but
>is part of the group and therefore uses the forward from time to time,
>sent something to the forward today and got Gmail bounces.
>>
>> I don’t see anything in the send log that shows the server even
>trying to send to Gmail, which only adds to the ghost story.
>>
>> Any ideas, paths to go down, anything would be greatly appreciated
>here.  I'm about to just rebuild the whole thing from scratch on a new
>VM, but if I'm overlooking something simple I don't want to put the users
>through that.
>>
>> Thanks in advance.
>>
>> Chas
>
>
>------------------------------------------------------------------------
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [email protected]
>For additional commands, e-mail:
>[email protected]
