As I understand the forwards setup in qmailadmin those are in the database, right?
The address that was compromised hasn't sent any email since the password change. I hadn't thought about looking at qmail-inject. I'll dig into watching that part of the process.

On Aug 16, 2020, 3:14 PM, Eric Broch <[email protected]> wrote:

> How do you have your forwards set up?
>
> Is there any mail in your queue?
>
> If someone hacked an account on your server with forwards to gmail accounts they aren't limited to just these forwards, they also have the option in the email client to add gmail accounts in the "To:" field of the email they're sending, thus bounces from gmail accounts that aren't in your forwards file.
>
> Also, qmail-inject puts mail in the queue and you'll see it in the send log.
>
> On 8/16/2020 10:05 AM, Chas Hockenbarger wrote:
>>
>> I'm hoping someone has encountered this weird behavior or something like it before and can point me down a path, because all my research has turned up nothing so far.
>>
>> I had an email account recently get breached due to a re-used password, and that account was used to send a bunch of spam out from a server I help manage. We changed the password on the account as soon as we found it happening and the outbound flood stopped.
>>
>> Shortly after that, however, I started seeing a very, very strange behavior. Sometimes, and I haven’t yet been able to identify the trigger or pattern, when users on this server send email to a forward that contains around 50 or so email addresses (they use it like a private distribution list) they will get anywhere from 1-10 bounces from Gmail. Not every email sent to the forward has this happen, and not even every email from a particular user.
>>
>> The outbound spamming caused the server’s reputation to go in the tank with Google, and if it weren’t for that, I wouldn’t know this was happening, because they get the bounces from Gmail accounts that absolutely ARE NOT in the forward or part of the email chain AT ALL.
>>
>> I’m kind of freaking out here because while I haven’t found a breach of the actual server / OS, this feels like someone has been able to inject something somewhere into my server that I simply can’t find. It is especially troubling because a user who is not on this domain, but is part of the group and therefore uses the forward from time to time, sent something to the forward today and got Gmail bounces.
>>
>> I don’t see anything in the send log that shows the server even trying to send to Gmail, which only adds to the ghost story.
>>
>> Any ideas, paths to go down, anything would be greatly appreciated here. I’m about to just rebuild the whole thing from scratch on a new VM, but if I’m overlooking something simple don’t want to put the users through that.
>>
>> Thanks in advance.
>>
>> Chas
