It doesn’t sound like you are being repeatedly hacked. It sounds like your 
reputation dropped with google, and certain emails trigger their anti-spam 
filtering now. Not all of them, just some. I have problems with Google 
accepting email regularly sometimes, and dropping other emails into people’s 
spam folders, as a result of too many of my users forwarding email to google 
and those forwards passing along a lot of spam to their addresses on my server. 

-Sent from my Pip-Boy 3000

> On 17/08/2020, at 8:46 AM, Charles Hockenbarger <[email protected]> wrote:
> 
> As I understand the forwards setup in qmailadmin those are in the database, 
> right?
> 
> The address that was compromised hasn't sent any email since the password 
> change. 
> 
> I hadn't thought about looking at qmail-inject. I'll dig into watching that 
> part of the process. 
> 
> Get TypeApp for Android
>> On Aug 16, 2020, at 3:14 PM, Eric Broch <[email protected]> wrote:
>> How do you have your forwards set up?
>> 
>> Is there any mail in your queue?
>> 
>> If someone hacked an account on your server with forwards to gmail accounts 
>> they aren't limited to just these forwards, they also have the option in the 
>> email client to add gmail accounts in the "To:" field of the email they're 
>> sending, thus bounces from gmail accounts that aren't in your forwards file.
>> 
>> Also, qmail-inject puts mail in the queue and you'll see it in the send log.
>> 
>>> On 8/16/2020 10:05 AM, Chas Hockenbarger wrote: 
>>> I'm hoping someone has encountered this weird behavior or something like it 
>>> before and can point me down a path, because all my research has turned up 
>>> nothing so far.
>>> 
>>> I had an email account recently get breached due to a re-used password, and 
>>> that account was used to send a bunch of spam out from a server I help 
>>> manage.  We changed the password on the account as soon as we found it 
>>> happening and the outbound flood stopped.
>>> 
>>> Shortly after that, however, I started seeing a very, very strange 
>>> behavior.  Sometimes, and I haven’t yet been able to identify the trigger 
>>> or pattern, when users on this server send email to a forward that contains 
>>> around 50 or so email addresses (they use it like a private distribution 
>>> list) they will get anywhere from 1-10 bounces from Gmail.  Not every email 
>>> sent to the forward has this happen, and not even every email from a 
>>> particular user.
>>> 
>>> The outbound spamming caused the server’s reputation to go in the tank with 
>>> Google, and if it weren’t for that, I wouldn’t know this was happening, 
>>> because they get the bounces from Gmail accounts that absolutely ARE NOT in 
>>> the forward or part of the email chain AT ALL.
>>> 
>>> I’m kind of freaking out here because while I haven’t found a breach of the 
>>> actual server / OS, this feels like someone has been able to inject 
>>> something somewhere into my server that I simply can’t find.  It is 
>>> especially troubling because a user who is not on this domain, but is part 
>>> of the group and therefore uses the forward from time to time, sent 
>>> something to the forward today and got Gmail bounces.   
>>> 
>>> I don’t see anything in the send log that shows the server even trying to 
>>> send to Gmail, which only adds to the ghost story.
>>> 
>>> Any ideas, paths to go down, anything would be greatly appreciated here.  
>>> I’m about to just rebuild the whole thing from scratch on a new VM, but if 
>>> I’m overlooking something simple don’t want to put the users through that.
>>> 
>>> Thanks in advance.
>>> 
>>> Chas