Did you check your qmail aliases?
cd /var/qmail/alias/

What do those files say?


> On Aug 16, 2020, at 3:10 PM, Chas Hockenbarger <[email protected]> wrote:
> 
> Thanks, Boheme, and yes that’s a problem, but it’s a symptom of this problem. 
>  Emails are going to Gmail accounts when users aren’t sending them.  Legit 
> emails to Gmail accounts are definitely getting bounced, too, which I have to 
> deal with later.  If I can’t stop this weird spamming to them, I can’t 
> recover the reputation.
> From: Boheme [mailto:[email protected]] 
> Sent: Sunday, August 16, 2020 4:59 PM
> To: [email protected]
> Subject: Re: [qmailtoaster] Distressing strange behavior
>  
> It doesn’t sound like you are being repeatedly hacked. It sounds like your 
> reputation dropped with google, and certain emails trigger their anti-spam 
> filtering now. Not all of them, just some. I have problems with Google 
> accepting email regularly sometimes, and dropping other emails into people’s 
> spam folders, as a result of too many of my users forwarding email to google 
> and those forwards passing along a lot of spam to their addresses on my 
> server. 
> 
> -Sent from my Pip-Boy 3000
> 
> 
>> On 17/08/2020, at 8:46 AM, Charles Hockenbarger <[email protected]> wrote:
>> 
>> 
>> As I understand the forwards setup in qmailadmin those are in the database, 
>> right?
>> 
>> The address that was compromised hasn't sent any email since the password 
>> change. 
>> 
>> I hadn't thought about looking at qmail-inject. I'll dig into watching that 
>> part of the process. 
>> 
>> On Aug 16, 2020, at 3:14 PM, Eric Broch <[email protected]> wrote:
>>> How do you have your forwards set up?
>>> 
>>> Is there any mail in your queue?
>>> 
>>> If someone hacked an account on your server with forwards to gmail accounts 
>>> they aren't limited to just these forwards, they also have the option in 
>>> the email client to add gmail accounts in the "To:" field of the email 
>>> they're sending, thus bounces from gmail accounts that aren't in your 
>>> forwards file.
>>> 
>>> Also, qmail-inject puts mail in the queue and you'll see it in the send log.
>>> 
>>>  
>>> 
>>> On 8/16/2020 10:05 AM, Chas Hockenbarger wrote: 
>>>> I'm hoping someone has encountered this weird behavior or something like 
>>>> it before and can point me down a path, because all my research has turned 
>>>> up nothing so far. 
>>>>   
>>>> 
>>>> I had an email account recently get breached due to a re-used password, 
>>>> and that account was used to send a bunch of spam out from a server I help 
>>>> manage.  We changed the password on the account as soon as we found it 
>>>> happening and the outbound flood stopped. 
>>>>   
>>>> 
>>>> Shortly after that, however, I started seeing a very, very strange 
>>>> behavior.  Sometimes, and I haven’t yet been able to identify the trigger 
>>>> or pattern, when users on this server send email to a forward that 
>>>> contains around 50 or so email addresses (they use it like a private 
>>>> distribution list) they will get anywhere from 1-10 bounces from Gmail.  
>>>> Not every email sent to the forward has this happen, and not even every 
>>>> email from a particular user. 
>>>>   
>>>> 
>>>> The outbound spamming caused the server’s reputation to go in the tank 
>>>> with Google, and if it weren’t for that, I wouldn’t know this was 
>>>> happening, because they get the bounces from Gmail accounts that 
>>>> absolutely ARE NOT in the forward or part of the email chain AT ALL. 
>>>>   
>>>> 
>>>> I’m kind of freaking out here because while I haven’t found a breach of 
>>>> the actual server / OS, this feels like someone has been able to inject 
>>>> something somewhere into my server that I simply can’t find.  It is 
>>>> especially troubling because a user who is not on this domain, but is part 
>>>> of the group and therefore uses the forward from time to time, sent 
>>>> something to the forward today and got Gmail bounces.    
>>>>   
>>>> 
>>>> I don’t see anything in the send log that shows the server even trying to 
>>>> send to Gmail, which only adds to the ghost story. 
>>>>   
>>>> 
>>>> Any ideas, paths to go down, anything would be greatly appreciated here.  
>>>> I’m about to just rebuild the whole thing from scratch on a new VM, but if 
>>>> I’m overlooking something simple don’t want to put the users through that. 
>>>>   
>>>> 
>>>> Thanks in advance. 
>>>>   
>>>> 
>>>> Chas 

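The advice in this thread (check the alias files under /var/qmail/alias, look at the forwards, look at the queue and the send log) comes down to finding forwarding lines in dot-qmail files whose target is a domain you did not expect. The script below is an added example, not code from the thread or from qmailtoaster. It follows the dot-qmail(5) line rules: a line starting with `#` is a comment, `|` runs a program, `/` or `.` is a maildir or mbox path, `&` is a forward, and any other non-empty line is also treated as a forward. The sample directory it builds is constructed for the demo; the real paths (/var/qmail/alias, and the vpopmail domain directories where qmailadmin normally writes .qmail-<alias> files unless the build keeps aliases in MySQL) are assumptions you should adjust to your install.

```shell
#!/bin/sh
# Added example (not from the thread): audit dot-qmail files for forwards
# to a given domain, so a forward someone planted to an outside address
# stands out. Paths on a real box are assumptions, see the usage note.

# Usage: find_forwards DIR [DOMAIN]
# Prints "<file>\t<address>" for each forwarding line in DIR/.qmail* whose
# target is at DOMAIN (default gmail.com), case-insensitively.
find_forwards() {
    dir=$1
    domain=${2:-gmail.com}
    for f in "$dir"/.qmail*; do
        [ -f "$f" ] || continue
        # Drop comment ('#'), program ('|') and mailbox ('/' or '.') lines;
        # strip the '&' forward prefix and trailing whitespace; keep only
        # targets at DOMAIN. Bare address lines count as forwards too,
        # exactly as qmail-local treats them.
        grep -v '^[#|/.]' "$f" \
            | sed 's/^&//; s/[[:space:]]*$//' \
            | grep -i "@${domain}\$" \
            | while IFS= read -r addr; do
                printf '%s\t%s\n' "$(basename "$f")" "$addr"
            done
    done
}

# Usage: count_forwards DIR [DOMAIN]
# Number of forwarding lines to DOMAIN under DIR; a quick "anything odd?" check.
count_forwards() {
    find_forwards "$1" "${2:-gmail.com}" | wc -l | tr -d ' '
}

# Build a constructed sample alias directory that mimics /var/qmail/alias.
# The file names and addresses are made up for this demo.
make_sample_dir() {
    d=$(mktemp -d)
    # A distribution-list style forward (the thread's list has ~50 entries;
    # a handful here). Two live targets are at gmail.com, one as a bare line.
    cat > "$d/.qmail-staff" <<'EOF'
&alice@gmail.com
&bob@example.org
carol@Gmail.com
# dave@gmail.com left the group, kept here as a comment only
&erin@example.net
EOF
    # postmaster forwards to a local admin address
    printf '&admin@example.org\n' > "$d/.qmail-postmaster"
    # root delivers to a Maildir, which is not a forward at all
    printf './Maildir/\n' > "$d/.qmail-root"
    printf '%s\n' "$d"
}

# Stand-alone demo: audit the constructed directory and clean up.
sample=$(make_sample_dir)
echo "Forwards to gmail.com in $sample:"
find_forwards "$sample"
rm -rf "$sample"
```

On a live qmailtoaster host you would run `find_forwards /var/qmail/alias` and then `find_forwards /home/vpopmail/domains/<domain>` for each hosted domain (that vpopmail path is the usual default, not something the thread confirms), and pair it with `qmail-qstat` and `qmail-qread` from /var/qmail/bin to see whether anything addressed to Gmail is sitting in the queue that never appears in the send log. A forward that matches here but is not in your list is exactly the "injected something somewhere" the original poster was looking for; a clean result points back at the reputation explanation given earlier in the thread.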