Yes, I did check those; my first thought was that the server had been 
compromised and someone had modified those files to do some weird thing.  However, 


.qmail-root has one line &postmaster@<domain>

.qmail-postmaster has one line &postmaster@<domain>

.qmail-mailer-daemon has one line &postmaster@<domain>


I see no other files in that directory.


One more piece of info I just discovered.  Even though qmHandle -l reports 0 
messages in either the remote or local queue, the bounce queue directory has 
over 2000 messages in it.


Could that be a contributing factor here?  I don’t see how that would create 
random emails going to Gmail accounts from (seemingly) random other messages, 
but is it possible something is borked up in the queue processing there since 
Gmail is bouncing everything back to me?


From: Remo Mattei [mailto:[email protected]] 
Sent: Sunday, August 16, 2020 5:26 PM
To: [email protected]
Subject: Re: [qmailtoaster] Distressing strange behavior


did you check your qmail aliases?

cd /var/qmail/alias/


what do those files say?

On Aug 16, 2020, at 3:10 PM, Chas Hockenbarger <[email protected]> wrote:


Thanks, Boheme, and yes that’s a problem, but it’s a symptom of this problem.  
Emails are going to Gmail accounts when users aren’t sending them.  Legit 
emails to Gmail accounts are definitely getting bounced, too, which I have to 
deal with later.  If I can’t stop this weird spamming to them, I can’t recover 
the reputation.


From: Boheme [mailto:[email protected]] 
Sent: Sunday, August 16, 2020 4:59 PM
To: [email protected]
Subject: Re: [qmailtoaster] Distressing strange behavior


It doesn’t sound like you are being repeatedly hacked. It sounds like your 
reputation dropped with google, and certain emails trigger their anti-spam 
filtering now. Not all of them, just some. I have problems with Google 
accepting email regularly sometimes, and dropping other emails into people’s 
spam folders, as a result of too many of my users forwarding email to google 
and those forwards passing along a lot of spam to their addresses on my server. 

-Sent from my Pip-Boy 3000

On 17/08/2020, at 8:46 AM, Charles Hockenbarger <[email protected]> wrote:



As I understand the forwards setup in qmailadmin those are in the database, 
right?

The address that was compromised hasn't sent any email since the password 
change. 

I hadn't thought about looking at qmail-inject. I'll dig into watching that 
part of the process. 


On Aug 16, 2020, at 3:14 PM, Eric Broch <[email protected]> wrote:

How do you have your forwards set up?

Is there any mail in your queue?

If someone hacked an account on your server with forwards to Gmail accounts, 
they aren't limited to just those forwards; they also have the option in the 
email client to add Gmail accounts in the "To:" field of the email they're 
sending, thus bounces from Gmail accounts that aren't in your forwards file.

Also, qmail-inject puts mail in the queue and you'll see it in the send log.


On 8/16/2020 10:05 AM, Chas Hockenbarger wrote: 

I'm hoping someone has encountered this weird behavior or something like it 
before and can point me down a path, because all my research has turned up 
nothing so far. 


I had an email account recently get breached due to a re-used password, and 
that account was used to send a bunch of spam out from a server I help manage.  
We changed the password on the account as soon as we found it happening and the 
outbound flood stopped. 


Shortly after that, however, I started seeing a very, very strange behavior.  
Sometimes, and I haven’t yet been able to identify the trigger or pattern, when 
users on this server send email to a forward that contains around 50 or so 
email addresses (they use it like a private distribution list), they will get 
anywhere from 1 to 10 bounces from Gmail.  Not every email sent to the forward has 
this happen, and not even every email from a particular user. 


The outbound spamming caused the server’s reputation to go in the tank with 
Google, and if it weren’t for that, I wouldn’t know this was happening, because 
they get the bounces from Gmail accounts that absolutely ARE NOT in the forward 
or part of the email chain AT ALL. 


I’m kind of freaking out here because while I haven’t found a breach of the 
actual server / OS, this feels like someone has been able to inject something 
somewhere into my server that I simply can’t find.  It is especially troubling 
because a user who is not on this domain, but is part of the group and 
therefore uses the forward from time to time, sent something to the forward 
today and got Gmail bounces.    


I don’t see anything in the send log that shows the server even trying to send 
to Gmail, which only adds to the ghost story. 


Any ideas, paths to go down, anything would be greatly appreciated here.  I’m 
about to just rebuild the whole thing from scratch on a new VM, but if I’m 
overlooking something simple I don’t want to put the users through that. 


Thanks in advance. 


Chas 

