do a tree in /var/qmail/queue that shows all the msg you got even though the qmHandle does not show it. I could check that and read some of those files.
> On Aug 16, 2020, at 3:32 PM, Chas Hockenbarger <[email protected]> wrote: > > Yes, I did check those, that was my first thought is that the server had been > compromised and someone modified those files to do some weird thing. > However, > > .qmail-root has one line &postmaster@<domain> > .qmail-postmaster has one line &postmaster@<domain> > .qmail-mailer-daemon has one line &postmaster@<domain> > > I see no other files in that directory. > > One more piece of info I just discovered. Even though qmHandle –l reports 0 > messages in either the remote or local queue, the bounce queue directory has > over 2000 messages in it. > > Could that be a contributing factor here? I don’t see how that would create > random emails going to Gmail accounts from (seemingly) random other messages, > but is it possible something is borked up in the queue processing there since > Gmail is bouncing everything back to me? > <> > From: Remo Mattei [mailto:[email protected]] > Sent: Sunday, August 16, 2020 5:26 PM > To: [email protected] > Subject: Re: [qmailtoaster] Distressing strange behavior > > did you check your qmail aliases? > cd /var/qmail/alias/ > > what do those files say? > > > >> On Aug 16, 2020, at 3:10 PM, Chas Hockenbarger <[email protected] >> <mailto:[email protected]>> wrote: >> >> Thanks, Boheme, and yes that’s a problem, but it’s a symptom of this >> problem. Emails are going to Gmail accounts when users aren’t sending them. >> Legit emails to Gmail accounts are definitely getting bounced, too, which I >> have to deal with later. If I can’t stop this weird spamming to them, I >> can’t recover the reputation. >> >> From: Boheme [mailto:[email protected] <mailto:[email protected]>] >> Sent: Sunday, August 16, 2020 4:59 PM >> To: [email protected] >> <mailto:[email protected]> >> Subject: Re: [qmailtoaster] Distressing strange behavior >> >> It doesn’t sound like you are being repeatedly hacked. It sounds like your >> reputation dropped with google, and certain emails trigger their anti-spam >> filtering now. Not all of them, just some. I have problems with Google >> accepting email regularly sometimes, and dropping other emails into people’s >> spam folders, as a result of too many of my users forwarding email to google >> and those forwards passing along a lot of spam to their addresses on my >> server. >> >> -Sent from my Pip-Boy 3000 >> >> >> >>> On 17/08/2020, at 8:46 AM, Charles Hockenbarger <[email protected] >>> <mailto:[email protected]>> wrote: >>> >>> >>> As I understand the forwards setup in qmailadmin those are in the database, >>> right? >>> >>> The address that was compromised hasn't sent any email since the password >>> change. >>> >>> I hadn't thought about looking at qmail-inject. I'll dig into watching that >>> part of the process. >>> >>> Get TypeApp for Android <http://www.typeapp.com/r?b=15986> >>> On Aug 16, 2020, at 3:14 PM, Eric Broch <[email protected] >>> <mailto:[email protected]>> wrote: >>>> How do you have your forwards set up? >>>> Is there any mail in your queue? >>>> If someone hacked an account on your server with forwards to gmail >>>> accounts they aren't limited to just these forwards, they also have the >>>> option in the email client to add gmail accounts in the "To:" field of the >>>> email they're sending, thus bounces from gmail accounts that aren't in >>>> your forwards file. >>>> Also, qmail-inject puts mail in the queue and you'll see it in the send >>>> log. >>>> >>>> On 8/16/2020 10:05 AM, Chas Hockenbarger wrote: >>>>> I'm hoping someone has encountered this weird behavior or something like >>>>> it before and can point me down a path, because all my research has >>>>> turned up nothing so far. >>>>> >>>>> I had an email account recently get breached due to a re-used password, >>>>> and that account was used to send a bunch of spam out from a server I >>>>> help manage. We changed the password on the account as soon as we found >>>>> it happening and the outbound flood stopped. >>>>> >>>>> Shortly after that, however, I started seeing a very, very strange >>>>> behavior. Sometimes, and I haven’t yet been able to identify the trigger >>>>> or pattern, when users on this server send email to a forward that >>>>> contains around 50 or so email addresses (they use it like a private >>>>> distribution list) they will get anywhere from 1-10 bounces from Gmail. >>>>> Not every email sent to the forward has this happen, and not even every >>>>> email from a particular user. >>>>> >>>>> The outbound spamming caused the server’s reputation to go in the tank >>>>> with Google, and if it weren’t for that, I wouldn’t know this was >>>>> happening, because they get the bounces from Gmail accounts that >>>>> absolutely ARE NOT in the forward or part of the email chain AT ALL. >>>>> >>>>> I’m kind of freaking out here because while I haven’t found a breach of >>>>> the actual server / OS, this feels like someone has been able to inject >>>>> something somewhere into my server that I simply can’t find. It is >>>>> especially troubling because a user who is not on this domain, but is >>>>> part of the group and therefore uses the forward from time to time, sent >>>>> something to the forward today and got Gmail bounces. >>>>> >>>>> I don’t see anything in the send log that shows the server even trying to >>>>> send to Gmail, which only adds to the ghost story. >>>>> >>>>> Any ideas, paths to go down, anything would be greatly appreciated here. >>>>> I’m about to just rebuild the whole thing from scratch on a new VM, but >>>>> if I’m overlooking something simple don’t want to put the users through >>>>> that. >>>>> >>>>> Thanks in advance. >>>>> >>>>> Chas
