Well, if qmailctl queue and/or qmHandle do not see them, I could zip the folder and remove those files.

Remo

> On Aug 16, 2020, at 3:49 PM, Chas Hockenbarger <[email protected]> wrote:
>
> So I looked at a few of the files in the bounce folder and every one of them
> is a bounce back from Gmail for either bad addresses or just the reputation
> bounce.
>
> Is there a down side to just blowing those away?
>
> From: Remo Mattei [mailto:[email protected]]
> Sent: Sunday, August 16, 2020 5:43 PM
> To: [email protected]
> Subject: Re: [qmailtoaster] Distressing strange behavior
>
> BTW, I always use the -L on qmHandle. It should not change much, but my 2
> cents.
>
> Remo
>
>> On Aug 16, 2020, at 3:32 PM, Chas Hockenbarger <[email protected]> wrote:
>>
>> Yes, I did check those; my first thought was that the server had been
>> compromised and someone modified those files to do some weird thing.
>> However,
>>
>> .qmail-root has one line &postmaster@<domain>
>> .qmail-postmaster has one line &postmaster@<domain>
>> .qmail-mailer-daemon has one line &postmaster@<domain>
>>
>> I see no other files in that directory.
>>
>> One more piece of info I just discovered. Even though qmHandle -l reports 0
>> messages in either the remote or local queue, the bounce queue directory has
>> over 2000 messages in it.
>>
>> Could that be a contributing factor here? I don’t see how that would create
>> random emails going to Gmail accounts from (seemingly) random other
>> messages, but is it possible something is borked up in the queue processing
>> there since Gmail is bouncing everything back to me?
>>
>> From: Remo Mattei [mailto:[email protected]]
>> Sent: Sunday, August 16, 2020 5:26 PM
>> To: [email protected]
>> Subject: Re: [qmailtoaster] Distressing strange behavior
>>
>> Did you check your qmail aliases?
>> cd /var/qmail/alias/
>>
>> What do those files say?
>>
>>> On Aug 16, 2020, at 3:10 PM, Chas Hockenbarger <[email protected]> wrote:
>>>
>>> Thanks, Boheme, and yes that’s a problem, but it’s a symptom of this
>>> problem. Emails are going to Gmail accounts when users aren’t sending
>>> them. Legit emails to Gmail accounts are definitely getting bounced, too,
>>> which I have to deal with later. If I can’t stop this weird spamming to
>>> them, I can’t recover the reputation.
>>>
>>> From: Boheme [mailto:[email protected]]
>>> Sent: Sunday, August 16, 2020 4:59 PM
>>> To: [email protected]
>>> Subject: Re: [qmailtoaster] Distressing strange behavior
>>>
>>> It doesn’t sound like you are being repeatedly hacked. It sounds like your
>>> reputation dropped with Google, and certain emails trigger their anti-spam
>>> filtering now. Not all of them, just some. I have problems with Google
>>> accepting email regularly sometimes, and dropping other emails into
>>> people’s spam folders, as a result of too many of my users forwarding email
>>> to Google and those forwards passing along a lot of spam to their addresses
>>> on my server.
>>>
>>> -Sent from my Pip-Boy 3000
>>>
>>>> On 17/08/2020, at 8:46 AM, Charles Hockenbarger <[email protected]> wrote:
>>>>
>>>> As I understand the forwards setup in qmailadmin, those are in the
>>>> database, right?
>>>>
>>>> The address that was compromised hasn't sent any email since the password
>>>> change.
>>>>
>>>> I hadn't thought about looking at qmail-inject. I'll dig into watching
>>>> that part of the process.
>>>>
>>>> Get TypeApp for Android <http://www.typeapp.com/r?b=15986>
>>>>
>>>> On Aug 16, 2020, at 3:14 PM, Eric Broch <[email protected]> wrote:
>>>>>
>>>>> How do you have your forwards set up?
>>>>> Is there any mail in your queue?
>>>>> If someone hacked an account on your server with forwards to gmail
>>>>> accounts they aren't limited to just these forwards, they also have the
>>>>> option in the email client to add gmail accounts in the "To:" field of
>>>>> the email they're sending, thus bounces from gmail accounts that aren't
>>>>> in your forwards file.
>>>>> Also, qmail-inject puts mail in the queue and you'll see it in the send
>>>>> log.
>>>>>
>>>>> On 8/16/2020 10:05 AM, Chas Hockenbarger wrote:
>>>>>>
>>>>>> I'm hoping someone has encountered this weird behavior or something like
>>>>>> it before and can point me down a path, because all my research has
>>>>>> turned up nothing so far.
>>>>>>
>>>>>> I had an email account recently get breached due to a re-used password,
>>>>>> and that account was used to send a bunch of spam out from a server I
>>>>>> help manage. We changed the password on the account as soon as we found
>>>>>> it happening and the outbound flood stopped.
>>>>>>
>>>>>> Shortly after that, however, I started seeing a very, very strange
>>>>>> behavior. Sometimes, and I haven’t yet been able to identify the
>>>>>> trigger or pattern, when users on this server send email to a forward
>>>>>> that contains around 50 or so email addresses (they use it like a
>>>>>> private distribution list) they will get anywhere from 1-10 bounces from
>>>>>> Gmail. Not every email sent to the forward has this happen, and not
>>>>>> even every email from a particular user.
>>>>>>
>>>>>> The outbound spamming caused the server’s reputation to go in the tank
>>>>>> with Google, and if it weren’t for that, I wouldn’t know this was
>>>>>> happening, because they get the bounces from Gmail accounts that
>>>>>> absolutely ARE NOT in the forward or part of the email chain AT ALL.
>>>>>>
>>>>>> I’m kind of freaking out here because while I haven’t found a breach of
>>>>>> the actual server / OS, this feels like someone has been able to inject
>>>>>> something somewhere into my server that I simply can’t find. It is
>>>>>> especially troubling because a user who is not on this domain, but is
>>>>>> part of the group and therefore uses the forward from time to time, sent
>>>>>> something to the forward today and got Gmail bounces.
>>>>>>
>>>>>> I don’t see anything in the send log that shows the server even trying
>>>>>> to send to Gmail, which only adds to the ghost story.
>>>>>>
>>>>>> Any ideas, paths to go down, anything would be greatly appreciated here.
>>>>>> I’m about to just rebuild the whole thing from scratch on a new VM, but
>>>>>> if I’m overlooking something simple don’t want to put the users through
>>>>>> that.
>>>>>>
>>>>>> Thanks in advance.
>>>>>>
>>>>>> Chas
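One way to do the bounce-folder triage the thread discusses, as an added example that is not from the thread or from qmailtoaster: it parses bounce bodies in the format qmail-send writes (an assumption about what the bounce folder holds), tallies the enhanced status codes Gmail returned, and flags bounced recipients that were never in the forward's member list. FORWARD_LIST and the sample bounce are constructed.

```python
import re
from collections import Counter

# Constructed sample bounce in the body format qmail-send writes
# ("<addr>:" line, reason lines, blank line); not taken from the thread.
SAMPLE_BOUNCES = ["""Hi. This is the qmail-send program at mail.example.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<alice@gmail.com>:
142.250.4.27 does not like recipient.
Remote host said: 550-5.7.1 [203.0.113.5] Our system has detected that this message is likely unsolicited mail.
Giving up on 142.250.4.27.

<unknown-user@gmail.com>:
142.250.4.27 does not like recipient.
Remote host said: 550-5.1.1 The email account that you tried to reach does not exist.
Giving up on 142.250.4.27.

--- Below this line is a copy of the message.

Return-Path: <bob@example.net>
"""]

# Hypothetical membership of the forward used as a private distribution list.
FORWARD_LIST = {"alice@gmail.com", "carol@example.org"}

RECIP_RE = re.compile(r"^<([^>]+)>:[ \t]*$", re.M)     # "<addr>:" record header
STATUS_RE = re.compile(r"\b([245]\.\d+\.\d+)\b")       # RFC 3463 enhanced status

def parse_bounce(text):
    """Return (recipient, enhanced-status-code-or-None) pairs from one bounce body."""
    body = text.split("\n--- Below this line", 1)[0]    # drop the copied message
    pairs = []
    for m in RECIP_RE.finditer(body):
        block = body[m.end():].lstrip("\n").split("\n\n", 1)[0]   # reason lines
        said = [l for l in block.splitlines() if l.startswith("Remote host said:")]
        code = STATUS_RE.search(said[0]) if said else None
        pairs.append((m.group(1).lower(), code.group(1) if code else None))
    return pairs

def triage(bounces, forward_list):
    """Tally status codes and flag recipients the forward never contained."""
    codes, unexpected = Counter(), set()
    for text in bounces:
        for rcpt, code in parse_bounce(text):
            codes[code or "unknown"] += 1
            if rcpt not in forward_list:
                unexpected.add(rcpt)
    return {"codes": dict(codes), "unexpected": unexpected}

if __name__ == "__main__":
    print(triage(SAMPLE_BOUNCES, FORWARD_LIST))
```

A 5.1.1 for an address that is not in the forward points at mail addressed outside the list (as Eric describes), while a run of 5.7.1 on known members is the reputation problem.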
