okay, so no other seeming way of forwarding.

On 8/16/2020 7:10 PM, Chas Hockenbarger wrote:

There are only 2 files found.  One is in a user’s directory, and the file contains this line:

<user>/Maildir

The other is in the top of the domain, labeled .qmail-default, which contains

| /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox

*From:* Eric Broch [mailto:[email protected]]
*Sent:* Sunday, August 16, 2020 7:40 PM
*To:* [email protected]
*Subject:* Re: [qmailtoaster] Distressing strange behavior

Do this:

# ls -la /home/vpopmail/domains/'mydomain'/postmaster/

Look for a .qmail file.

In fact, you could do this:

# find /home/vpopmail/domains/ -name ".qmail*"

The .qmail is also a way to forward.

On 8/16/2020 4:49 PM, Chas Hockenbarger wrote:

    So I looked at a few of the files in the bounce folder and every
    one of them is bounces back from Gmail for either bad addresses or
    just the reputation bounce.

    Is there a down side to just blowing those away?

    *From:* Remo Mattei [mailto:[email protected]]
    *Sent:* Sunday, August 16, 2020 5:43 PM
    *To:* [email protected]
    *Subject:* Re: [qmailtoaster] Distressing strange behavior

    BTW, I always use the -L on the qmHandle; it should not change much,
    but my 2 cents.

    Remo

        On Aug 16, 2020, at 3:32 PM, Chas Hockenbarger
        <[email protected]> wrote:

        Yes, I did check those. My first thought was that the server
        had been compromised and someone modified those files to do
        some weird thing.  However,

        .qmail-root has one line &postmaster@<domain>

        .qmail-postmaster has one line &postmaster@<domain>

        .qmail-mailer-daemon has one line &postmaster@<domain>

        I see no other files in that directory.

        One more piece of info I just discovered.  Even though
        qmHandle -l reports 0 messages in either the remote or local
        queue, the bounce queue directory has over 2000 messages in it.

        Could that be a contributing factor here?  I don’t see how
        that would create random emails going to Gmail accounts from
        (seemingly) random other messages, but is it possible
        something is borked up in the queue processing there since
        Gmail is bouncing everything back to me?

        *From:* Remo Mattei [mailto:[email protected]]
        *Sent:* Sunday, August 16, 2020 5:26 PM
        *To:* [email protected]
        *Subject:* Re: [qmailtoaster] Distressing strange behavior

        did you check your qmail aliases?

        cd /var/qmail/alias/

        what do those files say?

            On Aug 16, 2020, at 3:10 PM, Chas Hockenbarger
            <[email protected]> wrote:

            Thanks, Boheme, and yes that’s a problem, but it’s a
            symptom of this problem. Emails are going to Gmail
            accounts when users aren’t sending them.  Legit emails to
            Gmail accounts are definitely getting bounced, too, which
            I have to deal with later.  If I can’t stop this weird
            spamming to them, I can’t recover the reputation.

            *From:* Boheme [mailto:[email protected]]
            *Sent:* Sunday, August 16, 2020 4:59 PM
            *To:* [email protected]
            *Subject:* Re: [qmailtoaster] Distressing strange behavior

            It doesn’t sound like you are being repeatedly hacked. It
            sounds like your reputation dropped with google, and
            certain emails trigger their anti-spam filtering now. Not
            all of them, just some. I have problems with Google
            accepting email regularly sometimes, and dropping other
            emails into people’s spam folders, as a result of too many
            of my users forwarding email to google and those forwards
            passing along a lot of spam to their addresses on my server.

            -Sent from my Pip-Boy 3000

                On 17/08/2020, at 8:46 AM, Charles Hockenbarger
                <[email protected]> wrote:

                As I understand it, the forwards set up in qmailadmin
                are in the database, right?

                The address that was compromised hasn't sent any email
                since the password change.

                I hadn't thought about looking at qmail-inject. I'll
                dig into watching that part of the process.


                On Aug 16, 2020, at 3:14 PM, Eric Broch
                <[email protected]> wrote:

                    How do you have your forwards set up?

                    Is there any mail in your queue?

                    If someone hacked an account on your server with
                    forwards to gmail accounts they aren't limited to
                    just these forwards, they also have the option in
                    the email client to add gmail accounts in the
                    "To:" field of the email they're sending, thus
                    bounces from gmail accounts that aren't in your
                    forwards file.

                    Also, qmail-inject puts mail in the queue and
                    you'll see it in the send log.

                    On 8/16/2020 10:05 AM, Chas Hockenbarger wrote:

                        I'm hoping someone has encountered this weird
                        behavior or something like it before and can
                        point me down a path, because all my research
                        has turned up nothing so far.

                        I had an email account recently get breached
                        due to a re-used password, and that account
                        was used to send a bunch of spam out from a
                        server I help manage.  We changed the password
                        on the account as soon as we found it
                        happening and the outbound flood stopped.

                        Shortly after that, however, I started seeing
                        a very, very strange behavior. Sometimes, and
                        I haven’t yet been able to identify the
                        trigger or pattern, when users on this server
                        send email to a forward that contains around
                        50 or so email addresses (they use it like a
                        private distribution list) they will get
                        anywhere from 1-10 bounces from Gmail.  Not
                        every email sent to the forward has this
                        happen, and not even every email from a
                        particular user.

                        The outbound spamming caused the server’s
                        reputation to go in the tank with Google, and
                        if it weren’t for that, I wouldn’t know this
                        was happening, because they get the bounces
                        from Gmail accounts that absolutely ARE NOT in
                        the forward or part of the email chain AT ALL.

                        I’m kind of freaking out here because while I
                        haven’t found a breach of the actual server /
                        OS, this feels like someone has been able to
                        inject something somewhere into my server that
                        I simply can’t find.  It is especially
                        troubling because a user who is not on this
                        domain, but is part of the group and therefore
                        uses the forward from time to time, sent
                        something to the forward today and got Gmail
                        bounces.

                        I don’t see anything in the send log that
                        shows the server even trying to send to Gmail,
                        which only adds to the ghost story.

                        Any ideas, paths to go down, anything would be
                        greatly appreciated here.  I'm about to just
                        rebuild the whole thing from scratch on a new
                        VM, but if I'm overlooking something simple I
                        don't want to put the users through that.

                        Thanks in advance.

                        Chas

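The thread checks three separate places a forward can hide after a mailbox compromise: the system aliases in /var/qmail/alias, the per-domain and per-user .qmail files that Eric's find command walks, and the qmailadmin forwards that live in vpopmail's database rather than in any file. The script below is an added example, written for this page and not taken from the list or from the qmailtoaster project, that covers the first two in one pass: it walks every .qmail* file under a root, classifies each line by the dot-qmail(5) instruction it is (forward, pipe, local delivery, comment), and counts the forwards whose target is not the domain being audited, since those are the ones that send mail off the box without a user's client ever being involved. It assumes a standard qmailtoaster layout and the dot-qmail syntax as documented; the directory tree and file contents it runs on at the bottom are constructed for the demo, not real data.

```shell
#!/bin/sh
# Added example, not part of the qmailtoaster thread: enumerate the
# forwarding hooks qmail honours outside the password database, so a box
# whose mailbox was hijacked can be checked for injected forwards.
#
# Assumed (my assumption, not stated in the thread): a standard
# qmailtoaster layout with system aliases in /var/qmail/alias/.qmail-* and
# vpopmail domains under /home/vpopmail/domains/<domain>/, and dot-qmail
# instruction syntax:
#   &user@host  or  user@host   forward to that address
#   |program                    pipe the message to a program
#   /abs/path   ./rel/path/     deliver to an mbox or Maildir
#   #text                       comment
# Forwards created in qmailadmin live in vpopmail's valias table, not in
# these files; see the note after the block.

# classify_line LINE: print the dot-qmail instruction type of one line.
classify_line() {
    case "$1" in
        ''|'#'*)           echo comment ;;
        '&'*)              echo forward ;;
        '|'*)              echo pipe ;;
        '/'*|'./'*|'../'*) echo deliver ;;
        [A-Za-z0-9]*)      echo forward ;;   # bare address is also a forward
        *)                 echo other ;;
    esac
}

# forward_target LINE: the address of a forward line, without '&' or blanks.
forward_target() {
    printf '%s\n' "$1" | sed -e 's/^[[:space:]]*&//' \
                             -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# list_hooks ROOT: print "file<TAB>type<TAB>instruction" for every forward
# or pipe in any .qmail* file below ROOT. Delivery lines and comments are
# the expected content of these files and are skipped.
list_hooks() {
    find "$1" -name '.qmail*' -type f | sort | while IFS= read -r f; do
        while IFS= read -r line || [ -n "$line" ]; do
            t=$(classify_line "$line")
            case "$t" in
                forward) printf '%s\tforward\t%s\n' "$f" "$(forward_target "$line")" ;;
                pipe)    printf '%s\tpipe\t%s\n' "$f" "$line" ;;
            esac
        done < "$f"
    done
}

# count_external_forwards ROOT DOMAIN: number of forward instructions whose
# target is not @DOMAIN (case-insensitive), i.e. mail that leaves the box
# because of a file rather than because a user addressed it.
count_external_forwards() {
    list_hooks "$1" | awk -F '\t' -v dom="$2" '
        $2 == "forward" {
            n = split($3, parts, "@")
            if (n < 2 || tolower(parts[n]) != tolower(dom)) c++
        }
        END { print c + 0 }'
}

# count_pipes ROOT: number of pipe instructions. Each one runs a program for
# every message delivered through that file, so every pipe deserves a look.
count_pipes() {
    list_hooks "$1" | awk -F '\t' '$2 == "pipe" { c++ } END { print c + 0 }'
}

# --- demo on a constructed fixture (not real data) ------------------------
demo_root=$(mktemp -d)
mkdir -p "$demo_root/alias" "$demo_root/domains/example.com/postmaster" \
         "$demo_root/domains/example.com/alice"
printf '&postmaster@example.com\n' > "$demo_root/alias/.qmail-root"
printf '| /home/vpopmail/bin/vdelivermail '"''"' bounce-no-mailbox\n' \
    > "$demo_root/domains/example.com/.qmail-default"
printf './Maildir/\n' > "$demo_root/domains/example.com/alice/.qmail"
# an injected forward of the kind the thread is hunting for
printf '# keep\n./Maildir/\n&dropbox.for.spam@gmail.com\nbob@example.org\n' \
    > "$demo_root/domains/example.com/postmaster/.qmail"

list_hooks "$demo_root"
echo "external forwards: $(count_external_forwards "$demo_root" example.com)"
echo "pipe instructions: $(count_pipes "$demo_root")"
rm -rf "$demo_root"
```

On a live box, run list_hooks once against /var/qmail/alias and once against /home/vpopmail/domains; on a clean qmailtoaster install the only pipes you expect are the vdelivermail lines in each domain's .qmail-default, and the only forwards are the postmaster aliases the thread already shows. Any forward pointing off-domain, or any pipe invoking something other than vdelivermail, needs to be explained, and comparing the file's mtime against the date the password was changed narrows the search further. The forwards held in the database are not visible to this script at all; vpopmail's own valias tool lists them (its -s option selects aliases for an address or domain, which is my recollection of the usage and worth confirming against the tool's own usage text), and those need the same off-domain review.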