In your .qmail-default file for the domain, it's recommended to use 'delete' instead of 'bounce-no-mailbox'.

On 8/17/2020 8:14 AM, Chas Hockenbarger wrote:
Thanks, Angus.  I searched the whole system for a .forward and there aren't any 
on the system I can find.

I'm not seeing anything that is obvious here.  I appreciate all the feedback 
and help, there were definitely suggestions made I hadn't chased yet.  I'm 
perplexed to say the least.  I deleted all the messages from the bounce queue 
and will see if that rectifies the situation or not.  I'm watching this system 
like a hawk so hopefully if something that is more 'normal' looking is going on 
I'll be able to catch it.

If I find the culprit I'll absolutely update this thread.  If anyone has any 
other ideas, I'd love to hear them as well.

-----Original Message-----
From: Angus McIntyre [mailto:[email protected]]
Sent: Monday, August 17, 2020 5:44 AM
To: [email protected]; Chas Hockenbarger <[email protected]>
Subject: Re: [qmailtoaster] Distressing strange behavior

Check for a '.forward' file in '/root'?

That could account for the status report going somewhere other than where it's 
supposed to, but might not explain the other issues you're seeing.

Angus



Chas Hockenbarger wrote on 8/16/20 6:09 PM:
I just got another piece of information.  I got a failure message a
few hours ago to the postmaster account for this domain that a message
from root to root was not delivered to 5 different Gmail accounts.
The email was the cron.daily status report.  There is no way that
should be going to these Gmail accounts.  They are accounts I don’t
know and root at this server is supposed to go to postmaster.

This just keeps getting weirder.

*From:* Eric Broch [mailto:[email protected]]
*Sent:* Sunday, August 16, 2020 4:13 PM
*To:* [email protected]
*Subject:* Re: [qmailtoaster] Distressing strange behavior

Yes, forwards can be in a .qmail file or in the vpopmail database.

So, the bounces occurring presently, what's the originating account?

Is there anything in your queue (# qmailctl queue)?

On 8/16/2020 2:46 PM, Charles Hockenbarger wrote:

     As I understand the forwards setup in qmailadmin those are in the
     database, right?

     The address that was compromised hasn't sent any email since the
     password change.

     I hadn't thought about looking at qmail-inject. I'll dig into
     watching that part of the process.


     On Aug 16, 2020, at 3:14 PM, Eric Broch <[email protected]
     <mailto:[email protected]>> wrote:

         How do you have your forwards set up?

         Is there any mail in your queue?

         If someone hacked an account on your server with forwards to
         gmail accounts, they aren't limited to just these forwards; they
         also have the option in the email client to add gmail accounts
         in the "To:" field of the email they're sending, hence bounces
         from gmail accounts that aren't in your forwards file.

         Also, qmail-inject puts mail in the queue and you'll see it in
         the send log.

         On 8/16/2020 10:05 AM, Chas Hockenbarger wrote:

             I'm hoping someone has encountered this weird behavior or
             something like it before and can point me down a path,
             because all my research has turned up nothing so far.

             I had an email account recently get breached due to a
             re-used password, and that account was used to send a bunch
             of spam out from a server I help manage.  We changed the
             password on the account as soon as we found it happening and
             the outbound flood stopped.

             Shortly after that, however, I started seeing a very, very
             strange behavior.  Sometimes, and I haven’t yet been able to
             identify the trigger or pattern, when users on this server
             send email to a forward that contains around 50 or so email
             addresses (they use it like a private distribution list)
             they will get anywhere from 1-10 bounces from Gmail.  Not
             every email sent to the forward has this happen, and not
             even every email from a particular user.

             The outbound spamming caused the server’s reputation to go
             in the tank with Google, and if it weren’t for that, I
             wouldn’t know this was happening, because they get the
             bounces from Gmail accounts that absolutely ARE NOT in the
             forward or part of the email chain AT ALL.

             I’m kind of freaking out here because while I haven’t found
             a breach of the actual server / OS, this feels like someone
             has been able to inject something somewhere into my server
             that I simply can’t find.  It is especially troubling
             because a user who is not on this domain, but is part of the
             group and therefore uses the forward from time to time, sent
             something to the forward today and got Gmail bounces.

             I don’t see anything in the send log that shows the server
             even trying to send to Gmail, which only adds to the ghost
             story.

             Any ideas, paths to go down, anything would be greatly
             appreciated here.  I’m about to just rebuild the whole thing
             from scratch on a new VM, but if I’m overlooking something
             simple don’t want to put the users through that.

             Thanks in advance.

             Chas

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
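As an added example for this thread (it is not code from any of the posters, nor a qmailtoaster tool), here is a small POSIX shell audit that does by script what the thread circles around by hand: list every forwarding target in a vpopmail domain's .qmail files, report whether .qmail-default still answers unknown recipients with bounce-no-mailbox instead of delete, and show which of the root-delivery files (/var/qmail/alias/.qmail-root, the /root/.forward Angus asked about) exist. The /home/vpopmail/domains/<domain> layout and file names are assumptions based on a stock install; the block runs here against a constructed sample directory, not live data.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster or from qmailtoaster.
# Audits where mail for one vpopmail domain actually goes. Paths follow a stock
# vpopmail layout (/home/vpopmail/domains/<domain>/.qmail-*), which is an
# assumption; pass your own domain directory.

# list_forwards DIR
# Prints "file<TAB>target" for every forwarding line in DIR/.qmail*.
# dot-qmail forwards are "&address" (a bare address line is also accepted);
# lines starting with '#', '|', '/' or '.' are comments, programs, mboxes
# or maildirs and are skipped.
list_forwards() {
    _dir=$1
    for _f in "$_dir"/.qmail*; do
        [ -f "$_f" ] || continue
        _name=${_f##*/}
        while IFS= read -r _line || [ -n "$_line" ]; do
            case $_line in
                ''|'#'*|'|'*|'/'*|'.'*) continue ;;
                '&'*) _target=${_line#&} ;;
                *) _target=$_line ;;
            esac
            case $_target in
                *@*) printf '%s\t%s\n' "$_name" "$_target" ;;
            esac
        done < "$_f"
    done
}

# default_policy DIR
# Reports how DIR/.qmail-default handles mail to addresses that do not exist:
# "bounce-no-mailbox" sends a bounce to the claimed sender, which for spam
# with a forged From is backscatter; "delete" drops it silently.
default_policy() {
    _f=$1/.qmail-default
    [ -f "$_f" ] || { echo missing; return 0; }
    if grep -q 'bounce-no-mailbox' "$_f"; then
        echo bounce-no-mailbox
    elif grep -qw 'delete' "$_f"; then
        echo delete
    else
        echo other
    fi
}

# root_mail_hints PREFIX
# Shows which of the files that decide where root's mail lands exist under
# PREFIX ("" for the live system). /var/qmail/alias/.qmail-root is where
# stock qmail routes mail for root; /root/.forward is the file suggested in
# the thread (only honored if a dot-forward style wrapper is in use).
root_mail_hints() {
    for _p in /var/qmail/alias/.qmail-root /root/.forward; do
        [ -e "$1$_p" ] && printf 'present: %s\n' "$1$_p"
    done
    return 0
}

# build_sample DIR
# Constructed sample data (not from a real server) so the audit runs offline.
# .qmail-team stands in for the ~50-address "private distribution list".
build_sample() {
    mkdir -p "$1"
    printf "| /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox\n" > "$1/.qmail-default"
    printf '# private distribution list\n&alice@example.org\n&bob@example.net\ncarol@example.com\n' > "$1/.qmail-team"
    printf './Maildir/\n' > "$1/.qmail-postmaster"
}

# audit_domain DIR
audit_domain() {
    echo "== forwards in $1"
    list_forwards "$1"
    echo "== policy for unknown recipients: $(default_policy "$1")"
}

# Stand-alone run against the constructed sample tree.
_demo=$(mktemp -d)
build_sample "$_demo/example.com"
audit_domain "$_demo/example.com"
root_mail_hints "$_demo"
rm -rf "$_demo"
```

On a real box, point it at the domain directory (list_forwards /home/vpopmail/domains/example.com) and at the live root (root_mail_hints ""). Forwards kept in the vpopmail database rather than in .qmail files, which Eric mentions above, are not in these files at all and have to be listed with valias for the domain.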