Thanks Eric, I'll make that change.

-----Original Message-----
From: Eric Broch [mailto:[email protected]]
Sent: Monday, August 17, 2020 9:21 AM
To: [email protected]
Subject: Re: [qmailtoaster] Distressing strange behavior

In your .qmail-default file for the domain it's recommended to use 'delete'
instead of 'bounce-no-mailbox'

On 8/17/2020 8:14 AM, Chas Hockenbarger wrote:
> Thanks, Angus. I searched the whole system for a .forward and there aren't
> any on the system I can find.
>
> I'm not seeing anything that is obvious here. I appreciate all the feedback
> and help, there were definitely suggestions made I hadn't chased yet. I'm
> perplexed to say the least. I deleted all the messages from the bounce queue
> and will see if that rectifies the situation or not. I'm watching this
> system like a hawk so hopefully if something that is more 'normal' looking is
> going on I'll be able to catch it.
>
> If I find the culprit I'll absolutely update this thread. If anyone has any
> other ideas, I'd love to hear them as well.
>
> -----Original Message-----
> From: Angus McIntyre [mailto:[email protected]]
> Sent: Monday, August 17, 2020 5:44 AM
> To: [email protected]; Chas Hockenbarger <[email protected]>
> Subject: Re: [qmailtoaster] Distressing strange behavior
>
> Check for a '.forward' file in '/root'?
>
> That could account for the status report going somewhere other than where
> it's supposed to, but might not explain the other issues you're seeing.
>
> Angus
>
> Chas Hockenbarger wrote on 8/16/20 6:09 PM:
>> I just got another piece of information. I got a failure message a
>> few hours ago to the postmaster account for this domain that a message
>> from root to root was not delivered to 5 different Gmail accounts.
>> The email was the cron.daily status report. There is no way that
>> should be going to these Gmail accounts. They are accounts I don’t
>> know and root at this server is supposed to go to postmaster.
>>
>> This just keeps getting weirder.
>>
>> *From:* Eric Broch [mailto:[email protected]]
>> *Sent:* Sunday, August 16, 2020 4:13 PM
>> *To:* [email protected]
>> *Subject:* Re: [qmailtoaster] Distressing strange behavior
>>
>> Yes forwards can be in a .qmail file or in the vpopmail database.
>>
>> So, the bounces occurring presently, what's the originating account?
>>
>> Is there anything in your queue (# qmailctl queue)?
>>
>> On 8/16/2020 2:46 PM, Charles Hockenbarger wrote:
>>
>> As I understand the forwards setup in qmailadmin those are in the
>> database, right?
>>
>> The address that was compromised hasn't sent any email since the
>> password change.
>>
>> I hadn't thought about looking at qmail-inject. I'll dig into
>> watching that part of the process.
>>
>> Get TypeApp for Android <http://www.typeapp.com/r?b=15986>
>>
>> On Aug 16, 2020, at 3:14 PM, Eric Broch <[email protected]
>> <mailto:[email protected]>> wrote:
>>
>> How do you have your forwards set up?
>>
>> Is there any mail in your queue?
>>
>> If someone hacked an account on your server with forwards to
>> gmail accounts they aren't limited to just these forwards, they
>> also have the option in the email client to add gmail accounts
>> in the "To:" field of the email they're sending, thus bounces
>> from gmail accounts that aren't in your forwards file.
>>
>> Also, qmail-inject puts mail in the queue and you'll see it in
>> the send log.
>>
>> On 8/16/2020 10:05 AM, Chas Hockenbarger wrote:
>>
>> I'm hoping someone has encountered this weird behavior or
>> something like it before and can point me down a path,
>> because all my research has turned up nothing so far.
>>
>> I had an email account recently get breached due to a
>> re-used password, and that account was used to send a bunch
>> of spam out from a server I help manage. We changed the
>> password on the account as soon as we found it happening and
>> the outbound flood stopped.
>>
>> Shortly after that, however, I started seeing a very, very
>> strange behavior. Sometimes, and I haven’t yet been able to
>> identify the trigger or pattern, when users on this server
>> send email to a forward that contains around 50 or so email
>> addresses (they use it like a private distribution list)
>> they will get anywhere from 1-10 bounces from Gmail. Not
>> every email sent to the forward has this happen, and not
>> even every email from a particular user.
>>
>> The outbound spamming caused the server’s reputation to go
>> in the tank with Google, and if it weren’t for that, I
>> wouldn’t know this was happening, because they get the
>> bounces from Gmail accounts that absolutely ARE NOT in the
>> forward or part of the email chain AT ALL.
>>
>> I’m kind of freaking out here because while I haven’t found
>> a breach of the actual server / OS, this feels like someone
>> has been able to inject something somewhere into my server
>> that I simply can’t find. It is especially troubling
>> because a user who is not on this domain, but is part of the
>> group and therefore uses the forward from time to time, sent
>> something to the forward today and got Gmail bounces.
>>
>> I don’t see anything in the send log that shows the server
>> even trying to send to Gmail, which only adds to the ghost
>> story.
>>
>> Any ideas, paths to go down, anything would be greatly
>> appreciated here. I’m about to just rebuild the whole thing
>> from scratch on a new VM, but if I’m overlooking something
>> simple don’t want to put the users through that.
>>
>> Thanks in advance.
>>
>> Chas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
