RE: [qmailtoaster] Distressing strange behavior

2020-08-17 Thread Chas Hockenbarger
Thanks Eric, I'll make that change.


Re: [qmailtoaster] ClamAV Upgrade

2020-08-17 Thread Eric Broch

Hi Jeff,

I believe that the qmt version of ClamAV is redundant like Spamassassin. 
Why should what already exists be maintained?


Anyway, here's a link to switch from qmt version to epel version:

https://www.qmailtoaster.org/qttoepelclam.html

Be mindful if you use ramdisk for simscan:

https://www.qmailtoaster.org/simscanramdisk.html

Eric



[qmailtoaster] ClamAV Upgrade

2020-08-17 Thread Jeff Koch

Hi List:

I see in our logs that

WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.101.1 Recommended version: 0.102.4

We're using QMT7. What's the recommended procedure for upgrading ClamAV

Thanks, Jeff


Re: [qmailtoaster] Distressing strange behavior

2020-08-17 Thread Eric Broch
In your .qmail-default file for the domain it's recommended to use 
'delete' instead of 'bounce-no-mailbox'




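The three checks this thread circles around (Angus's ".forward in /root", Eric's "forwards can be in a .qmail file or in the vpopmail database", and Eric's "delete" instead of "bounce-no-mailbox") can be scripted. The script below is an added example, not code from the thread or from the qmailtoaster project. It walks a directory tree and reports every dot-qmail forward that points at a domain the host does not accept mail for, every program delivery other than vdelivermail, every .qmail-default whose vdelivermail catch-all is still bounce-no-mailbox, and any sendmail-style .forward it finds. The paths, the rcpthosts file and the sample tree are assumptions for illustration. Database-backed aliases are not files and will not show up in any file scan; vpopmail's valias -s <domain> lists those. The reason the catch-all matters: with bounce-no-mailbox, vdelivermail generates a bounce for every message to a non-existent address in the domain, so spam sent with forged senders to guessed addresses turns into backscatter to third parties and fills the bounce queue; delete discards such mail instead.

```sh
# Added example (not from the thread or the qmailtoaster project): audit a
# qmail/vpopmail tree for delivery instructions that send mail somewhere
# unexpected, including the .qmail-default bounce policy.
# Assumed layout (qmailtoaster defaults; adjust to taste):
#   /home/vpopmail/domains/<domain>/.qmail-*   vpopmail per-domain files
#   /root/.forward, ~/.qmail                   system-user forwards
#   /var/qmail/control/rcpthosts               domains this host accepts

# audit_delivery ROOT RCPTHOSTS
# Prints one finding per line: KIND<TAB>FILE<TAB>DETAIL, where KIND is
#   EXTERNAL_FORWARD  a forward to a domain not listed in RCPTHOSTS
#   PIPE              a program delivery other than vdelivermail
#   DEFAULT_BOUNCES   vdelivermail's catch-all is 'bounce-no-mailbox'
#   FORWARD_FILE      a sendmail-style .forward (stock qmail ignores these
#                     unless the dot-forward add-on is installed, but one in
#                     /root shows someone meant to redirect root's mail)
audit_delivery() {
    root=$1
    rcpthosts=$2
    find "$root" \( -name '.qmail*' -o -name '.forward' \) -type f 2>/dev/null |
    sort |
    while IFS= read -r f; do
        case $f in
            */.forward)
                printf 'FORWARD_FILE\t%s\t%s\n' "$f" "$(tr '\n' ' ' < "$f")"
                continue ;;
        esac
        while IFS= read -r line; do
            case $line in
                ''|'#'*) ;;                        # blank or comment
                '|'*vdelivermail*bounce-no-mailbox*)
                    printf 'DEFAULT_BOUNCES\t%s\t%s\n' "$f" "$line" ;;
                '|'*vdelivermail*) ;;              # delete / address / Maildir
                '|'*)
                    printf 'PIPE\t%s\t%s\n' "$f" "$line" ;;
                '&'*@*|*@*)
                    addr=${line#&}
                    dom=${addr##*@}
                    # Only flag forwards that leave the domains we host.
                    grep -qxF "$dom" "$rcpthosts" ||
                        printf 'EXTERNAL_FORWARD\t%s\t%s\n' "$f" "$addr" ;;
            esac
        done < "$f"
    done
}

# Constructed sample tree (not data from a real server) so the audit runs
# offline: a bounce-no-mailbox catch-all, a distribution-list forward that
# stays local, a per-user forward off-site, and a stray /root/.forward.
make_sample_tree() {
    d=$1
    mkdir -p "$d/domains/example.com" "$d/root" "$d/control"
    printf '%s\n' "| /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox" \
        > "$d/domains/example.com/.qmail-default"
    printf '%s\n' '&alice@example.com' '&bob@example.com' \
        > "$d/domains/example.com/.qmail-team"
    printf '%s\n' '&carol@outside.example' \
        > "$d/domains/example.com/.qmail-carol"
    printf '%s\n' 'postmaster@example.com' 'unknown@outside.example' \
        > "$d/root/.forward"
    printf '%s\n' 'example.com' > "$d/control/rcpthosts"
}

# Demo run on the constructed tree.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
audit_delivery "$tmp" "$tmp/control/rcpthosts"
rm -rf "$tmp"
```

On a live box run it as audit_delivery /home/vpopmail/domains /var/qmail/control/rcpthosts, and again with /root and /home as the root to catch system users' files. Mail for root under qmail is routed by /var/qmail/alias/.qmail-root (and, on a vpopmail host, by the .qmail-root of the domain matching the hostname), so those two files are the ones to read when a root cron report ends up somewhere unexpected.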
RE: [qmailtoaster] Distressing strange behavior

2020-08-17 Thread Chas Hockenbarger
Thanks, Angus.  I searched the whole system for a .forward and there aren't any 
on the system I can find.

I'm not seeing anything that is obvious here.  I appreciate all the feedback 
and help, there were definitely suggestions made I hadn't chased yet.  I'm 
perplexed to say the least.  I deleted all the messages from the bounce queue 
and will see if that rectifies the situation or not.  I'm watching this system 
like a hawk so hopefully if something that is more 'normal' looking is going on 
I'll be able to catch it.

If I find the culprit I'll absolutely update this thread.  If anyone has any 
other ideas, I'd love to hear them as well.


Re: [qmailtoaster] Distressing strange behavior

2020-08-17 Thread Angus McIntyre

Check for a '.forward' file in '/root'?

That could account for the status report going somewhere other than 
where it's supposed to, but might not explain the other issues you're 
seeing.


Angus



Chas Hockenbarger wrote on 8/16/20 6:09 PM:
I just got another piece of information.  I got a failure message a few 
hours ago to the postmaster account for this domain that a message from 
root to root was not delivered to 5 different Gmail accounts.  The email 
was the cron.daily status report.  There is no way that should be going 
to these Gmail accounts.  They are accounts I don’t know and root at 
this server is supposed to go to postmaster.


This just keeps getting weirder.

*From:* Eric Broch [mailto:ebr...@whitehorsetc.com]
*Sent:* Sunday, August 16, 2020 4:13 PM
*To:* qmailtoaster-list@qmailtoaster.com
*Subject:* Re: [qmailtoaster] Distressing strange behavior

Yes forwards can be in a .qmail file or in the vpopmail database.

So, the bounces occurring presently, what's the originating account?

Is there anything in your queue (# qmailctl queue)?

On 8/16/2020 2:46 PM, Charles Hockenbarger wrote:

As I understand the forwards setup in qmailadmin those are in the
database, right?

The address that was compromised hasn't sent any email since the
password change.

I hadn't thought about looking at qmail-inject. I'll dig into
watching that part of the process.

Get TypeApp for Android 

On Aug 16, 2020, at 3:14 PM, Eric Broch <ebr...@whitehorsetc.com> wrote:

How do you have your forwards set up?

Is there any mail in your queue?

If someone hacked an account on your server with forwards to
gmail accounts they aren't limited to just these forwards, they
also have the option in the email client to add gmail accounts
in the "To:" field of the email they're sending, thus bounces
from gmail accounts that aren't in your forwards file.

Also, qmail-inject puts mail in the queue and you'll see it in
the send log.

On 8/16/2020 10:05 AM, Chas Hockenbarger wrote:

I'm hoping someone has encountered this weird behavior or
something like it before and can point me down a path,
because all my research has turned up nothing so far.

I had an email account recently get breached due to a
re-used password, and that account was used to send a bunch
of spam out from a server I help manage.  We changed the
password on the account as soon as we found it happening and
the outbound flood stopped.

Shortly after that, however, I started seeing a very, very
strange behavior.  Sometimes, and I haven’t yet been able to
identify the trigger or pattern, when users on this server
send email to a forward that contains around 50 or so email
addresses (they use it like a private distribution list)
they will get anywhere from 1-10 bounces from Gmail.  Not
every email sent to the forward has this happen, and not
even every email from a particular user.

The outbound spamming caused the server’s reputation to go
in the tank with Google, and if it weren’t for that, I
wouldn’t know this was happening, because they get the
bounces from Gmail accounts that absolutely ARE NOT in the
forward or part of the email chain AT ALL.

I’m kind of freaking out here because while I haven’t found
a breach of the actual server / OS, this feels like someone
has been able to inject something somewhere into my server
that I simply can’t find.  It is especially troubling
because a user who is not on this domain, but is part of the
group and therefore uses the forward from time to time, sent
something to the forward today and got Gmail bounces.

I don’t see anything in the send log that shows the server
even trying to send to Gmail, which only adds to the ghost
story.

Any ideas, paths to go down, anything would be greatly
appreciated here.  I’m about to just rebuild the whole thing
from scratch on a new VM, but if I’m overlooking something
simple don’t want to put the users through that.

Thanks in advance.

Chas
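
Eric's point that mail put in the queue by qmail-inject shows up in the send log, and Chas's observation that the send log shows no attempt to reach Gmail, both hinge on reading /var/log/qmail/send/current line by line: each message's "info msg" line carries the envelope sender and the uid of the process that injected it, each "starting delivery" line ties a recipient to that message id, and each "delivery N:" line gives the result. The awk below is an added example, not code from the thread or from the qmailtoaster project. It joins those lines and prints, per finished remote delivery, the injecting uid, sender, recipient and result, so a cron report leaving as uid 0 to an address outside the domain stands out. The log excerpt is constructed, and the uid meanings (0 for root, 89 for the vpopmail user on a qmailtoaster build) are assumptions for the illustration.

```sh
# Added example (not from the thread): correlate qmail-send log lines so that
# every remote delivery is reported with the envelope sender and the uid of
# the process that injected the message.  The line shapes parsed here are
# qmail-send's own ("info msg", "starting delivery", "delivery N: result"),
# each prefixed with a multilog tai64n timestamp as in
# /var/log/qmail/send/current.  Uid meanings are assumptions: 0 = root
# (e.g. a cron report), 89 = the vpopmail user on a qmailtoaster build.

# report_remote_deliveries [LOGFILE...]   (reads stdin when no file is given)
# One line per finished remote delivery:
#   uid=<injecting uid> from=<envelope sender> to=<recipient> result=<success|failure|deferral>
report_remote_deliveries() {
    awk '
    # info msg 3153: bytes 2048 from <root@mail.example.com> qp 4910 uid 0
    $2 == "info" && $3 == "msg" {
        id = $4; sub(/:$/, "", id)
        sender[id] = $8; uid[id] = $12
        next
    }
    # starting delivery 77: msg 3153 to remote unknown@outside.example
    $2 == "starting" && $3 == "delivery" && $8 == "remote" {
        d = $4; sub(/:$/, "", d)
        dmsg[d] = $6; rcpt[d] = $9
        next
    }
    # delivery 77: failure: <what the remote host said>  (or success: / deferral:)
    $2 == "delivery" {
        d = $3; sub(/:$/, "", d)
        if (d in dmsg) {
            m = dmsg[d]; r = $4; sub(/:$/, "", r)
            printf "uid=%s from=%s to=%s result=%s\n", uid[m], sender[m], rcpt[d], r
            delete dmsg[d]
        }
    }' "$@"
}

# Constructed log excerpt (not a real capture).  Message 3153 is a cron
# report injected by root that, like the one in the thread, also went to an
# address outside the domain; message 3154 is an ordinary user submission.
sample_send_log() {
    cat <<'EOF'
@4000000052f0f1ee0d7d4a34 new msg 3153
@4000000052f0f1ee0d7d4a35 info msg 3153: bytes 2048 from <root@mail.example.com> qp 4910 uid 0
@4000000052f0f1ee0d7d4a36 starting delivery 77: msg 3153 to remote unknown@outside.example
@4000000052f0f1ee0d7d4a37 starting delivery 78: msg 3153 to local postmaster@example.com
@4000000052f0f1ee0d7d4a38 delivery 78: success: did_0+0+1/
@4000000052f0f1ee0d7d4a39 delivery 77: failure: 192.0.2.10_failed_after_I_sent_the_message./Remote_host_said:_550-5.1.1_The_email_account_that_you_tried_to_reach_does_not_exist./
@4000000052f0f1ee0d7d4a3a end msg 3153
@4000000052f0f1ee0d7d4a3b new msg 3154
@4000000052f0f1ee0d7d4a3c info msg 3154: bytes 987 from <alice@example.com> qp 4921 uid 89
@4000000052f0f1ee0d7d4a3d starting delivery 79: msg 3154 to remote friend@outside.example
@4000000052f0f1ee0d7d4a3e delivery 79: success: 192.0.2.20_accepted_message./Remote_host_said:_250_2.0.0_OK/
@4000000052f0f1ee0d7d4a3f end msg 3154
EOF
}

# Demo run on the constructed excerpt.
sample_send_log | report_remote_deliveries
```

Against a live box: report_remote_deliveries /var/log/qmail/send/current /var/log/qmail/send/@*.s | grep -i gmail (the @*.s files are multilog's rotated logs; older rotations may already have been discarded). A recipient that never appears in any "starting delivery" line was never attempted by this host's qmail-send, so a bounce for that recipient did not come from a delivery this server made.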



-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com