Thanks, Angus. I searched the whole system for a .forward and there aren't any on the system I can find.
I'm not seeing anything that is obvious here. I appreciate all the feedback and help, there were definitely suggestions made I hadn't chased yet. I'm perplexed to say the least. I deleted all the messages from the bounce queue and will see if that rectifies the situation or not. I'm watching this system like a hawk so hopefully if something that is more 'normal' looking is going on I'll be able to catch it. If I find the culprit I'll absolutely update this thread. If anyone has any other ideas, I'd love to hear them as well.

-----Original Message-----
From: Angus McIntyre [mailto:an...@pobox.com]
Sent: Monday, August 17, 2020 5:44 AM
To: qmailtoaster-list@qmailtoaster.com; Chas Hockenbarger <chash...@gmail.com>
Subject: Re: [qmailtoaster] Distressing strange behavior

Check for a '.forward' file in '/root'? That could account for the status report going somewhere other than where it's supposed to, but might not explain the other issues you're seeing.

Angus

Chas Hockenbarger wrote on 8/16/20 6:09 PM:
> I just got another piece of information. I got a failure message a few hours ago to the postmaster account for this domain that a message from root to root was not delivered to 5 different Gmail accounts. The email was the cron.daily status report. There is no way that should be going to these Gmail accounts. They are accounts I don’t know and root at this server is supposed to go to postmaster.
>
> This just keeps getting weirder.
>
> *From:* Eric Broch [mailto:ebr...@whitehorsetc.com]
> *Sent:* Sunday, August 16, 2020 4:13 PM
> *To:* qmailtoaster-list@qmailtoaster.com
> *Subject:* Re: [qmailtoaster] Distressing strange behavior
>
> Yes forwards can be in a .qmail file or in the vpopmail database.
>
> So, the bounces occurring presently, what's the originating account?
>
> Is there anything in your queue (# qmailctl queue)?
>
> > On 8/16/2020 2:46 PM, Charles Hockenbarger wrote:
> > As I understand the forwards setup in qmailadmin those are in the database, right?
> >
> > The address that was compromised hasn't sent any email since the password change.
> >
> > I hadn't thought about looking at qmail-inject. I'll dig into watching that part of the process.
> >
> > > On Aug 16, 2020, at 3:14 PM, Eric Broch <ebr...@whitehorsetc.com> wrote:
> > > How do you have your forwards set up?
> > >
> > > Is there any mail in your queue?
> > >
> > > If someone hacked an account on your server with forwards to gmail accounts they aren't limited to just these forwards, they also have the option in the email client to add gmail accounts in the "To:" field of the email they're sending, thus bounces from gmail accounts that aren't in your forwards file.
> > >
> > > Also, qmail-inject puts mail in the queue and you'll see it in the send log.
> > >
> > > > On 8/16/2020 10:05 AM, Chas Hockenbarger wrote:
> > > > I'm hoping someone has encountered this weird behavior or something like it before and can point me down a path, because all my research has turned up nothing so far.
> > > >
> > > > I had an email account recently get breached due to a re-used password, and that account was used to send a bunch of spam out from a server I help manage. We changed the password on the account as soon as we found it happening and the outbound flood stopped.
> > > >
> > > > Shortly after that, however, I started seeing a very, very strange behavior. Sometimes, and I haven’t yet been able to identify the trigger or pattern, when users on this server send email to a forward that contains around 50 or so email addresses (they use it like a private distribution list) they will get anywhere from 1-10 bounces from Gmail. Not every email sent to the forward has this happen, and not even every email from a particular user.
> > > >
> > > > The outbound spamming caused the server’s reputation to go in the tank with Google, and if it weren’t for that, I wouldn’t know this was happening, because they get the bounces from Gmail accounts that absolutely ARE NOT in the forward or part of the email chain AT ALL.
> > > >
> > > > I’m kind of freaking out here because while I haven’t found a breach of the actual server / OS, this feels like someone has been able to inject something somewhere into my server that I simply can’t find. It is especially troubling because a user who is not on this domain, but is part of the group and therefore uses the forward from time to time, sent something to the forward today and got Gmail bounces.
> > > >
> > > > I don’t see anything in the send log that shows the server even trying to send to Gmail, which only adds to the ghost story.
> > > >
> > > > Any ideas, paths to go down, anything would be greatly appreciated here. I’m about to just rebuild the whole thing from scratch on a new VM, but if I’m overlooking something simple I don’t want to put the users through that.
> > > >
> > > > Thanks in advance.
> > > >
> > > > Chas

---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
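The two forward locations the thread names on the filesystem (a .qmail file, and a .forward in /root) can be audited in one pass. The script below is an added example, not from the list thread or the qmailtoaster project: it lists every forwarding entry in the given .qmail/.forward files and flags destinations outside the domains you expect. The /home/vpopmail/domains layout is an assumption, and the sample files and addresses are constructed in a temp dir.

```shell
#!/bin/sh
# Audit forwarding entries in qmail .qmail and ~/.forward files and flag any
# destination outside the domains you expect. Sample files are constructed
# in a temp dir; the /home/vpopmail/domains layout is an assumption.

# list_forwards FILE... -> "FILE<TAB>ADDRESS" per forwarding entry.
# In .qmail a line starting with '&' forwards; qmail-local also treats a line
# starting with a letter or digit as a forward. Lines starting with '|'
# (program), '/' or '.' (mailbox) and '#' (comment) are not forwards.
# ~/.forward holds plain addresses, possibly comma-separated, so split on ','.
list_forwards() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v file="$f" '{
            n = split($0, p, ",")
            for (i = 1; i <= n; i++) {
                a = p[i]; gsub(/^[ \t]+|[ \t]+$/, "", a)
                if (a ~ /^&?[A-Za-z0-9][^ \t]*@[^ \t]+$/) {
                    sub(/^&/, "", a); print file "\t" a
                }
            }
        }' "$f"
    done
}

# flag_external DOMAIN_REGEX FILE... -> forwards whose destination domain
# does not match DOMAIN_REGEX (anchor it, e.g. '^(example[.]com)$').
flag_external() {
    ok="$1"; shift
    list_forwards "$@" | awk -F'\t' -v ok="$ok" '{
        d = $2; sub(/^.*@/, "", d)
        if (tolower(d) !~ ok) print
    }'
}

# Constructed sample: a small distribution-list forward, a .qmail-default that
# delivers via vdelivermail, and a root-style .forward going off-site.
audit_sample() {
    dir=$(mktemp -d) || return 1
    printf '&alice@example.com\n&bob@example.com\n&unexpected1@gmail.com\n' \
        > "$dir/.qmail-group"
    printf '| /home/vpopmail/bin/vdelivermail '"''"' bounce-no-mailbox\n' \
        > "$dir/.qmail-default"
    printf 'postmaster@example.com, unexpected2@gmail.com\n' > "$dir/.forward"
    flag_external '^example[.]com$' "$dir"/.qmail-* "$dir/.forward" | cut -f2
    rm -rf "$dir"
}

audit_sample
```

On a live server pass the real files instead, for example `/home/vpopmail/domains/*/.qmail-*`, `/root/.forward` and `/home/*/.forward`; forwards kept in the vpopmail database, which the thread also mentions, are not in these files and need a separate check.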