
Qmail Bounces

StvnT

New Pleskian
I'm having a hard time with some system bounces. Any help is deeply appreciated.

An email account was recently compromised and was sending spam in bulk. We found the issue and account after a few hours and got it resolved. The queue (80,000+) has been cleared and things seem to be back to normal. However, the Plesk administrator email (let's call it [email protected]) is getting strange bounces from unrelated emails for legitimate email. For example, in the bounce message below, a conversation between [email protected] and [email protected] invokes a bounce from [email protected] who is not a part of the conversation at all and is not referenced as a recipient in the original message at all. The message delivers to the recipient without issue but the sender is getting this bounce back... The sample below is an actual bounce, I've just anonymized the email addresses.

It seems like qmail (?) is mixing bounce messages with legitimate email but that doesn't make sense. Is there anyone who can help shed some light on what's going on here?

From: [email protected]
Date: October 31, 2013 9:33:11 AM PDT
To: [email protected]
Subject: failure notice
received: (qmail 5582 invoked for bounce); 31 Oct 2013 11:33:11 -0500

Hi. This is the qmail-send program at domain.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[email protected]>:
65.54.188.72 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.54.188.72.

--- Below this line is a copy of the message.

Return-Path: <[email protected]>
Received: (qmail 5576 invoked from network); 31 Oct 2013 11:33:10 -0500
Received: from legitimate-sender
by 192.168.100.240 with SMTP; 31 Oct 2013 11:33:10 -0500
From: "Legitimate Sender" <[email protected]>
Content-Type: multipart/mixed; boundary=Apple-Mail-24--944421204
Subject: Subject
Date: Thu, 31 Oct 2013 09:33:08 -0700
Message-Id: <[email protected]>
To: Recipient <[email protected]>
Mime-Version: 1.0 (Apple Message framework v1085)
X-Mailer: Apple Mail (2.1085)

Legitimate message.
 
Anyone?

It looks like the issue isn't limited to just the Plesk administrator email. All emails on the server are susceptible to randomly getting a bounce back with bogus bounce information.
 
Hello. The EXACT same thing happened to us recently. One email account was compromised and sending out bulk messages. We quickly caught it, fixed it, and cleared the queue. A few days later we got some of these bogus bounce messages on legitimate emails being sent out from the server.

Did you ever figure this one out? Or did the bogus bounces just go away after a while?

My biggest concern, obviously, is that these bounce messages aren't actually bogus after all and that copies of legitimate email messages are actually being sent out to other email addresses.
 
Found a few other threads referencing the same problem:

http://forum.parallels.com/showthre...ot-from-an-email-address-they-did-not-send-to
http://forum.parallels.com/pda/index.php/t-79505.html
http://forum.parallels.com/showthread.php?59079-Multiple-Email
http://forum.parallels.com/showthre...nced-mails-from-recipients-they-never-sent-to

The problem seems to have stopped (no reports lately), and server looks fine and uncompromised, so I'm chalking it up to temporary queue confusion from when I cleared out the queue before.
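
Added example, not part of the original thread: a check for the mismatch described in the first post, which splits a qmail-send bounce at its copy marker and flags failed addresses that do not appear in the To/Cc headers of the enclosed message. The sample bounce, addresses and host names are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import getaddresses

MARKER = "--- Below this line is a copy of the message."

# Constructed sample in the layout of the bounce quoted in the thread.
SAMPLE = """Hi. This is the qmail-send program at mail.example.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<stranger@example.net>:
192.0.2.25 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 192.0.2.25.

--- Below this line is a copy of the message.

Return-Path: <sender@example.com>
From: "Legitimate Sender" <sender@example.com>
To: Recipient <recipient@example.org>
Subject: Subject

Legitimate message.
"""

def failed_recipients(report):
    """Addresses the report lists on their own line as '<addr>:'."""
    found = re.findall(r"^<([^<>\s]+@[^<>\s]+)>:[ \t]*$", report, re.M)
    return [addr.lower() for addr in found]

def header_recipients(original):
    """Addresses named in the To and Cc headers of the enclosed copy."""
    msg = message_from_string(original)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def check_bounce(body):
    """Return (failed, unexpected); unexpected = failed addresses not in To/Cc."""
    report, sep, original = body.partition(MARKER)
    if not sep:
        raise ValueError("not a qmail-send bounce: copy marker missing")
    failed = failed_recipients(report)
    known = header_recipients(original.lstrip("\r\n"))
    return failed, [addr for addr in failed if addr not in known]

if __name__ == "__main__":
    print(check_bounce(SAMPLE))
```

An address flagged here is a lead, not proof: Bcc recipients and alias or forward expansions never appear in To/Cc, so the envelope recipients recorded in the mail log for that message decide whether a copy was really sent elsewhere.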
 