qmail message from random from email address and being sent..

[JustinGivens]

Hey guys,

Has anyone see anything like this in their qmail message logs?

Mar 28 13:37:44 domaintld qmail-queue-handlers[23715]: Handlers Filter before-queue for qmail started ...
Mar 28 13:37:44 domaintld qmail-queue-handlers[23715]: [email protected]
Mar 28 13:37:44 domaintld qmail-queue-handlers[23715]: [email protected]
Mar 28 13:37:44 domaintld qmail-queue-handlers[23715]: handlers_stderr: SKIP
Mar 28 13:37:44 domaintld qmail-queue-handlers[23715]: SKIP during call 'check-quota' handler
Mar 28 13:37:44 domaintld spf filter[23717]: Starting spf filter... 
Mar 28 13:37:44 domaintld qmail-queue-handlers[23715]: handlers_stderr: SKIP
Mar 28 13:37:44 domaintld qmail-queue-handlers[23715]: SKIP during call 'spf' handler
Mar 28 13:37:44 domaintld qmail-queue-handlers[23715]: starter: submitter[23718] exited normally
Mar 28 13:37:44 domaintld qmail: 1364495864.739788 new msg 14736184
Mar 28 13:37:44 domaintld qmail: 1364495864.739834 info msg 14736184: bytes 6883 from <[email protected]> qp 23718 uid 0
Mar 28 13:37:44 domaintld qmail: 1364495864.742927 starting delivery 17890: msg 14736184 to remote [email protected]
Mar 28 13:37:44 domaintld qmail: 1364495864.742980 status: local 0/10 remote 1/20
Mar 28 13:37:44 domaintld qmail-remote-handlers[23719]: Handlers Filter before-remote for qmail started ...
Mar 28 13:37:44 domaintld qmail-remote-handlers[23719]: [email protected]
Mar 28 13:37:44 domaintld qmail-remote-handlers[23719]: [email protected]
Mar 28 13:37:44 domaintld dk_sign[23720]: Auth_ID: [domaintld.com] Signed: [Yes] Header List: [Yes] 
Mar 28 13:37:44 domaintld qmail-remote-handlers[23719]: handlers_stderr: PASS
Mar 28 13:37:44 domaintld qmail-remote-handlers[23719]: PASS during call 'dd51-domainkeys' handler
Mar 28 13:37:45 domaintld qmail: 1364495865.220911 delivery 17890: success: 173.194.76.27_accepted_message./Remote_host_said:_250_2.0.0_OK_1364495865_jv12si18688899qeb.8_-_gsmtp/
Mar 28 13:37:45 domaintld qmail: 1364495865.221027 status: local 0/10 remote 0/20
Mar 28 13:37:45 domaintld qmail: 1364495865.221087 end msg 14736184

I've tried looking in the /var/qmail/queue folder for the message ID and can't find anything. I've even done a netstat -an looking for the connecting to the SMTP port but nothing odd either.

Plesk configured to require full email address and password to send email. Also the [email protected] doesn't exist on the server.

Any suggestion on how to track down this random email being sent?

 

[DaveW4]

I get bouncebacks to this address "[email protected]" from drweb.

 

[JustinGivens]

This isn't a bounceback. This is something is trying to send to [email protected] throughout the day.

 

[JustinGivens]

Anyone have another suggestion? I've searched the entire system for code '[email protected]' and nothing is returned.

 

[sbrissen]

I had fixed this at one point and now its back. For me it turned out to be a hacked /bin/ssh file that was the culprit, I replaced it with a good one and everything was good for awhile. Now I have the problem again and its a different file that I have yet to find.

 

[JustinGivens]

Hey Sbrissen,

Is it going to the same email address?

 

[sbrissen]

Hey Sbrissen,

Is it going to the same email address?

yup exact same one

 

[JustinGivens]

I ran this command to find the files.

find / -xdev -type f -print0 | xargs -0 grep -H "testrambo2"

 

[sbrissen]

I ran this command to find the files.

find / -xdev -type f -print0 | xargs -0 grep -H "testrambo2"

I'll give it a shot, I was running:

find ./ -type f -print0 | xargs -0 grep -i "testrambo2"

 

[JustinGivens]

I would also recommend looking at your /var/log/secure and seeing if anything else (different IP) connected through SSH.