
I am running postfix/dovecot with spamassasin and amavis on Ubuntu server 20.04. I am also using this server as an LEMP Wordpress server. I have configured everything (email wise) according to Linuxbabe.com tutorials located at [https://www.linuxbabe.com/mail-server/setup-basic-postfix-mail-sever-ubuntu][1]

Recently, while navigating my directories from the terminal, I noticed the /var/vmail/ directory which contains all of my proper email domains i.e. example.com, example2.com, example3.com and example4.com.

However, there I have spotted an oddity and am wondering if someone got into or hacked my email system (highly unlikely) somehow. There is a domain (in the form of a folder name) in that directory called "pl.d.sender-sib.com" as well as a folder called "gmail.com".

```text
ls -la /var/vmail/
drwxr-xr-x  9 vmail vmail 4096 Dec 29 09:03 .
drwxr-xr-x 16 root  root  4096 Dec  9 12:39 ..
drwx------  4 vmail vmail 4096 Jun 16  2021 mydomain1.com
drwx------  9 vmail vmail 4096 Sep 26 11:51 mydomain2.com
drwx------  3 vmail vmail 4096 Sep  9 17:17 gmail.com
drwx------  6 vmail vmail 4096 Dec 30 16:48 mydomain3.com
drwx------  7 vmail vmail 4096 Jan 21 18:41 mydomain4.com
drwx------  3 vmail vmail 4096 Dec 29 09:03 pl.d.sender-sib.com
drwx------  2 vmail vmail 4096 Feb  2 16:52 spamassassin
```

Inside the gmail.com directory is: /var/vmail/gmail.com/myemailaddressWithout"@gmail.com"/spamassassin/bayes_toks

and

/var/vmail/gmail.com/myemailaddressWithout"@gmail.com"/spamassassin/bayes_seen

Inside the pl.d.sender-sib.com directory is:

/var/vmail/pl.d.sender-sib.com/unsubscribe-t/spamassassin/bayes_seen

and

/var/vmail/pl.d.sender-sib.com/unsubscribe-t/spamassassin/bayes_toks

Could this be the work of an attacker and have I been hacked? Or are these directories that have been created by maybe spamassassin or amavis, wordpress emails, or some security program that I installed? How can I figure out where these directories came from, and is it safe or kosher to delete these? Please let me know as soon as possible! I do not want to be working on a compromised server, even though I am certain my server is relatively secure.

[1]: https://www.linuxbabe.com/mail-server/setup-basic-postfix-mail-sever-ubuntu

DanRan

2 Answers


The files bayes_toks, bayes_seen are created by SpamAssassin for each email user on your system. For some reason, your system is also passing through SpamAssassin some messages addressed to external domains like gmail.com or pl.d.sender-sib.com. You need to review your mail logs and your mail system configuration to check why this happens.

AlexD
  • Thank you for your answer! So to be clear, would the directories "gmail.com" and "pl.d.sender-sib.com" be autocreated by spamassassin due to the fact that they are passing through messages addressed to external domains? Secondly, when you say "passing through", are you saying that spamassassin is checking for spam on outgoing messages addressed to those domains? Because as far as I can tell, I have never sent messages to those domains. I will check the logs and get back to you with more info in my answer. Hopefully you can help in the meantime with the above clarifications @AlexD. Thanks amigo! – DanRan Feb 04 '22 at 07:02
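One way to do the log review the answer recommends, as an added example that is not part of AlexD's answer or of the linuxbabe setup: the script scans mail.log lines for amavis summary lines and Postfix delivery lines, reports every recipient whose domain is not one the server hosts, and prints the per-recipient SpamAssassin directory such a message would produce under /var/vmail (following the /var/vmail/<domain>/<user>/spamassassin layout shown in the question). The hosted-domain set, the log excerpt (constructed) and the two regular expressions are assumptions; compare them with real lines from your own /var/log/mail.log before relying on the output.

```python
import re
import sys
from collections import defaultdict

# Domains this server hosts under /var/vmail. Constructed to mirror the listing in the
# question; replace with your own virtual_mailbox_domains.
HOSTED_DOMAINS = {"mydomain1.com", "mydomain2.com", "mydomain3.com", "mydomain4.com"}

# Assumed shape of the amavisd-new summary line:
#   "amavis[PID]: (TASK) Passed CLEAN {RelayedInbound}, ... <sender> -> <rcpt>,<rcpt>, Message-ID: ..."
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<verdict>Passed|Blocked) \S+ "
    r"\{(?P<policy>[^}]+)\},.*?<(?P<sender>[^>]*)> -> (?P<rcpts>(?:<[^>]*>,?)+)"
)
# Assumed shape of a Postfix delivery line: "postfix/smtp[PID]: QUEUEID: to=<rcpt>, ..."
POSTFIX_RE = re.compile(r"postfix/[\w-]+\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>")
ADDR_RE = re.compile(r"<([^>]*)>")


def find_external_recipients(lines, hosted=HOSTED_DOMAINS):
    """Return {external_domain: [(localpart, evidence, line_no), ...]} for every
    recipient address whose domain is not hosted on this server."""
    hits = defaultdict(list)
    for line_no, line in enumerate(lines, 1):
        m = AMAVIS_RE.search(line)
        if m:
            rcpts = ADDR_RE.findall(m.group("rcpts"))
            evidence = f"amavis {m.group('verdict')} {m.group('policy')} from <{m.group('sender')}>"
        else:
            m = POSTFIX_RE.search(line)
            if not m:
                continue
            rcpts = [m.group("rcpt")]
            evidence = f"postfix queue {m.group('qid')}"
        for addr in rcpts:
            local, _, domain = addr.rpartition("@")
            if domain and domain.lower() not in hosted:
                hits[domain.lower()].append((local, evidence, line_no))
    return dict(hits)


def bayes_dir_for(addr, base="/var/vmail"):
    """Per-recipient SpamAssassin state directory, following the
    /var/vmail/<domain>/<localpart>/spamassassin layout seen in the question."""
    local, _, domain = addr.rpartition("@")
    return f"{base}/{domain.lower()}/{local}/spamassassin"


def report(lines, hosted=HOSTED_DOMAINS):
    """Human-readable summary: one block per external domain, with the log line,
    the evidence and the directory that recipient would create."""
    out = []
    for domain, entries in sorted(find_external_recipients(lines, hosted).items()):
        out.append(f"{domain}:")
        for local, evidence, n in entries:
            out.append(f"  line {n}: {local}@{domain}  ({evidence})  -> {bayes_dir_for(f'{local}@{domain}')}")
    return "\n".join(out)


# Constructed log excerpt (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    "Feb  2 16:52:01 mail amavis[2041]: (02041-03) Passed CLEAN {RelayedInbound}, [203.0.113.5]:41234 [203.0.113.5] <news@example.net> -> <alice@mydomain1.com>, Message-ID: <a1@example.net>, mail_id: AbCdEf, Hits: -1.2, size: 4321, queued_as: 1A2B3C, 312 ms",
    "Feb  2 16:53:10 mail amavis[2041]: (02041-04) Passed CLEAN {RelayedOutbound}, [127.0.0.1]:50012 [127.0.0.1] <alice@mydomain1.com> -> <unsubscribe-t@pl.d.sender-sib.com>, Message-ID: <b2@mydomain1.com>, mail_id: GhIjKl, Hits: 0.1, size: 512, queued_as: 4D5E6F, 98 ms",
    "Feb  2 16:54:22 mail postfix/smtp[2210]: 4D5E6F: to=<unsubscribe-t@pl.d.sender-sib.com>, relay=mx.example[198.51.100.7]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)",
    "Feb  2 16:55:00 mail amavis[2041]: (02041-05) Passed CLEAN {RelayedOutbound}, [127.0.0.1]:50020 [127.0.0.1] <bob@mydomain2.com> -> <someone@gmail.com>,<alice@mydomain1.com>, Message-ID: <c3@mydomain2.com>, mail_id: MnOpQr, Hits: 0.0, size: 2048, queued_as: 7G8H9I, 120 ms",
]

if __name__ == "__main__":
    # Pass a log file path to scan a real log; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG
    print(report(lines) or "no recipients outside the hosted domains")
```

Run it as `python3 find_external.py /var/log/mail.log`. A hit whose evidence says `RelayedOutbound` points at mail originating on the server (a user, a script, or the web stack) and addressed outward; a hit with `RelayedInbound` means the server accepted mail for a domain it does not host, which is worth checking against `relay_domains` and `virtual_alias_maps` in Postfix.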

I know that I am 1 year late, but as I write this, I am testing the Sendinblue transactional email API service and that domain sender-sib.com makes an appearance in the email headers. Below is a snippet of my headers:

```text
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@xxxxxxxxx header.s=mail header.b=RfTsdBxT;
       spf=pass (google.com: domain of bounces-207962554-admin=xxxxxxxxx@gx.d.sender-sib.com designates 77.32.148.24 as permitted sender) smtp.mailfrom="bounces-207962554-admin=mydomain@gx.d.sender-sib.com"
Return-Path: <bounces-207962554-admin=xxxxxxxxxxxxx@gx.d.sender-sib.com>
Received: from gx.d.sender-sib.com (gx.d.sender-sib.com. [77.32.148.24])
        by mx.google.com with ESMTPS id f5-20020a7bcc05000000b003f047856994si1756081wmh.199.2023.04.19.11.04.03
        for <xxxxxxxxxx@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 19 Apr 2023 11:04:03 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounces-207962554-admin=xxxxxxxxx@gx.d.sender-sib.com designates 77.32.148.24 as permitted sender) client-ip=77.32.148.24;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@xxxxxxxxx header.s=mail header.b=RfTsdBxT;
       spf=pass (google.com: domain of bounces-207962554-admin=xxxxxxxxx@gx.d.sender-sib.com designates 77.32.148.24 as permitted sender) smtp.mailfrom="bounces-207962554-admin=xxxxxxxxx@gx.d.sender-sib.com"
```

Based on that, I conclude that sender-sib.com is property of Sendinblue, therefore you can rest easy seeing that domain.

  • This does not provide an answer to the question. Once you have sufficient [reputation](https://serverfault.com/help/whats-reputation) you will be able to [comment on any post](https://serverfault.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/549252) – aseques Apr 21 '23 at 11:54
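An added example, not part of the answer above, that turns the same header reading into a repeatable check: it pulls the envelope sender (Return-Path) domain, the header From domain, the DKIM signing domain, the SPF result and client IP, and any List-Unsubscribe mailto domains from a raw message, then reports DMARC-style alignment so that a third-party bounce domain in Return-Path (as with the bounces-… address at gx.d.sender-sib.com) is visible as "not aligned" rather than as a mystery. The sample headers are constructed placeholders modelled on the snippet above (example.org, example.com, 192.0.2.10); the List-Unsubscribe line is an assumption that connects such a message with the unsubscribe-t directory from the question, and the alignment helper is a simplification that does not consult the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers in the answer; every address, host and IP
# is a placeholder. The List-Unsubscribe header is an assumption, not copied from the page.
SAMPLE_HEADERS = """\
Return-Path: <bounces-000000000-admin=user=example.org@gx.d.sender-sib.com>
Received: from gx.d.sender-sib.com (gx.d.sender-sib.com. [192.0.2.10])
        by mx.example.org with ESMTPS id PLACEHOLDER
        for <user@example.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 19 Apr 2023 11:04:03 -0700 (PDT)
Received-SPF: pass (example.org: domain of bounces-000000000-admin=user=example.org@gx.d.sender-sib.com designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
Authentication-Results: mx.example.org;
       dkim=pass header.i=@example.com header.s=mail header.b=PLACEHOLDER;
       spf=pass smtp.mailfrom="bounces-000000000-admin=user=example.org@gx.d.sender-sib.com"
From: Example Newsletter <news@example.com>
To: user@example.org
List-Unsubscribe: <mailto:unsubscribe-t@pl.d.sender-sib.com>
Subject: constructed sample

(body omitted)
"""


def _domain(addr):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rpartition("@")[2].lower()


def _aligned(from_domain, auth_domain):
    """Simplified relaxed alignment: equal, or one domain is a parent of the other.
    Real DMARC compares organizational domains using the Public Suffix List."""
    return (from_domain == auth_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def attribute_domains(raw_message):
    """Extract the domains that explain who actually sent a message and whether
    SPF and DKIM line up with the visible From address."""
    msg = message_from_string(raw_message)
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    header_from = parseaddr(msg.get("From", ""))[1]
    auth = msg.get("Authentication-Results", "")
    spf_hdr = msg.get("Received-SPF", "")
    dkim = re.search(r"dkim=(\w+)", auth)
    dkim_dom = re.search(r"header\.i=@?([^\s;]+)", auth)
    spf = re.search(r"spf=(\w+)", auth)
    client_ip = re.search(r"client-ip=([0-9a-fA-F.:]+)", spf_hdr)
    unsub = re.findall(r"mailto:([^>?,\s]+)", msg.get("List-Unsubscribe", ""))

    result = {
        "envelope_from_domain": _domain(envelope),
        "header_from_domain": _domain(header_from),
        "dkim": dkim.group(1) if dkim else None,
        "dkim_domain": dkim_dom.group(1).lower() if dkim_dom else None,
        "spf": spf.group(1) if spf else None,
        "client_ip": client_ip.group(1) if client_ip else None,
        "unsubscribe_domains": sorted({_domain(a) for a in unsub}),
    }
    # SPF aligns when the envelope (bounce) domain matches From; DKIM aligns when the
    # signing domain matches From. A mailing service's bounce domain normally fails the first.
    result["spf_aligned"] = (result["spf"] == "pass"
                             and _aligned(result["header_from_domain"], result["envelope_from_domain"]))
    result["dkim_aligned"] = (result["dkim"] == "pass"
                              and result["dkim_domain"] is not None
                              and _aligned(result["header_from_domain"], result["dkim_domain"]))
    return result


if __name__ == "__main__":
    for key, value in attribute_domains(SAMPLE_HEADERS).items():
        print(f"{key:>22}: {value}")
```

Feed it a message saved from a mailbox (`attribute_domains(open(path).read())`): a sender-sib.com envelope domain with a passing, aligned DKIM signature for the From domain is the normal signature of mail relayed by a bulk-mail provider on behalf of that domain, while SPF pass without any alignment at all should prompt a closer look at the From domain's DMARC record.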