Hello all, long-time listener, first-time caller ...
I returned from an Eclipse trip to find a couple of sp*m e-mails in an account. I checked the logs and there was no Postfix activity during the delivery times. The 2 spams have basically no headers in them.
I went back to the logs and instead found Dovecot IMAP server activity during those times. Apparently Russian hax0rs (hostnames stat_list.ip-ptr.tech and service_stat.ip-ptr.tech) compromised an account and logged into it via IMAP, and somehow were able to create these two sp*m e-mails on my system.
Obviously I've changed the account password but I would really like to know how they were able to create e-mails on my system when ostensibly I would have assumed they could only read the account's e-mails via IMAP.
If it matters it's an older version of Dovecot on Fedora with a fairly heavily customized set of .conf files. I ran "doveconf -a" but didn't see anything obvious in the output. I may enable rawlogs in case they come knocking again, even though the password has been changed.
Thanks.
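Editor's added example (not the poster's code, nor anything shipped with Dovecot): a small Python check that does the log correlation described above programmatically, parsing Dovecot `imap-login: Login:` lines and listing logins for the account, from outside a trusted network, that fall shortly before the unexplained messages appeared. The log lines, IP addresses, trusted network and timestamps are all constructed for the example.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of Dovecot's imap-login "Login:" entries.
# Not the poster's real logs; addresses are RFC 1918 / documentation ranges.
SAMPLE_LOG = """\
Apr 08 09:12:03 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.168.1.20, lip=192.168.1.5, mpid=4101, TLS, session=<a1>
Apr 08 11:40:51 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.77, lip=192.168.1.5, mpid=4188, TLS, session=<b2>
Apr 08 11:41:07 mail dovecot: imap(alice): Disconnected: Logged out in=312 out=2209
Apr 08 11:42:30 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.9, lip=192.168.1.5, mpid=4190, TLS, session=<c3>
Apr 08 18:05:12 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.168.1.21, lip=192.168.1.5, mpid=4301, TLS, session=<d4>
"""

# Matches the syslog timestamp, the user and the remote IP (rip=) of a login line.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: imap-login: Login: "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Hypothetical allowlist: networks the account owner actually connects from.
TRUSTED = [ip_network("192.168.1.0/24")]

def parse_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def parse_logins(text, year):
    """Return (timestamp, user, remote_ip) for every imap-login Login line."""
    out = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            out.append((parse_ts(m["ts"], year), m["user"], ip_address(m["rip"])))
    return out

def suspicious_logins(logins, user, arrivals, window=timedelta(minutes=10)):
    """Logins for `user` from outside TRUSTED that occurred within `window`
    before any timestamp in `arrivals` (when the unexplained mail showed up)."""
    hits = []
    for ts, u, rip in logins:
        if u != user or any(rip in net for net in TRUSTED):
            continue
        if any(timedelta(0) <= a - ts <= window for a in arrivals):
            hits.append((ts, str(rip)))
    return hits

if __name__ == "__main__":
    logins = parse_logins(SAMPLE_LOG, 2024)
    for ts, rip in suspicious_logins(logins, "alice", [parse_ts("Apr 08 11:45:00", 2024)]):
        print(f"{ts}  untrusted IMAP login for alice from {rip}")
```

Feed it the real `mail.log` slice and the mtimes of the two messages in the Maildir, and the sessions that overlap their appearance stand out; it is the same correlation done by hand above, just repeatable.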