google IMAP APPEND
On Thursday, 11/04/2024 at 13:32 Greg Earle via dovecot wrote:
Hello all, long-time listener, first-time caller ...
I returned from an Eclipse trip to find a couple of sp*m e-mails in an account. I checked the logs and there was no Postfix activity during the delivery times. The 2 spams have basically no headers in them.

I went back to the logs and instead found Dovecot IMAP server activity during those times. Apparently Russian hax0rs (hostnames stat_list.ip-ptr.tech and service_stat.ip-ptr.tech) compromised an account and logged into it via IMAP, and somehow were able to create these two sp*m e-mails on my system.

Obviously I've changed the account password, but I would really like to know how they were able to create e-mails on my system when ostensibly I would have assumed they could only read the account's e-mails via IMAP.

If it matters, it's an older version of Dovecot on Fedora with a fairly heavily customized set of .conf files. I ran "doveconf -a" but didn't see anything obvious in the output. I may enable rawlogs in case they come knocking again, even though the password has been changed.
Thanks.
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
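The one-line reply above points at the answer: any authenticated IMAP client can write a message straight into a mailbox with the APPEND command, so the message never passes through Postfix and carries no Received: headers. As an added, defender-side example (not from the thread, not Dovecot's own code), here is a small Python parser for the client-to-server byte stream that Dovecot's rawlog captures: it lists every APPEND, including quoted mailbox names and LITERAL+ sizes, and flags messages whose headers show no MTA delivery. The rawlog sample it runs on is constructed.

```python
import re
from dataclasses import dataclass

# A tagged IMAP APPEND command (RFC 3501 section 6.3.11) as the client sends it:
#   tag APPEND mailbox [(flags)] ["date-time"] {literal-size[+]}
APPEND_RE = re.compile(
    r'^(?P<tag>\S+) APPEND (?P<mailbox>"[^"]*"|\S+)(?: \((?P<flags>[^)]*)\))?'
    r'(?: "(?P<date>[^"]*)")? \{(?P<size>\d+)\+?\}\r?$')

@dataclass
class AppendEvent:
    tag: str
    mailbox: str
    size: int
    has_received: bool   # False: the message never passed through an MTA

def parse_rawlog(data: bytes) -> list[AppendEvent]:
    """Walk a client->server rawlog byte stream and record every APPEND with its literal."""
    events, pos = [], 0
    while (nl := data.find(b'\n', pos)) != -1:
        line = data[pos:nl].decode('utf-8', 'replace')
        pos = nl + 1
        m = APPEND_RE.match(line)
        if not m:
            continue
        size = int(m.group('size'))
        literal = data[pos:pos + size]   # the message itself follows the command line
        pos += size
        headers = literal.split(b'\r\n\r\n', 1)[0]
        events.append(AppendEvent(m.group('tag'), m.group('mailbox').strip('"'), size,
                                  b'\nreceived:' in (b'\n' + headers).lower()))
    return events

def mta_bypass_appends(data: bytes) -> list[AppendEvent]:
    """APPENDs whose message carries no Received: header, i.e. it was never delivered by SMTP."""
    return [e for e in parse_rawlog(data) if not e.has_received]

# Constructed sample of a rawlog client stream: a normal SELECT, then an APPEND of
# a message with no Received: header (the pattern described in the thread).
HEADERLESS_MSG = b'From: x@example.invalid\r\nSubject: hi\r\n\r\nbuy now'
SAMPLE_IN = (b'a001 SELECT INBOX\r\n'
             b'a002 APPEND INBOX (\\Seen) {%d}\r\n' % len(HEADERLESS_MSG)
             + HEADERLESS_MSG + b'\r\na003 LOGOUT\r\n')

if __name__ == '__main__':
    for e in mta_bypass_appends(SAMPLE_IN):
        print(f'{e.tag}: {e.size} bytes appended to {e.mailbox} with no Received: header')
```

Point it at a rawlog ".in" file (the client side of a session) to see which login wrote which message; correlating the file's timestamp with the imap-login lines for the remote hosts named above is what ties the APPENDs to the compromised session.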