I am running postfix/dovecot with SpamAssassin and amavis on Ubuntu server 20.04. I am also using this server as an LEMP WordPress server. I have configured everything (email-wise) according to Linuxbabe.com tutorials located at [https://www.linuxbabe.com/mail-server/setup-basic-postfix-mail-sever-ubuntu][1].

Recently, while navigating my directories from the terminal, I noticed the `/var/vmail/` directory, which contains all of my proper email domains, i.e. example.com, example2.com, example3.com and example4.com.

However, there I have spotted an oddity and am wondering if someone got into or hacked my email system (highly unlikely) somehow. There is a domain (in the form of a folder name) in that directory called "pl.d.sender-sib.com" as well as a folder called "gmail.com".

```
ls -la /var/vmail/
drwxr-xr-x  9 vmail vmail 4096 Dec 29 09:03 .
drwxr-xr-x 16 root  root  4096 Dec  9 12:39 ..
drwx------  4 vmail vmail 4096 Jun 16  2021 mydomain1.com
drwx------  9 vmail vmail 4096 Sep 26 11:51 mydomain2.com
drwx------  3 vmail vmail 4096 Sep  9 17:17 gmail.com
drwx------  6 vmail vmail 4096 Dec 30 16:48 mydomain3.com
drwx------  7 vmail vmail 4096 Jan 21 18:41 mydomain4.com
drwx------  3 vmail vmail 4096 Dec 29 09:03 pl.d.sender-sib.com
drwx------  2 vmail vmail 4096 Feb  2 16:52 spamassassin
```

Inside the gmail.com directory is:

`/var/vmail/gmail.com/myemailaddressWithout"@gmail.com"/spamassassin/bayes_toks`

and

`/var/vmail/gmail.com/myemailaddressWithout"@gmail.com"/spamassassin/bayes_seen`

Inside the pl.d.sender-sib.com directory is:

`/var/vmail/pl.d.sender-sib.com/unsubscribe-t/spamassassin/bayes_seen`

and

`/var/vmail/pl.d.sender-sib.com/unsubscribe-t/spamassassin/bayes_toks`

Could this be the work of an attacker and have I been hacked? Or are these directories that have been created by maybe SpamAssassin or amavis, WordPress emails, or some security program that I installed? How can I figure out where these directories came from, and is it safe or kosher to delete these? Please let me know as soon as possible! I do not want to be working on a compromised server, even though I am certain my server is relatively secure.

[1]: https://www.linuxbabe.com/mail-server/setup-basic-postfix-mail-sever-ubuntu

The files `bayes_toks`, `bayes_seen` are created by SpamAssassin for each email user on your system. For some reason, your system is also passing through SpamAssassin some messages addressed to external domains like gmail.com or pl.d.sender-sib.com. You need to review your mail logs and your mail system configuration to check why this happens.
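
One way to start the review suggested in the answer, as an added example that is not part of the original question or answer: list every directory under the mail root that is not a hosted domain and check whether it holds anything other than SpamAssassin Bayes files. The function names `audit_vmail` and `demo` are hypothetical, the hosted domains are passed by hand as an assumption, and the sample tree is constructed.

```shell
#!/bin/sh
# audit_vmail ROOT HOSTED_DOMAIN...
# For each top-level directory under ROOT that is not in the hosted list, print:
#   bayes-only  <name>  nothing there except spamassassin/bayes_* files
#                       (possibly nothing at all)
#   other-files <name>  something else is stored there; inspect before deleting
audit_vmail() {
    root=$1; shift
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        hosted=no
        for d in "$@"; do
            if [ "$d" = "$name" ]; then hosted=yes; fi
        done
        if [ "$hosted" = yes ]; then continue; fi
        # First file, if any, that is NOT SpamAssassin Bayes data.
        extra=$(find "$dir" -type f ! -path '*/spamassassin/bayes_*' -print | head -n 1)
        if [ -z "$extra" ]; then
            echo "bayes-only $name"
        else
            echo "other-files $name"
        fi
    done
}

# Constructed sample: a throwaway tree shaped like the listing in the question,
# plus one made-up directory (odd.example) that holds a real message file.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/mydomain1.com/alice/Maildir/new" \
             "$tmp/gmail.com/someuser/spamassassin" \
             "$tmp/pl.d.sender-sib.com/unsubscribe-t/spamassassin" \
             "$tmp/odd.example/bob/Maildir/new"
    : > "$tmp/mydomain1.com/alice/Maildir/new/msg1"
    : > "$tmp/gmail.com/someuser/spamassassin/bayes_toks"
    : > "$tmp/gmail.com/someuser/spamassassin/bayes_seen"
    : > "$tmp/pl.d.sender-sib.com/unsubscribe-t/spamassassin/bayes_toks"
    : > "$tmp/pl.d.sender-sib.com/unsubscribe-t/spamassassin/bayes_seen"
    : > "$tmp/odd.example/bob/Maildir/new/msg1"
    audit_vmail "$tmp" mydomain1.com
    rm -rf "$tmp"
}
```

On a real server the call would be `audit_vmail /var/vmail` followed by the domains you actually host; a `bayes-only` result matches the per-recipient SpamAssassin data the answer describes, while `other-files` means mail or other data was written there.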