Potential Bug After Restoring Backup – Mail-in-a-Box Used for Sending Spam

Hello everyone,
I hope you’re all doing well.

I’m writing this post to report a potential issue I encountered while using Mail-in-a-Box.

I decided to create a new virtual machine using KVM on my server to separate the Mail-in-a-Box installation from the host system. After setting up everything and installing Mail-in-a-Box on the VM, I copied the backup files from my previous setup to restore around 2000 user accounts.

I used the following command to restore the backup:

sudo -E duplicity restore --force file:///home/backup/encrypted /home/user-data/

At first, everything seemed to work perfectly. However, after a few hours, I noticed a significant performance drop. Upon investigating, I discovered that something strange was happening—my VM was being used to send out spam emails.

The /var/log/mail.log file grew to over 6 GB in less than 12 hours, which clearly wasn’t normal.

When I ran:
postqueue -p

I was shocked to see an endless mail queue filled with outgoing spam messages. The system continues to send spam without stopping.

This behavior began only after restoring the backup. It makes me suspect that either:

  1. Something malicious got into the backup (e.g., via a compromised user account or script), or
  2. The restoration process exposed a vulnerability or misconfiguration.

I’m sharing this in case others have experienced the same issue. If anyone has insights or suggestions, please let me know.

Here’s a snippet from postqueue -p output:

45A848F4F7     2893 Tue Apr 1 18:59:02 MAILER-DAEMON
(host outlook-com.olc.protection.outlook.com[REDACTED] said: 451 4.7.651 The mail server [REDACTED] has been temporarily rate limited due to IP reputation. For e-mail delivery information, see https://postmaster.live.com (S3114) [Name=Protocol Filter Agent][AGT=PFA][MxId=11BADFAC61B2E32F] [DB5PEPF00014B89.eurprd02.prod.outlook.com 2025-04-01T17:35:39.755Z 08DD6FD6335FF6D9] (in reply to MAIL FROM command))
                                                                       n-roman@outlook.com
(host msn-com.olc.protection.outlook.com[REDACTED] said: 451 4.7.651 The mail server [REDACTED] has been temporarily rate limited due to IP reputation. For e-mail delivery information, see https://postmaster.live.com (S3114) [Name=Protocol Filter Agent][AGT=PFA][MxId=11BADF9F521F500A] [BL6PEPF00020E60.namprd04.prod.outlook.com 2025-04-01T17:36:52.390Z 08DD6FCFAB0EA34B] (in reply to MAIL FROM command))
                                                                       nromeromartinez@msn.com
(host hotmail-com.olc.protection.outlook.com[REDACTED] said: 451 4.7.651 The mail server [REDACTED] has been temporarily rate limited due to IP reputation. For e-mail delivery information, see https://postmaster.live.com (S3114) [Name=Protocol Filter Agent][AGT=PFA][MxId=11BADFD34A81B0B2] [BL6PEPF00022573.namprd02.prod.outlook.com 2025-04-01T17:45:13.456Z 08DD6FE9A70AB87E] (in reply to MAIL FROM command))
                                                                       nromens@hotmail.com
                                                                       nromer70@hotmail.com
                                                                       nromero@hotmail.com

4C60C8EC88   2893 Tue Apr 1 18:47:26 MAILER-DAEMON
(host live-com.olc.protection.outlook.com[REDACTED] said: 451 4.7.651 The mail server [REDACTED] has been temporarily rate limited due to IP reputation. For e-mail delivery information, see https://postmaster.live.com (S3114) [Name=Protocol Filter Agent][AGT=PFA][MxId=11BADFABB8C97ECC] [SA2PEPF00003F67.namprd04.prod.outlook.com 2025-04-01T17:38:33.830Z 08DD6FD5DE4B550B] (in reply to MAIL FROM command))
                                                                       nicholepete@live.com
(host hotmail-com.olc.protection.outlook.com[REDACTED] said: 451 4.7.651 The mail server [REDACTED] has been temporarily rate limited due to IP reputation. For e-mail delivery information, see https://postmaster.live.com (S3114) [Name=Protocol Filter Agent][AGT=PFA][MxId=11BADFF5D1D73EE9] [SN1PEPF000252A1.namprd05.prod.outlook.com 2025-04-01T17:51:27.413Z 08DD6FFAEAA1A465] (in reply to MAIL FROM command))
                                                                       nicholeofobbsjo0210@hotmail.com
                                                                       nicholeopunui@hotmail.com
                                                                       nicholepatricefletcher@hotmail.com
                                                                       nicholepettway@hotmail.com

425158EF6D   2893 Tue Apr 1 18:48:29 MAILER-DAEMON
(host hotmail-com.olc.protection.outlook.com[REDACTED] said: 451 4.7.651 The mail server [REDACTED] has been temporarily rate limited due to IP reputation. For e-mail delivery information, see https://postmaster.live.com (S3114) [Name=Protocol Filter Agent][AGT=PFA][MxId=11BADFF27AF0197B] [DS3PEPF0000C37D.namprd04.prod.outlook.com 2025-04-01T17:51:27.163Z 08DD6FF93F35B7BA] (in reply to MAIL FROM command))
                                                                       nicky_evi@hotmail.com

Take a look at this!

root@box:/home/vbz# ps aux | grep sendmail
root       11918  0.0  0.0   7016  2060 pts/0    S+   20:50   0:00 grep --color=auto sendmail
root@box:/home/vbz# ps aux | grep sendmail
root       11920  0.0  0.0   7016  2116 pts/0    S+   20:50   0:00 grep --color=auto sendmail
root@box:/home/vbz# ps aux | grep sendmail
root       11922  0.0  0.0   7016  2040 pts/0    S+   20:50   0:00 grep --color=auto sendmail
root@box:/home/vbz# ps aux | grep sendmail
root       11924  0.0  0.0   7016  2088 pts/0    S+   20:50   0:00 grep --color=auto sendmail
root@box:/home/vbz# ps aux | grep sendmail
root       11965  0.0  0.0   7016  2264 pts/0    S+   20:51   0:00 grep --color=auto sendmail
root@box:/home/vbz# ps aux | grep sendmail
root       11967  0.0  0.0   7016  2232 pts/0    S+   20:51   0:00 grep --color=auto sendmail
root@box:/home/vbz# ps aux | grep sendmail
root       11969  0.0  0.0   7016  2240 pts/0    S+   20:51   0:00 grep --color=auto sendmail
root@box:/home/vbz# ps aux | grep sendmail
root       11971  0.0  0.0   7016  2144 pts/0    S+   20:51   0:00 grep --color=auto sendmail
root@box:/home/vbz# ps aux | grep sendmail
root       11973  0.0  0.0   7016  2072 pts/0    S+   20:51   0:00 grep --color=auto sendmail
root@box:/home/vbz# ps aux | grep sendmail
root       11975  0.0  0.0   7016  2140 pts/0    S+   20:51   0:00 grep --color=auto sendmail

Thanks in advance!

Best regards,
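The queue listing above is easier to read in aggregate. As an added example (not code from the thread or from Mail-in-a-Box), the shell script below summarises a postqueue -p listing in the format shown above by envelope sender and by recipient domain, and counts the messages marked with "*" (the ones in the active queue). The listing it parses is constructed for the demo, with hypothetical queue IDs, addresses and relay hosts, and the function names are the example's own. One reading caveat the script encodes: MAILER-DAEMON in the sender column is how postqueue prints the null envelope sender, which Postfix uses for the non-delivery notices it generates itself, so a queue full of MAILER-DAEMON entries consists of bounces rather than of the messages that triggered them.

```shell
#!/bin/sh
# Added example (not from the thread or from Mail-in-a-Box): summarise a
# `postqueue -p` listing by envelope sender and by recipient domain.
# Listing format: one header line per message (QueueID[*|!] Size ArrivalTime
# Sender), "(reason)" lines for deferred recipients, one indented line per
# recipient, and a "-- N Kbytes in M Requests." footer.

# write_sample_queue FILE: constructed listing with hypothetical queue IDs,
# addresses and relay hosts, in the shape postqueue prints.
write_sample_queue() {
  cat >"$1" <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
45A848F4F7     2893 Tue Apr  1 18:59:02  MAILER-DAEMON
(host outlook-com.olc.protection.outlook.com[192.0.2.10] said: 451 4.7.651 The mail server [198.51.100.7] has been temporarily rate limited due to IP reputation. (in reply to MAIL FROM command))
                                         someone@outlook.com
                                         someone-else@hotmail.com

4C60C8EC88*    2893 Tue Apr  1 18:47:26  MAILER-DAEMON
                                         another@live.com

7A1B2C3D4E     1520 Tue Apr  1 19:02:11  alice@example.com
(connect to mail.partner.example[198.51.100.20]:25: Connection timed out)
                                         bob@partner.example

-- 7 Kbytes in 3 Requests.
EOF
}

# Header lines start with the queue ID, an optional "*" (active) or "!" (hold)
# marker, then the size; reason, recipient, blank and footer lines never match.
HDR='^[0-9A-Za-z]+[*!]? +[0-9]+ +'

# queue_by_sender LISTING: "count sender", busiest sender first.
# MAILER-DAEMON is how postqueue shows the null sender, i.e. bounces that
# Postfix itself generated, not the messages that provoked them.
queue_by_sender() {
  awk -v hdr="$HDR" '
    $0 ~ hdr { n[$NF]++ }
    END { for (s in n) printf "%d %s\n", n[s], s }
  ' "$1" | sort -k1,1nr -k2
}

# queue_by_rcpt_domain LISTING: "count domain" over all queued recipients.
queue_by_rcpt_domain() {
  awk -v hdr="$HDR" '
    $0 ~ hdr              { inmsg = 1; next }  # new message header
    /^\(/ || /^-/ || /^$/ { next }             # reason, column header/footer, blank
    inmsg && /^ +[^ ]+@[^ ]+$/ {
      d = $1; sub(/.*@/, "", d); n[tolower(d)]++
    }
    END { for (d in n) printf "%d %s\n", n[d], d }
  ' "$1" | sort -k1,1nr -k2
}

# active_count LISTING: messages marked "*" (in the active queue right now).
active_count() {
  grep -c '^[0-9A-Za-z]*\* ' "$1" || true
}

# Demo on the constructed listing; on a live box feed it `postqueue -p` output.
q=$(mktemp)
write_sample_queue "$q"
echo "== queued messages per sender";    queue_by_sender "$q"
echo "== queued recipients per domain"; queue_by_rcpt_domain "$q"
echo "== messages in active delivery: $(active_count "$q")"
rm -f "$q"
```

On a live box, save the listing once (postqueue -p > /tmp/queue.txt) and run the functions on the file, so the counts come from one snapshot rather than from a queue that changes between calls.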

Check the Outbox of your email clients and the webmail. Delete all outgoing mail from the outbox.

Please purge all email from postqueue.

Read here:

Purge

Either your backup thinks it has unsent mail and is trying to send it, or your username and password have been compromised.

Do change the password. Do not change the password on any of the email clients you use, as they may be the source of those messages.

As per the above, I am afraid you have been blacklisted for multiple attempts to send to multiple users.

Check if you are blacklisted: https://multirbl.valli.org/
Stop all the sending and try to delist yourself. Start with Spamhaus. Now they have a form in contacts. Go directly there if auto-delist doesn't work.
Explain frankly and say you are not a bulk sender.

If you are sending via port 25 and you are blacklisted, maybe you should consider changing the IP and building the IP reputation rather than waiting a few weeks for Outlook, Gmail and the big mail providers to delist you automatically. I am not really sure that Gmail will ever forget the IP and the domain name.

Cat the mail log to see what is going on. When you are done with purging, is Postfix trying to send anything after the purge and the password change?
Are you blacklisted by Gmail?

grep "postfix/smtp" /var/log/mail.log | grep -P 'status='

If everything OK. Delete the logs to free up space.

Thank you for your reply, Vele.

Unfortunately, I’ve already tried everything you suggested.

As of now, my public IP does not appear to be blacklisted — as shown in the screenshot below:
[screenshot]

I have purged the Postfix mail queue multiple times, but as soon as I restart the Postfix service, the queue fills up again almost immediately.

Even after closing port 25, and even disabling HTTP/HTTPS, the issue persists.
This strongly indicates that a local script is causing the problem.

Important note:
The VM is now completely isolated from the internet (for outgoing data), yet the behavior continues — which confirms it’s coming from within the system.

Also, the mail log becomes unreadable:
Within just 2 minutes, /var/log/mail.log grows to over 250 MB, and it continues to expand as long as Postfix is running.

I tested this command

grep "postfix/smtp" /var/log/mail.log | grep -P 'status='

At this point, I’ve tried every reasonable method I can think of — but so far, no success.

Any other ideas or deeper debugging suggestions would be greatly appreciated.
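Vele's check (grep the mail log for postfix/smtp lines with status=) and the observation that the queue refills as soon as Postfix restarts, even with the VM cut off from the network, both reduce to one question: by which path are messages entering the queue? Postfix logs one line per queue ID at each stage, and the first of them names the entry path: postfix/pickup for local sendmail(1) submissions (logged with the submitting Unix uid; uid 33 is www-data on Debian and Ubuntu), postfix/smtpd (or postfix/submission/smtpd, when the submission service logs under its own syslog name) for network clients, with sasl_username= present when the client authenticated, and a qmgr line with from=<> for the bounces Postfix generated itself. The shell script below is an added example, not code from the thread or from Mail-in-a-Box; the mail.log excerpt it parses is constructed, with hypothetical hosts, queue IDs, login and addresses, and its function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Mail-in-a-Box): classify how
# messages entered the Postfix queue and how deliveries ended, from the
# per-queue-ID lines Postfix writes to /var/log/mail.log.
#   postfix/pickup  QID: uid=N from=<...>                  local sendmail(1) submission by Unix uid N
#   postfix/*smtpd  QID: client=..., sasl_username=U       authenticated submission by login U
#   postfix/*smtpd  QID: client=HOST                       unauthenticated SMTP client (inbound or relay abuse)
#   postfix/qmgr    QID: from=<>, ...                      null sender: a bounce Postfix generated itself
#   postfix/smtp    QID: to=<...>, dsn=X.Y.Z, status=...   delivery result

# write_sample_log FILE: constructed excerpt (hypothetical hosts, queue IDs,
# login and addresses; 198.51.100.7 stands for the box's own public IP).
write_sample_log() {
  cat >"$1" <<'EOF'
Apr  1 18:47:26 box postfix/pickup[2201]: 4C60C8EC88: uid=33 from=<forged-sender@example.net>
Apr  1 18:47:26 box postfix/cleanup[2202]: 4C60C8EC88: message-id=<20250401184726.1@box.example.com>
Apr  1 18:47:26 box postfix/qmgr[2203]: 4C60C8EC88: from=<forged-sender@example.net>, size=2893, nrcpt=1 (queue active)
Apr  1 18:47:27 box postfix/smtp[2204]: 4C60C8EC88: to=<someone@live.com>, relay=live-com.olc.protection.outlook.com[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=4.7.651, status=deferred (host live-com.olc.protection.outlook.com[192.0.2.10] said: 451 4.7.651 The mail server [198.51.100.7] has been temporarily rate limited due to IP reputation. (in reply to MAIL FROM command))
Apr  1 18:48:29 box postfix/submission/smtpd[2210]: 425158EF6D: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=alice@example.com
Apr  1 18:48:29 box postfix/qmgr[2203]: 425158EF6D: from=<alice@example.com>, size=2893, nrcpt=1 (queue active)
Apr  1 18:48:30 box postfix/smtp[2204]: 425158EF6D: to=<someone-else@hotmail.com>, relay=hotmail-com.olc.protection.outlook.com[192.0.2.11]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=4.7.651, status=deferred (host hotmail-com.olc.protection.outlook.com[192.0.2.11] said: 451 4.7.651 The mail server [198.51.100.7] has been temporarily rate limited due to IP reputation. (in reply to MAIL FROM command))
Apr  1 18:49:02 box postfix/pickup[2201]: 45A848F4F7: uid=33 from=<forged-sender@example.net>
Apr  1 18:49:02 box postfix/qmgr[2203]: 45A848F4F7: from=<forged-sender@example.net>, size=2893, nrcpt=1 (queue active)
Apr  1 18:49:03 box postfix/smtp[2204]: 45A848F4F7: to=<another@hotmail.com>, relay=hotmail-com.olc.protection.outlook.com[192.0.2.11]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=5.7.1, status=bounced (host hotmail-com.olc.protection.outlook.com[192.0.2.11] said: 550 5.7.1 Unfortunately, messages from [198.51.100.7] weren't sent. (in reply to MAIL FROM command))
Apr  1 18:49:03 box postfix/bounce[2230]: 45A848F4F7: sender non-delivery notification: 51B2C3D4E5
Apr  1 18:49:03 box postfix/qmgr[2203]: 51B2C3D4E5: from=<>, size=5120, nrcpt=1 (queue active)
Apr  1 18:50:10 box postfix/smtpd[2220]: 7A1B2C3D4E: client=mail.partner.example[198.51.100.20]
Apr  1 18:50:10 box postfix/qmgr[2203]: 7A1B2C3D4E: from=<bob@partner.example>, size=1500, nrcpt=1 (queue active)
EOF
}

# injection_summary LOG: "count path who", busiest path first.
injection_summary() {
  awk '
    / postfix\/pickup\[/ {
      u = $0; sub(/.* uid=/, "", u); sub(/ .*/, "", u)
      n["pickup uid=" u]++
    }
    /smtpd\[[0-9]+]: [0-9A-Za-z]+: client=/ {
      if ($0 ~ /sasl_username=/) {
        u = $0; sub(/.*sasl_username=/, "", u); sub(/[ ,].*/, "", u)
        n["smtpd-sasl " u]++
      } else {
        c = $0; sub(/.*client=/, "", c); sub(/[ ,].*/, "", c)
        n["smtpd " c]++
      }
    }
    END { for (k in n) printf "%d %s\n", n[k], k }
  ' "$1" | sort -k1,1nr -k2
}

# delivery_status_summary LOG: "count status dsn=X.Y.Z" from postfix/smtp
# lines (the thread's grep for status=, aggregated instead of listed).
delivery_status_summary() {
  awk '
    / postfix\/smtp\[/ && /status=/ {
      s = $0; sub(/.*status=/, "", s); sub(/ .*/, "", s)
      d = $0; sub(/.*dsn=/, "", d); sub(/,.*/, "", d)
      n[s " dsn=" d]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }
  ' "$1" | sort -k1,1nr -k2
}

# null_sender_count LOG: queue entries with an empty envelope sender, i.e.
# bounces Postfix generated (shown as MAILER-DAEMON by postqueue -p).
null_sender_count() {
  grep -c 'postfix/qmgr\[[0-9]*]: [0-9A-Za-z]*: from=<>,' "$1" || true
}

# Demo on the constructed excerpt; on a live box point the functions at
# /var/log/mail.log (and its rotated copies).
log=$(mktemp)
write_sample_log "$log"
echo "== how messages entered the queue (count path who)"; injection_summary "$log"
echo "== outbound delivery results (count status dsn)";   delivery_status_summary "$log"
echo "== bounces Postfix generated (null sender): $(null_sender_count "$log")"
rm -f "$log"
```

If the queue refills while the box has no network, entries can only arrive through pickup, from a process on the box itself connecting to smtpd over loopback, or as bounces for its own failed deliveries; the path together with the uid or login names the process or mailbox to look at next, which is quicker than reading a multi-gigabyte log line by line.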

Good, if you are not listed, but Outlook, as per the first post, seems to block you.

Start fresh.
Reserve the public IP. Terminate the instance. Make another clean instance. Reinstall the latest MIAB. Recreate the users.
DO NOT RESTORE BACKUP

Test Outlook and Gmail via telnet. Google "test SMTP via telnet".

Check if you are blocked.

Read here: Gmail, Yahoo work but iCloud emails bounces with 503 5.5.1 Error: send HELO/EHLO first (in reply to RCPT TO command) - #3 by vele

Are Outlook and Gmail blocking you?
If yes, delist yourself from Outlook https://sender.office.com/
No need to try to delist from Gmail; they will not respond. They have an auto-delist according to some AI crap. This is in the bulk sender contact form: Sender Contact Form - Gmail Help

Do not restore the backup yet. Try sending some test messages from the webmail.
Check the logs for symptoms.

I am not really sure how a backup can trigger malware, but it could be possible.

Now, if your clean machine is acting OK, use the rsync option as the backup method. No need to restore from duplicity.

Rsync the user-data directory.

See what is going on afterwards.

If you wish to investigate further on the dirty machine, you can try something like tshark, a GUI-less Wireshark app, and see what or who is making the network requests and spam. This might be tedious. I am out of other ideas.
Good luck

Yes Vele, I followed your suggestions precisely:

  • Removed the old KVM instance
  • Set up a fresh new KVM

This time, I made sure to focus on security improvements for the Linux server, such as hardening root access, enhancing network security, and other relevant measures.

Fortunately, everything went smoothly, even with the backup restoration method! I made sure to test the server thoroughly without a domain name, and everything was functioning well.

As for the issue with Outlook, no, they did not block my IP. I performed all possible tests, and everything worked perfectly this time.

However, I’m still curious about what exactly caused the issue in the first place. It’s important to investigate further. I plan to continue testing with new KVM setups until I can find any signs or root cause. It’s possible that some dormant malware in the Mail-in-a-Box system was triggered somehow.

Thank you again for your help!

Hmm. Not really sure. Be careful with egress port 25 open. A malicious script can use other methods to send from the box, circumventing Postfix. Then you really need Wireshark to identify the source. In your case it was the box sending via Postfix and no other clients, since you changed the password, so it was easy.