What’s sending mail to some@example.com, an@example.com, and tqznopjxm4@pomail.net?

I noticed two things today in logs:

Mar 27 10:23:35 cliff1 postfix/smtp[70019]: ACFA07C118: to=<some@example.com>, 
relay=smtp.fastmail.com[103.168.172.60]:587, delay=0.46, delays=0.11/0.05/0.12/0.17, 
tls=encrypt, dsn=5.7.1, status=bounced (host smtp.fastmail.com[103.168.172.60] said: 
551 5.7.1 Not authorised to send from this header address (in reply to end of DATA command))
Mar 27 10:23:36 cliff1 postfix/smtp[70019]: 257317B7AB: to=<an@example.com>, 
relay=smtp.fastmail.com[103.168.172.45]:587, delay=1.2, delays=0.02/0/0.1/1, 
tls=encrypt, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 36E819A0033 
ti_phl-compute-04_3594513_1774607015_4 via phl-compute-04)

In this post:

  • FreeBSD 15.0
  • postfix-3.11.1_1,1

Where did they come from?

257317B7AB also indicated pkg01 was the source.

What’s on pkg01

pkg01 is my poudriere server for building FreeBSD packages.

Whatever it is, it’s been going on for a while:

[14:55 pkg01 dvl ~] % sudo bzgrep -c example /var/log/maillog*
/var/log/maillog:24
/var/log/maillog.0.bz2:28
/var/log/maillog.1.bz2:68
/var/log/maillog.2.bz2:28
/var/log/maillog.3.bz2:28
/var/log/maillog.4.bz2:24
/var/log/maillog.5.bz2:24
/var/log/maillog.6.bz2:48

Going back on snapshots via the main host, I see:

[14:57 r730-01 dvl /jails/pkg01/.zfs/snapshot/autosnap_2026-03-21_00:00:02_daily/var/log] % sudo bzgrep -c example maillog*
maillog:48
maillog.0.bz2:20
maillog.1.bz2:40
maillog.2.bz2:20
maillog.3.bz2:20
maillog.4.bz2:20
maillog.5.bz2:36
maillog.6.bz2:20

[14:57 r730-01 dvl /jails/pkg01/.zfs/snapshot/autosnap_2026-03-21_00:00:02_daily/var/log] % ls -l maillog.6.bz2
-rw-r-----  1 root logcheck 934 2026.03.14 00:00 maillog.6.bz2

So since March 14th at least.

Perhaps this is related to the build system? It doesn’t seem malicious.

There is a build going on right now. I don’t want to interrupt it for testing.

How many emails?

So far, today:

[15:02 pkg01 dvl ~] % sudo grep 'mail to' /var/log/maillog | cut -f 7 -w | sort | uniq -c
   3 to=
   6 to=
   2 to=

That first address looks dodgy. I will thoroughly investigate that one.

Looking at yesterday, there are similar counts:

[15:02 pkg01 dvl ~] % sudo bzgrep 'mail to' /var/log/maillog.0.bz2 | cut -f 7 -w | sort | uniq -c 
   3 to=
   7 to=
   3 to=
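The recipient count above collapses everything to `to=`; the following added example (mine, not from the original post) does the same summary over constructed Postfix smtp lines but keeps the recipient and delivery status, then flags any recipient not on an assumed allowlist. The log lines, the allowlist and dvl@example.org are constructed for the example.

```sh
#!/bin/sh
# Added example: summarise postfix/smtp deliveries by status and recipient,
# then report recipients this build host is not expected to mail.
# The maillog lines below are constructed in the format of the post's logs.
SAMPLE_LOG='Mar 27 10:23:35 cliff1 postfix/smtp[70019]: ACFA07C118: to=<some@example.com>, relay=smtp.fastmail.com[103.168.172.60]:587, delay=0.46, status=bounced (host said: 551 5.7.1 Not authorised)
Mar 27 10:23:36 cliff1 postfix/smtp[70019]: 257317B7AB: to=<an@example.com>, relay=smtp.fastmail.com[103.168.172.45]:587, delay=1.2, status=sent (250 2.0.0 Ok)
Mar 27 11:05:02 cliff1 postfix/smtp[70044]: 1B2C3D4E5F: to=<tqznopjxm4@pomail.net>, relay=smtp.fastmail.com[103.168.172.45]:587, delay=0.9, status=sent (250 2.0.0 Ok)
Mar 27 11:06:10 cliff1 postfix/smtp[70044]: 6A7B8C9D0E: to=<dvl@example.org>, relay=smtp.fastmail.com[103.168.172.45]:587, delay=0.8, status=sent (250 2.0.0 Ok)'

# Recipients this host is expected to notify (assumed allowlist, space separated).
ALLOWED='dvl@example.org'

# Read maillog on stdin; print "count status recipient" per delivery attempt.
summarize_recipients() {
    grep 'postfix/smtp\[' |
        sed -n 's/.* to=<\([^>]*\)>,.*status=\([a-z]*\).*/\2 \1/p' |
        sort | uniq -c | sed 's/^ *//'
}

# Read maillog on stdin; print each recipient that is not on the allowlist.
unexpected_recipients() {
    summarize_recipients | awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($3 in ok) { print $3 }' | sort -u
}

# Audit verdict for the sample log: number of distinct unexpected recipients.
count_unexpected() {
    printf '%s\n' "$SAMPLE_LOG" | unexpected_recipients | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | summarize_recipients
printf '%s\n' "$SAMPLE_LOG" | unexpected_recipients
echo "unexpected recipients: $(count_unexpected)"
```

Point it at the real file with `sudo cat /var/log/maillog | unexpected_recipients` (or `bzcat` for the rotated ones) and the three addresses from the post fall out immediately; a bounced status for some@example.com is a second clue, since the relay refused the header address.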

I found it

I found it. I decided to grep here:

[15:08 pkg01 dvl /usr/local/etc/poudriere.d] % grep -r example *
hooks/pkgbuild.sh:EMAIL_FROM=an@example.com
hooks/pkgbuild.sh:EMAIL_TO=some@example.com
hooks/pkgbuild.sh.sample:EMAIL_FROM=an@example.com
hooks/pkgbuild.sh.sample:EMAIL_TO=some@example.com

[15:09 pkg01 dvl /usr/local/etc/poudriere.d] % grep -r tqznopjxm4 *
hooks/bulk.sh~:EMAIL_TO="tqznopjxm4@pomail.net"
hooks/bulk.sh:EMAIL_TO="tqznopjxm4@pomail.net"

[15:09 pkg01 dvl /usr/local/etc/poudriere.d] % pkg which hooks/pkgbuild.sh.sample 
/usr/local/etc/poudriere.d/hooks/pkgbuild.sh.sample was installed by package poudriere-3.4.6

It’s the build hooks.

I feel a patch will be submitted soon.

I’m not sure where the tqznopjxm4 address came from. What is interesting is that it’s been sending this for over 2 years.

[15:13 pkg01 dvl /usr/local/etc/poudriere.d] % ls -l hooks/bulk.sh 
-rw-r-----  1 root wheel 3527 2024.02.10 17:42 hooks/bulk.sh

I’ve fixed hooks/bulk.sh – that’s on me.

Here’s that pull request.

Aftermath

When building my pull request, I had incorrectly assumed the package was installing pkgbuild.sh.sample as a @sample file, meaning that if pkgbuild.sh did not already exist, pkgbuild.sh.sample would be copied to that filename.

I saw this:

[16:11 pkg01 dvl /usr/local/etc/poudriere.d/hooks] % ls -l
total 27
-rw-r--r--  1 root wheel  219 2019.08.10 16:07 builder.sh.inactive
-rw-r-----  1 root wheel 3522 2026.03.27 15:14 bulk.sh
-rw-r--r--  1 root wheel 3420 2026.03.10 04:19 bulk.sh.sample
-rw-r--r--  1 root wheel  581 2021.10.17 11:47 jail.sh
-rw-r--r--  1 root wheel 1398 2024.02.10 17:22 pkgbuild.sh
-rw-r--r--  1 root wheel 1398 2026.03.10 04:19 pkgbuild.sh.sample

Seeing both pkgbuild.sh and pkgbuild.sh.sample, along with both bulk.sh and bulk.sh.sample, combined with my history as a port maintainer, you can see why I got there… however wrong it was. I should have checked the port first, and I would have seen they are not @sample files.

I still don’t know how pkgbuild.sh got there. But I’ve dealt with it:

[16:11 pkg01 dvl /usr/local/etc/poudriere.d/hooks] % diff -ruN pkgbuild.sh.sample pkgbuild.sh
[16:11 pkg01 dvl /usr/local/etc/poudriere.d/hooks] % grep example *
pkgbuild.sh:EMAIL_FROM=an@example.com
pkgbuild.sh:EMAIL_TO=some@example.com
pkgbuild.sh.sample:EMAIL_FROM=an@example.com
pkgbuild.sh.sample:EMAIL_TO=some@example.com
[16:12 pkg01 dvl /usr/local/etc/poudriere.d/hooks] % sudo rm pkgbuild.sh
[16:12 pkg01 dvl /usr/local/etc/poudriere.d/hooks] % 

Thank you for coming to my TED talk.
