Linux – Server compromised. Bounce message contains many email addresses message was not sent to

Tags: email, linux, spam

This is not a dupe. Please read and understand the issue before marking this as a duplicate question that has been answered already.

Several customers are reporting bounce messages like the one below. At first I thought their computers had a virus, but then I received one that was server-generated, so the problem is with the server.

I've inspected the logs and these email addresses do not appear in the logs. The only thing I see that I do not remember seeing in the past is entries like this:

Apr 30 13:34:49 psa86 qmail-queue-handlers[20994]: hook_dir = '/var/qmail//handlers/before-queue'
Apr 30 13:34:49 psa86 qmail-queue-handlers[20994]: recipient[3] = 'aimee@cccccc.com'
Apr 30 13:34:49 psa86 qmail-queue-handlers[20994]: handlers dir = '/var/qmail//handlers/before-queue/recipient/aimee@ccccccc.com'

I've searched here and the web, and maybe I'm just not entering the right search terms, but I find nothing on this issue.

Does anyone know how a hacker would attach additional email addresses to a message at the server and have them not appear in the logs?

CentOS release 5.4, Plesk 8.6, QMail 1.03

Hi. This is the qmail-send program at psa.aaaaaa.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<leonirina@orascom.com>:
82.201.133.227 does not like recipient.
Remote host said: 550 #5.1.0 Address rejected.
Giving up on 82.201.133.227.

<schnitz1@owensfinancial.com>:
64.18.7.10 does not like recipient.
Remote host said: 550 No such user - psmtp
Giving up on 64.18.7.10.

<schnitz1@overboardart.com>:
173.194.68.27 does not like recipient.
Remote host said: 550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 w8si1903qag.18 - gsmtp
Giving up on 173.194.68.27.

<buirda@pacbell.net>:
207.115.36.23 does not like recipient.
Remote host said: 550 5.2.1 <buirda@pacbell.net>... Addressee unknown, relay=[174.142.62.210]
Giving up on 207.115.36.23.

<s.potter@pacbell.net>:
207.115.37.22 does not like recipient.
Remote host said: 550 5.2.1 <s.potter@pacbell.net>... Addressee unknown, relay=[174.142.62.210]
Giving up on 207.115.37.22.

<m_burgess77@pacbell.net>:
207.115.37.20 does not like recipient.
Remote host said: 550 5.2.1 <m_burgess77@pacbell.net>... Addressee unknown, relay=[174.142.62.210]
Giving up on 207.115.37.20.

<imay.dy.tow-308@pacbell.net>:
207.115.37.23 does not like recipient.
Remote host said: 550 5.2.1 <imay.dy.tow-308@pacbell.net>... Addressee unknown, relay=[174.142.62.210]
Giving up on 207.115.37.23.

<terrilll@pacbell.net>:
207.115.36.22 does not like recipient.
Remote host said: 550 5.2.1 <terrilll@pacbell.net>... Addressee unknown, relay=[174.142.62.210]
Giving up on 207.115.36.22.

<don@pacificachamber.org>:
74.205.16.140 does not like recipient.
Remote host said: 553 sorry, that domain isn't in my list of allowed rcpthosts; no valid cert for gatewaying (#5.7.1)
Giving up on 74.205.16.140.

<s-urked-y.2@pacbell.net>:
207.115.36.20 does not like recipient.
Remote host said: 550 5.2.1 <s-urked-y.2@pacbell.net>... Addressee unknown, relay=[174.142.62.210]
Giving up on 207.115.36.20.

<francesj@pacbell.net>:
207.115.37.21 does not like recipient.
Remote host said: 550 5.2.1 <francesj@pacbell.net>... Addressee unknown, relay=[174.142.62.210]
Giving up on 207.115.37.21.

<chester.hwang@pacific.net.sg>:
192.169.41.23 failed after I sent the message.
Remote host said: 554 qq Sorry, no valid recipients (#5.1.3)

--- Below this line is a copy of the message.

Return-Path: <tim@aaaaaa.com>
Received: (qmail 15962 invoked from network); 1 May 2013 06:49:34 -0400
Received: from exprod6mo107.postini.com (64.18.1.18)
  by psa.aaaaaa.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 1 May 2013 06:49:34 -0400
Received: from aaaaaa.com (exprod6lut001.postini.com [64.18.1.199])
    by exprod6mo107.postini.com (Postfix) with SMTP id 47F80B8CA4
    for <billy@bbbbbb.us>; Wed,  1 May 2013 03:49:33 -0700 (PDT)
From: "Support" <tim@aaaaaa.com>
To: billy@bbbbbb.us
Subject: Detected Potential Junk Mail
Date: Wed, 1 May 2013 03:49:33 -0700

Dear billy@bbbbbb.us,

junk mail protection service has detected
suspicious email message(s) since your last visit and directed them
to your Message Center.

You can inspect your suspicious email at:

...

UPDATE: After not seeing this problem for a while, I personally sent a message and immediately got a bounce with several bad addresses that I know I did not send to. These are addresses that are not on my system or on the server. This problem happens with both Mac and Windows clients and with messages generated from Postini and sent to users on my system.

This is NOT backscatter. If it was backscatter it would not have the contents of my message in it.


UPDATE #2

Here is another bounce. This one was sent by me and the bounce came back immediately.

Hi. This is the qmail-send program at psa.aaaaaa.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<yteceynst@rr.com>:
71.74.56.227 does not like recipient.
Remote host said: 550 5.1.1 <yteceynst@rr.com>... User unknown
Giving up on 71.74.56.227.

<asnead@roxboro.net>:
Connected to 208.34.236.3 but sender was rejected.
Remote host said: 550 5.7.1 This system is configured to reject mail from 174.142.62.210 [174.142.62.210] (Host blacklisted - Found on Realtime Black List server 'bl.mailspike.net')

<colinmacnair@rprnc.com>:
66.96.80.22 failed after I sent the message.
Remote host said: 552 sorry, mailbox colinmacnair@rprnc.com is over quota temporarily (#5.1.1)

<marcodp@romandie.com>:
83.145.109.52 does not like recipient.
Remote host said: 550 5.1.1 <marcodp@romandie.com>: Recipient address rejected: User unknown in virtual mailbox table
Giving up on 83.145.109.52.

<camrempel@sasktel.net>:
69.49.101.234 does not like recipient.
Remote host said: 550 5.7.1 <camrempel@sasktel.net>... H:M12 [174.142.62.210] Connection refused due to abuse. Please see http://mailspike.org/anubis/lookup.html or contact your E-mail provider.
Giving up on 69.49.101.234.

<sissi0@sapo.pt>:
212.55.154.36 does not like recipient.
Remote host said: 550-The account has been suspended for inactivity
550 A conta do destinatario encontra-se suspensa por inactividade (#5.2.1)
Giving up on 212.55.154.36.

<eugenehensley2@rumornews.com>:
199.168.90.102 failed after I sent the message.
Remote host said: 552 Transaction 51a9235e_ae8e3ed2@isp-inter.net failed, remote said "550 No such user" (#5.1.1)

<leolobo@sbcglobal.net>:
98.136.217.192 failed after I sent the message.
Remote host said: 554 delivery error: dd Sorry your message to leolobo@sbcglobal.net cannot be delivered. This account has been disabled or discontinued [#102]. - mta1210.sbc.mail.gq1.yahoo.com

--- Below this line is a copy of the message.

Return-Path: <tim@bbbbbb.com>
Received: (qmail 2618 invoked from network); 2 Jun 2013 22:32:51 -0400
Received: from 75-138-254-239.dhcp.jcsn.tn.charter.com (HELO ?192.168.0.66?) (75.138.254.239)
  by psa.aaaaaa.com with SMTP; 2 Jun 2013 22:32:48 -0400
User-Agent: Microsoft-Entourage/12.34.0.120813
Date: Sun, 02 Jun 2013 21:32:39 -0500
Subject: Refinance
From: Tim Duncklee <tim@bbbbbb.com>
To: Scott jones <sjones@cccccc.us>
Message-ID: <CDD16A79.67344%tim@bbbbbb.com>
Thread-Topic: Reference
Thread-Index: Ac5gAp2QmTs+LRv0SEOy7AJTX2DWzQ==
Mime-version: 1.0
Content-type: multipart/mixed;
    boundary="B_3453053568_12034440"

> This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

--B_3453053568_12034440
Content-type: multipart/related;
    boundary="B_3453053568_11982218"


--B_3453053568_11982218
Content-type: multipart/alternative;
    boundary="B_3453053568_12000660"


--B_3453053568_12000660
Content-type: text/plain;
    charset="ISO-8859-1"
Content-transfer-encoding: quoted-printable

Scott,

... email body here ...

Here are the relevant log entries:

Jun  2 22:32:50 psa qmail-queue[2616]: mail: all addreses are uncheckable - need to skip scanning (by deny mode)
Jun  2 22:32:50 psa qmail-queue[2616]: scan: the message(drweb.tmp.i2SY0n) sent by tim@bbbbbb.com to sjones@cccccc.us should be passed without checks, because contains uncheckable addresses
Jun  2 22:32:50 psa qmail-queue-handlers[2617]: Handlers Filter before-queue for qmail started ...
Jun  2 22:32:50 psa qmail-queue-handlers[2617]: from=tim@bbbbbb.com
Jun  2 22:32:50 psa qmail-queue-handlers[2617]: to=sjones@cccccc.us
Jun  2 22:32:50 psa qmail-queue-handlers[2617]: hook_dir = '/var/qmail//handlers/before-queue'
Jun  2 22:32:50 psa qmail-queue-handlers[2617]: recipient[3] = 'sjones@cccccc.us'
Jun  2 22:32:50 psa qmail-queue-handlers[2617]: handlers dir = '/var/qmail//handlers/before-queue/recipient/sjones@cccccc.us'
Jun  2 22:32:51 psa qmail: 1370226771.060211 starting delivery 57: msg 1540285 to remote ebay@ebay.com
Jun  2 22:32:51 psa qmail: 1370226771.060402 status: local 0/10 remote 1/20
Jun  2 22:32:51 psa qmail: 1370226771.060556 new msg 4915232
Jun  2 22:32:51 psa qmail: 1370226771.060671 info msg 4915232: bytes 687899 from <tim@bbbbbb.com> qp 2618 uid 2020
Jun  2 22:32:51 psa qmail-remote-handlers[2619]: Handlers Filter before-remote for qmail started ...
Jun  2 22:32:51 psa qmail-queue-handlers[2617]: starter: submitter[2618] exited normally
Jun  2 22:32:51 psa qmail-remote-handlers[2619]: from=
Jun  2 22:32:51 psa qmail-remote-handlers[2619]: to=ebay@ebay.com
Jun  2 22:32:51 psa qmail: 1370226771.078732 starting delivery 58: msg 4915232 to remote sjones@cccccc.us
Jun  2 22:32:51 psa qmail: 1370226771.078825 status: local 0/10 remote 2/20
Jun  2 22:32:51 psa qmail-remote-handlers[2621]: Handlers Filter before-remote for qmail started ...
Jun  2 22:32:51 psa qmail-remote-handlers[2621]: from=tim@bbbbbb.com
Jun  2 22:32:51 psa qmail-remote-handlers[2621]: to=sjones@cccccc.us
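The check the poster did by hand (compare the recipients listed in a qmail-send bounce against the `recipient[N] = '...'` and `to=` entries that qmail-queue-handlers wrote for the same message) can be scripted. The following is an added example, not code from the question or from Plesk/qmail; it parses the bounce format quoted above, lists bounced recipients that never appear in the queue-handlers log or in the To:/Cc: headers of the copied message, and collects the IP address the remote sites report as the sending host (the `relay=[...]` and blacklist notices). The sample bounce and log lines are constructed with documentation addresses, not taken from the post.

```python
import re

# Constructed sample bounce in the qmail-send format quoted in the question.
# Addresses and IPs are documentation placeholders, not data from the post.
SAMPLE_BOUNCE = """Hi. This is the qmail-send program at psa.example.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<nobody1@example.net>:
192.0.2.10 does not like recipient.
Remote host said: 550 5.2.1 <nobody1@example.net>... Addressee unknown, relay=[198.51.100.5]
Giving up on 192.0.2.10.

<nobody2@example.org>:
Connected to 192.0.2.20 but sender was rejected.
Remote host said: 550 5.7.1 This system is configured to reject mail from 198.51.100.5 [198.51.100.5] (Host blacklisted)

<real@example.us>:
192.0.2.30 failed after I sent the message.
Remote host said: 552 sorry, mailbox real@example.us is over quota temporarily (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <tim@example.com>
To: real@example.us
Subject: Refinance
"""

# Constructed qmail-queue-handlers lines in the format shown in the question.
SAMPLE_LOG = """Jun  2 22:32:50 psa qmail-queue-handlers[2617]: from=tim@example.com
Jun  2 22:32:50 psa qmail-queue-handlers[2617]: to=real@example.us
Jun  2 22:32:50 psa qmail-queue-handlers[2617]: recipient[3] = 'real@example.us'
"""

SEPARATOR = "--- Below this line is a copy of the message."
# One failure notice: "<rcpt>:" on its own line, then lines up to a blank line.
FAILURE_RE = re.compile(r"^<([^>\n]+)>:\n(.*?)(?=\n\n|\Z)", re.M | re.S)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
LOG_RCPT_RE = re.compile(r"(?:recipient\[\d+\] = '([^']+)'|\bto=(\S+))")
HEADER_RCPT_RE = re.compile(r"^(?:To|Cc):\s*(.+)$", re.M | re.I)
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def parse_bounce(text):
    """Split a qmail-send bounce into per-recipient failures and the copied message."""
    head, _, original = text.partition(SEPARATOR)
    failures = []
    for match in FAILURE_RE.finditer(head):
        rcpt, body = match.group(1), match.group(2)
        lines = body.splitlines()
        # First line names the remote MX ("1.2.3.4 does not like recipient." etc.).
        remote_ip = next(iter(IPV4_RE.findall(lines[0])), None) if lines else None
        response = next((l for l in lines if l.startswith("Remote host said:")), "")
        failures.append({
            "recipient": rcpt.lower(),
            "remote_ip": remote_ip,
            "response": response,
            # "Connected to X but sender was rejected" means the remote refused
            # our host/sender, not the recipient address.
            "sender_rejected": "sender was rejected" in body,
            # Any other IP in the remote's reply is how they saw our sending host.
            "seen_as": sorted(set(IPV4_RE.findall(response)) - {remote_ip}),
        })
    return failures, original.strip()


def logged_recipients(log_text):
    """Recipients qmail-queue-handlers recorded (to= and recipient[N]= lines)."""
    return {(m.group(1) or m.group(2)).lower() for m in LOG_RCPT_RE.finditer(log_text)}


def header_recipients(original_message):
    """Addresses in the To:/Cc: headers of the message copy inside the bounce."""
    found = set()
    for hdr in HEADER_RCPT_RE.findall(original_message):
        found.update(a.lower() for a in ADDR_RE.findall(hdr))
    return found


def report(bounce_text, log_text):
    failures, original = parse_bounce(bounce_text)
    logged = logged_recipients(log_text)
    in_headers = header_recipients(original)
    bounced = [f["recipient"] for f in failures]
    sender_flags = {}
    for f in failures:
        for ip in f["seen_as"]:
            sender_flags.setdefault(ip, []).append(f["response"])
    return {
        "bounced": bounced,
        "not_in_log": sorted(r for r in bounced if r not in logged),
        "not_in_headers": sorted(r for r in bounced if r not in in_headers),
        "sender_rejected": [f["recipient"] for f in failures if f["sender_rejected"]],
        "sending_host_seen_as": sender_flags,
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_BOUNCE, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real bounce and the matching slice of /usr/local/psa/var/log/maillog (the path is an assumption; use wherever qmail logs on the box): recipients in `not_in_log` were never accepted by this server's before-queue handlers for that message, and `sending_host_seen_as` tells you which IP the remote sites attribute the mail to, which is the first thing to compare with the server's own address.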

Best Answer

Are the actual destination email addresses in your (or your clients') address books? This kind of activity is frequently found when someone is trying to spoof your domain from the outside, purely for the effort of spamming. In other words, they've set up a rogue non-authoritative email server and are saying that they are you. If that's the case, you have no virus or server compromise.

If this is indeed the scenario, you might consider putting a strict SPF record in your DNS record (at the registrar), as well as enable DKIM and Reverse DNS for your authoritative servers. These measures tighten down the identity of your domains and emails and make it harder for domain spoofers to successfully deliver email to someone's inbox with your name (or your clients' names) on it, though it won't necessarily stop them from trying, and in the process you may still see bounced email reports.

In the cases of bounce email returns, it would suggest that the destination email address didn't exist, and they're just running a list through a volume email sender. Since they put your domain as the sender identity, it would naturally come to you or whoever they were spoofing.
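To see what a "strict SPF record" buys you in this scenario, here is an added example (not code from the answer or from any SPF library) of how a receiving site evaluates such a record against the IP that connected to it. It implements only the `ip4`, `ip6` and `all` mechanisms with their `+`, `-`, `~` and `?` qualifiers and does no DNS lookups, so mechanisms that need DNS (`include`, `a`, `mx`, `ptr`, `exists`, `redirect=`) are reported as `unsupported` rather than resolved; the record strings and IPs below are constructed documentation values.

```python
import ipaddress

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"include", "a", "mx", "ptr", "exists"}


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record against the IP that connected to the receiver.

    Only ip4/ip6/all are evaluated (no DNS); anything else returns 'unsupported'.
    Result is one of: pass, fail, softfail, neutral, none, permerror, unsupported.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record for this domain
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "permerror"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
            continue
        if name in NEEDS_DNS or name.startswith("redirect="):
            return "unsupported"
        return "permerror"  # unknown mechanism
    return "neutral"  # no mechanism matched and no "all" term (RFC 7208 section 4.7)


def receiver_would_reject(record, client_ip):
    """A receiver enforcing SPF refuses the envelope sender only on a hard 'fail'."""
    return evaluate_spf(record, client_ip) == "fail"


if __name__ == "__main__":
    # 203.0.113.10 stands in for the legitimate server; 198.51.100.5 for a spoofer.
    strict = "v=spf1 ip4:203.0.113.10 -all"
    for ip in ("203.0.113.10", "198.51.100.5"):
        print(ip, evaluate_spf(strict, ip), "reject" if receiver_would_reject(strict, ip) else "accept")
```

The difference between `-all` and `~all` is the whole point of "strict": with `~all` the spoofed mail softfails and most receivers still accept it (and still generate the bounces the question shows), whereas `-all` gives them a reason to refuse it at `MAIL FROM` time. SPF is checked against the envelope sender's domain and the connecting IP only, so it does nothing for mail that the remote sites never check, and it must list every host that legitimately sends for the domain or real mail will start failing too.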