Weird Imap shared folders started to appear
  • #367955
    bighusky
    Participant

    Hi

    since the end of November we have found new folders being created in the
    /var/spool/imap folder (which in turn then show up as shared folders)

    This is an example of the current directory:

    [CODE]mail3:/var/spool/imap root# ls
    +_-bhjiv +_-fywbk +_-muq +_-uztpqq stage.
    +_-djbqq +_-lqp +_-ooyf +_-yxuqk user
    +_-egwha +_-makzz +_-rmvax +_-zepy
    +_-esqkfs +_-msrwu +_-swl +_-zihqtl
    [/CODE]

    each of these ‘weird’ folders contains:

    [CODE]mail3:/var/spool/imap root# ls -lisa +_-bhjiv/
    total 24
    155002034 0 drwx------ 5 cyrusima mail 170 Nov 28 22:31 .
    198256 0 drwxr-xr-x 20 cyrusima mail 680 Jan 2 09:40 ..
    155002037 8 -rw------- 1 cyrusima mail 4 Nov 28 22:31 cyrus.cache
    155002041 8 -rw------- 1 cyrusima mail 154 Nov 28 22:31 cyrus.header
    155002036 8 -rw------- 1 cyrusima mail 76 Nov 28 22:31 cyrus.index
    [/CODE]

    and here is what is in the cyrus.header file:

    [CODE]mail3:/var/spool/imap root# cat +_-bhjiv/cyrus.header
    Cyrus mailbox header
    "The best thing about this system was that it had lots of goals."
    --Jim Morris on Andrew
    +_-bhjiv 550a3cb4456d2947

    anyone lrs
    [/CODE]

    Not sure if one of the last Mac OS X Server Updates (Mac OS X Server Tiger 10.4.x with all latest updates) was the source of starting this issue.

    Even if it is nothing to worry about we sure would like to know what is causing the creation of these folders in the /var/spool/imap directory and if there is a way to either prevent it or move them somewhere else so they don’t show up in the users folder structure. Can we delete them without causing possible issues (but what will prevent their re-creation)?

    Tried to look it up on google and forums like this one but searching for “+_-” is not very easy 🙂

    Thanks for any information/help

    BH

    #367965
    Sensei
    Participant

    This issue is happening to me too since the 10.4.8 upgrade, and I tried to delete the shared folder using the [b]SirAdmin[/b] utility/app but it didn’t work. Anybody know how to properly delete stubborn shared folders without breaking anything, using [b]cyradmin[/b] instead?
    (BTW this issue has been brought up in the Apple Discussion Boards also.)

    #367966
    bighusky
    Participant

    It’s because the folder doesn’t have the proper permissions.

    If you do an lam 'Shared Folders/+_-duhd' you will see something like:

    anyone lrs

    now issue the following:

    sam 'Shared Folders/+_-duhd' anyone all

    now the output of lam 'Shared Folders/+_-duhd' should look like:

    anyone lrswipcda

    At this point you can delete the folder with:

    dm 'Shared Folders/+_-duhd'

    Still would like to know what is actually creating these.

    Hope this helps

    BH

    #368383
    petersaywhat
    Participant

    Does anyone know what is causing these folders to appear in the first place?

    We recently had an episode where a spammer was spoofing our domain using for example [email protected]. As a result we were receiving a bunch of bounced emails for a few days addressed to that address. I then stumbled upon a folder in the same directory as the previous posts with the name ^_-ghjskeh. This is obviously related but I’m not sure how it happened. Any insight would be most helpful.

    Thanks.

    #368471
    bighusky
    Participant

    Sadly so far no one has been able to come up with an explanation on why this is happening.
    It sure is annoying, and as for us, it had started with +_-; now, since last week, they have changed to ._-

    Currently we have set up a cron job to remove those newly created folders every 15 minutes.

    We are going to build a generic linux/freebsd box to replace the whole apple server setup as it has proven to have too many ‘little’ issues like that and for our production server this is no longer acceptable.

    BH

    #369186
    pwharff
    Participant

    I too am experiencing this problem. In addition, I had a similar problem with a particular spammer blasting our server with SPAM and had to implement Alex’s Frontline Defense from osX.FrontDesk.com.

    Any updates on how to fix this?

    #369896
    mcclint
    Participant

    “Me too!”

    but my odd folders are named ^_-gibberish and I’ve got about 100 of them. I don’t know when this started, but I just happened to discover it today after running mailbfr and I saw these folder names in the mailbfr log.

    It really is unfortunate that you can’t do a google search for non-alphanumerics.

    #378349
    geekpak
    Participant

    So my hope is that anyone having issues with “Shared Folders” appearing in IMAP will read the following:

    Solution:
    1. DO NOT manually delete these directories from /var/spool/imap/
    2. Use either cyradm or get SirAdmin to do the following:

    a. reconstruct the mailbox (if not using SirAdmin: /usr/bin/cyrus/bin/reconstruct -r -f MAILBOXNAME)
    b. apply Access Control Lists for your admin user (if not using SirAdmin sam Shared\ Folders/MAILBOXNAME YOURADMINUSER all)
    c. delete the mailbox in question (if not using SirAdmin dam Shared\ Folders/MAILBOXNAME anyone)
    If you did accidentally delete these at the command-line like I did then do the following:

    mkdir DIRECTORYNAME
    chown -R _cyrus DIRECTORYNAME
    and then do steps 1 and 2 above.

    One final note: I spent several hours trying to get both the command-line and SirAdmin to work. My errant mailboxes were created by spammers. So they showed up like this:

    ._-levy
    but when referring to them in the cyradm tool use the name as it appears on the filesystem:
    ^_-levy

    Additional notes:
    If you don’t have an admin user that can log in using SirAdmin or cyradm, check out this article: https://www.afp548.com/article.php?story=20060128151535780

    Finally, to prevent exploitation of this bug by spammers try (I have not confirmed if this eliminates the problem, but I wanted to post all relevant points I found when tracking this issue down):

    To avoid these folders being created again, make sure you do not accept mail for unknown users and that “local_recipient_maps” inside /etc/postfix/main.cf is not empty. If it is, either remove it or set it to:
    local_recipient_maps = proxy:unix:passwd.byname $alias_maps

    I hope this saves you the 8 hours we wasted today on this issue.
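
A read-only audit for the two conditions discussed in this thread, as an added example that is not part of any poster's message: it lists top-level spool directories using the `+_-`, `^_-` or `._-` naming reported above, and reports whether `local_recipient_maps` is explicitly empty in a main.cf. The function names and the `--run` switch are assumptions made for illustration; nothing is deleted or modified.

```sh
#!/bin/sh
# Added example: read-only checks, nothing is deleted or changed.

# Print the names of top-level directories in the Cyrus spool that match
# the naming seen in this thread: one of + ^ . followed by "_-" and a suffix.
list_suspect_mailboxes() {
    spool=${1:-/var/spool/imap}
    for d in "$spool"/* "$spool"/.[!.]*; do
        [ -d "$d" ] || continue          # skip files and unmatched globs
        name=${d##*/}
        case $name in
            [+^.]_-?*) printf '%s\n' "$name" ;;
        esac
    done | LC_ALL=C sort
}

# Print "empty", "set" or "unset" for local_recipient_maps in a main.cf.
# "empty" is the case the last post warns about: Postfix then accepts mail
# for local recipients that do not exist.
recipient_maps_state() {
    cf=${1:-/etc/postfix/main.cf}
    awk '
        /^[ \t]*(#|$)/ { next }                    # comments, blank lines
        /^local_recipient_maps[ \t]*=/ {           # last definition wins
            found = 1; cont = 1
            sub(/^[^=]*=[ \t]*/, ""); val = $0; next
        }
        cont && /^[ \t]+[^ \t]/ { val = val " " $0; next }  # continuation
        { cont = 0 }
        END {
            gsub(/[ \t]/, "", val)
            if (!found)         print "unset"
            else if (val == "") print "empty"
            else                print "set"
        }
    ' "$cf"
}

# Run against the live paths only when asked to: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "Suspect spool directories:"
    list_suspect_mailboxes /var/spool/imap
    echo "local_recipient_maps: $(recipient_maps_state /etc/postfix/main.cf)"
fi
```

The output is a list to review and then handle through cyradm or SirAdmin as described in the post above, not input for `rm`.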
