I run exim4, courrier-imap, and sqwebmail on my home server. For quite some time now, I've noticed a reoccurring file named "from" in my ${HOME}/Maildir/cur folder, owned and read/write only by root. I also notice, from time to time, root-owned files named "whatever" and "todd" in the same folder, which makes me think my machine might me compromised. They also have out-of-whack modification times.

I've disabled these three services, and the files have not re-appeared. I'm no security guru, but I don't even know where to start. Anyone have a clue as to where I should look first?

details:
Exim version 4.63 #1 built 20-Jan-2007 10:40:39
courier-imap 4.1.1.20060828-5
sqwebmail 0.53.3-5

thanks,

-dave

I found the problem.

Debian-etch version of procmail installs a default /etc/procmailrc that is very confusing. It contains code that will write a Maildir/from, Maildir/todd (?!) and Maildir/whatever file if you do not comment it out. I have my own ~/.procmailrc, and wasn't aware that it was automatically processing /etc/procmailrc.

I love Debian, but -10 points for this obvious oversight.

-d