I’m gonna be honest here, I have no clue how to word this thread, or what I need to provide to receive help. All I know is that Discourse sent 18K+ emails and failed to send 7K+ emails (after my Amazon SES was frozen for having such a high bounce rate, ~20%). It also looks like it’s still trying to send 500+ emails.
Conclusion: Port 53 was open, even though I didn’t ever install a nameserver. Guess it got hacked. (Even if Sidekiq was listing all of the processes, I know it’s hacked still.)
There’s only been 23 emails sent ever when I go there.
EDIT: The day this happened was April 10th (just now figured out it was Discourse that sent the emails), and there’s not a single email on there from the 10th.
Also just found this, under the retries tab on the Sidekiq dashboard, the arguments are all something like this: {"type"=>"digest", "user_id"=>11, "current_site_id"=>"default"}
Perhaps someone got your SMTP password and sent from somewhere else? Perhaps they hacked your server (is it protected by a password and you don’t have fail2ban?). Something like that.
There’s pretty much zero chance that Discourse has anything to do with it.
You should probably set up a new server and migrate Discourse there.
It may be surprising, but it’s not hard to edit logs. Or install a rootkit that does it. The addresses you’re sending to don’t exist in Discourse, right? So it didn’t send the messages.
It’s almost certain that you’ve been hacked.
Do you log in with a password? Do you have fail2ban?
Google for how to see what ports are open and see if anything other than 22, 80, and 443 is open.
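The port check suggested above, as an added example that is not part of any post in this thread: it filters `ss -H -tuln` style output down to listeners that are reachable from outside and are not on 22, 80 or 443. The sample lines are constructed, and loopback-only sockets (such as the systemd-resolved stub on 127.0.0.53) are skipped because they are not exposed to the network.

```shell
#!/bin/sh
# Added example: flag listening sockets outside the allowlist named in the thread.
ALLOWED_PORTS="22 80 443"

# Constructed sample in the column layout of `ss -H -tuln`
# (Netid State Recv-Q Send-Q Local:Port Peer:Port); not taken from the poster's server.
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      10           0.0.0.0:53        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
EOF
}

# Reads ss-style lines on stdin, prints "proto address port" for every
# non-loopback listener whose port is not in ALLOWED_PORTS.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 5 {
            sock = $5
            port = sock; sub(/.*:/, "", port)        # text after the last colon
            if (port !~ /^[0-9]+$/) next              # header line or wildcard port
            addr = substr(sock, 1, length(sock) - length(port) - 1)
            sub(/%.*/, "", addr)                      # drop interface scope, e.g. %lo
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only, not exposed
            if (port in ok) next                      # expected service port
            print $1, addr, port
        }'
}

# Demo on the constructed sample; prints the two externally bound port-53 sockets.
sample_ss_output | unexpected_listeners
```

On a live host the same filter is fed with `ss -H -tuln | unexpected_listeners`; running `ss -tulnp` as root additionally shows which process owns each socket.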
The only port other than 22, 80, and 443 that’s open is 53. And I don’t know what fail2ban is, but I’ll look into it and try to increase security. I assume I should go ahead and close port 53?
The screenshot in your first post looks very much like Sidekiq - which processes jobs for all sorts of things besides email. Is that screenshot where you’re getting the 18k email count from?