Security issue or bug in Directadmin or something?

Richard G (Verified User, Maastricht; joined Jul 6, 2008)
I received this message this morning:

Subject: 10 updates available for server.someserver.com

DirectAdmin 1.42.1 to 1.43.3 update is available.
Apache 2.2.23 to 2.2.25 update is available.
ProFTPD 1.3.4b to 1.3.4d update is available.
cURL 7.28.1 to 7.32.0 update is available.
FreeType 2.4.11 to 2.5.0 update is available.
Dovecot 2.1.12 to 2.2.4 update is available.
MySQL 5.5.29 to 5.5.33 update is available.
PHP5 (CLI) 5.3.20 to 5.3.27 update is available.
RoundCube webmail 0.8.4 to 0.9.4 update is available.
phpMyAdmin 3.5.5-all-languages to 3.5.8.2-all-languages update is available.

Now let's have a laugh.
The hostname of that server isn't server.someserver.com but server15.mydomain.com. We own the domain someserver.com, but it is nowhere present on that server.

All these versions, except for webmail and phpMyAdmin, were already up to date; for example, Apache 2.2.25 was already running on that machine.

So my questions are:
1.) Why is the DA cronjob sending this message, while only RoundCube and phpMyAdmin needed updates?
2.) Where is the cronjob getting this hostname from, because it's completely the wrong hostname? The headers of the email also say it's coming from server.someserver.com, but we don't have any server with that hostname, and never had one with that hostname either.

This is the header of that notification mail:
Code:
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Mon, 09 Sep 2013 02:25:31 +0200
Received: from mail by server15.mydomain.com with spam-scanned (Exim 4.80.1)
	(envelope-from <[email protected]>)

So the return-path and envelope-from addresses are wrong, and, as you can see from the real hostname (server15.mydomain.com), it's sent from the correct server. How can this happen?

I checked the custombuild crontab:
Code:
#!/bin/sh
cd /usr/local/directadmin/custombuild
# Refresh the version list silently, then count how many "update is available." lines it reports
./build update >/dev/null 2>&1
AVAIL_UPDATES="`./build versions_nobold | grep -c -e 'update is available.'`"
if [ "${AVAIL_UPDATES}" -gt 0 ]; then
# Mail the list; the subject uses the local hostname, i.e. whatever `hostname` returns on the box that runs the job
./build versions_nobold | grep 'update is available.' | mail -s "${AVAIL_UPDATES} updates available for `hostname`" [email protected]
# Only the web applications (RoundCube, phpMyAdmin, ...) are updated automatically
./build update_webapps
fi
exit 0;

And checked my hostname:
[root@server15: /etc/cron.daily]# hostname
server15.mydomain.com
So the DA installation must be doing something wrong.
 
Fixed.
For some reason a directory called Maildir was present in /root, and after I deleted it the problem was over.
The Maildir directory was empty though, and I still don't have a clue how or where the server found that hostname, which isn't used by us and whose domain name is only present as a pointer on a completely different server.
 
Correction, it seemed I overlooked the IP. And the mail came from another server, which the old host had not reinstalled before renting it out, but had just started up.
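The lesson of the thread is that the subject line and the envelope-from only repeat what the sending box believes its hostname is; the Received: headers are the only record of which machine actually handed the message over. The script below is an added example, not code from the thread or from DirectAdmin: it parses the Received: chain the way a practitioner would when checking a suspicious notification, walks the hops in delivery order and reports the host and IP where the message entered the mail system. The two sample messages, the Exim hop that carries an IP and the address 203.0.113.45 are constructed for this example; the real headers in the thread do not show the relaying hop.

```python
"""Trace where a notification mail really came from, using its Received: headers."""
import re
from email import message_from_string

# Constructed sample: a forgotten second box (server.someserver.com) runs the same
# cron job and relays its mail through server15.mydomain.com, which then delivers it.
# The IP is from the documentation range and is not from the thread.
RELAYED_SAMPLE = """\
Return-path: <root@server.someserver.com>
Envelope-to: admin@mydomain.com
Delivery-date: Mon, 09 Sep 2013 02:25:31 +0200
Received: from mail by server15.mydomain.com with spam-scanned (Exim 4.80.1)
\t(envelope-from <root@server.someserver.com>)
Received: from server.someserver.com ([203.0.113.45]) by server15.mydomain.com
\twith esmtp (Exim 4.80.1) (envelope-from <root@server.someserver.com>)
Received: from root by server.someserver.com with local (Exim 4.80.1)
\t(envelope-from <root@server.someserver.com>)
Subject: 10 updates available for server.someserver.com
From: root@server.someserver.com
To: admin@mydomain.com

DirectAdmin 1.42.1 to 1.43.3 update is available.
"""

# Constructed sample: the same notification generated on server15 itself.
LOCAL_SAMPLE = """\
Return-path: <root@server15.mydomain.com>
Received: from mail by server15.mydomain.com with spam-scanned (Exim 4.80.1)
\t(envelope-from <root@server15.mydomain.com>)
Received: from root by server15.mydomain.com with local (Exim 4.80.1)
\t(envelope-from <root@server15.mydomain.com>)
Subject: 2 updates available for server15.mydomain.com

RoundCube webmail 0.8.4 to 0.9.4 update is available.
"""

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"             # name the sender announced, or a local user
    r"(?:\s+\((?P<comment>[^)]*)\))?"   # optional "(rdns [ip])" added by the receiving MTA
    r"\s+by\s+(?P<by>\S+)"              # the MTA that wrote this header
    r"(?:\s+with\s+(?P<with>\S+))?"     # transport keyword: local, esmtp, spam-scanned, ...
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Return the Received: hops in delivery order (oldest first).

    MTAs prepend Received: headers, so the last one in the message is the first hop.
    Folded header lines are collapsed to single spaces before matching.
    """
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())
        m = HOP_RE.match(value)
        if not m:
            continue  # unparseable hop: skip rather than guess
        ip = None
        if m.group("comment"):
            ipm = IP_RE.search(m.group("comment"))
            ip = ipm.group(1) if ipm else None
        hops.append({"from": m.group("helo"), "ip": ip,
                     "by": m.group("by"), "with": m.group("with")})
    return hops


def origin(raw):
    """(host, ip) where the message entered the mail system, or None.

    A first hop without an IP ("from root by X with local") means the message was
    injected on host X itself; the IP, if any hop recorded one, is the address the
    first relaying MTA saw, which is the fact the thread's author overlooked.
    """
    hops = parse_hops(raw)
    if not hops:
        return None
    first = hops[0]
    host = first["by"] if first["ip"] is None else first["from"]
    ip = next((h["ip"] for h in hops if h["ip"]), None)
    return host, ip


def came_from(raw, expected_host):
    """True only if the first hop was on expected_host; the Subject: is ignored."""
    o = origin(raw)
    return o is not None and o[0] == expected_host


if __name__ == "__main__":
    for name, sample in (("relayed", RELAYED_SAMPLE), ("local", LOCAL_SAMPLE)):
        print(name, origin(sample), came_from(sample, "server15.mydomain.com"))
```

The check deliberately trusts only the `by` host of the first hop and the bracketed IP recorded by the next MTA, because the HELO name, the envelope sender and the subject are all chosen by the sending machine. Run against the real headers from a mail like the one in the thread, the relayed case would have pointed at the forgotten box's IP immediately, which is exactly what resolved the question.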
 