Not being versed in Qmail’s intricacies, I have no idea of whether the answer I am seeking is buried in it but someone went to a lot of trouble up until a couple of years ago to track down all reported issues with Qmail. Qmail bugs is an interesting read.

If you are curious about what the exploit looks like, I did finally find someone who reported it last month. To date, no one has replied in that forum with any information.

What a Qmail spam exploit looks like

It ain’t pretty.

But the most widely known (and criticized) exploit appears to be based on bouncing messages off a Qmail server. I THINK I have now blocked that one too with the white listing through hosts.deny and hosts.allow but this is such a pain to keep up with. I’ve already added more than 150 domains to the list and I am sure a large percentage of people who could once reach me via email will no longer be able to unless they use the Xenite contact form.