I just notice this /var/export/email folder in version 2.2.2 and very odd permission setting for it
owner had no Read , but had Wright , Execute. and user had "T" as a last bit of permission .
I assume this is compromised site as of now. but i like to know if this folders are normal folders within magento .
Here's a guide on what permissions should be set in Magento http://devdocs.magento.com/guides/v2.0/config-guide/prod/prod_file-sys-perms.html.
This alone is unlikely to indicate the server is compromised. It could just be a misconfiguration.
I've noticed this too, so I doubt both our sites are compromised in the same way. I believe it is a bug in Magento 2.2.2 where it creates this directory.
Magento 2.2 and somehow this folder appear twice already (and messed with our releaser :/ ). This happend on test server so it's unlikely this was caused by attack by third party.
d-wxr-sr-T 3 user group 4096 Apr 1 02:00 export