Koozali.org: home of the SME Server

SMTP Abuse?

Offline henrikmc

SMTP Abuse?
« on: January 05, 2015, 01:33:08 PM »
Hello,

I need some help with SME 8.1 logs and where to look.
My internet provider has received complaints about spam coming from my IP address and mail server on a specific account.
I'm having a hard time finding the logins done to do this, but the qmail logs seem to indicate that it was at that time sending out those emails.
Can somebody point me in the right direction?

Offline mmccarn

Re: SMTP Abuse?
« Reply #1 on: January 05, 2015, 01:58:53 PM »
You need to look at the log files from qpsmtpd and sqpsmtpd.

This wiki page may help:
http://wiki.contribs.org/Mail_log_file_analysis


Offline henrikmc

Re: SMTP Abuse?
« Reply #2 on: January 06, 2015, 12:37:32 PM »
Great, that helped - found it in qpsmtpd.
I'm trying to figure out if a vulnerability or a compromised account was used to gain access and - one strange thing, the user is successfully authenticated in the form of <username@domain.com>; if I try that, it fails. All other successful auths are in the form <username>. :shock:
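
The pattern described in Reply #2 (one account authenticating as username@domain while every other success uses a bare username) can be surfaced mechanically. The following is an added example, not part of the thread and not SME Server code: the log line layout, `AUTH_RE`, the function names and all sample users and addresses are constructed, and the regex must be adapted to the lines your qpsmtpd/sqpsmtpd logs actually contain.

```python
import re
from collections import Counter

# Constructed line layout for this example, NOT real qpsmtpd output:
#   <date> <time> <pid> auth <success|failure> user=<login> ip=<client>
# Adapt AUTH_RE to the lines your qpsmtpd/sqpsmtpd logs actually contain.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \d+ auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample data (documentation-range addresses, made-up users).
SAMPLE_LOG = """\
2015-01-04 08:01:11 2101 auth success user=alice ip=192.0.2.10
2015-01-04 08:15:42 2107 auth success user=bob ip=192.0.2.11
2015-01-04 09:02:05 2133 auth failure user=erin@example.com ip=198.51.100.7
2015-01-04 09:30:19 2140 auth success user=alice ip=192.0.2.10
2015-01-04 11:47:53 2188 auth success user=carol ip=192.0.2.12
2015-01-05 02:14:08 2301 auth success user=dave@example.com ip=203.0.113.5
2015-01-05 02:14:51 2302 auth success user=dave@example.com ip=198.51.100.7
2015-01-05 08:03:27 2350 auth success user=bob ip=192.0.2.11
2015-01-05 08:20:00 2352 auth success user=carol ip=192.0.2.12
2015-01-05 09:11:36 2360 auth success user=alice ip=192.0.2.10
"""

def login_form(user):
    """Classify the login name as it was presented to the server."""
    return "user@domain" if "@" in user else "bare"

def unusual_logins(lines, max_share=0.25):
    """Map login -> count, source IPs, first_seen for successes in a rare name form."""
    events = [m.groupdict() for m in map(AUTH_RE.match, map(str.strip, lines))
              if m and m["result"] == "success"]
    forms = Counter(login_form(e["user"]) for e in events)
    # A form is "rare" when it accounts for at most max_share of all successes.
    rare = {f for f, n in forms.items() if n / len(events) <= max_share}
    hits = {}
    for e in events:
        if login_form(e["user"]) in rare:
            h = hits.setdefault(e["user"], {"count": 0, "ips": set(), "first_seen": e["ts"]})
            h["count"] += 1
            h["ips"].add(e["ip"])
    return hits

if __name__ == "__main__":
    for user, h in unusual_logins(SAMPLE_LOG.splitlines()).items():
        print(user, h["count"], sorted(h["ips"]), h["first_seen"])
```

The source addresses and first-seen time of each flagged login give the window to compare against the outbound qmail activity.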

Offline Stefano

Re: SMTP Abuse?
« Reply #3 on: January 06, 2015, 12:45:31 PM »
Please post some log examples here, thank you :-)

Offline henrikmc

Re: SMTP Abuse?
« Reply #4 on: January 06, 2015, 07:55:15 PM »
I'm a bit reluctant about posting mail logs here with sensitive info if this turns out to be a security issue. What would be the proper way?

guest22

Re: SMTP Abuse?
« Reply #5 on: January 06, 2015, 08:34:14 PM »
Normally, log in to Bugzilla and tag it with security. If you're thinking it should be a 'for your eyes only' report, then send an email to security@contribs.org.