Koozali.org: home of the SME Server

Obsolete Releases => SME Server 8.x => Topic started by: henrikmc on January 05, 2015, 01:33:08 PM

Title: SMTP Abuse?
Post by: henrikmc on January 05, 2015, 01:33:08 PM
Hello,

I need some help with SME 8.1 logs and where to look.
My internet provider has received complaints about spam coming from my IP address and mail server on a specific account.
I'm having a hard time finding the logins done to do this, but the qmail logs seem to indicate that it was sending out those emails at that time.
Can somebody point me in the right direction?
Title: Re: SMTP Abuse?
Post by: mmccarn on January 05, 2015, 01:58:53 PM
You need to look at the log files from qpsmtpd and sqpsmtpd.

This wiki page may help:
http://wiki.contribs.org/Mail_log_file_analysis

Title: Re: SMTP Abuse?
Post by: henrikmc on January 06, 2015, 12:37:32 PM
Great, that helped - found it in qpsmtpd.
I'm trying to figure out if a vulnerability or a compromised account was used to gain access and - one strange thing - the user is successfully authenticated in the form of <username@domain.com>; if I try that, it fails. All other successful auths are in the form <username>. :shock:
Title: Re: SMTP Abuse?
Post by: Stefano on January 06, 2015, 12:45:31 PM
Please post some log examples here, thank you :-)
Title: Re: SMTP Abuse?
Post by: henrikmc on January 06, 2015, 07:55:15 PM
I'm a bit reluctant about posting mail logs here with sensitive info if this turns out to be a security issue. What would be the proper way?
Title: Re: SMTP Abuse?
Post by: guest22 on January 06, 2015, 08:34:14 PM
Normally, log in to Bugzilla and tag it with security. If you're thinking it should be a 'for your eyes only' report, then send an email to security@contribs.org.