Comments on: Finding compromised mail accounts in Plesk

By: trv

trv — Wed, 20 Aug 2008 18:44:07 +0000

sublime: nope, there is no smpt_auth lines in maillog neither.
In maillog, i can find only entries like this:

Aug 18 23:26:02 113513-web1 relaylock: /var/qmail/bin/relaylock: mail from {OFFENDING_IP}:1667 (not defined)

After this entry, there is the maillog for the message that is received by this IP, but can’t find how did it get there.

By: sublime

sublime — Thu, 07 Aug 2008 23:56:31 +0000

trv, madcat: Sometimes the smtp_auth entries are in the maillog rather than the messages log. Try looking in $PRODUCT_ROOT_D/var/log/maillog . $PRODUCT_ROOT_D is defined in /etc/psa/psa.conf (in RHEL country).

By: trv

trv — Mon, 14 Apr 2008 12:15:57 +0000

i’d like the answer to the madcat’s comments too! Any help?

By: madcat

madcat — Sat, 05 Apr 2008 00:09:50 +0000

I’ve done some more research, and it appears this might be due to people using STARTTLS . The traffic is encrypted, and the username used to login isn’t recorded anywhere that I can see. Does anybody know how to turn on logging for usernames when STARTTLS is used?

By: madcat

madcat — Thu, 03 Apr 2008 18:03:13 +0000

I’m not seeing the ’smtp_auth’ messages in /var/log/messages … In /var/log/secure, I am seeing

Mar 30 04:55:35 hostname xinetd[4220]: START: smtp pid=19223 from=XXX.YYY.53.75

(I changed the hostname and changed part of the IP address for privacy reasons)

Can anybody help drive another nail into spam’s coffin? I would love to get something juicy like “/var/qmail/mailnames/[DOMAIN]/[USER] logged in from unknown” … it would be nice to know which account(s) is/are compromised. Thanks.