Hi all. I'm not sure this is the right ML, so if it is not I apologize
and please point me in the right direction. Thanks!
I have a qmail server (qmail, vpopmail, no mysql). I have some 500
client email accounts distributed over some 30 domain names. I'm
having serious SPAM problems in the sense that some spammer is using
legit username/pw combinations to authenticate and send his/her
garbage. I can't, for the life of me, determine which accounts are
suspect or are compromised. On my system, mail.log (/var/log/mail/log)
provides good info for pop and spamd activity, showing what user
a pop connection is opened and closed for, like so:
Feb 21 14:48:57 sjo pop3d: Connection, ip=[::ffff:190.10.14.44]
Feb 21 14:48:57 sjo pop3d: LOGIN, [EMAIL PROTECTED], ip=[::ffff:190.10.14.44]
Feb 21 14:48:57 sjo pop3d: LOGOUT, [EMAIL PROTECTED], ip=[::ffff:190.10.14.44], top=0, retr=0, rcvd=12, sent=39, time=0
Since I am interested in smtp though, I look at
/var/log/qmail/smtpd/current and find that the info only tells me the
connecting IP, target IP and status info:
@4000000045dccd01188edb8c tcpserver: pid 4555 from 82.237.85.167
@4000000045dccd01188ffc9c tcpserver: ok 4555 sjo.sinapsisglobal.com:66.228.222.190:25 :82.237.85.167::4430
@4000000045dccd020d221944 tcpserver: end 4551 status 0
@4000000045dccd020d2228e4 tcpserver: status: 12/120
@4000000045dccd021e11902c tcpserver: end 4555 status 256
Is there any way to configure the smtp log to show which account is
being logged in or auth'ed to send, sort of like what the pop log shows?
Any help will be immensely appreciated.
Max
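
An added example, not part of the original post: a small parser for the tcpserver lines quoted above that pairs each "pid N from IP" line with its "end N status S" line and counts finished SMTP connections per remote IP, which helps narrow down which hosts are sending. It does not reveal the authenticated account; the function names and the record layout are assumptions made for this sketch.

```python
import re
from collections import Counter

# Log lines copied from the post above (the wrapped "ok" line is rejoined).
SAMPLE = """\
@4000000045dccd01188edb8c tcpserver: pid 4555 from 82.237.85.167
@4000000045dccd01188ffc9c tcpserver: ok 4555 sjo.sinapsisglobal.com:66.228.222.190:25 :82.237.85.167::4430
@4000000045dccd020d221944 tcpserver: end 4551 status 0
@4000000045dccd020d2228e4 tcpserver: status: 12/120
@4000000045dccd021e11902c tcpserver: end 4555 status 256
"""

# Only the "pid" (connection opened) and "end" (connection closed) lines are needed.
LINE = re.compile(
    r"^@([0-9a-f]{24}) tcpserver: (pid|end) (\d+) (?:from (\S+)|status (\d+))$"
)


def tai64n_to_unix(label):
    """Seconds field of a TAI64N label as Unix time (TAI-UTC offset ignored)."""
    return int(label[:16], 16) - (1 << 62)


def parse_connections(text):
    """Return one record per connection whose start and end are both in the log."""
    open_conns, done = {}, []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # "ok" and "status:" lines add nothing needed here
        label, kind, pid, ip, status = m.groups()
        ts = tai64n_to_unix(label)
        if kind == "pid" and ip is not None:
            open_conns[pid] = {"pid": int(pid), "ip": ip, "start": ts}
        elif kind == "end" and status is not None and pid in open_conns:
            # An "end" for a pid opened before the excerpt starts is skipped.
            rec = open_conns.pop(pid)
            rec.update(end=ts, status=int(status))
            done.append(rec)
    return done


def connections_per_ip(records):
    """Count finished connections per remote IP."""
    return Counter(r["ip"] for r in records)


if __name__ == "__main__":
    for ip, n in connections_per_ip(parse_connections(SAMPLE)).most_common():
        print(ip, n)
```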