The submission entries outside the US could very well be from hacked accounts.

I'm finding a surprising number of compromised accounts (once a week?), 
including users with good passwords, so I have to assume they're snooped on 
public wireless, or their computers are compromised by malware of some sort.

The vchkpw-smtp entries from outside the US are probably also hacked accounts, 
since mail received from remote servers doesn't include authentication.  Sorry 
I wasn't thinking clearly in my previous response -- I forgot these were vchkpw 
entries and are only related to authentication.  I was thinking about qmail 
logs.

-Tom


On Mar 4, 2014, at 10:43 PM, LHTek wrote:

> Thanks for the reply.
> 
> NOTE: None of my users will have sent anything from outside the US.
> 
> I've got some log entries for vchkpw-submission (marked as successful in the 
> log) with non-US IPs (Russia, Egypt, Hong Kong, etc). In my analysis I'm 
> marking those entries as hacked accounts.
> 
> From what I read from your response, vchkpw-smtp (marked as successful in the 
> log) entries could be mail sent TO my server FROM another server on port 25. 
> That tells me those are probably safe submissions - even if they are from 
> overseas IPs. Am I thinking correctly?
> 
> 
> 
> 
> From: Tom Collins <t...@tomlogic.com>
> To: vchkpw@inter7.com 
> Sent: Wednesday, March 5, 2014 12:02 AM
> Subject: Re: [vchkpw] Qmail maillog vchkpw-submission vs vchkpw-smtp
> 
> vchkpw-submission is on port 587, and is typically used for email clients 
> relaying mail.  It's often set up to require authentication.
> 
> vchkpw-smtp is on port 25, and can be used for email clients to relay mail, 
> or by other servers delivering mail to your server.
> 
> -Tom
> 
> 
> On Mar 4, 2014, at 9:41 PM, LHTek wrote:
> 
>> In the /var/log/maillog file what is the difference between these 2 entries 
>> (vchkpw-submission, vchkpw-smtp)?
>> 
>> example:
>> Mar  4 17:27:03 michael vpopmail[14701]: vchkpw-submission: (PLAIN) login success t...@domain.com:64.185.3.238
>> Mar  4 10:54:42 michael vpopmail[29027]: vchkpw-smtp: (PLAIN) login success t...@domain.com:64.57.239.114
>> 
>> 
> 
> 
> 
> 
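
Added example, not part of the original thread: a Python sketch of the check discussed above, which flags every successful vchkpw login (submission or smtp, since both are authentication records) whose source address is outside the networks users are expected to log in from. The allowlist of networks stands in for a GeoIP country lookup and, like the sample log lines and account names, is constructed for illustration; only IPv4 addresses are handled.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the vpopmail success lines in the format quoted in the thread.
LOGIN_RE = re.compile(
    r"vpopmail\[\d+\]: (?P<service>vchkpw-[\w-]+): \((?P<mech>[^)]+)\) "
    r"login success (?P<account>\S+):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Assumption: networks your users really log in from (stand-in for a GeoIP
# country lookup). Documentation ranges, constructed for this example.
EXPECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample lines; accounts and addresses are not from the thread.
SAMPLE_LOG = """\
Mar  4 17:27:03 michael vpopmail[14701]: vchkpw-submission: (PLAIN) login success alice@example.com:192.0.2.10
Mar  4 17:30:11 michael vpopmail[14710]: vchkpw-submission: (PLAIN) login success bob@example.com:203.0.113.77
Mar  4 17:31:40 michael vpopmail[14722]: vchkpw-smtp: (PLAIN) login success bob@example.com:198.51.100.5
Mar  4 17:32:02 michael vpopmail[14730]: vchkpw-smtp: (PLAIN) login success alice@example.com:192.0.2.44
Mar  4 17:33:15 michael qmail: 1393975995.123456 new msg 12345
"""

def unexpected_logins(lines, expected_nets=EXPECTED_NETS):
    """Map account -> [(service, ip)] for successful logins from outside expected_nets."""
    flagged = defaultdict(list)
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a vchkpw success line (e.g. qmail delivery logs)
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        if not any(ip in net for net in expected_nets):
            flagged[m["account"]].append((m["service"], str(ip)))
    return dict(flagged)

if __name__ == "__main__":
    for account, hits in unexpected_logins(SAMPLE_LOG.splitlines()).items():
        print(account, hits)
```

An account that appears here under both services from different unexpected addresses is a stronger signal than a single hit, which may just be a travelling user.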


