Michael, you are a star - found the culprit. A client who is a siteadmin had set up a user on BQ before we moved up to BX. This user account had a very simple password.
found account and removed.

cheers
pete

On 24/03/2010 14:21, Michael Stauber wrote:
> Hi Peter,
>
>> Is there any way of working out which account has sent the email from
>> roundcube?
>
> Yes. Check /var/log/maillog. RoundCube uses SMTP-Auth to authenticate against
> the MTA when it sends emails. So the username of the account sending the
> emails is logged.
>
> Below is an example where user "admin" sent an Email via RoundCube:
>
> 1.) IMAP login of user "admin" as he logged into RoundCube:
>
> Mar 24 15:12:19 cbx dovecot: imap-login: Login: user=<admin>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
>
> 2.) User "admin" sends a message:
>
> Mar 24 15:12:20 cbx sendmail[26191]: STARTTLS=server, relay=localhost [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
> Mar 24 15:12:20 cbx sendmail[26191]: AUTH=server, relay=localhost [127.0.0.1], authid=admin, mech=PLAIN, bits=0
>
> 3.) Said message is being processed:
>
> Mar 24 15:12:20 cbx milter-greylist: User admin authenticated, bypassing greylisting
> Mar 24 15:12:20 cbx sendmail[26191]: o2OECJls026191: from=<[email protected]>, size=328, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
>
> So if you suspect RoundCube being the culprit (i.e.: user with weak password
> had his account details guessed and someone is now using the installed
> RoundCube with those details), then you could grep the maillog for these
> lines:
>
> cat /var/log/maillog | grep "AUTH=server" |grep "authid="
>
> That ought to list all SMTP-Auth'ed logins to Sendmail. If that also shows
> legitimate remote connections from dialup users, you may want to trim it down
> further to show only SMTP-Auth connections from localhost:
>
> cat /var/log/maillog | grep "AUTH=server" |grep "authid=" |grep "relay=localhost"
>
> Which should list only the RoundCube logins to SMTP-Auth.
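Building on the grep pipeline quoted above, the following is an added example (not part of the original thread) that summarises localhost SMTP-Auth sessions per `authid` and sums the `nrcpts` of the messages each one submitted, so the abused account stands out. The function names `webmail_senders` and `sample_log` are hypothetical, the sample log lines are constructed in the format shown in the thread, and tying messages to a login by sendmail PID is a heuristic, since PIDs can be reused over a long log.

```shell
#!/bin/sh
# Added example: rank accounts by mail submitted through localhost SMTP-Auth (webmail).
# Output columns: authid sessions messages recipients, busiest first.
webmail_senders() {
    awk '
    function field(key,   s) {          # value of key=... up to the next comma or space
        if (!match($0, key "=[^, ]+")) return ""
        s = substr($0, RSTART, RLENGTH)
        return substr(s, length(key) + 2)
    }
    function pid(   s) {                # PID out of "sendmail[PID]"
        if (!match($0, /sendmail\[[0-9]+\]/)) return ""
        s = substr($0, RSTART, RLENGTH)
        return substr(s, 10, length(s) - 10)
    }
    # SMTP-Auth login arriving from localhost: remember which PID belongs to which user.
    /AUTH=server/ && /relay=localhost \[127\.0\.0\.1\]/ {
        user = field("authid"); p = pid()
        if (user != "" && p != "") { owner[p] = user; sessions[user]++ }
        next
    }
    # Message accepted in the same sendmail process: charge it to that user.
    / from=/ && /nrcpts=/ && /relay=localhost \[127\.0\.0\.1\]/ {
        p = pid()
        if (p in owner) { u = owner[p]; msgs[u]++; rcpts[u] += field("nrcpts") }
    }
    END { for (u in sessions) printf "%s %d %d %d\n", u, sessions[u], msgs[u], rcpts[u] }
    ' "$@" | sort -k4,4nr -k1,1
}

# Constructed sample input (hostnames, users and queue IDs are made up).
sample_log() {
cat <<'EOF'
Mar 24 15:12:20 cbx sendmail[26191]: AUTH=server, relay=localhost [127.0.0.1], authid=admin, mech=PLAIN, bits=0
Mar 24 15:12:20 cbx sendmail[26191]: o2OECJls026191: from=<admin@example.test>, size=328, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar 24 15:20:01 cbx sendmail[26300]: AUTH=server, relay=localhost [127.0.0.1], authid=weakuser, mech=PLAIN, bits=0
Mar 24 15:20:01 cbx sendmail[26300]: o2OEK1aa026300: from=<weakuser@example.test>, size=900, class=0, nrcpts=50, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar 24 15:20:02 cbx sendmail[26300]: o2OEK2ab026300: from=<weakuser@example.test>, size=900, class=0, nrcpts=50, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar 24 15:21:00 cbx sendmail[26400]: AUTH=server, relay=dialup.example.test [192.0.2.10], authid=remoteuser, mech=PLAIN, bits=0
Mar 24 15:21:00 cbx sendmail[26400]: o2OEL0ac026400: from=<remoteuser@example.test>, size=100, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=dialup.example.test [192.0.2.10]
EOF
}

sample_log | webmail_senders
```

On a live system the function takes the log path as its argument, e.g. `webmail_senders /var/log/maillog`.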
