How do you tie this:

07:17 03:40 SMTPD(000005F8) Authenticated [EMAIL PROTECTED], session treated as local

To this??

07:17 03:40 SMTPD(3A68012A) [xxx.xxx.xxx.xxx] connect 194.177.96.73 port 3681
07:17 03:40 SMTPD(3A68012A) [194.177.96.73] MAIL FROM:<[EMAIL PROTECTED]>
07:17 03:40 SMTPD(3A68012A) [194.177.96.73] RCPT TO:<[EMAIL PROTECTED]>
07:17 03:40 SMTPD(3A68012A) [194.177.96.73] EHLO User
07:17 03:40 SMTPD(3A68012A) [194.177.96.73] D:\IMail\spool\D9c983a68012a3c75.SMD 1687
07:17 03:40 SMTP-(00000000) Info - Adding Queue file D:\IMail\spool\Q9c983a68012a3c75.SMD
07:17 03:40 SMTP-(0758F266) processing D:\IMail\spool\Q9c983a68012a3c75.SMD

What am I missing?

Thanks,
K

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanford Whiteman
Sent: Tuesday, July 17, 2007 1:25 PM
To: Katherine Kennedy
Subject: Re: [IMail Forum] how do i determine what account has been compromised?

> I have not found anything in the logs that indicate the account that
> is authenticating to send the spam....

You should see "Authenticated $username, session treated as local."

It also is helpful to run a script using a command-line POP3 client (I have used Getmail.exe) against all of your mailboxes to check for ($username == $password) or ($password == "password") or ($password == <other extremely obvious cases>). You can't apply much intelligence, but you can catch obvious vulnerabilities. Be sure to use command-line options to avoid retrieving any actual mail!

--Sandy

------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
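
Added example, not part of the original thread: a Python sketch that pulls every "Authenticated ..., session treated as local" line out of a log in the layout quoted above and lists the SMTPD sessions logged with the same two leading timestamp fields as candidates for that login. The thread does not say how the ID on the "Authenticated" line relates to the session ID, so matching on timestamp is an assumption and a busy server will return several candidates per login; the log text, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the log lines quoted in the thread:
# date, time, service(id), optional [address], message. All values are made up.
SAMPLE_LOG = """\
07:17 03:40 SMTPD(000005F8) Authenticated alice@example.test, session treated as local
07:17 03:40 SMTPD(3A68012A) [10.0.0.5] connect 192.0.2.10 port 3681
07:17 03:40 SMTPD(3A68012A) [192.0.2.10] EHLO User
07:17 03:40 SMTPD(3A68012A) [192.0.2.10] MAIL FROM:<sender@example.test>
07:17 03:40 SMTPD(3A68012A) [192.0.2.10] RCPT TO:<rcpt@example.net>
07:17 03:52 SMTPD(3A68014C) [10.0.0.5] connect 198.51.100.7 port 4410
07:17 03:52 SMTPD(3A68014C) [198.51.100.7] MAIL FROM:<bob@example.test>
"""

LINE = re.compile(r"^(\d\d:\d\d) (\d\d:\d\d) \S+?\((\w+)\) (?:\[[^\]]*\] )?(.*)$")
AUTH = re.compile(r"^Authenticated (.+?), session treated as local")


def parse(log):
    """Split a log into 'Authenticated' events and per-session-ID details."""
    auths = []
    sessions = defaultdict(lambda: {"stamps": set(), "peer": None, "mail_from": None})
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not in the expected layout
        date, time, sid, msg = m.groups()
        auth = AUTH.match(msg)
        if auth:
            auths.append({"stamp": (date, time), "user": auth.group(1)})
            continue
        sess = sessions[sid]
        sess["stamps"].add((date, time))
        if msg.startswith("connect "):
            sess["peer"] = msg.split()[1]  # remote address on the connect line
        elif msg.startswith("MAIL FROM:"):
            sess["mail_from"] = msg[len("MAIL FROM:"):].strip("<>")
    return auths, sessions


def candidates(log):
    """Assumption: pair each login with sessions logged at the same date/time."""
    auths, sessions = parse(log)
    return [(a["user"], sorted((sid, s["peer"], s["mail_from"])
                               for sid, s in sessions.items() if a["stamp"] in s["stamps"]))
            for a in auths]


if __name__ == "__main__":
    for user, hits in candidates(SAMPLE_LOG):
        print(user, hits)
```
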
