What version of Imail are you using? Earlier than 7 I think. John T
> -----Original Message----- > From: [EMAIL PROTECTED] [mailto:Imail_Forum- > [EMAIL PROTECTED] On Behalf Of Katherine Kennedy > Sent: Tuesday, July 17, 2007 1:37 PM > To: [email protected] > Subject: RE: [IMail Forum] how do i determine what account has been > compromised? > > How do you tie this: > > 07:17 03:40 SMTPD(000005F8) Authenticated [EMAIL PROTECTED], session > treated as > local > > To this?? > > 07:17 03:40 SMTPD(3A68012A) [xxx.xxx.xxx.xxx] connect 194.177.96.73 > port > 3681 > 07:17 03:40 SMTPD(3A68012A) [194.177.96.73] MAIL > FROM:<[EMAIL PROTECTED]> > 07:17 03:40 SMTPD(3A68012A) [194.177.96.73] RCPT > TO:<[EMAIL PROTECTED]> > 07:17 03:40 SMTPD(3A68012A) [194.177.96.73] EHLO User > 07:17 03:40 SMTPD(3A68012A) [194.177.96.73] > D:\IMail\spool\D9c983a68012a3c75.SMD 1687 > 07:17 03:40 SMTP-(00000000) Info - Adding Queue file > D:\IMail\spool\Q9c983a68012a3c75.SMD > 07:17 03:40 SMTP-(0758F266) processing > D:\IMail\spool\Q9c983a68012a3c75.SMD > > What am I missing? > > Thanks, K > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Sanford > Whiteman > Sent: Tuesday, July 17, 2007 1:25 PM > To: Katherine Kennedy > Subject: Re: [IMail Forum] how do i determine what account has been > compromised? > > > I have not found anything in the logs that indicate the account that > > is authenticating to send the spam.... > > You should see "Authenticated $username, session treated as local." > > It also is helpful to run a script using a command-line POP3 client (I > have used Getmail.exe) against all of your mailboxes to check for > ($username == $password) or ($password == "password") or ($password == > <other extremely obvious cases>). You can't apply much intelligence, > but you can catch obvious vulnerabilities. Be sure to use command-line > options to avoid retrieving any actual mail! > > --Sandy > > > ------------------------------------ > Sanford Whiteman, Chief Technologist > Broadleaf Systems, a division of > Cypress Integrated Systems, Inc. > e-mail: [EMAIL PROTECTED] > > SpamAssassin plugs into Declude! > > http://www.imprimia.com/products/software/freeutils/SPAMC32/download/re > lease > / > > Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail > Aliases! > > http://www.imprimia.com/products/software/freeutils/exchange2aliases/do > wnloa > d/release/ > > http://www.imprimia.com/products/software/freeutils/ldap2aliases/downlo > ad/re > lease/ > > To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html > List Archive: http://www.mail- > archive.com/imail_forum%40list.ipswitch.com/ > Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ > > To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html > List Archive: http://www.mail- > archive.com/imail_forum%40list.ipswitch.com/ > Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
