On 03/Mar/11 04:20, Mark Constable wrote:
We just had 2 accounts compromised and used for sending out a ton of
spam, one I found because an irate recipient sent back a complaint
which included the headers and the AUTH: LOGIN details.
That only has the user's name, not the password. It is in
It would hugely help trying to match up who is logging in if the
IP appeared on this line...
Mar 2 14:07:22 mail authdaemond: received auth request, service=esmtp, authtype=login
for example...
Mar 2 14:07:22 mail authdaemond: received auth request from 12.34.56.78, service=esmtp,
Mark Constable writes:
It would hugely help trying to match up who is logging in if the
IP appeared on this line...
Mar 2 14:07:22 mail authdaemond: received auth request, service=esmtp, authtype=login
for example...
Mar 2 14:07:22 mail authdaemond: received auth request from 12.34.56.78,
On 03/03/11, Sam Varshavchik wrote:
authdaemond: received auth request, service=esmtp, authtype=login
authdaemond: received auth request from 12.34.56.78, service=esmtp, authtype=login
This is logged by authdaemond.
This requires a non-trivial amount of work, since authdaemond knows