Hi all. Im not sure this is the right ML so if it is not I apologize and please point me in the right direction. Thanks!

I have a qmail server (qmail, vpopmail-no mysql). I have ssome 500 client email accounts distributed over some 30 domain names. Im having serious SPAM problems in the sense that some spammer is using legit username/pw combinatioss to authenticate and send his/her garbage. I cant , for the life of me, determine which accounts are suspect or are compromised. On my system, mail.log (/var/log/mail/ log) provides good info for pop and spamd activity, showing what user a pop connection is opened and closed for like so:


Feb 21 14:48:57 sjo pop3d: Connection, ip=[::ffff:190.10.14.44]
Feb 21 14:48:57 sjo pop3d: LOGIN, [EMAIL PROTECTED], ip= [::ffff:190.10.14.44] Feb 21 14:48:57 sjo pop3d: LOGOUT, [EMAIL PROTECTED], ip= [::ffff:190.10.14.44], top=0, retr=0, rcvd=12, sent=39, time=0

Since I am interested in smtp though, I look at /var/log/qmail/smtpd/ current and find that the info only tells me the connecting IP, target IP and stasus info:

@4000000045dccd01188edb8c tcpserver: pid 4555 from 82.237.85.167
@4000000045dccd01188ffc9c tcpserver: ok 4555 sjo.sinapsisglobal.com: 66.228.222.190:25 :82.237.85.167::4430
@4000000045dccd020d221944 tcpserver: end 4551 status 0
@4000000045dccd020d2228e4 tcpserver: status: 12/120
@4000000045dccd021e11902c tcpserver: end 4555 status 256

Is there any way to configure the smtp log to show which account is being logged in or auth'ed to send, sort of like what the pop log shows?

Any help will be immensely appreciated.

Max

Reply via email to