Hi there, You can configure vpopmail logging (compile time only, as far as I know), which then will show you various information depending on the level you have chosen.
Stoyan On Wed, 2007-02-21 at 16:56 -0600, Max Esquivel wrote: > Hi all. Im not sure this is the right ML so if it is not I apologize > and please point me in the right direction. Thanks! > > I have a qmail server (qmail, vpopmail-no mysql). I have ssome 500 > client email accounts distributed over some 30 domain names. Im > having serious SPAM problems in the sense that some spammer is using > legit username/pw combinatioss to authenticate and send his/her > garbage. I cant , for the life of me, determine which accounts are > suspect or are compromised. On my system, mail.log (/var/log/mail/ > log) provides good info for pop and spamd activity, showing what user > a pop connection is opened and closed for like so: > > Feb 21 14:48:57 sjo pop3d: Connection, ip=[::ffff:190.10.14.44] > Feb 21 14:48:57 sjo pop3d: LOGIN, [EMAIL PROTECTED], ip= > [::ffff:190.10.14.44] > Feb 21 14:48:57 sjo pop3d: LOGOUT, [EMAIL PROTECTED], ip= > [::ffff:190.10.14.44], top=0, retr=0, rcvd=12, sent=39, time=0 > > Since I am interested in smtp though, I look at /var/log/qmail/smtpd/ > current and find that the info only tells me the connecting IP, > target IP and stasus info: > > @4000000045dccd01188edb8c tcpserver: pid 4555 from 82.237.85.167 > @4000000045dccd01188ffc9c tcpserver: ok 4555 sjo.sinapsisglobal.com: > 66.228.222.190:25 :82.237.85.167::4430 > @4000000045dccd020d221944 tcpserver: end 4551 status 0 > @4000000045dccd020d2228e4 tcpserver: status: 12/120 > @4000000045dccd021e11902c tcpserver: end 4555 status 256 > > Is there any way to configure the smtp log to show which account is > being logged in or auth'ed to send, sort of like what the pop log shows? > > Any help will be immensely appreciated. > > Max