The submission entries outside the US could very well be from hacked accounts.
I'm finding a surprising number of compromised accounts (once a week?), including users with good passwords, so I have to assume they're snooped on public wireless, or their computers are compromised by malware of some sort.

The vchkpw-smtp entries from outside the US are probably also hacked accounts, since mail received from remote servers doesn't include authentication.

Sorry I wasn't thinking clearly in my previous response -- I forgot these were vchkpw entries and are only related to authentication. I was thinking about qmail logs.

-Tom

On Mar 4, 2014, at 10:43 PM, LHTek wrote:

> Thanks for the reply.
>
> NOTE: None of my users will have sent anything from outside the US.
>
> I've got some log entries for vchkpw-submission (marked as successful in the
> log) with non-US IPs (Russia, Egypt, Hong Kong, etc). In my analysis I'm
> marking those entries as hacked accounts.
>
> From what I read from your response, vchkpw-smtp (marked as successful in the
> log) entries could be mail sent TO my server FROM another server on port 25.
> That tells me those are probably safe submissions - even if they are from
> overseas IPs. Am I thinking correctly?
>
> From: Tom Collins <t...@tomlogic.com>
> To: vchkpw@inter7.com
> Sent: Wednesday, March 5, 2014 12:02 AM
> Subject: Re: [vchkpw] Qmail maillog vchkpw-submission vs vchkpw-smtp
>
> vchkpw-submission is on port 587, and is typically used for email clients
> relaying mail. It's often set up to require authentication.
>
> vchkpw-smtp is on port 25, and can be used for email clients to relay mail,
> or by other servers delivering mail to your server.
>
> -Tom
>
> On Mar 4, 2014, at 9:41 PM, LHTek wrote:
>
>> In the /var/log/maillog file what is the difference between these 2 entries
>> (vchkpw-submission, vchkpw-smtp)?
>>
>> example:
>> Mar 4 17:27:03 michael vpopmail[14701]: vchkpw-submission: (PLAIN) login
>> success t...@domain.com:64.185.3.238
>> Mar 4 10:54:42 michael vpopmail[29027]: vchkpw-smtp: (PLAIN) login success
>> t...@domain.com:64.57.239.114
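
An added example, not part of the thread and not vpopmail's own code: a triage script that treats every vchkpw "login success" line as an authentication event, on port 25 and 587 alike, and reports accounts that authenticated from outside the networks you expect. The sample log lines, accounts and the `EXPECTED_NETS` list are constructed assumptions; the CIDR list stands in for the GeoIP country lookup the thread implies.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the "login success" line format quoted in the thread.
LOGIN_RE = re.compile(
    r"vpopmail\[\d+\]: (?P<service>vchkpw-[\w-]+): \((?P<method>\w+)\) "
    r"login success (?P<account>\S+@[^\s:]+):(?P<ip>[0-9a-fA-F.:]+)\s*$"
)

# Assumption: networks your users legitimately log in from. A real deployment
# would use a GeoIP country lookup; CIDR ranges keep this example offline.
EXPECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample lines (documentation IP ranges, made-up accounts).
SAMPLE_LOG = """\
Mar 4 10:54:42 mx vpopmail[29027]: vchkpw-smtp: (PLAIN) login success alice@example.com:192.0.2.10
Mar 4 17:27:03 mx vpopmail[14701]: vchkpw-submission: (PLAIN) login success alice@example.com:192.0.2.10
Mar 4 18:02:11 mx vpopmail[14822]: vchkpw-submission: (PLAIN) login success bob@example.com:203.0.113.77
Mar 4 18:05:40 mx vpopmail[14901]: vchkpw-smtp: (PLAIN) login success bob@example.com:198.51.100.5
Mar 4 18:06:02 mx qmail: 1393977962.123 new msg 4211
"""

def parse_logins(text):
    """Yield (service, account, ip) for each successful vchkpw login line."""
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a vchkpw login-success entry (e.g. qmail delivery lines)
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field; skip rather than crash
        yield m["service"], m["account"].lower(), ip

def suspicious_logins(text, expected=EXPECTED_NETS):
    """Map account -> sorted (service, ip) pairs seen outside expected networks."""
    hits = defaultdict(set)
    for service, account, ip in parse_logins(text):
        # vchkpw-smtp and vchkpw-submission are both authenticated sessions.
        if not any(ip in net for net in expected):
            hits[account].add((service, str(ip)))
    return {acct: sorted(pairs) for acct, pairs in hits.items()}

if __name__ == "__main__":
    for acct, pairs in suspicious_logins(SAMPLE_LOG).items():
        for service, ip in pairs:
            print(f"{acct}: authenticated via {service} from unexpected {ip}")
```
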