Thread: Verbose smtp logging to determine compromised account

  1. #1
    Join Date
    Jun 2010
    Posts
    2
    Rep Power
    5

    Verbose smtp logging to determine compromised account

    We are running Zimbra 6.05 NE and need to turn on verbose SMTP logging to determine a compromised user account that is being used for spamming, unless someone has a better method of determining this.

    Any help is much appreciated.

  2. #2
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

    Welcome to the forums

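    This code snippet should help to find which user is sending lots of emails.
    Code:
    # uniq -c only counts adjacent duplicates, so sort first; the final sort lists the busiest sender first
    sed -n 's/.*from=<\(.*\)@yourdomain\.com>.*/\1/p' /var/log/zimbra.log | sort | uniq -c | sort -rn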

  3. #3
    Join Date
    Jun 2010
    Posts
    2
    Rep Power
    5

    Thanks, I appreciate it.

    In the case of a compromised account the from address can be spoofed once authenticated. Isn't this the case?

  4. #4
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

    Depends on whether they are changing the headers or not. Give this a go, as it should show better information.
    Code:
    cat /opt/zimbra/log/mailbox.log | sed -n 's/.*SendMsgRequest.*name=\(.*\)@yourdomain.com;mid=.*;ip=\(.*\);ua=.*Adding Message.*/\1,\2/p'
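
Added example, not part of the original thread: the extraction from post #4 extended into a tally of messages and distinct client IPs per account, keyed on the account name logged with the request rather than on the From address. The log layout is assumed from the pattern in post #4, the sample lines are constructed, and `tally_senders` and `sample_log` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the mailbox.log layout implied
# by the sed pattern in post #4:
#   ...SendMsgRequest...[name=<account>;mid=..;ip=<addr>;ua=..;] ... Adding Message...

# tally_senders [FILE...]: print "<messages> <distinct IPs> <account>" for each
# account, busiest first. Reads stdin when no file is given.
tally_senders() {
    awk '
    /SendMsgRequest/ && /Adding Message/ {
        acct = ""; ip = ""
        # [^;]* stops at the field separator, unlike a greedy .*
        if (match($0, /\[name=[^;]*/)) acct = substr($0, RSTART + 6, RLENGTH - 6)
        if (match($0, /;ip=[^;]*/))    ip   = substr($0, RSTART + 4, RLENGTH - 4)
        if (acct == "") next
        sent[acct]++
        # count each (account, IP) pair once
        if (ip != "" && !((acct, ip) in seen)) { seen[acct, ip] = 1; ips[acct]++ }
    }
    END { for (a in sent) printf "%d %d %s\n", sent[a], ips[a] + 0, a }
    ' "$@" | sort -k1,1nr -k3,3
}

# Constructed sample lines (documentation IP ranges, placeholder domain).
sample_log() {
    cat <<'EOF'
2010-06-03 13:24:01,101 INFO  [btpool0-12://mail.yourdomain.com/service/soap/SendMsgRequest] [name=alice@yourdomain.com;mid=5;ip=192.0.2.10;ua=ZimbraWebClient - FF3.0 (Win);] mailop - Adding Message: id=301, folderId=5.
2010-06-03 13:24:02,214 INFO  [btpool0-14://mail.yourdomain.com/service/soap/SendMsgRequest] [name=bob@yourdomain.com;mid=9;ip=198.51.100.7;ua=ZimbraWebClient - IE8 (Win);] mailop - Adding Message: id=880, folderId=5.
2010-06-03 13:24:02,950 INFO  [btpool0-15://mail.yourdomain.com/service/soap/SendMsgRequest] [name=bob@yourdomain.com;mid=9;ip=203.0.113.9;ua=ZimbraWebClient - IE8 (Win);] mailop - Adding Message: id=881, folderId=5.
2010-06-03 13:24:03,377 INFO  [btpool0-16://mail.yourdomain.com/service/soap/SendMsgRequest] [name=bob@yourdomain.com;mid=9;ip=203.0.113.9;ua=ZimbraWebClient - IE8 (Win);] mailop - Adding Message: id=882, folderId=5.
2010-06-03 13:24:04,020 INFO  [btpool0-17://mail.yourdomain.com/service/soap/SearchRequest] [name=alice@yourdomain.com;mid=5;ip=192.0.2.10;ua=ZimbraWebClient - FF3.0 (Win);] soap - SearchRequest
EOF
}

# Demo on the constructed sample; on a server: tally_senders /opt/zimbra/log/mailbox.log
sample_log | tally_senders
```

An account with a high message count spread over several client IPs is the one to look at first.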
