[BlueOnyx:17393] Re: Detecting compromised mail accounts

Ernie ernie at info.eis.net.au
Tue Mar 31 23:51:13 -05 2015


Hi Jeff,
you are not going to see much in the GUI; you have to be on the command
line and use mailq as root or via sudo to see if a mass of spam is going
out, as a rule it will be choking the mail queue. Then you examine the
headers in /var/spool/mqueue to see who sent the spam so you can figure out
the compromised user.

The most common cause is the user giving out their password in response to a
phishing email, typically pretending to be from the server admin.
Next would be a brute force attack on the SMTP auth port.
Then brute force attacks on the POP/IMAP username.


- Ernie.


> I had a vsite-user whose mail account creds were compromised and the
> account was being used to relay spam. The user suspected the issue, I
> confirmed it in maillog and rotated their creds to stop the flow.
> 
> I was hoping to find a way in the GUI to identify potential issues like
> this in the future by identifying "top senders" and spent some time looking
> through the Usage Information > Email reports but was a bit confused by the
> numbers in that report (they look too low).
> 
> So I had a few questions which I'm hoping somebody can help with:
> 
> 1 - Is the Usage Information > Email report the right place to find
> top-senders?
> 
> 2 - If it is, which specific sub-report is the one I should be looking at?
> 
> 3 - Why would the values in that report seem too small for my server's
> traffic (by an order of magnitude) for a defined reporting period?
> 
> Thanks!
> 
> Jeff


-- 
"I Ping therefore I am."
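The queue check Ernie describes, as an added Python example that is not part of the original thread: it reads sendmail qf control files (the envelope/header files kept in /var/spool/mqueue), tallies queued messages per envelope sender and submitting client, and surfaces the account that is flooding the queue. The qf field layout is assumed from sendmail's documented format, and the example.com hosts and sample files are constructed.

```python
import os
import re
from collections import Counter
# Sendmail queue control files (qf*) hold one field per line, keyed by the first
# character: 'S' is the envelope sender and 'H??...' lines are message headers;
# folded header lines continue with leading whitespace, hence the lookahead.
SENDER_RE = re.compile(r"^S<?([^>\n]*)>?$", re.M)
RECEIVED_RE = re.compile(r"^H\?[^?]*\?Received:\s*from\s+(\S+)(.*?)(?=\n\S|\Z)", re.M | re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_qf(text):
    """Return (sender, client_ip, authenticated) for one qf file's contents."""
    sender = SENDER_RE.search(text)
    received = RECEIVED_RE.search(text)  # first Received: names the submitting client
    rest = received.group(2) if received else ""
    ip = IP_RE.search(rest)
    return (sender.group(1) if sender else None,
            ip.group(1) if ip else None,
            "(authenticated" in rest.lower())

def tally(qf_texts):
    """Count queued messages per (envelope sender, client IP, authenticated)."""
    return Counter(parse_qf(t) for t in qf_texts)

def tally_queue(queue_dir="/var/spool/mqueue"):
    """Tally every qf* control file in a live queue directory (needs root)."""
    texts = []
    for name in sorted(os.listdir(queue_dir)):
        if name.startswith("qf"):
            with open(os.path.join(queue_dir, name), errors="replace") as fh:
                texts.append(fh.read())
    return tally(texts)

def top_senders(counts, n=5):
    """Envelope senders with the most queued mail; a sudden leader is the account to check."""
    per_sender = Counter()
    for (sender, _ip, _auth), cnt in counts.items():
        per_sender[sender] += cnt
    return per_sender.most_common(n)

def _sample_qf(sender, host, ip, authenticated):
    """Build a constructed qf control file (not real queue data) for the demo."""
    auth = "\n\t(authenticated bits=0)" if authenticated else ""
    return (f"V8\nT1427839873\nS<{sender}>\nRPFD:<bob@example.org>\n"
            f"H??Received: from {host} ({host} [{ip}]){auth}\n"
            f"\tby mail.example.com (8.14.4/8.14.4) with ESMTP\nH??Subject: test\n")

# Constructed queue: three messages from one authenticated account, one inbound message.
SAMPLE_QF = [_sample_qf("alice@example.com", "pc.example.net", "192.0.2.10", True)] * 3 + [
    _sample_qf("carol@example.com", "mx.partner.example", "198.51.100.7", False)]
```

Run `top_senders(tally_queue())` on the live queue to rank senders; the spamming account usually dwarfs everyone else and is submitting from one client address with authenticated bits set.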


