[BlueOnyx:04129] Re: ROUNDCUBE spam - how do I determine which account is sending it?

Michael Stauber mstauber at blueonyx.it
Wed Mar 24 09:21:10 -05 2010


Hi Peter,

> Is there any way of working out which account has sent the email from
> roundcube?

Yes. Check /var/log/maillog. RoundCube uses SMTP-Auth to authenticate against 
the MTA when it sends emails. So the username of the account sending the 
emails is logged.

Below is an example where user "admin" sent an Email via RoundCube:

1.) IMAP login of user "admin" as he logged into RoundCube:
Mar 24 15:12:19 cbx dovecot: imap-login: Login: user=<admin>, method=PLAIN, 
rip=127.0.0.1, lip=127.0.0.1, secured

2.) User "admin" sends a message:
Mar 24 15:12:20 cbx sendmail[26191]: STARTTLS=server, relay=localhost 
[127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, 
bits=256/256
Mar 24 15:12:20 cbx sendmail[26191]: AUTH=server, relay=localhost [127.0.0.1], 
authid=admin, mech=PLAIN, bits=0

3.) Said message is being processed:
Mar 24 15:12:20 cbx milter-greylist: User admin authenticated, bypassing 
greylisting
Mar 24 15:12:20 cbx sendmail[26191]: o2OECJls026191: from=<admin at cbx.smd.net>, 
size=328, class=0, nrcpts=1, 
msgid=<70ccec4ead9588e9bde6ff1ab1832b66 at cbx.smd.net>, proto=ESMTP, daemon=MTA, 
relay=localhost [127.0.0.1]

So if you suspect RoundCube being the culprit (i.e.: user with weak password 
had his account details guessed and someone is now using the installed 
RoundCube with those details), then you could grep the maillog for these 
lines:

grep "AUTH=server" /var/log/maillog | grep "authid="

That ought to list all SMTP-Auth'ed logins to Sendmail. If that also shows 
legitimate remote connections from dialup users, you may want to trim it down 
further to show only SMTP-Auth connections from localhost:

grep "AUTH=server" /var/log/maillog | grep "authid=" | grep "relay=localhost"

Which should list only the RoundCube logins to SMTP-Auth.

-- 
With best regards

Michael Stauber
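The grep pipeline above answers "which accounts authenticated via localhost", but on a busy server the next question is usually "which of those accounts is sending the most". The script below is an added example, not part of Michael's reply or of BlueOnyx: it parses maillog lines in the sendmail format shown above, keeps only SMTP-Auth sessions that came in via the loopback relay (i.e. through RoundCube), and correlates each `AUTH=server` line with the following `from=`/`nrcpts=` line of the same sendmail PID to count messages and recipients per authid. The sample log lines and the domain `example.com` are constructed for the demo; run it against a real `/var/log/maillog` by passing the path as the first argument.

```python
#!/usr/bin/env python3
"""Rank SMTP-Auth users by messages and recipients sent through the local relay."""
import re
import sys
from collections import defaultdict

# Constructed sample in the sendmail/dovecot syslog format shown in the post (not real data).
SAMPLE_MAILLOG = """\
Mar 24 15:12:19 cbx dovecot: imap-login: Login: user=<admin>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 24 15:12:20 cbx sendmail[26191]: AUTH=server, relay=localhost [127.0.0.1], authid=admin, mech=PLAIN, bits=0
Mar 24 15:12:20 cbx sendmail[26191]: o2OECJls026191: from=<admin@example.com>, size=328, class=0, nrcpts=1, msgid=<1@example.com>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar 24 15:13:02 cbx sendmail[26201]: AUTH=server, relay=localhost [127.0.0.1], authid=bob, mech=PLAIN, bits=0
Mar 24 15:13:02 cbx sendmail[26201]: o2OED2ab026201: from=<bob@example.com>, size=2100, class=0, nrcpts=250, msgid=<2@example.com>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar 24 15:13:40 cbx sendmail[26210]: AUTH=server, relay=localhost [127.0.0.1], authid=bob, mech=PLAIN, bits=0
Mar 24 15:13:40 cbx sendmail[26210]: o2OEDecd026210: from=<bob@example.com>, size=2100, class=0, nrcpts=300, msgid=<3@example.com>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar 24 15:14:05 cbx sendmail[26220]: AUTH=server, relay=dialup.example.net [203.0.113.9], authid=carol, mech=LOGIN, bits=0
Mar 24 15:14:05 cbx sendmail[26220]: o2OEE5ef026220: from=<carol@example.com>, size=900, class=0, nrcpts=1, msgid=<4@example.com>, proto=ESMTP, daemon=MTA, relay=dialup.example.net [203.0.113.9]
"""

# Syslog prefix for a sendmail line: timestamp, host, "sendmail[PID]: " and the rest of the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: (?P<rest>.*)$"
)
# "AUTH=server, relay=localhost [127.0.0.1], authid=admin, mech=PLAIN, bits=0"
AUTH_RE = re.compile(
    r"^AUTH=server, relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\], authid=(?P<authid>[^,]+), mech=(?P<mech>[^,]+)"
)
# "o2OECJls026191: from=<...>, size=328, class=0, nrcpts=1, ..."
FROM_RE = re.compile(r"^(?P<qid>\w+): from=<(?P<sender>[^>]*)>, .*?nrcpts=(?P<nrcpts>\d+)")


def summarize_smtp_auth(log_text, localhost_only=True):
    """Return {authid: {"logins", "messages", "recipients"}} for SMTP-Auth sessions.

    With localhost_only=True only sessions relayed from the loopback address are
    counted, which on this setup means the sender came through RoundCube.
    """
    summary = defaultdict(lambda: {"logins": 0, "messages": 0, "recipients": 0})
    auth_by_pid = {}  # sendmail PID -> authid of the session currently open on it
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # dovecot, milter-greylist and other daemons are not sendmail lines
        pid, rest = m.group("pid"), m.group("rest")
        auth = AUTH_RE.match(rest)
        if auth:
            is_local = auth.group("relay") == "localhost" or auth.group("ip") in ("127.0.0.1", "::1")
            if localhost_only and not is_local:
                auth_by_pid.pop(pid, None)  # remote session: do not attribute its messages
                continue
            auth_by_pid[pid] = auth.group("authid")
            summary[auth.group("authid")]["logins"] += 1
            continue
        frm = FROM_RE.match(rest)
        if frm and pid in auth_by_pid:
            authid = auth_by_pid[pid]
            summary[authid]["messages"] += 1
            summary[authid]["recipients"] += int(frm.group("nrcpts"))
    return dict(summary)


def rank_senders(summary, key="recipients"):
    """Sort the summary so the account with the most recipients (or messages/logins) comes first."""
    return sorted(summary.items(), key=lambda kv: kv[1][key], reverse=True)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAILLOG
    for authid, stats in rank_senders(summarize_smtp_auth(text)):
        print(f"{authid:20} logins={stats['logins']:4} messages={stats['messages']:4} "
              f"recipients={stats['recipients']:6}")
```

On the constructed sample the account "bob" stands out with 550 recipients over two webmail sessions, while "carol" is excluded because her session came from a remote relay; pass `localhost_only=False` to include remote SMTP-Auth users as well. Recipient counts are a better signal than login counts, since one compromised login can send a single message to hundreds of addresses.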
