[BlueOnyx:04131] Re: ROUNDCUBE spam - how do I determine which account is sending it?

Peter Robbins - Bridgewater Software pete at bridgewater.it
Wed Mar 24 10:17:25 -05 2010


Michael,

you are a star - found the culprit. A client who is a siteadmin had 
set up a user on BQ before we moved up to BX. This user account had a 
very simple password.

Found the account and removed it.

cheers
pete


On 24/03/2010 14:21, Michael Stauber wrote:
> Hi Peter,
>
>
>> Is there any way of working out which account has sent the email from
>> roundcube?
>
> Yes. Check /var/log/maillog. RoundCube uses SMTP-Auth to authenticate against
> the MTA when it sends emails. So the username of the account sending the
> emails is logged.
>
> Below is an example where user "admin" sent an Email via RoundCube:
>
> 1.) IMAP login of user "admin" as he logged into RoundCube:
> Mar 24 15:12:19 cbx dovecot: imap-login: Login: user=<admin>, method=PLAIN,
> rip=127.0.0.1, lip=127.0.0.1, secured
>
> 2.) User "admin" sends a message:
> Mar 24 15:12:20 cbx sendmail[26191]: STARTTLS=server, relay=localhost
> [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA,
> bits=256/256
> Mar 24 15:12:20 cbx sendmail[26191]: AUTH=server, relay=localhost [127.0.0.1],
> authid=admin, mech=PLAIN, bits=0
>
> 3.) Said message is being processed:
> Mar 24 15:12:20 cbx milter-greylist: User admin authenticated, bypassing
> greylisting
> Mar 24 15:12:20 cbx sendmail[26191]: o2OECJls026191: from=<admin at cbx.smd.net>,
> size=328, class=0, nrcpts=1,
> msgid=<70ccec4ead9588e9bde6ff1ab1832b66 at cbx.smd.net>, proto=ESMTP, daemon=MTA,
> relay=localhost [127.0.0.1]
>
> So if you suspect RoundCube being the culprit (i.e.: user with weak password
> had his account details guessed and someone is now using the installed
> RoundCube with those details), then you could grep the maillog for these
> lines:
>
> cat /var/log/maillog | grep "AUTH=server" |grep "authid="
>
> That ought to list all SMTP-Auth'ed logins to Sendmail. If that also shows
> legitimate remote connections from dialup users, you may want to trim it down
> further to show only SMTP-Auth connections from localhost:
>
> cat /var/log/maillog | grep "AUTH=server" |grep "authid=" |grep "relay=localhost"
>
> Which should list only the RoundCube logins to SMTP-Auth.
>
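The log triage Michael describes above, as an added example that is not part of this thread (the script and its sample log are mine, not BlueOnyx's or RoundCube's): it parses Sendmail's "AUTH=server" lines, joins each one to the queue-id line that follows by sendmail PID so the recipient count (nrcpts) comes along, and totals sessions, messages and recipients per authid. By default only sessions relayed from 127.0.0.1 are kept, which drops remote SMTP-Auth clients such as dialup users and leaves the webmail logins. The log excerpt is constructed and modelled on the lines quoted in the thread (the list archive rewrites "@" as " at "; real log lines contain "@"); the extra accounts, PIDs, queue IDs and the 20-recipient threshold are assumed values.

```python
"""Summarise SMTP-Auth sessions in a Sendmail maillog to find which account is
sending mail through webmail (RoundCube relays from localhost)."""
import re
from collections import defaultdict

# Constructed sample log: the admin session from the thread plus invented
# lines for a remote client ("bob") and a busy local account ("weakuser").
SAMPLE_MAILLOG = """\
Mar 24 15:12:19 cbx dovecot: imap-login: Login: user=<admin>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 24 15:12:20 cbx sendmail[26191]: STARTTLS=server, relay=localhost [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Mar 24 15:12:20 cbx sendmail[26191]: AUTH=server, relay=localhost [127.0.0.1], authid=admin, mech=PLAIN, bits=0
Mar 24 15:12:20 cbx sendmail[26191]: o2OECJls026191: from=<admin@cbx.smd.net>, size=328, class=0, nrcpts=1, msgid=<70ccec4ead9588e9bde6ff1ab1832b66@cbx.smd.net>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar 24 15:30:02 cbx sendmail[26301]: AUTH=server, relay=dialup-7.example.net [203.0.113.7], authid=bob, mech=LOGIN, bits=0
Mar 24 15:30:03 cbx sendmail[26301]: o2OEU2xx026301: from=<bob@cbx.smd.net>, size=512, class=0, nrcpts=2, msgid=<constructed-1@cbx.smd.net>, proto=ESMTP, daemon=MTA, relay=dialup-7.example.net [203.0.113.7]
Mar 24 15:31:10 cbx sendmail[26355]: AUTH=server, relay=localhost [127.0.0.1], authid=weakuser, mech=PLAIN, bits=0
Mar 24 15:31:11 cbx sendmail[26355]: o2OEVAxx026355: from=<weakuser@cbx.smd.net>, size=2048, class=0, nrcpts=50, msgid=<constructed-2@cbx.smd.net>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar 24 15:33:40 cbx sendmail[26402]: AUTH=server, relay=localhost [127.0.0.1], authid=weakuser, mech=PLAIN, bits=0
Mar 24 15:33:41 cbx sendmail[26402]: o2OEXexx026402: from=<weakuser@cbx.smd.net>, size=2048, class=0, nrcpts=40, msgid=<constructed-3@cbx.smd.net>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar 24 15:33:45 cbx sendmail[26402]: o2OEXjxx026402: from=<weakuser@cbx.smd.net>, size=2048, class=0, nrcpts=35, msgid=<constructed-4@cbx.smd.net>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
"""

# The line Sendmail logs once SMTP-Auth succeeds (format as quoted in the thread).
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[(?P<pid>\d+)\]: "
    r"AUTH=server, relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\], "
    r"authid=(?P<authid>[^,]+), mech=(?P<mech>[^,]+), bits=\d+"
)
# The queue-id line for each message, carrying envelope sender and recipient count.
FROM_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, "
    r"size=(?P<size>\d+), class=-?\d+, nrcpts=(?P<nrcpts>\d+)"
)


def parse_sessions(log_text):
    """One dict per SMTP-Auth session, with the messages sent in that session
    attached by sendmail PID (PIDs are reused over time, so keep the join local
    to one log file, not a concatenation of rotated logs)."""
    pending = {}    # pid -> session still accepting from= lines
    sessions = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            info = m.groupdict()
            info.update(messages=0, nrcpts=0, qids=[])
            pending[info["pid"]] = info   # a new AUTH on a reused PID replaces the old one
            sessions.append(info)
            continue
        m = FROM_RE.search(line)
        if m and m.group("pid") in pending:
            info = pending[m.group("pid")]
            info["messages"] += 1
            info["nrcpts"] += int(m.group("nrcpts"))
            info["qids"].append(m.group("qid"))
    return sessions


def summarize(sessions, localhost_only=True):
    """Per-authid totals. localhost_only keeps sessions relayed from 127.0.0.1
    (webmail such as RoundCube) and drops remote SMTP-Auth clients."""
    totals = defaultdict(lambda: {"sessions": 0, "messages": 0, "recipients": 0})
    for s in sessions:
        if localhost_only and s["ip"] != "127.0.0.1":
            continue
        t = totals[s["authid"]]
        t["sessions"] += 1
        t["messages"] += s["messages"]
        t["recipients"] += s["nrcpts"]
    return dict(totals)


def suspicious(summary, max_recipients=20):
    """Accounts whose recipient total exceeds the threshold, busiest first.
    The threshold is an assumed value; tune it to the site's normal traffic."""
    hits = [(a, t) for a, t in summary.items() if t["recipients"] > max_recipients]
    return [a for a, _ in sorted(hits, key=lambda x: x[1]["recipients"], reverse=True)]


if __name__ == "__main__":
    import sys
    # Pass a path such as /var/log/maillog to analyse a real log; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAILLOG
    summary = summarize(parse_sessions(text))
    for authid, t in sorted(summary.items(), key=lambda x: -x[1]["recipients"]):
        print(f"{authid:12} sessions={t['sessions']} messages={t['messages']} "
              f"recipients={t['recipients']}")
    print("over threshold:", suspicious(summary))
```

Counting recipients rather than logins is what separates a compromised account from a chatty one: a single webmail session can queue many messages, so a per-authid login count alone understates the volume. The IMAP login lines from dovecot are left out of the join on purpose; they only confirm the webmail login, while the AUTH=server line is what ties a sent message to an account.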


