Re: figuring out who sent email by squirrelmail

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

On Mon, Feb 28, 2011 at 8:43 AM, Paul Raines <raines@xxxxxxxxxxxxxxxxxxx> wrote:
> In trying to track down what account was being used to send spam
> via squirrelmail all I had was lines like this from /var/log/maillog
> Feb 27 18:12:15 mail sendmail[9844]: p1RNC9TS009844:
> from=<johngalvan@xxxxxxxxxxxxxxxxxxx>, size=1087, class=0, nrcpts=1,
> msgid=<4469.>,
> proto=ESMTP, daemon=MTA, relay=localhost.localdomain []
> Feb 27 18:12:15 mail sendmail[9844]: p1RNC9TS009844:
> to=<xxxxxx@xxxxxxxxxx>, delay=00:00:06, mailer=relay, pri=31087,
> stat=queued
> johngalvan is not a user on our system.  SO it was faked.  Is there now way
> from the msgid to figure out what logged in squirrelmail user sent this?

Aside from what has already been suggested, you also have an IP
address (and you can match it with your web logs).  If you aren't
comfortable handling this kind of situation, I suggest you re-think
having the option that allows users to change their email address
turned on.

> Eventually I was able to get an example of an actual spam message so I could
> see the full headers which shows the authorized squirrelmail user, but that
> took a long time to track down and meanwhile spam was still going out.
> Is there some plugin that would log information for auditing this kind
> of thing better?  I was supprised to find there is no log at all for
> squirrelmail by default that tracks logins or mail sent.  Can anyone
> recommend one?

An internet search with the two key words (SquirrelMail and
Log/Logging) would have turned up what you needed in mere seconds.

Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!

Free Software Download: Index, Search & Analyze Logs and other IT data in 
Real-Time with Splunk. Collect, index and harness all the fast moving IT data 
generated by your applications, servers and devices whether physical, virtual
or in the cloud. Deliver compliance at lower cost and gain new business 
squirrelmail-users mailing list
Posting guidelines:
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives:
List info (subscribe/unsubscribe/change options):

[Index of Archives]     [Video For Linux]     [Photo]     [Yosemite News]    [Yosemite Photos]    [Yosemite Book Store]     [gtk]     [KDE]     [Cyrus SASL]     [Gimp on Windows]     [Steve's Art]     [Webcams]     [Script Fu]