
[Postfix] Log Outgoing Emails to Source Spam Problem

Christopher McBride

Basic Pleskian
Hi,

My server has recently seen a drop in IP reputation, which has led me to investigate legitimate email accounts being compromised on my server.

I know the server isn't acting as a relay and can only assume either a script on the server or an email account is being unknowingly abused to send out mass emails.


I'm looking to get a list of all emails originating from the server and the account they were sent by.


I believe this is fairly straightforward with Qmail (and the qmail-scanner), but I've been unable to find anything on the internet or these forums regarding the same for Postfix.


I've been manually looking through the mail logs, but I can't seem to figure out where the "sent" messages slot into it.



Can anyone offer any advice on this?


Thanks in advance.
 
Is anyone able to offer any advice?

I've downloaded many "log analyzers", but they don't seem to be providing me the data I need.


Can anyone confirm 1) If outgoing mail is logged and 2) is that logged in /usr/local/psa/var/log/maillog



Thanks
 
/usr/local/psa/var/log/maillog is only one maillog in Plesk.
 
Thanks Igor, can you help me out to figure out which line(s) in particular I should be looking out for - showing an outgoing mail being sent?

Ideally with sender and recipient's addresses on it.


Thanks
 

I'm not as much advanced in analyzers, but which ones have you tried?
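One way to get what the thread is asking for out of a Postfix maillog, as an added example that is not from any post in this thread: Postfix logs each message under one queue ID across several daemons, so correlating by that ID brings together the smtpd line carrying sasl_username= (or the pickup line carrying uid= for mail injected locally by a script), the qmgr from=<...> line and the smtp to=<...> status= lines, after which messages and recipients can be counted per originating account. The log lines, hostnames and addresses below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in traditional Postfix syslog format (not taken from the thread).
SAMPLE_LOG = """\
Mar  3 10:01:02 mail postfix/smtpd[1234]: A1B2C3D4E5: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@example.com
Mar  3 10:01:02 mail postfix/qmgr[1100]: A1B2C3D4E5: from=<info@example.com>, size=1234, nrcpt=2 (queue active)
Mar  3 10:01:03 mail postfix/smtp[1236]: A1B2C3D4E5: to=<alice@example.net>, relay=mx.example.net[198.51.100.7]:25, dsn=2.0.0, status=sent (250 OK)
Mar  3 10:01:03 mail postfix/smtp[1236]: A1B2C3D4E5: to=<bob@example.org>, relay=mx.example.org[198.51.100.8]:25, dsn=2.0.0, status=sent (250 OK)
Mar  3 10:01:04 mail postfix/qmgr[1100]: A1B2C3D4E5: removed
Mar  3 10:02:00 mail postfix/pickup[1101]: F6E7D8C9B0: uid=10001 from=<www-data@example.com>
Mar  3 10:02:00 mail postfix/qmgr[1100]: F6E7D8C9B0: from=<www-data@example.com>, size=500, nrcpt=1 (queue active)
Mar  3 10:02:01 mail postfix/smtp[1236]: F6E7D8C9B0: to=<carol@example.net>, relay=mx.example.net[198.51.100.7]:25, dsn=2.0.0, status=sent (250 OK)
"""

# Syslog prefix, postfix daemon name, queue ID, then the daemon-specific "key=value" fields.
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<proc>\w+)\[\d+\]: "
                     r"(?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$")

def parse_maillog(text):
    """Correlate Postfix log lines by queue ID.

    Returns {queue_id: {"origin", "from", "to"}}. "origin" is the SASL login when the
    message came in through smtpd, or "uid:<n>" when it was injected locally via
    sendmail(1)/pickup (the usual path for a web script); "to" lists (recipient, status).
    """
    msgs = defaultdict(lambda: {"origin": None, "from": None, "to": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proc, qid, rest = m["proc"], m["qid"], m["rest"]
        if proc == "smtpd" and (s := re.search(r"sasl_username=([^,\s]+)", rest)):
            msgs[qid]["origin"] = s[1]
        elif proc == "pickup" and (u := re.search(r"uid=(\d+)", rest)):
            msgs[qid]["origin"] = "uid:" + u[1]
        elif proc == "qmgr" and (f := re.search(r"from=<([^>]*)>", rest)):
            msgs[qid]["from"] = f[1]
        elif proc in ("smtp", "lmtp", "local", "virtual", "pipe") and (
                t := re.search(r"to=<([^>]*)>.*status=(\w+)", rest)):
            msgs[qid]["to"].append((t[1], t[2]))
    return dict(msgs)

def count_by_origin(msgs):
    """(origin, messages, recipients) per originating account, most recipients first."""
    totals = defaultdict(lambda: [0, 0])
    for m in msgs.values():
        totals[m["origin"] or "unknown"][0] += 1
        totals[m["origin"] or "unknown"][1] += len(m["to"])
    return sorted(((k, n, r) for k, (n, r) in totals.items()), key=lambda row: -row[2])
```

An account or uid at the top of that list with far more recipients than its normal traffic is the one to look at first; a uid origin points at a local script rather than a mailbox login.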
 
Spammers and easy passwords in plesk

What I have noticed, is when there is a problem with spammers it is usually not the users on your system that are doing it.
It's how you have set up the SMTP Authorization on your system.
Because users will almost always use easily guessable passwords, it is not a good idea to use the short username logins for mail. A spammer will guess the password for some well used email "names" like 'info' or 'admin' or 'sales' or 'support' etc., and use that to pour thousands of emails through your system using that. The best way to avoid that, since spammers usually only do the IP address of the mail server and not the domain name, is to require the fully qualified email address as the username to log in to send mail: i.e. '[email protected]'.
Also if you use the command line in linux, the best way to find all of the passwords for your email users is to:

# mysql -uadmin -p psa -e "select CONCAT(mail_name,\"@\",name) as email_address, substring(accounts.password, '1') as password from mail left join domains on domains.id=mail.dom_id left join accounts on accounts.id=mail.account_id;"

That will give you a list of email addresses and their passwords. If you want to just check one domain at a time, add "where name='domain-name.com'" on the end before the semi-colon.

This way you can check and see who has easy passwords on your system and get them to change them.
 