
Someone is sending spam through an authenticated account on my server. Help.


zer0state

Guest
Hello,

Someone is sending spam via my SMTP server; they are authenticating and using one of my clients' email accounts (this much I have confirmed). Since qmail logging sucks, how on earth am I supposed to figure out which account has been compromised? Thankfully I'm running qmail-scanner, which quarantined the phishing spam that was being sent out.

Short of changing all of my customer email account passwords, I don't know what to do.

I'm running Plesk 8 RHES 3

Any suggestions would be greatly appreciated.
 
Check which user account is sending the most mails:

cat -n /usr/local/psa/var/log/maillog | grep "SMTP user" | less

That should give you a start.
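
As an added example (not part of the original replies): a shell function that tallies the "SMTP user" lines the command above pages through, per mailbox, together with the number of distinct source IPs. The log line layout and the sample lines are assumptions constructed for illustration; adjust the field handling to match your own maillog.

```shell
#!/bin/sh
# ASSUMPTION: SMTP AUTH login lines in maillog look like
#   ... smtp_auth: SMTP user <name> : <maildir> logged in from <host> [<ip>]
# Adjust the field handling below if your lines differ.

# smtp_auth_summary FILE
# Prints "logins mailbox distinct_ips" per mailbox, busiest first.
smtp_auth_summary() {
    awk '
    /SMTP user/ && /logged in from/ {
        acct = ""
        for (i = 1; i < NF; i++)
            if ($i == "SMTP" && $(i+1) == "user") {
                acct = $(i+2)                        # bare account name
                if ($(i+4) ~ /^\//) acct = $(i+4)    # prefer the maildir path
                break
            }
        if (acct == "") next
        ip = $NF; gsub(/\[|\]/, "", ip)              # "[192.0.2.1]" -> "192.0.2.1"
        logins[acct]++
        if (!((acct, ip) in seen)) { seen[acct, ip] = 1; ips[acct]++ }
    }
    END { for (a in logins) printf "%d %s %d\n", logins[a], a, ips[a] }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation addresses), not real log data.
sample_maillog() {
    cat <<'EOF'
Jan 10 03:12:01 host smtp_auth: SMTP user info : /var/qmail/mailnames/example.com/info logged in from unknown@a.example [198.51.100.7]
Jan 10 03:12:09 host smtp_auth: SMTP user info : /var/qmail/mailnames/example.com/info logged in from unknown@b.example [203.0.113.44]
Jan 10 03:13:30 host smtp_auth: SMTP user sales : /var/qmail/mailnames/example.com/sales logged in from unknown@c.example [192.0.2.10]
Jan 10 03:13:41 host smtp_auth: SMTP user info : /var/qmail/mailnames/example.com/info logged in from unknown@a.example [198.51.100.7]
Jan 10 03:14:02 host smtp_auth: SMTP user info : /var/qmail/mailnames/example.com/info logged in from unknown@d.example [192.0.2.200]
Jan 10 03:14:05 host smtp_auth: SMTP connect from unknown@e.example [192.0.2.55]
Jan 10 03:14:06 host smtp_auth: SMTP user bob : /var/qmail/mailnames/example.org/bob logged in from unknown@e.example [192.0.2.55]
EOF
}

# Demo on the constructed sample; pass the path of your real maillog instead.
tmp=$(mktemp); sample_maillog > "$tmp"; smtp_auth_summary "$tmp"; rm -f "$tmp"
```

A mailbox with far more logins than its peers, or logins from many unrelated source addresses, is the first one to review and reset.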
 
Do you have access to the email files? You should be able to tell where they are coming from by looking at the headers. If you post a couple I can take a look.
 