Raul_Soporte
New Pleskian
Hello there:
I'm using Parallels Plesk Panel v11.5.30_build115130819.13 os_CentOS 6 (6.6) on GenuineIntel, Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz
My server works with the Postfix mail server and I need to identify who sent a forged message within the /usr/local/psa/var/log/maillog file
Usually it's very easy as the senders are identified in that log file like in this example:
Log line #1
Feb 25 08:30:50 hostname postfix/smtpd[13861]: A71AD3980181: client=localhost.localdomain[127.0.0.1], sasl_method=DIGEST-MD5, sasl_username=a_real_user@some_of_my_hosted_domains.com
instead I see this in the log
Log line #2
Feb 25 09:30:52 hostname postfix/smtpd[546]: 1F77539800C3: client=localhost.localdomain[127.0.0.1]
that is, there's no "sasl_method=DIGEST-MD5, sasl_username=" string and later I can see how the 1F77539800C3 message was actually processed and attempted to be sent by reading the rest of the maillog file:
Feb 25 09:30:52 hostname postfix/cleanup[31540]: 1F77539800C3: message-id=<523161.1857.7397.JavaMail.wsadmin@some_other_domain_not_hosted.com>
Feb 25 09:30:42 hostname postfix/qmgr[16475]: 1F77539800C3: from=<unkwnown_user@some_other_domain_not_hosted.com>, size=7401, nrcpt=1 (queue active)
Feb 28 09:39:42 hostname postfix/smtp[581]: 1F77539800C3: host receiving_spammed_host[a.b.c.d] refused to talk to me
What could be wrong? Why are the log line #1 and #2 entries so different?
I need to identify if there's an exploited account.
Best Regards
Raul
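Added example (not from the original post, and not Plesk or Postfix code): a small Python script that correlates maillog lines by Postfix queue ID and flags messages that came in through smtpd without a sasl_username. The difference between the two log lines is that Postfix only logs sasl_method/sasl_username when the client actually authenticated; in line #2 the client is 127.0.0.1 and no SASL attributes are present, which in a default configuration means the message was accepted from the local host under permit_mynetworks, so the submitter is a process on the server itself rather than a hosted mailbox. The sample log text below is constructed from the lines in the post and is not real server data.

```python
"""Correlate Postfix maillog lines by queue ID and classify how each
message entered the queue (added example; sample lines are constructed)."""
import re
import sys
from collections import OrderedDict

# Constructed from the post's examples; not a real maillog.
SAMPLE_MAILLOG = """\
Feb 25 08:30:50 hostname postfix/smtpd[13861]: A71AD3980181: client=localhost.localdomain[127.0.0.1], sasl_method=DIGEST-MD5, sasl_username=a_real_user@some_of_my_hosted_domains.com
Feb 25 08:30:50 hostname postfix/qmgr[16475]: A71AD3980181: from=<a_real_user@some_of_my_hosted_domains.com>, size=1200, nrcpt=1 (queue active)
Feb 25 09:30:52 hostname postfix/smtpd[546]: 1F77539800C3: client=localhost.localdomain[127.0.0.1]
Feb 25 09:30:52 hostname postfix/cleanup[31540]: 1F77539800C3: message-id=<523161.1857.7397.JavaMail.wsadmin@some_other_domain_not_hosted.com>
Feb 25 09:30:42 hostname postfix/qmgr[16475]: 1F77539800C3: from=<unkwnown_user@some_other_domain_not_hosted.com>, size=7401, nrcpt=1 (queue active)
Feb 28 09:39:42 hostname postfix/smtp[581]: 1F77539800C3: host receiving_spammed_host[a.b.c.d] refused to talk to me
"""

# One Postfix log line: timestamp, host, daemon[pid], queue id, rest of line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w/-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]{6,}): (?P<rest>.*)$"
)
# key=value pairs; a value is either <bracketed> or runs up to the next comma/space.
KV_RE = re.compile(r"(\w[\w-]*)=(<[^>]*>|[^,\s]+)")


def parse_maillog(text):
    """Return {queue_id: record} merging the fields every daemon logged for that id."""
    messages = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connect/disconnect/warning lines carry no queue id
        rec = messages.setdefault(m["qid"], {"first_seen": m["ts"], "delivery": []})
        for key, value in KV_RE.findall(m["rest"]):
            rec[key] = value.strip("<>")
        if m["prog"] == "smtpd":
            rec["via"] = "smtpd"  # arrived over SMTP; SASL fields appear only if authenticated
        elif m["prog"] == "smtp":
            rec["delivery"].append(m["rest"])  # outbound attempt, e.g. the remote refusal
    return messages


def is_loopback(client):
    return client is not None and (client.endswith("[127.0.0.1]") or client.endswith("[::1]"))


def classify(rec):
    """Explain, from the logged fields only, how the message got into the queue."""
    if rec.get("via") != "smtpd":
        # pickup(8) logs uid= for mail injected with sendmail(1), e.g. by a web script
        who = " by uid %s" % rec["uid"] if "uid" in rec else ""
        return "local injection via sendmail/pickup" + who
    if rec.get("sasl_username"):
        return "authenticated SMTP as %s" % rec["sasl_username"]
    if is_loopback(rec.get("client")):
        return "unauthenticated SMTP from localhost (permit_mynetworks): a local process, not a mailbox"
    return "unauthenticated SMTP from %s" % rec.get("client", "unknown")


def unauthenticated_submissions(messages):
    """Queue ids that came in through smtpd but carry no sasl_username."""
    return [qid for qid, rec in messages.items()
            if rec.get("via") == "smtpd" and not rec.get("sasl_username")]


def report(messages):
    lines = []
    for qid, rec in messages.items():
        lines.append("%s %s from=%s message-id=%s" % (
            qid, rec["first_seen"], rec.get("from", "?"), rec.get("message-id", "?")))
        lines.append("    " + classify(rec))
        for d in rec["delivery"]:
            lines.append("    delivery: " + d)
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python maillog_triage.py /usr/local/psa/var/log/maillog   (or no argument for the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAILLOG
    msgs = parse_maillog(text)
    print(report(msgs))
    print("\nsubmissions without SASL auth:", ", ".join(unauthenticated_submissions(msgs)) or "none")
```

Run against the real maillog, the report separates three cases: messages with a sasl_username (a mailbox credential was used, so that account is the one to reset), messages with an smtpd line but no sasl_username from 127.0.0.1 (something on the server connected to the local SMTP port without authenticating), and messages with no smtpd line at all (injected through sendmail(1), where the pickup line's uid= identifies the local user the script ran as). For the second and third cases the next artefacts to correlate are the processes and web logs on the host around the smtpd timestamp, since no mailbox password was involved.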