
Users password compromised - How do I find out which one?

buster@

Guest
Someone is sending spam through my Plesk server.

They are authenticating to the server:

Apr 5 06:34:37 plesk relaylock: /var/qmail/bin/relaylock: mail from 2xx.xxx.xxx.xxx:4056 (bb2xx-xxx-xxx-xxx.xxxxxxx.xxx.xx)

But for the life of me, I cannot find a way to find the user that authenticated.

Any tips or hints? If there isn't any way to look through the logs now, is there something I can set up to log what relaylock does? Just user and IP?


Thanks...
 
Apr 6 07:22:26 plesk smtp_auth: smtp_auth: SMTP user sales : /var/qmail/mailnames/domain.com/sales logged in from (bb2xx-xxx-xxx-xxx.xxxxxxx.xxx.xx) [2xx.xxx.xxx.xxx]

I just had to look for the lines like that.

So [email protected] was the culprit.

I was in a rush and looked right over them.
 
I'm curious where you found that log.

I'm curious where you found that log file, I would like to look for the same thing.

Thanks.
 
Plesk keeps the log file here: /usr/local/psa/var/log/maillog
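
The lookup worked out in this thread, as an added example that is not part of the original posts: it counts successful SMTP AUTH logins per mailbox in the maillog, optionally restricted to the source IP seen in a relaylock line. The function names, the sample log lines, the example.com mailboxes and the documentation-range addresses are constructed for illustration; the line layout follows the smtp_auth line quoted above.

```shell
#!/bin/sh
# Added example: summarise "smtp_auth: SMTP user ... logged in from" lines.

# Usage: smtp_auth_summary [LOGFILE|-] [SOURCE_IP]
# Output: "<logins> <distinct source IPs> <mailbox>", busiest mailbox first.
smtp_auth_summary() {
    log="${1:-/usr/local/psa/var/log/maillog}"   # default: path given in the thread
    awk -v want="${2:-}" '
    /smtp_auth: SMTP user / && / logged in from / {
        path = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\/var\/qmail\/mailnames\//) path = $i
        if (path == "") next
        ip = $NF                          # last field is "[a.b.c.d]"
        gsub(/^\[|\]$/, "", ip)
        if (want != "" && ip != want) next
        split(path, p, "/")               # "", var, qmail, mailnames, domain, user
        mbox = p[6] "@" p[5]
        logins[mbox]++
        if (!((mbox, ip) in seen)) { seen[mbox, ip] = 1; ips[mbox]++ }
    }
    END { for (m in logins) printf "%d %d %s\n", logins[m], ips[m], m }
    ' "$log" | sort -k1,1nr -k3,3
}

# Constructed sample log lines (hypothetical hosts, RFC 5737 addresses).
sample_maillog() {
    cat <<'EOF'
Apr  6 07:22:26 plesk smtp_auth: smtp_auth: SMTP user sales : /var/qmail/mailnames/example.com/sales logged in from (host1.example.net) [203.0.113.7]
Apr  6 07:22:27 plesk relaylock: /var/qmail/bin/relaylock: mail from 203.0.113.7:4056 (host1.example.net)
Apr  6 07:25:01 plesk smtp_auth: smtp_auth: SMTP user sales : /var/qmail/mailnames/example.com/sales logged in from (host1.example.net) [203.0.113.7]
Apr  6 07:30:10 plesk smtp_auth: smtp_auth: SMTP user info : /var/qmail/mailnames/example.com/info logged in from (host2.example.net) [198.51.100.20]
Apr  6 07:31:44 plesk smtp_auth: smtp_auth: SMTP user sales : /var/qmail/mailnames/example.com/sales logged in from (host3.example.net) [198.51.100.99]
EOF
}

# Which mailbox authenticated from the address in the relaylock line?
sample_maillog | smtp_auth_summary - 203.0.113.7
```

A mailbox with many logins from several unrelated source IPs is the one to reset first; run the function with no arguments on the server to read the log at the path given above.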
 
Thanks, I found it after looking a little deeper.

That's an interesting log, I'm curious as to why it's not simply in /var/log, but the reasoning behind some of this is a little confusing anyway.
 
Thanks ART,
I was pretty sure it would. It's just odd that the "out of the box" solution doesn't put all the logs in a central location.

But then again "logic" is something many developers lack. ;-)
 