1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Users password compromised - How do I find out which one?

Discussion in 'Plesk for Linux - 8.x and Older' started by buster@, Apr 5, 2007.

  1. buster@

    buster@ Guest

    Someone is sending spam through my plesk server.

    They are authenticating to the server:

    Apr 5 06:34:37 plesk relaylock: /var/qmail/bin/relaylock: mail from 2xx.xxx.xxx.xxx:4056 (bb2xx-xxx-xxx-xxx.xxxxxxx.xxx.xx)

    But for the life of me, I cannot find a way to find the user that authenticated.

    Any tips or hints? If there isn't any way to look through the logs now, is there something I can setup to log what relaylock does. Just user and ip?

  2. buster@

    buster@ Guest

    Found it... I was looking for the wrong thing..
  3. sakshale@

    sakshale@ Guest

    Share with us the way you found it...
  4. buster@

    buster@ Guest

    Apr 6 07:22:26 plesk smtp_auth: smtp_auth: SMTP user sales : /var/qmail/mailnames/domain.com/sales logged in from (bb2xx-xxx-xxx-xxx.xxxxxxx.xxx.xx) [2xx.xxx.xxx.xxx]

    I just had to look for the lines like that.

    So sales@domain.com was the culprit.

    I was in a rush and looked right over them.
  5. carliebentley

    carliebentley Guest

    I'm curious where you found that log.

    I'm curious where you found that log file, I would like to look for the same thing.

  6. buster@

    buster@ Guest

    Plesk keeps the log file here: /usr/local/psa/var/log/maillog
  7. carliebentley

    carliebentley Guest

    Thanks, I found it after looking a little deeper.

    That's an interesting log, I'm curious as to why it's not simply in /var/log, but the reasoning behind some of this is a little confusing anyway.
  8. atomicturtle

    atomicturtle Golden Pleskian

    Nov 20, 2002
    Likes Received:
    Washington, DC
    It will log to /var/log/messages as well.
  9. carliebentley

    carliebentley Guest

    Thank ART,
    I was pretty sure it would. It's just odd that the "out of the box" solution doesn't put all the logs in a central location.

    But then again "logic" is something many developers lack. ;-)