
webmail abuse tracking

EMerkel

New Pleskian
One of our Linux Plesk 11.0 servers is being used to send out spam via horde/webmail. Unfortunately, there are no identifiers like username etc. in the email headers to identify what is being compromised to send out these emails. All I have been able to do is block the IP listed in the header, but of course they change IP and come right back.

I've also looked in /var/log/psa-horde/psa-horde.log but I don't see anything that would allow me to know what username is being used to send out the spam.

Does anyone else have any other hints on where to look to find the offender?

Thanks,
Eric
 
Take one of the IPs you have blocked and search the maillog file.
Search /usr/local/psa/var/log/maillog for the IP and read a few lines down.

You are looking for something like this:

Nov 5 05:42:52 server1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 5 05:42:52 server1 imapd: LOGIN: DEBUG: ip=[::ffff:127.0.0.1], command=AUTHENTICATE
Nov 5 05:42:52 server1 imapd: auth_psa: starting client module
Nov 5 05:42:52 server1 imapd: cram: decoded challenge/response, username '[email protected]'
Nov 5 05:42:52 server1 imapd: IMAP connect from @ [::ffff:127.0.0.1]digascii: 8484c8484c8484c8484c, response: 8484c8484c8484c8484c
Nov 5 05:42:52 server1 imapd: cram validation succeeded
Nov 5 05:42:52 server1 imapd: auth_psa: ACCEPT, username [email protected]
Nov 5 05:42:52 server1 imapd: LOGIN, [email protected], ip=[::ffff:127.0.0.1], protocol=IMAP
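The same "find the IP, then read down to the LOGIN line" lookup, as an added Python example (not code from this thread or from Plesk) run over constructed maillog lines modelled on the excerpt above; hostnames, IPs and addresses in the sample are made up. It also counts logins per account, which is the useful view when every webmail IMAP login arrives from 127.0.0.1 and the IP alone tells you nothing.

```python
import re
from collections import Counter

# Constructed sample in the format of the maillog excerpt above
# (hypothetical host, IPs and mailboxes; not from a real server).
SAMPLE_MAILLOG = """\
Nov 5 05:42:52 server1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 5 05:42:52 server1 imapd: LOGIN: DEBUG: ip=[::ffff:127.0.0.1], command=AUTHENTICATE
Nov 5 05:42:52 server1 imapd: auth_psa: ACCEPT, username user1@example.com
Nov 5 05:42:52 server1 imapd: LOGIN, user1@example.com, ip=[::ffff:127.0.0.1], protocol=IMAP
Nov 5 05:43:10 server1 imapd: Connection, ip=[::ffff:203.0.113.7]
Nov 5 05:43:10 server1 imapd: auth_psa: ACCEPT, username user2@example.com
Nov 5 05:43:10 server1 imapd: LOGIN, user2@example.com, ip=[::ffff:203.0.113.7], protocol=IMAP
Nov 5 05:44:01 server1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 5 05:44:01 server1 imapd: LOGIN, user1@example.com, ip=[::ffff:127.0.0.1], protocol=IMAP
"""

# Matches the successful "LOGIN, <user>, ip=[...], protocol=<proto>" line;
# the IPv4-mapped "::ffff:" prefix is stripped so plain IPv4 can be compared.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ imapd: LOGIN, (?P<user>[^,]+), "
    r"ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\], protocol=(?P<proto>\w+)$"
)


def parse_logins(maillog):
    """Yield (timestamp, user, ip, protocol) for every successful LOGIN line."""
    for line in maillog.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("ip"), m.group("proto")


def users_for_ip(maillog, ip):
    """Accounts that logged in from the given client IP (the manual lookup)."""
    return sorted({u for _, u, i, _ in parse_logins(maillog) if i == ip})


def logins_per_user(maillog, ip=None):
    """Login count per mailbox, optionally restricted to one client IP.
    With webmail the IP is always 127.0.0.1, so the per-account count
    is what points at the mailbox being abused."""
    counts = Counter()
    for _, user, i, _ in parse_logins(maillog):
        if ip is None or i == ip:
            counts[user] += 1
    return counts


if __name__ == "__main__":
    print(users_for_ip(SAMPLE_MAILLOG, "203.0.113.7"))
    print(logins_per_user(SAMPLE_MAILLOG, "127.0.0.1").most_common(3))
```

Run it against the real file with `open("/usr/local/psa/var/log/maillog").read()` in place of the sample; a mailbox with far more localhost logins than its owner would generate is the one to reset.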
 
All of the IMAP connections will always show as being from localhost 127.0.0.1, not the actual IP address that is posting messages to webmail. Are there any other logs that would successfully tie the webmail login ID to the IP address?

Is there a way to set up Horde to include the IP address of the sender in the email headers? Seems like that would make tracking down these issues easier.

Eric
 