webmail abuse tracking

EMerkel

New Pleskian
One of our Linux Plesk 11.0 servers is being used to send out spam via horde/webmail. Unfortunately, there are no identifiers like username etc. in the email headers to identify what is being compromised to send out these emails. All I have been able to do is block the IP listed in the header, but of course they change IP and come right back.

I've also looked in /var/log/psa-horde/psa-horde.log, but I don't see anything that would allow me to know what username is being used to send out the spam.

Does anyone else have any other hints on where to look to find the offender?

Thanks,
Eric
 
Take one of the IPs you have blocked and search the maillog file.
Search /usr/local/psa/var/log/maillog for the IP and read a few lines down.

You are looking for something like this:

Nov 5 05:42:52 server1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 5 05:42:52 server1 imapd: LOGIN: DEBUG: ip=[::ffff:127.0.0.1], command=AUTHENTICATE
Nov 5 05:42:52 server1 imapd: auth_psa: starting client module
Nov 5 05:42:52 server1 imapd: cram: decoded challenge/response, username '[email protected]'
Nov 5 05:42:52 server1 imapd: IMAP connect from @ [::ffff:127.0.0.1]digascii: 8484c8484c8484c8484c, response: 8484c8484c8484c8484c
Nov 5 05:42:52 server1 imapd: cram validation succeeded
Nov 5 05:42:52 server1 imapd: auth_psa: ACCEPT, username [email protected]
Nov 5 05:42:52 server1 imapd: LOGIN, [email protected], ip=[::ffff:127.0.0.1], protocol=IMAP
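To do that maillog search over a whole day rather than one IP at a time, here is an added example (not code from the thread or from Plesk) that parses the imapd LOGIN lines in the format shown above, counts logins per mailbox and per client IP, and lists the mailboxes whose login count stands out; the host name, mailbox addresses and the threshold are constructed for the sample.

```python
import re
from collections import Counter, defaultdict

# Matches the imapd LOGIN lines from the maillog excerpt above, e.g.
#   Nov 5 05:42:52 server1 imapd: LOGIN, user@example.com, ip=[::ffff:127.0.0.1], protocol=IMAP
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ imapd: LOGIN, (?P<user>\S+), "
    r"ip=\[(?P<ip>[^\]]+)\], protocol=(?P<proto>\w+)"
)

def parse_logins(lines):
    """Yield (timestamp, user, ip) for every LOGIN line; other lines are skipped."""
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            ip = m.group("ip")
            # Strip the IPv4-mapped prefix so 127.0.0.1 reads as 127.0.0.1
            if ip.startswith("::ffff:"):
                ip = ip[len("::ffff:"):]
            yield m.group("ts"), m.group("user"), ip

def login_stats(lines):
    """Count logins per mailbox and collect the distinct client IPs seen for each."""
    counts = Counter()
    ips = defaultdict(set)
    for _ts, user, ip in parse_logins(lines):
        counts[user] += 1
        ips[user].add(ip)
    return counts, ips

def suspicious_accounts(lines, max_logins=50):
    """Return (user, login_count, sorted_ips) for mailboxes over max_logins, busiest first."""
    counts, ips = login_stats(lines)
    return [(user, n, sorted(ips[user])) for user, n in counts.most_common() if n > max_logins]

# Constructed sample: one mailbox logging in every minute through webmail (localhost),
# plus one normal login from a client IP. Real runs read /usr/local/psa/var/log/maillog.
SAMPLE = [
    "Nov 5 05:42:52 server1 imapd: Connection, ip=[::ffff:127.0.0.1]",
    "Nov 5 05:42:52 server1 imapd: auth_psa: ACCEPT, username bob@example.com",
] + [
    f"Nov 5 05:{m:02d}:00 server1 imapd: LOGIN, bob@example.com, ip=[::ffff:127.0.0.1], protocol=IMAP"
    for m in range(60)
] + [
    "Nov 5 06:01:10 server1 imapd: LOGIN, alice@example.com, ip=[::ffff:203.0.113.7], protocol=IMAP",
]

if __name__ == "__main__":
    for user, n, seen in suspicious_accounts(SAMPLE):
        print(f"{user}: {n} logins from {', '.join(seen)}")
```

Mailboxes that log in far more often than a person would, all from 127.0.0.1, are the ones to check for a compromised password; the threshold should be set from what is normal on the server in question.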

All of the IMAP connections will always show as being from localhost 127.0.0.1, not the actual IP address that is posting messages to webmail. Are there any other logs that would successfully tie the webmail login ID to the IP address?

Is there a way to set up Horde to include the IP address of the sender in the email headers? Seems like that would make tracking down these issues easier.

Eric