
webmail abuse tracking

EMerkel

New Pleskian
One of our Linux Plesk 11.0 servers is being used to send out spam via horde/webmail. Unfortunately, there are no identifiers like username etc. in the email headers to identify what is being compromised to send out these emails. All I have been able to do is block the IP listed in the header, but of course they change IP and come right back.

I've also looked in /var/log/psa-horde/psa-horde.log but I don't see anything that would allow me to know what username is being used to send out the spams.

Does anyone else have any other hints on where to look to find the offender?

Thanks,
Eric
 
Take one of the IPs you have blocked and search the maillog file.
Search /usr/local/psa/var/log/maillog for the IP and read a few lines down.

You are looking for something like this:

Nov 5 05:42:52 server1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 5 05:42:52 server1 imapd: LOGIN: DEBUG: ip=[::ffff:127.0.0.1], command=AUTHENTICATE
Nov 5 05:42:52 server1 imapd: auth_psa: starting client module
Nov 5 05:42:52 server1 imapd: cram: decoded challenge/response, username '[email protected]'
Nov 5 05:42:52 server1 imapd: IMAP connect from @ [::ffff:127.0.0.1]digascii: 8484c8484c8484c8484c, response: 8484c8484c8484c8484c
Nov 5 05:42:52 server1 imapd: cram validation succeeded
Nov 5 05:42:52 server1 imapd: auth_psa: ACCEPT, username [email protected]
Nov 5 05:42:52 server1 imapd: LOGIN, [email protected], ip=[::ffff:127.0.0.1], protocol=IMAP
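The correlation described in the reply above (search the maillog for a blocked IP, then find the login that follows it) can be scripted so every LOGIN line is tied to its source address and loopback logins, which is how webmail sessions appear, are flagged separately. This is an added example, not code from the thread or from Plesk; it assumes only the courier-imap/auth_psa line format quoted above, and the log excerpt, hostnames, users and IPs in it are constructed (203.0.113.7 is a documentation-range placeholder standing in for a blocked address).

```python
"""Tie Plesk maillog LOGIN lines to the IP that performed each login.

Added example. The line format follows the imapd lines quoted in the
reply above; the sample log below is constructed, not real server output.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: one webmail (loopback) login and two direct logins
# from a placeholder external address.
SAMPLE_MAILLOG = """\
Nov 5 05:42:52 server1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 5 05:42:52 server1 imapd: LOGIN: DEBUG: ip=[::ffff:127.0.0.1], command=AUTHENTICATE
Nov 5 05:42:52 server1 imapd: auth_psa: starting client module
Nov 5 05:42:52 server1 imapd: cram validation succeeded
Nov 5 05:42:52 server1 imapd: auth_psa: ACCEPT, username alice@example.com
Nov 5 05:42:52 server1 imapd: LOGIN, alice@example.com, ip=[::ffff:127.0.0.1], protocol=IMAP
Nov 5 05:43:10 server1 imapd: Connection, ip=[::ffff:203.0.113.7]
Nov 5 05:43:10 server1 imapd: LOGIN: DEBUG: ip=[::ffff:203.0.113.7], command=AUTHENTICATE
Nov 5 05:43:10 server1 imapd: auth_psa: starting client module
Nov 5 05:43:10 server1 imapd: auth_psa: ACCEPT, username bob@example.com
Nov 5 05:43:10 server1 imapd: LOGIN, bob@example.com, ip=[::ffff:203.0.113.7], protocol=IMAP
Nov 5 05:44:01 server1 imapd: Connection, ip=[::ffff:203.0.113.7]
Nov 5 05:44:01 server1 imapd: auth_psa: ACCEPT, username bob@example.com
Nov 5 05:44:01 server1 imapd: LOGIN, bob@example.com, ip=[::ffff:203.0.113.7], protocol=IMAP
"""

# The "LOGIN, <user>, ip=[...], protocol=..." line is the one record that
# carries both the authenticated user and the client address.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>[a-z]+): LOGIN, (?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\], "
    r"protocol=(?P<proto>\S+)$"
)


def normalize_ip(raw):
    """Strip the IPv4-mapped IPv6 prefix courier logs ('::ffff:1.2.3.4')."""
    raw = raw.strip()
    if raw.startswith("::ffff:"):
        raw = raw[len("::ffff:"):]
    return raw


def is_loopback(ip):
    """True for 127.0.0.0/8 or ::1, i.e. logins relayed by webmail on the box."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def parse_logins(text):
    """Return one dict per LOGIN line: timestamp, host, daemon, user, ip, protocol."""
    rows = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            rows.append({
                "ts": m.group("ts"), "host": m.group("host"),
                "daemon": m.group("daemon"), "user": m.group("user").strip(),
                "ip": normalize_ip(m.group("ip")), "protocol": m.group("proto"),
            })
    return rows


def logins_for_ip(text, ip):
    """Usernames that authenticated from the given IP (the 'read a few lines down' step)."""
    wanted = normalize_ip(ip)
    return [r["user"] for r in parse_logins(text) if r["ip"] == wanted]


def summarize_by_ip(text):
    """Map each source IP to a Counter of usernames seen logging in from it."""
    summary = defaultdict(Counter)
    for r in parse_logins(text):
        summary[r["ip"]][r["user"]] += 1
    return summary


if __name__ == "__main__":
    for ip, users in summarize_by_ip(SAMPLE_MAILLOG).items():
        note = "  (loopback: webmail session, real client IP not in this log)" if is_loopback(ip) else ""
        print(f"{ip}{note}")
        for user, n in users.most_common():
            print(f"    {user}: {n} login(s)")
```

Run it against the real file with `python3 script.py < /usr/local/psa/var/log/maillog` after swapping `SAMPLE_MAILLOG` for `sys.stdin.read()`; a mailbox that shows up under many different external addresses in a short window is the usual sign of a compromised password. Loopback entries are reported but cannot be attributed to a remote client from this log alone, which is exactly the limitation raised further down in the thread.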
 
All of the IMAP connections will always show as being from localhost 127.0.0.1, not the actual IP address that is posting messages to webmail. Are there any other logs that would successfully tie the webmail login ID to the IP address?

Is there a way to set up Horde to include the IP address of the sender in the email headers? Seems like that would make tracking down these issues easier.

Eric
 