[SM-USERS] figuring out who sent email by squirrelmail

2011-03-01 Thread Paul Raines

In trying to track down what account was being used to send spam
via squirrelmail all I had was lines like this from /var/log/maillog

Feb 27 18:12:15 mail sendmail[9844]: p1RNC9TS009844: 
from=, size=1087, class=0, nrcpts=1, 
msgid=<4469.120.140.74.254.1298645519.squir...@mail.nmr.mgh.harvard.edu>, 
proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Feb 27 18:12:15 mail sendmail[9844]: p1RNC9TS009844: 
to=, delay=00:00:06, mailer=relay, pri=31087, 
stat=queued

johngalvan is not a user on our system.  So it was faked.  Is there no way 
from the msgid to figure out what logged in squirrelmail user sent this?

Eventually I was able to get an example of an actual spam message so I could 
see the full headers which shows the authorized squirrelmail user, but that 
took a long time to track down and meanwhile spam was still going out.

Is there some plugin that would log information for auditing this kind
of thing better?  I was surprised to find there is no log at all for
squirrelmail by default that tracks logins or mail sent.  Can anyone
recommend one?

Thanks


-- 
---
Paul Raines    email: raines at nmr.mgh.harvard.edu
MGH/MIT/HMS Athinoula A. Martinos Center for Biomedical Imaging
149 (2301) 13th Street Charlestown, MA 02129 USA




The information in this e-mail is intended only for the person to whom it is
addressed. If you believe this e-mail was sent to you in error and the e-mail
contains patient information, please contact the Partners Compliance HelpLine at
http://www.partners.org/complianceline . If the e-mail was sent to you in error
but does not contain patient information, please contact the sender and properly
dispose of the e-mail.


--
Free Software Download: Index, Search & Analyze Logs and other IT data in 
Real-Time with Splunk. Collect, index and harness all the fast moving IT data 
generated by your applications, servers and devices whether physical, virtual
or in the cloud. Deliver compliance at lower cost and gain new business 
insights. http://p.sf.net/sfu/splunk-dev2dev 
-
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@lists.sourceforge.net
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): 
https://lists.sourceforge.net/lists/listinfo/squirrelmail-users


Re: [SM-USERS] figuring out who sent email by squirrelmail

2011-03-01 Thread Tomas Kuliavas


Paul Raines wrote:
> 
> 
> In trying to track down what account was being used to send spam
> via squirrelmail all I had was lines like this from /var/log/maillog
> 
> Feb 27 18:12:15 mail sendmail[9844]: p1RNC9TS009844: 
> from=, size=1087, class=0, nrcpts=1, 
> msgid=<4469.120.140.74.254.1298645519.squir...@mail.nmr.mgh.harvard.edu>, 
> proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
> Feb 27 18:12:15 mail sendmail[9844]: p1RNC9TS009844: 
> to=, delay=00:00:06, mailer=relay, pri=31087, 
> stat=queued
> 
> johngalvan is not a user on our system.  So it was faked.  Is there no
> way 
> from the msgid to figure out what logged in squirrelmail user sent this?
> 
> Eventually I was able to get an example of an actual spam message so I
> could 
> see the full headers which shows the authorized squirrelmail user, but
> that 
> took a long time to track down and meanwhile spam was still going out.
> 
> Is there some plugin that would log information for auditing this kind
> of thing better?  I was surprised to find there is no log at all for
> squirrelmail by default that tracks logins or mail sent.  Can anyone
> recommend one?
> 
Stop queue processing and check the data in the mail queue. SquirrelMail stores
user information in email headers.

Check user preferences. Maybe the spammer forgot to reset the signature and
email address in the .pref files.
-- 
View this message in context: 
http://old.nabble.com/figuring-out-who-sent-email-by-squirrelmail-tp31042907p31044007.html
Sent from the squirrelmail-users mailing list archive at Nabble.com.
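
Added example, not part of the original thread: a Python sketch that pulls the SquirrelMail login out of message headers (from a queued message or a captured spam sample) and tallies messages per login. It assumes the header wording "SquirrelMail authenticated user" and a Message-ID laid out as port.client-IP.epoch.squirrel@host; all sample data is constructed.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Assumption: SquirrelMail stamps outgoing mail with a header of the form
#   Received: from <client ip> (SquirrelMail authenticated user <login>) by <host> with HTTP; <date>
AUTH_RE = re.compile(r"from\s+(\S+)\s+\(SquirrelMail authenticated user ([^)]+)\)")
# Assumption: Message-ID is <port>.<client IPv4>.<epoch seconds>.squirrel@<host>
MSGID_RE = re.compile(r"<(\d+)\.(\d{1,3}(?:\.\d{1,3}){3})\.(\d{9,10})\.squirrel@([^>]+)>")

def unfold(text):
    """Join folded header lines (continuation lines start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", text)

def audit_message(raw):
    """Return login, client IP and send time recovered from one message's headers."""
    headers = unfold(raw.split("\n\n", 1)[0])
    found = {"user": None, "client_ip": None, "msgid_ip": None, "sent_utc": None}
    m = AUTH_RE.search(headers)
    if m:
        found["client_ip"], found["user"] = m.group(1), m.group(2)
    m = MSGID_RE.search(headers)
    if m:
        found["msgid_ip"] = m.group(2)
        found["sent_utc"] = datetime.fromtimestamp(int(m.group(3)), timezone.utc).isoformat()
    return found

def senders(messages):
    """Count messages per authenticated login; None means no SquirrelMail stamp."""
    return Counter(audit_message(m)["user"] for m in messages)

# Constructed sample: the From address is forged, the Received stamp is not.
SAMPLE = """\
Received: from 203.0.113.7
        (SquirrelMail authenticated user alice)
        by mail.example.org with HTTP;
        Sun, 13 Mar 2011 07:06:40 -0000
Message-ID: <4469.203.0.113.7.1300000000.squirrel@mail.example.org>
From: forged.name@example.org
Subject: constructed sample

body
"""
NOT_WEBMAIL = "From: bob@example.org\nSubject: plain SMTP\n\nbody\n"

if __name__ == "__main__":
    print(audit_message(SAMPLE))
    print(senders([SAMPLE, SAMPLE, NOT_WEBMAIL]).most_common())
```

The client IP and timestamp can then be matched against the web server's access log for the SquirrelMail host.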




Re: [SM-USERS] figuring out who sent email by squirrelmail

2011-03-01 Thread C. Bensend

> In trying to track down what account was being used to send spam
> via squirrelmail all I had was lines like this from /var/log/maillog
>
> Feb 27 18:12:15 mail sendmail[9844]: p1RNC9TS009844:
> from=, size=1087, class=0, nrcpts=1,
> msgid=<4469.120.140.74.254.1298645519.squir...@mail.nmr.mgh.harvard.edu>,
> proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
> Feb 27 18:12:15 mail sendmail[9844]: p1RNC9TS009844:
> to=, delay=00:00:06, mailer=relay, pri=31087,
> stat=queued
>
> johngalvan is not a user on our system.  So it was faked.  Is there no
> way
> from the msgid to figure out what logged in squirrelmail user sent this?
>
> Eventually I was able to get an example of an actual spam message so I
> could
> see the full headers which shows the authorized squirrelmail user, but
> that
> took a long time to track down and meanwhile spam was still going out.
>
> Is there some plugin that would log information for auditing this kind
> of thing better?  I was surprised to find there is no log at all for
> squirrelmail by default that tracks logins or mail sent.  Can anyone
> recommend one?

I use Squirrel Logger:

http://www.squirrelmail.org/plugin_view.php?id=52

I have mine logging to a PostgreSQL database, and I hacked on the
show_stats.php file a bit to present the data in the way I like.

Benny


-- 
"Hairy ape nads." -- Colleen, playing Neverwinter Nights


