Community Discussions and Support
Spam attack: What login was used?

Good point, google for "base64 decode" to find a tool for it (there are plenty of them on the web).

/Rolf
 


My mailserver's normally locked down pretty tight, but today I chanced across a pretty serious spam onslaught.  One of my AUTH passwords was guessed/hacked and my poor server was under a ceaseless wave of the filthy stuff: after disabling all passwords, 1,013 connections were refused in a two-minute span, each with some 25 email targets.  I nuked 6,063 items from the QUEUE folder when it didn't seem like there was any end to the processing and sending of spam.

 

Which brings me to my question:

 

The logs show only AUTH LOGIN, but it doesn't say WHICH user logged in.  Is there any way to tell?  

 

It'd sure be handy if the login name was included in the logs...


In a normal situation the user should be obvious from the MAIL FROM line, but in this case that is of course not the case. You would probably need to switch on session logging briefly to catch this.

/Rolf 


[quote user="Rolf Lindby"]

In a normal situation the user should be obvious from the MAIL FROM line, but in this case that is of course not the case. You would probably need to switch on session logging briefly to catch this.

/Rolf 

[/quote]

And even there you would need something to Base64 decode the AUTH strings to get the username.
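
The decoding step discussed in this thread, as an added example (not code from any poster or from the mail server's vendor): it walks a session log, decodes the base64 username of each AUTH LOGIN exchange and counts successful logins per account. The line layout `<session-id> <C|S>: <SMTP text>` and the sample data are assumptions; adapt the regex to the format your server's session log actually uses.

```python
import base64
import re
from collections import Counter

# Assumed session-log layout (constructed): "<session-id> <C|S>: <SMTP text>"
LINE = re.compile(r"^(\S+) ([CS]): (.*)$")

def b64(token):
    """Decode one base64 token to text, or None if it is not valid base64."""
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def auth_logins(lines):
    """Count successful AUTH LOGIN authentications per decoded username."""
    sess, ok = {}, Counter()  # sess: session id -> [stage, username]
    for line in lines:
        if not (m := LINE.match(line)):
            continue
        sid, who, text = m.groups()
        cur = sess.get(sid)
        if who == "C":
            cmd = text.split()
            if [c.upper() for c in cmd[:2]] == ["AUTH", "LOGIN"]:
                # The username may arrive as an initial response on this line.
                sess[sid] = ["pass", b64(cmd[2])] if len(cmd) > 2 else ["user", None]
            elif cur and cur[0] == "user":
                sess[sid] = ["pass", b64(text)]
            elif cur and cur[0] == "pass":
                cur[0] = "done"  # password line: never decoded or kept
        elif not text.startswith("334"):  # any final reply ends the exchange
            if cur and cur[0] == "done" and text.startswith("235"):
                ok[cur[1] or "<undecodable>"] += 1
            sess.pop(sid, None)
    return ok

# Constructed sample: one successful login as "sales", one failed as "bob".
SAMPLE = """\
s1 C: AUTH LOGIN
s1 S: 334 VXNlcm5hbWU6
s1 C: c2FsZXM=
s1 S: 334 UGFzc3dvcmQ6
s1 C: Y29uc3RydWN0ZWQ=
s1 S: 235 Authentication successful
s2 C: AUTH LOGIN Ym9i
s2 S: 334 UGFzc3dvcmQ6
s2 C: d3Jvbmc=
s2 S: 535 Authentication failed
""".splitlines()
```

Calling `auth_logins(SAMPLE).most_common()` lists accounts by number of successful logins, so the account used for the spam run appears first. Session logs hold base64-encoded passwords as well, so keep session logging on only as long as needed and restrict access to the files.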
