Koozali.org: home of the SME Server

Find User sending email outbound

Offline tdbsoft

Find User sending email outbound
« on: January 17, 2018, 12:14:49 PM »
Is there any way to find out who sent an outbound email?

While we can locate the instances of where the spam email was sent, we can't tell what user account was used to authenticate to the SMTP server to send the message.

/var/log/qpsmtpd      --> non-secure smtp port 25 log
/var/log/sqpsmtpd    --> secure smtp port 465 log

Both of these log files contain spam sent from outside the internet into our server and then outbound to the internet to random addresses, as spam servers do...

Does anyone know how to track and find what user account is sending the spam via SMTP (unsecured or secure) so we can identify if it was a user account that was compromised or an issue with the email protocol?

I am betting more on a user being compromised, but I would like to confirm and be able to track such things more easily in the future.

thanks in advance

Offline Stefano

Re: Find User sending email outbound
« Reply #1 on: January 17, 2018, 12:30:22 PM »
do you have any WAN-exposed website/webapp running on your server?

if so, please disconnect your server or shut down your sites..

if you search the forum and/or the wiki, you'll find an interesting how-to about how to investigate

Offline mmccarn

Re: Find User sending email outbound
« Reply #2 on: January 17, 2018, 01:33:48 PM »
Finding the authenticated User
With qpsmtpd LogLevel set to 6 (the default; check using config getprop qpsmtpd LogLevel), the qpsmtpd log files will include an "auth" line indicating successful authentication.

The 2nd column (after the date stamp) in the qpsmtpd logs is the connection/process ID -- all log entries related to a given email have the same connection/process ID and occur close to each other in time (ID numbers can be repeated, but not very often).

So - find the offending email in the qpsmtpd logs, note the connection ID, then look for the associated 'auth' entry.

A minor correction regarding qpsmtpd vs sqpsmtpd
/var/log/qpsmtpd/current is where traffic on port 25 is logged.  This could be non-secure or secure depending on your server's TLS settings.

Compromised Webapps
As implied by Stefano, webapps are a common source of vulnerabilities, and their behavior may not appear in the qpsmtpd log files depending on the configuration of the app -- but you mentioned that you are finding the offending messages in the qpsmtpd logfiles. For example, a test message I sent myself using Sogo left no trace in the qpsmtpd logs.

Here's a wiki page on reading email-related logfiles:
https://wiki.contribs.org/Mail_log_file_analysis#qmail:_Outgoing_SMTP_traffic

This google search finds a few other folks dealing with troublesome email relay problems:
https://www.google.com/search?q=site%3Acontribs.org+hacked+spam
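
The procedure described in this reply (find the offending message, note its connection ID, look for the matching 'auth' entry) as a small shell script. This is an added example, not code from the post or from SME Server. The log lines embedded in it are constructed: the tai64n stamp in column 1 and the connection ID in column 2 follow the post, but the message texts, the "(auth)" marker and the "Accepted connection" line used to tell re-used IDs apart are assumptions about the qpsmtpd log format, so adjust the patterns to what your own /var/log/qpsmtpd/current shows. Because the 2nd column is reused over time, the script numbers each connection by its "Accepted connection" line and reports only the auth entry from the same connection as the matching message, not an earlier or later session that happened to get the same ID.

```sh
#!/bin/sh
# Added example: correlate a qpsmtpd log line with the 'auth' entry of the same
# connection.  Column 1 is the multilog tai64n stamp, column 2 the connection ID
# (as described in the post); the message texts below are CONSTRUCTED sample data
# and the exact wording of real qpsmtpd entries may differ.
SAMPLE_LOG='@400000005a5f01c00a1b2c3c 4821 Accepted connection 1/40 from 203.0.113.9 / unknown
@400000005a5f01c00b2c3d4e 4821 (auth) auth_cvm_unix_local: authentication succeeded for jdoe
@400000005a5f01c00c3d4e5f 4821 (rcpt) check_relay: relaying allowed for <victim@example.net>
@400000005a5f01c00d4e5f60 4821 (queue) queued as 1516180000.123456
@400000005a5f01c00e5f6071 4821 client disconnected
@400000005a5f01c10a1b2c3c 4822 Accepted connection 1/40 from 198.51.100.7 / mail.example.org
@400000005a5f01c10b2c3d4e 4822 (rcpt) check_relay: local delivery to <alice@example.com>
@400000005a5f01c10c3d4e5f 4822 client disconnected
@400000005a5f01c20a1b2c3c 4821 Accepted connection 1/40 from 192.0.2.44 / unknown
@400000005a5f01c20b2c3d4e 4821 (auth) auth_cvm_unix_local: authentication succeeded for bob
@400000005a5f01c20c3d4e5f 4821 (rcpt) check_relay: relaying allowed for <other@example.org>
@400000005a5f01c20d4e5f60 4821 client disconnected'

# who_sent PATTERN LOGFILE
#   Pass 1 numbers every connection (ID + how many "Accepted connection" lines
#   that ID has produced so far, so a re-used ID starts a new session) and notes
#   which sessions contain a line matching PATTERN (an address, subject, queue id).
#   Pass 2 prints the auth-related lines of exactly those sessions, so failed
#   as well as successful auth attempts of that connection are shown.
who_sent() {
    pattern=$1
    logfile=$2
    awk -v pat="$pattern" '
        FNR == 1 && NR > 1     { split("", seen) }          # pass 2: restart session counters
        /Accepted connection/  { seen[$2]++ }               # new session for this ID
                               { key = $2 "#" seen[$2] }
        NR == FNR              { if ($0 ~ pat) hit[key] = 1; next }   # pass 1 only
        (key in hit) && /auth/ { print }                    # pass 2: auth lines of hit sessions
    ' "$logfile" "$logfile"
}

# Demo against the constructed sample; on a real server use
#   who_sent 'victim@example.net' /var/log/qpsmtpd/current
# (rotated files in the same directory can be given one at a time).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
who_sent 'victim@example.net' "$tmp"      # jdoe's auth line, not bob's (same ID, later session)
rm -f "$tmp"
```

The search term can be anything that identifies the message (recipient, envelope sender, queue id); the same ID appearing twice in the sample is the case the post warns about, and the session numbering is what keeps the two apart.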

Offline tdbsoft

Re: Find User sending email outbound
« Reply #3 on: January 17, 2018, 02:30:51 PM »
Hi mmccarn,

Thank you, that is exactly what we need to find the issue. Unfortunately we will not be able to track it this time, as the log level was set to 8.  Not sure why, as other servers are at level 6.  Anyway, we have now set it to level 6 in case it happens again.

Many thanks TDB

Offline mmccarn

Re: Find User sending email outbound
« Reply #4 on: January 17, 2018, 03:13:17 PM »
LogLevel 8 is more detailed than LogLevel 6 -- you should still be OK unless the relevant log entries have already disappeared from the logs (the default LogLevel was changed from 8 to 6 when the "logterse" plugin was added with the release of SME 7.2).

If your logs don't last long enough, you can set "KeepLogFiles" for qpsmtpd and/or sqpsmtpd to keep more history.

Change "30" to a number that will make your logs last as long as you need without using too much disk space:
Code:
config setprop qpsmtpd KeepLogFiles 30
config setprop sqpsmtpd KeepLogFiles 30

To activate the new settings you need to reboot or send a SIGHUP signal to the qpsmtpd / sqpsmtpd logging processes.

You can send SIGHUP manually using:
Code:
ps auxwww | grep '^smelog.*multilog.*qpsmtpd'
#
# note the process IDs of the two entries that should be listed
#
# then do this for each process (substitute the number in the 2nd column for "[PID]"):
kill -SIGHUP [PID]

Or automatically using:
Code:
for p in $(ps auxwww | grep '^smelog.*multilog.*qpsmtpd' | awk '{print $2}'); do kill -SIGHUP $p; done

Verify that the new setting is active by looking at the "nXX" value in the process information (n30 in this example):
Code:
# ps auxwww |grep ^smelog.*multilog.*qpsmtpd
smelog   25267  0.0  0.0   4072   456 ?        S    09:03   0:00 /usr/local/bin/multilog t s5000000 n30 !/usr/local/bin/qplogsumm.pl /var/log/qpsmtpd
smelog   25268  0.0  0.0   4072   456 ?        S    09:03   0:00 /usr/local/bin/multilog t s5000000 n30 /var/log/sqpsmtpd
On my home server, KeepLogFiles 20 gives me 7 months of history; on a busy office server I needed KeepLogFiles 50 to have even a week of logging.

The KeepLogFiles parameter is optional; you can revert to the default (10 logfiles) by deleting the db entries and kicking the processes:
Code:
config delprop qpsmtpd KeepLogFiles
config delprop sqpsmtpd KeepLogFiles
for p in $(ps auxwww | grep '^smelog.*multilog.*qpsmtpd' | awk '{print $2}'); do kill -SIGHUP $p; done
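
A scripted version of the verification step above (checking that the multilog processes really picked up the new count after the SIGHUP). This is an added example, not from the post or from SME Server: it reads the "nNN" argument out of ps output for each log directory and compares it with the configured KeepLogFiles value, treating an unset property as the default of 10 files mentioned above. The ps lines embedded in it are constructed from the ones quoted above, with sqpsmtpd deliberately left at n20 to show what a missed SIGHUP looks like; check_service() runs the live config getprop and ps commands and is only meaningful on an SME Server.

```sh
#!/bin/sh
# Added example: verify that multilog is really keeping KeepLogFiles files after
# a SIGHUP, by comparing its "nNN" command-line argument with the configured value.

# CONSTRUCTED sample of "ps auxwww" output, modelled on the lines quoted in the post;
# sqpsmtpd is deliberately still at n20 to show what a missed SIGHUP looks like.
SAMPLE_PS='smelog   25267  0.0  0.0   4072   456 ?        S    09:03   0:00 /usr/local/bin/multilog t s5000000 n30 !/usr/local/bin/qplogsumm.pl /var/log/qpsmtpd
smelog   25268  0.0  0.0   4072   456 ?        S    09:03   0:00 /usr/local/bin/multilog t s5000000 n20 /var/log/sqpsmtpd'

# multilog_keep_count LOGDIR   (ps output on stdin)
#   Prints the number of files multilog is keeping for LOGDIR: the "nNN" argument,
#   or 10 when none is given (multilog's default).  Prints nothing if no multilog
#   process writes to LOGDIR.
multilog_keep_count() {
    logdir=$1
    awk -v dir="$logdir" '
        /multilog/ && $NF == dir {
            n = 10
            for (i = 1; i <= NF; i++) if ($i ~ /^n[0-9]+$/) n = substr($i, 2)
            print n
            exit
        }'
}

# keeplogs_in_effect CONFIGURED RUNNING
#   CONFIGURED is the KeepLogFiles db value ("" when the property is deleted,
#   which means the default of 10).  Returns 0 when multilog already uses it,
#   1 when a SIGHUP (or reboot) is still needed or no process was found.
keeplogs_in_effect() {
    configured=${1:-10}
    running=$2
    [ -n "$running" ] && [ "$configured" -eq "$running" ]
}

# check_service qpsmtpd|sqpsmtpd -- live check, needs the SME "config" command and ps.
check_service() {
    svc=$1
    configured=$(config getprop "$svc" KeepLogFiles 2>/dev/null)
    running=$(ps auxwww | multilog_keep_count "/var/log/$svc")
    if keeplogs_in_effect "$configured" "$running"; then
        echo "$svc: multilog keeps $running files, matching KeepLogFiles"
    else
        echo "$svc: multilog keeps ${running:-no} files but KeepLogFiles is ${configured:-unset}; SIGHUP the multilog process"
    fi
}

# Demo on the constructed sample, assuming KeepLogFiles 30 was set for both services.
for svc in qpsmtpd sqpsmtpd; do
    running=$(printf '%s\n' "$SAMPLE_PS" | multilog_keep_count "/var/log/$svc")
    if keeplogs_in_effect 30 "$running"; then
        echo "$svc: n$running in effect"
    else
        echo "$svc: still n$running, SIGHUP needed"
    fi
done
```

Run check_service qpsmtpd and check_service sqpsmtpd after the config setprop / delprop and the SIGHUP loop; a mismatch means the logging process is still running with the old argument.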


Offline janet

Re: Find User sending email outbound
« Reply #5 on: January 18, 2018, 02:25:48 AM »
tdbsoft

Quote
Is there any way to find out who sent an outbound email?

Look in the header of the received message, e.g. Properties, Header or similar in your email client.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.