
E-mail hack

LuisN

New Pleskian
Today, someone managed to gain my e-mail account credentials and sent a bunch of outgoing malicious e-mails. I can see the hackers connecting to the Postfix SMTP server and sending the messages.

What I can't figure out is how they got the list of recipients I commonly send e-mail to. I'm pretty sure they couldn't get that from Postfix. However, I'm guessing they could if they logged in via Horde or IMAP or POP.

Question: It appears I can see all the IMAP accesses in /var/log/maillog. Where can I find this info for Horde or POP?

BTW, I upgraded from Plesk 11.5.30 to 12.0.18 two days ago. I don't think there's a connection but the timing is definitely very interesting.
 
Hi Igor,

Unfortunately, all of the files in this folder date back to 2013. I just purposely tried the wrong password in Horde and it didn't update any of the files in this folder. Is there somewhere else I should look? Also, where are the HTTP access logs for this app?

Thanks!
 
Make sure that the Horde log file is specified in /etc/psa-webmail/horde/horde/conf.php as:

$conf['log']['name'] = '/var/log/psa-horde/psa-horde.log';
$conf['log']['type'] = 'file';
$conf['log']['enabled'] = true;

Maybe you have another log file there.
Global Access and Error logs are in /var/log/httpd/
 
Thanks again!

Regarding the Horde config file, yes, those are the exact settings I have so I'm not sure why it's not working.

With regards to the global access/error logs, thanks! I kept looking under /var/www so I didn't see those.

I did notice that /var/log/maillog will have entries like this when Horde users are accessing their e-mail:
2015-09-21T18:59:44.946722-07:00 hostname courier-imapd: LOGIN, user=user@domain.com, ip=[::ffff:127.0.0.1], port=[50349], protocol=IMAP

My logs go back 5 days and I couldn't find any evidence of any successful Horde logins. So, unless the hackers pulled the data more than 5 days ago, I have no idea how they got the list of recipients to send to. Any ideas?
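As an added illustration, not code from any post in this thread: a small Python script that parses courier-imapd/courier-pop3d login lines from /var/log/maillog in the format quoted above, separates webmail logins (Horde connects to IMAP from localhost, so they show up with ip=[::ffff:127.0.0.1]) from remote IMAP/POP logins, and lists the remote sources that logged in successfully. The sample log lines are constructed, and the "LOGIN FAILED" and courier-pop3d line shapes are assumed rather than taken from the thread.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, IPv6Address

# Courier IMAP/POP3 login lines as they appear in /var/log/maillog. The "LOGIN" shape
# matches the entry quoted in the thread; "LOGIN FAILED" and courier-pop3d are assumed.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+courier-(?P<svc>imapd|pop3d)(?:-ssl)?(?:\[\d+\])?:\s+"
    r"(?P<result>LOGIN FAILED|LOGIN),\s+user=(?P<user>[^,]+),\s+ip=\[(?P<ip>[^\]]+)\]"
)

# Constructed sample: one webmail (localhost) login, one remote POP login, and one
# remote IMAP login preceded by a failed attempt from the same address.
SAMPLE = """\
2015-09-21T18:59:44.946722-07:00 hostname courier-imapd: LOGIN, user=user@domain.com, ip=[::ffff:127.0.0.1], port=[50349], protocol=IMAP
2015-09-21T19:02:10.000000-07:00 hostname courier-pop3d: LOGIN, user=user@domain.com, ip=[::ffff:198.51.100.23], port=[41022]
2015-09-21T19:02:12.000000-07:00 hostname courier-imapd: LOGIN FAILED, user=user@domain.com, ip=[::ffff:203.0.113.9]
2015-09-21T19:02:13.000000-07:00 hostname courier-imapd: LOGIN, user=user@domain.com, ip=[::ffff:203.0.113.9], port=[41030], protocol=IMAP
2015-09-21T19:05:00.000000-07:00 hostname postfix/smtpd[1234]: connect from unknown[203.0.113.9]
""".splitlines()


def source_of(raw_ip):
    """Normalise the ip=[...] field; a loopback source means the login came via
    webmail (Horde) running on the same host rather than a remote mail client."""
    ip = ip_address(raw_ip)
    if isinstance(ip, IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d -> a.b.c.d
    return "webmail-localhost" if ip.is_loopback else str(ip)


def summarize_logins(lines):
    """Return {user: {"ok": {"svc:source": n}, "failed": {"svc:source": n}}}."""
    summary = defaultdict(lambda: {"ok": defaultdict(int), "failed": defaultdict(int)})
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue  # postfix and other daemons are not login records
        key = "failed" if m["result"] == "LOGIN FAILED" else "ok"
        summary[m["user"]][key][f"{m['svc']}:{source_of(m['ip'])}"] += 1
    return {u: {k: dict(v) for k, v in d.items()} for u, d in summary.items()}


def remote_successes(summary):
    """(user, svc:ip) pairs for successful logins that did not come through webmail;
    these are the sessions to compare against the Postfix SMTP sender addresses."""
    return sorted((u, src) for u, d in summary.items()
                  for src in d["ok"] if not src.endswith("webmail-localhost"))


if __name__ == "__main__":
    for user, src in remote_successes(summarize_logins(SAMPLE)):
        print(f"remote login: {user} via {src}")
```

Run it against the real file with `summarize_logins(open("/var/log/maillog"))`; note that this only covers what is still on disk, so a login older than the retained log window will not appear.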
 