webmail abuse tracking

EMerkel

New Pleskian
One of our Linux Plesk 11.0 servers is being used to send out spam via horde/webmail. Unfortunately, there are no identifiers like username etc. in the email headers to identify what is being compromised to send out these emails. All I have been able to do is block the IP listed in the header, but of course they change IP and come right back.

I've also looked in /var/log/psa-horde/psa-horde.log but I don't see anything that would allow me to know what username is being used to send out the spam.

Does anyone else have any other hints on where to look to find the offender?

Thanks,
Eric
 
Take one of the IPs you have blocked and search the maillog file.
Search /usr/local/psa/var/log/maillog for the IP and read a few lines down.

You are looking for something like this:

Nov 5 05:42:52 server1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 5 05:42:52 server1 imapd: LOGIN: DEBUG: ip=[::ffff:127.0.0.1], command=AUTHENTICATE
Nov 5 05:42:52 server1 imapd: auth_psa: starting client module
Nov 5 05:42:52 server1 imapd: cram: decoded challenge/response, username 'user1@mydomain.com'
Nov 5 05:42:52 server1 imapd: IMAP connect from @ [::ffff:127.0.0.1]digascii: 8484c8484c8484c8484c, response: 8484c8484c8484c8484c
Nov 5 05:42:52 server1 imapd: cram validation succeeded
Nov 5 05:42:52 server1 imapd: auth_psa: ACCEPT, username user1@mydomain.com
Nov 5 05:42:52 server1 imapd: LOGIN, user=user1@mydomain.com, ip=[::ffff:127.0.0.1], protocol=IMAP
 
All of the IMAP connections will always show as being from localhost 127.0.0.1, not the actual IP address that is posting messages to webmail. Are there any other logs that would successfully tie the webmail login ID to the IP address?

Is there a way to set up Horde to include the IP address of the sender in the email headers? Seems like that would make tracking down these issues easier.

Eric
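The following is an added example, not code from this thread, from Plesk or from Horde. It implements both steps discussed above: first the maillog search from the earlier reply (which account logged in from which IP, and how often), and then one way around the problem Eric raises, namely that webmail logins always appear as 127.0.0.1 in the maillog. Since Horde itself runs over HTTP, the webmail vhost's Apache access log does record the remote client, so a localhost IMAP login can be attributed by correlating its timestamp with a login POST to webmail a few seconds earlier. Everything specific is an assumption: the sample log excerpts are constructed, the syslog year must be supplied (syslog lines carry none), the webmail access log path depends on the install, the login request path prefix (/horde/imp/ here) depends on the Horde version, and the 5-second window is a heuristic that may yield several candidates on a busy server.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample excerpt in the style of /usr/local/psa/var/log/maillog (not from a real server).
MAILLOG = """\
Nov 5 05:42:52 server1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 5 05:42:52 server1 imapd: LOGIN, user=user1@mydomain.com, ip=[::ffff:127.0.0.1], protocol=IMAP
Nov 5 05:43:10 server1 imapd: LOGIN, user=victim@mydomain.com, ip=[::ffff:127.0.0.1], protocol=IMAP
Nov 5 05:44:01 server1 imapd: LOGIN, user=other@mydomain.com, ip=[::ffff:198.51.100.9], protocol=IMAP
Nov 5 05:50:30 server1 imapd: LOGIN, user=victim@mydomain.com, ip=[::ffff:127.0.0.1], protocol=IMAP
"""

# Constructed sample webmail vhost access log (Apache combined format). The real file location
# and the login request path are install/version dependent and are assumptions here.
ACCESS_LOG = """\
203.0.113.7 - - [05/Nov/2012:05:43:09 +0000] "POST /horde/imp/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.9 - - [05/Nov/2012:05:45:00 +0000] "GET /horde/imp/mailbox.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2012:05:50:29 +0000] "POST /horde/imp/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""

# Successful Courier IMAP login line; the ::ffff: prefix marks an IPv4-mapped IPv6 address.
LOGIN_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ imapd: LOGIN, user=([^,]+), ip=\[(?:::ffff:)?([^\]]+)\]"
)
# Apache combined log: client ip, ident, user, [timestamp], "METHOD PATH PROTO" ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')


def parse_maillog(text, year):
    """Yield (timestamp, user, ip) for each IMAP LOGIN line. syslog omits the year, so the caller supplies it."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def parse_access_log(text):
    """Yield (timestamp, client_ip, method, path) per access-log line; the UTC offset is dropped,
    so both logs are assumed to be written in the same local timezone."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S")
            yield ts, m.group(1), m.group(3), m.group(4)


def logins_per_user_ip(maillog_text, year):
    """The maillog approach from the thread: how often each (user, ip) pair authenticated."""
    return Counter((user, ip) for _, user, ip in parse_maillog(maillog_text, year))


def attribute_webmail_logins(maillog_text, access_text, year,
                             window_seconds=5, login_path_prefix="/horde/imp/"):
    """For every IMAP login that came from localhost (i.e. through webmail), collect the remote
    client IPs that POSTed to the webmail login path within window_seconds before it.
    Returns {user: Counter(remote_ip)}; users with no candidate request are absent."""
    posts = [(ts, ip) for ts, ip, method, path in parse_access_log(access_text)
             if method == "POST" and path.startswith(login_path_prefix)]
    window = timedelta(seconds=window_seconds)
    result = defaultdict(Counter)
    for ts, user, ip in parse_maillog(maillog_text, year):
        if ip != "127.0.0.1":
            continue  # a direct IMAP client; the maillog already names its real IP
        for post_ts, post_ip in posts:
            if timedelta(0) <= ts - post_ts <= window:
                result[user][post_ip] += 1
    return dict(result)


if __name__ == "__main__":
    for (user, ip), n in logins_per_user_ip(MAILLOG, 2012).most_common():
        print(f"{n:4d} login(s)  {user:24s} from {ip}")
    for user, ips in attribute_webmail_logins(MAILLOG, ACCESS_LOG, 2012).items():
        print(f"webmail user {user} likely came from: {dict(ips)}")
```

On a real server the two strings would be read from the maillog and the webmail vhost's access log for the same day; once a compromised mailbox is named this way, the practical response is to reset that account's password and then re-run the correlation to confirm the localhost logins stop.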
 