Hi Jeff, you are not going to see much in the GUI, you have to be in the command line, and use the mailq as root or sudo to see if a mass of spam is going out, as a rule it will be choking the mail queue. Then you examine the headers in /var/spool/mqueue to see who sent the spam so you can figure out the compromised user.
The most common cause is the user giving out their password in response to a Phishing email, typically pretending to be the server admin. Next would be a brute force attack on the smtp auth port. Then brute force attacks on the POP/IMAP username.

- Ernie.

> I had a vsite-user whose mail account creds were compromised and the
> account was being used to relay spam. The user suspected the issue, I
> confirmed it in maillog and rotated their creds to stop the flow.
>
> I was hoping to find a way in the GUI to identify potential issues like
> this in the future by identifying "top senders" and spent some time looking
> through the Usage Information > Email reports but was a bit confused by the
> numbers in that report (they look too low).
>
> So I had a few questions which I'm hoping somebody can help with:
>
> 1 - Is the Usage Information > Email report the right place to find
> top-senders?
>
> 2 - If it is, which specific sub-report is the one I should be looking at?
>
> 3 - Why would the values in that report seem too small for my server's
> traffic (by an order of magnitude) for a defined reporting period?
>
> Thanks!
>
> Jeff
> _______________________________________________
> Blueonyx mailing list
> Blueonyx@mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx

--
"I Ping therefore I am."
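A "top senders" check from the command line, as an added example that is not part of the original thread: it ranks SMTP AUTH users by recipients submitted, reading sendmail-style maillog lines. The sample log lines, user names and addresses are constructed, and it assumes the `AUTH=server ... authid=` line and the later `from=` lines of a session share the same daemon PID.

```shell
#!/bin/sh
# Added example: rank SMTP AUTH users by recipients submitted (sendmail maillog).
# Assumption: one sendmail child (one PID) handles one SMTP session, so the
# authid logged for a PID applies to the from= lines that PID logs afterwards.
# A later unauthenticated session on a reused PID would be misattributed.

top_auth_senders() {
    awk '
    {
        # Pull the PID out of the "sendmail[1234]:" or "sm-mta[1234]:" tag.
        if (!match($0, /(sendmail|sm-mta)\[[0-9]+\]:/)) next
        pid = substr($0, RSTART, RLENGTH)
        gsub(/[^0-9]/, "", pid)
    }
    /AUTH=server/ && match($0, /authid=[^, ]+/) {
        auth[pid] = substr($0, RSTART + 7, RLENGTH - 7)   # remember who logged in
        next
    }
    / from=/ && match($0, /nrcpts=[0-9]+/) {
        if (!(pid in auth)) next                          # session never authenticated
        user = auth[pid]
        msgs[user]++
        rcpts[user] += substr($0, RSTART + 7, RLENGTH - 7)
    }
    END {
        # Output columns: total recipients, messages, authid
        for (u in rcpts) printf "%d %d %s\n", rcpts[u], msgs[u], u
    }' | sort -k1,1nr -k3,3
}

# Constructed sample log: alice sends one mail, bob (hypothetical compromised
# account) sends two 50-recipient mails, one inbound session has no AUTH.
sample_log() {
    cat <<'EOF'
Mar  3 10:00:01 host sendmail[4101]: AUTH=server, relay=[192.0.2.10], authid=alice, mech=LOGIN, bits=0
Mar  3 10:00:02 host sendmail[4101]: x23A0001004101: from=<alice@example.com>, size=1200, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Mar  3 10:05:10 host sendmail[4200]: AUTH=server, relay=[198.51.100.7], authid=bob, mech=LOGIN, bits=0
Mar  3 10:05:11 host sendmail[4200]: x23A0511004200: from=<promo@example.net>, size=3100, class=0, nrcpts=50, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Mar  3 10:05:12 host sendmail[4200]: x23A0512004200: from=<promo@example.net>, size=3100, class=0, nrcpts=50, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Mar  3 10:06:00 host sendmail[4300]: x23A0600004300: from=<list@example.org>, size=900, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]
EOF
}

sample_log | top_auth_senders
```

On a server, feed it the mail log instead of the sample, for example `top_auth_senders < /var/log/maillog` (path assumed); an account whose recipient total dwarfs the others is the one to check first.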