On 4/4/2014 8:28 AM, Lisa Muir wrote:
>
> Guys,
>
> I thought I had this one covered, all SMTP must be authenticated on
> our server.
>
> It is very evident from examining increased server load that we are
> being used as a SPAM relay and have not yet hit a blacklist.
>
> Looks like a website got hacked and an email account's details must have
> been in there.
>
> For the life of me, when I search mail.log etc I can't find the
> username of the user who authenticated an SMTP session.
>
> I'd like to quickly enable this in my logs so that I can shut down the
> compromised account, if anyone has a quick heads up I'd appreciate it.

On my server, I see a line like this in the logs:

courierd: newmsg,id=000000000022805E.533E911D.000019DB, auth=x...@xxx.xxx

If I enabled a setting to get this, I can't find it now.

-- 
Bowie
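
Added example, not part of the original thread and not Courier's own tooling: a shell function that tallies the auth= value from "courierd: newmsg" lines like the one quoted above, so the authenticated account submitting the most mail stands out. The sample log lines, their syslog prefix, message ids and addresses are constructed for illustration.

```shell
#!/bin/sh
# Tally authenticated submissions per login from a Courier mail log.
# Assumes the "courierd: newmsg,id=<id>, auth=<login>" format quoted above.

auth_counts() {
    # $1 = log file; prints "<count> <login>", busiest login first.
    awk '
        /courierd: newmsg,id=/ && /auth=/ {
            login = $0
            sub(/.*auth=/, "", login)   # keep only what follows auth=
            sub(/[ ,].*$/, "", login)   # drop any trailing fields
            if (login != "") n[login]++
        }
        END { for (l in n) printf "%d %s\n", n[l], l }
    ' "$1" | sort -k1,1nr -k2,2
}

top_sender() {
    # Login with the most accepted messages in log file $1.
    auth_counts "$1" | head -n 1 | cut -d" " -f2
}

write_sample_log() {
    # Constructed sample lines (syslog prefix, ids and addresses are made up).
    cat <<'EOF'
Apr  4 08:01:10 mail courierd: newmsg,id=0000000000000001.00000001.00000001, auth=webform@example.org
Apr  4 08:01:11 mail courierd: newmsg,id=0000000000000002.00000002.00000002, auth=webform@example.org
Apr  4 08:01:11 mail courierd: newmsg,id=0000000000000003.00000003.00000003, auth=alice@example.org
Apr  4 08:01:12 mail courierd: newmsg,id=0000000000000004.00000004.00000004: dns; mx.example.net (mx.example.net [192.0.2.10])
Apr  4 08:01:12 mail courierd: newmsg,id=0000000000000005.00000005.00000005, auth=webform@example.org
Apr  4 08:01:13 mail courierd: newmsg,id=0000000000000006.00000006.00000006, auth=webform@example.org
EOF
}

# Demo on the constructed sample; point auth_counts at the real mail log instead.
sample=$(mktemp)
write_sample_log > "$sample"
auth_counts "$sample"
rm -f "$sample"
```

A login whose count is far above the others in the window where load rose is the candidate for a password reset or lockout.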