1 Reply Latest reply: May 30, 2013 11:05 PM by Camelot
starion Level 1 (85 points)

Our mail server's IP has gotten blacklisted due to spam coming from our server.


I have pored over the logs and cannot seem to figure out which user account it is being sent through; the information does not seem to be in the mailaccess or mail log.


Shouldn't there be a place where I can see a log of the account name, time, date, maybe a message ID #, who it was sent from/to?  I can't seem to find this in the logs.  Perhaps I do not have a high enough level of logging enabled?


Suggestions as to how to begin to track this down?

  • Camelot Level 8 (46,295 points)

    Every message that goes through your server should be logged, and the default log data should give an indication as to the sender and recipient.


    The problem may be one of filtering - identifying the spam (signal) from all the legitimate mail traffic (noise). For that you really need some of the spam messages (or, at least, the headers) which will give you several critical pieces of information - it will give you the message ID which can be used to identify the message in your logs, it will give you the client IP address (which may identify the machine that generated the message) and it may lead to the user ID that sent the message (assuming you're enforcing authentication on your server and are not an open relay).


    Without the message ID it'll be hard to identify valid vs. spam messages in the logs.
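The correlation Camelot describes, as an added example that is not part of the original thread or of OS X Server: Postfix logs each message under a queue ID, with the client IP and SASL username on the smtpd line, the Message-ID on the cleanup line, the envelope sender on the qmgr line and each recipient on a smtp line. The script below groups a mail.log by queue ID, looks a message up by the Message-ID taken from a spam sample, and then summarises submissions per authenticated account so the abused account stands out even without a sample. The log lines are constructed for the example (RFC 5737 documentation addresses), and sender_mismatches assumes that an authenticated user's own address is username@local_domain, which is not true on every server.

```python
import re

# Constructed Postfix mail.log sample for this example; not from the original thread.
SAMPLE_LOG = """\
May 30 22:13:01 mail postfix/smtpd[1234]: 3A1B2C3D4E: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=alice
May 30 22:13:01 mail postfix/cleanup[1235]: 3A1B2C3D4E: message-id=<20130530221301.ABC123@example.com>
May 30 22:13:01 mail postfix/qmgr[1200]: 3A1B2C3D4E: from=<alice@example.com>, size=2345, nrcpt=1 (queue active)
May 30 22:13:02 mail postfix/smtp[1236]: 3A1B2C3D4E: to=<victim@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
May 30 22:13:02 mail postfix/qmgr[1200]: 3A1B2C3D4E: removed
May 30 22:14:10 mail postfix/smtpd[1237]: 4B2C3D4E5F: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=alice
May 30 22:14:10 mail postfix/cleanup[1235]: 4B2C3D4E5F: message-id=<20130530221410.DEF456@example.com>
May 30 22:14:10 mail postfix/qmgr[1200]: 4B2C3D4E5F: from=<promo@lottery.example>, size=8890, nrcpt=2 (queue active)
May 30 22:14:11 mail postfix/smtp[1236]: 4B2C3D4E5F: to=<a@example.org>, relay=mx.example.org[198.51.100.9]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=2.0.0, status=sent (250 OK)
May 30 22:14:11 mail postfix/smtp[1236]: 4B2C3D4E5F: to=<b@example.org>, relay=mx.example.org[198.51.100.9]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=2.0.0, status=sent (250 OK)
May 30 22:14:11 mail postfix/qmgr[1200]: 4B2C3D4E5F: removed
May 30 22:15:00 mail postfix/smtpd[1238]: 5C3D4E5F6A: client=laptop.example.com[192.0.2.10], sasl_method=LOGIN, sasl_username=bob
May 30 22:15:00 mail postfix/cleanup[1235]: 5C3D4E5F6A: message-id=<20130530221500.GHI789@example.com>
May 30 22:15:00 mail postfix/qmgr[1200]: 5C3D4E5F6A: from=<bob@example.com>, size=1200, nrcpt=1 (queue active)
May 30 22:15:01 mail postfix/smtp[1236]: 5C3D4E5F6A: to=<carol@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 OK)
May 30 22:15:01 mail postfix/qmgr[1200]: 5C3D4E5F6A: removed
"""

# A Postfix log line that carries a queue ID: "<timestamp> <host> postfix/<prog>[<pid>]: <QID>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>postfix/\S+)\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"client=(?P<host>[^\[,]+)\[(?P<ip>[^\]]+)\]")
SASL_RE = re.compile(r"sasl_username=(?P<user>[^,\s]+)")
MSGID_RE = re.compile(r"message-id=(?P<mid><[^>]*>)")
FROM_RE = re.compile(r"\bfrom=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"\bto=<(?P<addr>[^>]*)>")


def parse_log(text):
    """Group log lines by queue ID and collect who submitted each message, from where, to whom."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a queue ID (connect/disconnect chatter) carry nothing we need
        qid = m.group("qid")
        rec = records.setdefault(qid, {
            "queue_id": qid, "first_seen": m.group("ts"), "client_host": None,
            "client_ip": None, "sasl_username": None, "message_id": None,
            "sender": None, "recipients": [],
        })
        rest = m.group("rest")
        if c := CLIENT_RE.search(rest):
            rec["client_host"], rec["client_ip"] = c.group("host"), c.group("ip")
        if s := SASL_RE.search(rest):
            rec["sasl_username"] = s.group("user")  # absent on unauthenticated submissions
        if i := MSGID_RE.search(rest):
            rec["message_id"] = i.group("mid")
        if f := FROM_RE.search(rest):
            rec["sender"] = f.group("addr")
        for t in TO_RE.finditer(rest):
            rec["recipients"].append(t.group("addr"))
    return records


def find_by_message_id(records, message_id):
    """Locate a message from the Message-ID header of a spam sample (angle brackets optional)."""
    wanted = message_id if message_id.startswith("<") else "<%s>" % message_id
    for rec in records.values():
        if rec["message_id"] == wanted:
            return rec
    return None


def summarize_by_user(records):
    """Per authenticated account: how many messages, from which client IPs, with which envelope senders."""
    summary = {}
    for rec in records.values():
        user = rec["sasl_username"] or "(unauthenticated)"
        entry = summary.setdefault(user, {"messages": 0, "client_ips": set(), "senders": set()})
        entry["messages"] += 1
        if rec["client_ip"]:
            entry["client_ips"].add(rec["client_ip"])
        if rec["sender"] is not None:
            entry["senders"].add(rec["sender"])
    return summary


def sender_mismatches(records, local_domain):
    """Queue IDs where an authenticated user submitted mail with a sender address that is not theirs.
    Assumption (example only): the user's own address is <sasl_username>@<local_domain>."""
    return sorted(rec["queue_id"] for rec in records.values()
                  if rec["sasl_username"] and rec["sender"] is not None
                  and rec["sender"] != "%s@%s" % (rec["sasl_username"], local_domain))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hit = find_by_message_id(recs, "<20130530221410.DEF456@example.com>")
    print("spam sample was queue %(queue_id)s, submitted by %(sasl_username)s from %(client_ip)s "
          "as %(sender)s to %(recipients)s" % hit)
    for user, info in summarize_by_user(recs).items():
        print(user, info["messages"], sorted(info["client_ips"]), sorted(info["senders"]))
    print("sender/account mismatches:", sender_mismatches(recs, "example.com"))
```

Run it against the real file with parse_log(open("/var/log/mail.log").read()); on a busy server the per-user summary is usually enough on its own, since a compromised account shows an unusual message count, an unfamiliar client IP, or envelope senders that are not its own address.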