
Mail user's account hacked?

Our mail server's IP has gotten blacklisted due to spam coming from our server.


I have pored over the logs and cannot seem to figure out which user account it is being sent through; the information does not seem to be in the mailaccess or mail log.


Shouldn't there be a place where I can see a log of the account name, time, date, maybe a message ID #, who it was sent from/to? I can't seem to find this in the logs. Perhaps I do not have a high enough level of logging enabled?


Suggestions as to how to begin to track this down?

Posted on Apr 20, 2013 3:46 PM

1 reply

May 30, 2013 11:05 PM in response to starion

Every message that goes through your server should be logged, and the default log data should give an indication as to the sender and recipient.


The problem may be one of filtering - identifying the spam (signal) from all the legitimate mail traffic (noise). For that you really need some of the spam messages (or, at least, the headers) which will give you several critical pieces of information - it will give you the message ID which can be used to identify the message in your logs, it will give you the client IP address (which may identify the machine that generated the message) and it may lead to the user ID that sent the message (assuming you're enforcing authentication on your server and are not an open relay).


Without the message ID it'll be hard to identify valid vs. spam messages in the logs.
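The correlation described in the reply above, as an added example that is not part of the original thread: take the Message-ID from a spam header, find its queue ID in the mail log, and collect the client IP, authenticated user, sender and recipients logged under that queue ID. It assumes Postfix-style syslog lines (the thread does not name the mail software); the log lines, hosts, addresses and account names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix syslog format (an assumption; the thread does not name the MTA).
SAMPLE_LOG = """\
Apr 20 14:02:11 mail postfix/smtpd[1234]: 4F2A1B3C01: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=jdoe
Apr 20 14:02:11 mail postfix/cleanup[1240]: 4F2A1B3C01: message-id=<spam-0001@mail.example.com>
Apr 20 14:02:12 mail postfix/qmgr[900]: 4F2A1B3C01: from=<jdoe@example.com>, size=2048, nrcpt=2 (queue active)
Apr 20 14:02:13 mail postfix/smtp[1250]: 4F2A1B3C01: to=<a@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.2, status=sent (250 OK)
Apr 20 14:02:13 mail postfix/smtp[1251]: 4F2A1B3C01: to=<b@example.org>, relay=mx.example.org[198.51.100.9]:25, delay=1.3, status=sent (250 OK)
Apr 20 14:05:40 mail postfix/smtpd[1300]: 7A9D2E4F02: client=desk12.example.com[192.0.2.12], sasl_method=PLAIN, sasl_username=asmith
Apr 20 14:05:40 mail postfix/cleanup[1301]: 7A9D2E4F02: message-id=<legit-0002@example.com>
Apr 20 14:05:41 mail postfix/qmgr[900]: 7A9D2E4F02: from=<asmith@example.com>, size=900, nrcpt=1 (queue active)
Apr 20 14:05:42 mail postfix/smtp[1302]: 7A9D2E4F02: to=<c@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.9, status=sent (250 OK)
"""

# Matches short (hexadecimal) queue IDs; "NOQUEUE" and "warning" lines are skipped.
LINE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]+): (.*)")

def index_by_queue_id(log_text):
    """Group the fields logged under each queue ID into one record."""
    recs = defaultdict(lambda: {"recipients": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        rec = recs[qid]
        if (c := re.match(r"client=(\S+)\[([^\]]+)\]", rest)):
            rec["client_host"], rec["client_ip"] = c.groups()
            u = re.search(r"sasl_username=([^,\s]+)", rest)
            rec["sasl_username"] = u.group(1) if u else None  # None: not authenticated
        elif (mid := re.match(r"message-id=(<[^>]*>)", rest)):
            rec["message_id"] = mid.group(1)
        elif (f := re.match(r"from=<([^>]*)>", rest)):
            rec["sender"] = f.group(1)
        elif (t := re.match(r"to=<([^>]*)>", rest)):
            rec["recipients"].append(t.group(1))
    return dict(recs)

def trace_message(log_text, message_id):
    """Return the record whose Message-ID matches the one taken from the spam header."""
    for qid, rec in index_by_queue_id(log_text).items():
        if rec.get("message_id") == message_id:
            return {"queue_id": qid, **rec}
    return None
```

A record whose `sasl_username` is `None` means the message was accepted without authentication, which points at relay configuration rather than a compromised account.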
