From: Klaus Engelmann (klausengelmanngmail.com)
Date: Fri Apr 09 2010 - 11:43:04 CDT
Thanks Noel for all your help. Glad to know you.
CCNA CCDA - CSCO10971632
LPIC-1 - LPI000138061
On Wed, Apr 7, 2010 at 10:04 AM, Noel Jones <njonesmegan.vbhcs.org> wrote:
> On 4/6/2010 6:09 PM, Klaus Engelmann wrote:
>> Hello Everybody.
>> I am running a Postfix postfix-2.3.3-2.1.el5_2 on a CentOS 5.4 box at
>> a Federal University in Brazil.
>> Our users (students and professors) suffered several social
>> engineering attacks and spammers got some valid users and passwords.
>> I know that the spammers are using a fake email (infofreelotto.com)
>> to send SPAM through our MX. But they are using some unidentified
>> I need some help or thoughts about:
>> - which parameter at master.cf or main.cf can I turn on in order to
>> see the IP used by a specific user (authentication against SASL DOVECOT)
>> to see the IP address used by the sender infofreelotto.com.
> The logs already show all this information.
> When someone authenticates with sasl, there will be a line including
> client=name[IP], sasl_method=FOO, and sasl_username=tito. Searching the log
> for "sasl_username=tito" will show each time user tito authenticated, and
> from which IP.
> To find the IP a sender address comes from, search the log for the sender
> you're interested in, then search again for the QUEUEID associated with that
> Truncated Example:
> # grep 'njonesexample.com' /var/log/maillog
> postfix/qmgr: 39B95797897: from=<njonesexample.com>, size=2619, nrcpt=1 (queue active)
> # grep 39B95797897 /var/log/maillog
> postfix/smtpd: 39B95797897:
> (and other lines associated with this QUEUEID)
> You can also record this information in the Received: header of the mail.
> -- Noel Jones
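An added example, not part of the thread, that automates the two searches Noel describes: it joins Postfix smtpd and qmgr log lines on the queue id, then reports which client IPs authenticated as a given sasl_username and which client IP and SASL user stand behind a given envelope sender. The log lines, addresses and IPs below are constructed (documentation ranges), and the helper names are my own.

```python
import re

# Constructed sample lines in Postfix maillog format (not real traffic);
# sender domain, IPs and hostnames are documentation/example values.
SAMPLE_LOG = """\
Apr  6 18:01:02 mx postfix/smtpd[1234]: 39B95797897: client=unknown[198.51.100.23], sasl_method=PLAIN, sasl_username=tito
Apr  6 18:01:02 mx postfix/qmgr[1100]: 39B95797897: from=<info@freelotto.example>, size=2619, nrcpt=1 (queue active)
Apr  6 18:02:10 mx postfix/smtpd[1235]: 5C1A2797899: client=mail.example.org[203.0.113.5]
Apr  6 18:02:10 mx postfix/qmgr[1100]: 5C1A2797899: from=<alice@example.org>, size=1200, nrcpt=1 (queue active)
Apr  6 18:05:44 mx postfix/smtpd[1236]: 7D2B3797900: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=tito
Apr  6 18:05:44 mx postfix/qmgr[1100]: 7D2B3797900: from=<info@freelotto.example>, size=3100, nrcpt=40 (queue active)
"""

# smtpd line: queue id, connecting client, and (only if authenticated) SASL details
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>\S+))?"
)
# qmgr line: the same queue id with the envelope sender
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")


def parse_maillog(text):
    """Join smtpd and qmgr lines on the queue id, as the manual grep does.
    Caveat: Postfix reuses queue ids once a message has left the queue, so
    feed this a narrow time window rather than a whole rotated log."""
    records = {}
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            records.setdefault(m["qid"], {}).update(
                ip=m["ip"], host=m["host"], sasl_method=m["method"], sasl_username=m["user"])
            continue
        m = FROM_RE.search(line)
        if m:
            records.setdefault(m["qid"], {})["sender"] = m["sender"]
    return records


def ips_for_sasl_user(records, user):
    """Every client IP that authenticated as `user` (the sasl_username search)."""
    return sorted({r["ip"] for r in records.values() if r.get("sasl_username") == user})


def submissions_for_sender(records, sender):
    """(queue id, client IP, SASL user or None) for each message with this
    envelope sender (the sender search followed by the queue-id search)."""
    return sorted((qid, r["ip"], r.get("sasl_username"))
                  for qid, r in records.items()
                  if r.get("sender") == sender and "ip" in r)
```

Run it over a real `/var/log/maillog` slice by passing the file contents to `parse_maillog`; a compromised account shows up as one sasl_username submitting from many unrelated IPs.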