Need help viewing logs and or files

Post by priorityel » Tue May 20, 2008 4:28 pm

Is there a way we can see the DNS Blacklisting? (the files)

DSBL - List
DSBL - Multihop
DSBL - Unconfirmed
Spamcop
Spamhaus
SpamhausSBL-XBL

Also, is there a way to trace back to someone who hacked into our relay?
Is there a way to see how they did this as well?

Thank you so much in advance.

Post by dreniarb » Thu May 22, 2008 11:46 am

Most hacking is done by trying to guess someone's password. I had a customer who was using "password" as their password. People will hammer your server and just try guessing a username and password.

For example:

05/21/08 15:46:25	SMTP-IN	C99860441B43481DB0E9C284727F0B4E.MAI	864	58.63.157.51	AUTH	MTIzNDU2	504 Invalid Username or Password	34	10	company	
05/21/08 15:46:27	SMTP-IN	C99860441B43481DB0E9C284727F0B4E.MAI	864	58.63.157.51	AUTH	d2VibWFzdGVy	504 Invalid Username or Password	34	14	info	
05/21/08 15:46:27	SMTP-IN	C99860441B43481DB0E9C284727F0B4E.MAI	864	58.63.157.51	AUTH	d2VibWFzdGVy	504 Invalid Username or Password	34	14	info	

This went on for about 15 minutes, all from the same IP address (why the IP address wasn't blocked, I have no idea, it should have been). They tried other usernames like root, admin, demo, etc.

When they get one right, they start using you to send spam. Usually you'll only catch it if you notice an increase in outgoing mail, or, like my customer, your ISP is monitoring port 25 and scanning the emails and sees they're 99% spam and turns off your access to port 25.

It's a good idea to look through your auth.tab file and make sure no one is using easy to guess passwords.

So to answer your question about tracing the hack, look through your smtp-activity file for the username that was used to hack your server, and go back until the problem started.
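
Added example, not part of the posts above: one way to do the trace-back described in the reply, by scanning the SMTP activity log for IPs with repeated failed AUTH attempts and then listing any later successful login from those IPs. The column positions are inferred from the log excerpt in the thread; the threshold, the window, the sample lines and the wording of the success reply are assumptions (235 is the standard SMTP AUTH success code).

```python
from collections import defaultdict
from datetime import datetime, timedelta

def row(ts, ip, reply, user):
    # Constructed line in the tab-separated layout of the excerpt above.
    return "\t".join([ts, "SMTP-IN", "SESSION.MAI", "864", ip, "AUTH",
                      "-", reply, "34", "10", user, ""])

BAD = "504 Invalid Username or Password"   # reply text from the excerpt
OK = "235 Authenticated"                   # assumed wording; 235 = AUTH success
SAMPLE = "\n".join([                       # constructed sample log
    row("05/21/08 15:46:25", "203.0.113.7", BAD, "company"),
    row("05/21/08 15:46:27", "203.0.113.7", BAD, "info"),
    row("05/21/08 15:46:29", "203.0.113.7", BAD, "root"),
    row("05/21/08 15:46:31", "198.51.100.20", BAD, "alice"),
    row("05/21/08 15:46:33", "203.0.113.7", BAD, "admin"),
    row("05/21/08 15:46:35", "203.0.113.7", BAD, "demo"),
    row("05/21/08 15:46:40", "198.51.100.20", OK, "alice"),
    row("05/21/08 15:50:00", "203.0.113.7", OK, "info"),
])

def parse(text):
    """Yield (time, ip, reply, user) for each AUTH line; skip anything else."""
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) >= 11 and f[5] == "AUTH":
            try:
                ts = datetime.strptime(f[0], "%m/%d/%y %H:%M:%S")
            except ValueError:
                continue  # header or damaged line
            yield ts, f[4], f[7], f[10]

def find_guessing(text, threshold=5, window=timedelta(minutes=15)):
    """Flag IPs with >= threshold failed AUTHs inside window, then record
    any later successful login from a flagged IP (the account to reset)."""
    fails, tried, flagged = defaultdict(list), defaultdict(set), {}
    for ts, ip, reply, user in parse(text):
        if reply.startswith("5"):
            tried[ip].add(user)
            fails[ip] = [t for t in fails[ip] if ts - t <= window] + [ts]
            if len(fails[ip]) >= threshold:
                flagged.setdefault(ip, {"users_tried": tried[ip], "logins": []})
        elif reply.startswith("235") and ip in flagged:
            flagged[ip]["logins"].append((ts, user))
    return flagged

if __name__ == "__main__":
    for ip, hit in find_guessing(SAMPLE).items():
        print(ip, sorted(hit["users_tried"]), hit["logins"])
```

The first entry under "logins" for a flagged IP marks the point to work back from in the log, and that account's password is the one to change first.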
