Verbose smtp logging to determine compromised account

[sonomait95448]

We are running Zimbra 6.05 NE and need to turn on verbose SMTP logging to determine a compromised user account that is being used for spamming. Unless, someone has a better method of determining this.

Any help is much appreciated.

[uxbod]

Welcome to the forums

This code snippet should help to find which user is sending lots of emails

Code:

cat /var/log/zimbra.log | sed -n "s/.*from=<\(.*\)@yourdomain.com>.*/\1/p" | uniq -c

[sonomait95448]

Thanks I appreciate it.

In the case of a compromised account the from address can be spoofed once authenticated. Isn't this the case?

[uxbod]

Depends on whether they are changing the headers or not. Give this a go as it should show better information

Code:

cat /opt/zimbra/log/mailbox.log | sed -n 's/.*SendMsgRequest.*name=\(.*\)@yourdomain.com;mid=.*;ip=\(.*\);ua=.*Adding Message.*/\1,\2/p'