Thought I should send an epilogue on this one... turned out that my
brother had set up his (and several family members') laptops to use the
postmaster account to send mail! He goes from coffee shop to coffee shop
every day, so -- along with the other people who were sending using
postmaster -- that explains the varying IP addresses.

Not sure why he used postmaster, but at least it wasn't something nefarious.

b

Richard Yumul wrote:

> Based on your log entries, it looks like somebody discovered your
> 'postmaster@×××××.com' password and is using it to relay messages.
>
> Did you check your qmail-send log around the same time? It would have
> more details, showing if it's relaying emails.
>
> You also might try changing your postmaster's password to something
> really cryptic, & see if those log entries still appear.
>
> HTH,
> Rich Yumul
>
>
> Ben Munat wrote:
>
>> I posted the following on the weekend and it seems to have been
>> overlooked. If no one really has any ideas, I'm sorry for the repost,
>> but, I would think that someone here has used vpopmail... I'm really
>> hoping that this is something that vpopmail puts in the logs normally!
>>
>> Here's my previous post:
>>
>> Finally got around to installing a log monitoring tool (logwatch) this
>> morning. I'm not sure why it doesn't give me any output for any services
>> other than syslogd (maybe cuz all the other services are dumping into
>> /var/log/messages?), but while looking through /var/log/messages for
>> stuff that logwatch might find, I saw something that made my heart skip
>> a beat.
>>
>> There are a number of vpopmail entries like this:
>>
>> Nov 6 10:21:51 munat vpopmail[29101]: vchkpw-smtp: password fail
>> postmaster@×××××.com:80.104.163.225
>> Nov 6 10:21:57 munat vpopmail[29103]: vchkpw-smtp: (PLAIN) login
>> success postmaster@×××××.com:80.104.163.225
>>
>> Always in pairs like that... mostly with different addresses, and
>> addresses that I don't recognize. My brother and I are the only people
>> who should be able to log into the postmaster account, and we rarely do
>> so, so...
>>
>> The question is, has my vpopmail been hacked or is this somehow a
>> typical vpopmail occurrence? Going back through messages, there are
>> entries like this every day. So maybe, for some strange reason vpopmail
>> prints this entry in the logs periodically?
>>
>> Ben
>>
>
> --
> ------------------------------------------------------------------------
> Richard M Yumul
> rmy@×××××××××.com <mailto:rmy@×××××××××.com>
> SDTechnix
> http://www.sdtechnix.com
> ------------------------------------------------------------------------
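
The triage this thread works through, as an added example that is not part of the original messages: a Python script that parses `vchkpw-smtp` entries of the shape quoted above, counts the distinct source IPs each account authenticated from, and counts password-fail entries followed by a success from the same address. The sample log, `example.com`, the IP addresses and the `max_ips` threshold are constructed for illustration, and the pattern assumes each entry sits on one unwrapped line.

```python
import re
from collections import defaultdict

# Matches the two vchkpw-smtp entry shapes quoted in the thread.
ENTRY = re.compile(
    r"vpopmail\[\d+\]: vchkpw-smtp: (?:\(\w+\) )?"
    r"(?P<event>password fail|login success) "
    r"(?P<account>\S+@[^\s:]+):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Constructed sample log: example.com and documentation IP ranges.
SAMPLE_LOG = """\
Nov  6 10:21:51 mx vpopmail[29101]: vchkpw-smtp: password fail postmaster@example.com:192.0.2.10
Nov  6 10:21:57 mx vpopmail[29103]: vchkpw-smtp: (PLAIN) login success postmaster@example.com:192.0.2.10
Nov  6 13:02:11 mx vpopmail[29410]: vchkpw-smtp: password fail postmaster@example.com:198.51.100.7
Nov  6 13:02:15 mx vpopmail[29412]: vchkpw-smtp: (PLAIN) login success postmaster@example.com:198.51.100.7
Nov  6 17:45:40 mx vpopmail[29877]: vchkpw-smtp: (PLAIN) login success postmaster@example.com:203.0.113.99
Nov  6 18:00:02 mx vpopmail[29901]: vchkpw-smtp: (PLAIN) login success alice@example.com:192.0.2.10
Nov  6 18:05:00 mx vpopmail[29950]: vchkpw-smtp: password fail bob@example.com:203.0.113.5
"""

def summarize(log_text):
    """Per account: successful source IPs, failure count, fail-then-success pairs."""
    stats = defaultdict(lambda: {"ips": set(), "fails": 0, "pairs": 0})
    last = {}  # (account, ip) -> most recent event seen from that source
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # not a vchkpw-smtp auth entry
        account, ip, event = m["account"].lower(), m["ip"], m["event"]
        entry = stats[account]
        if event == "password fail":
            entry["fails"] += 1
        else:
            entry["ips"].add(ip)
            if last.get((account, ip)) == "password fail":
                entry["pairs"] += 1
        last[(account, ip)] = event
    return dict(stats)

def accounts_to_review(stats, max_ips=2):
    """Accounts that authenticated successfully from more than max_ips addresses."""
    return sorted(a for a, s in stats.items() if len(s["ips"]) > max_ips)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for account in accounts_to_review(summary):
        s = summary[account]
        print(f"{account}: {len(s['ips'])} source IPs, {s['pairs']} fail/success pairs")
```

A flagged account is a prompt to ask who is using it; as the epilogue shows, roaming legitimate clients produce the same pattern.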