
We have a Zimbra email server and one of the email accounts was compromised. The problem we have now is that a lot of spam is sent from that server and we cannot identify which account is compromised.

In the mailq we can only see the from email, but this is a fake email address.

Is there a way to identify the real auth user who is sending those emails?

Milos Cuculovic
  • iptraf can help you guess which IP addresses do a lot of traffic with the compromised server. tcpdump may also be a good tool. – bgtvfr Apr 25 '18 at 08:19
  • Thank you @bgtvfr, but this is not a solution. We have 3000 accounts, some of them are really sending a lot of emails, not sure the traffic analysis will make sense. – Milos Cuculovic Apr 25 '18 at 08:40

2 Answers

You can either grep logs for senders like

grep sasl_username /var/log/maillog

or use this script to show aggregate statistics

#!/usr/bin/python2
from __future__ import print_function

import re
# Capture only the user name itself: a greedy .* would also swallow any
# fields Postfix logs after sasl_username (e.g. ", sasl_sender=...").
re_sasl = re.compile(r'sasl_username=([^\s,]+)')

senders = {}  # sasl_username -> number of authenticated submissions

for line in open('/var/log/maillog'):
    m = re_sasl.search(line.strip())
    if m:
        username = m.group(1)
        if username in senders:
            senders[username] += 1
        else:
            senders[username] = 1

print("Top senders:")
# items() works on Python 2 and 3; iteritems() exists only on Python 2
for username, count in sorted(senders.items(), key=lambda x: x[1], reverse=True):
    print("\t{0:5d} {1}".format(count, username))
yaplik
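Both answers count sasl_username occurrences, which ranks busy accounts but, as the asker notes in the comments, does not separate a legitimately busy account from a compromised one. The following is an added example (not code from either answer) that correlates each smtpd SASL login with the qmgr envelope line through the Postfix queue ID, so each account is summarised by submissions, distinct client IPs, distinct envelope senders and total recipients; the log lines are constructed and the thresholds in suspicious() are assumptions to tune per site.

```python
import re
from collections import defaultdict
# Postfix logs the SASL login on the smtpd line and the envelope on the qmgr
# line; the shared queue ID ties the two together. These lines are constructed.
SAMPLE_LOG = """\
Apr 25 08:10:01 mail postfix/smtpd[1201]: 3B2D1A2E34: client=laptop.example.com[198.51.100.10], sasl_method=PLAIN, sasl_username=alice@example.com
Apr 25 08:10:01 mail postfix/qmgr[1150]: 3B2D1A2E34: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Apr 25 08:10:05 mail postfix/smtpd[1202]: 4C3E2B3F45: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob@example.com
Apr 25 08:10:05 mail postfix/qmgr[1150]: 4C3E2B3F45: from=<promo@shop.test>, size=9100, nrcpt=50 (queue active)
Apr 25 08:10:09 mail postfix/smtpd[1203]: 5D4F3C4A56: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=bob@example.com
Apr 25 08:10:09 mail postfix/qmgr[1150]: 5D4F3C4A56: from=<billing@bank.test>, size=9100, nrcpt=50 (queue active)
Apr 25 08:10:12 mail postfix/smtpd[1204]: 6E5A4D5B67: client=unknown[198.51.100.200], sasl_method=LOGIN, sasl_username=bob@example.com
Apr 25 08:10:12 mail postfix/qmgr[1150]: 6E5A4D5B67: from=<winner@lottery.test>, size=9100, nrcpt=50 (queue active)
Apr 25 08:10:15 mail postfix/qmgr[1150]: 7F6B5E6C78: from=<news@partner.test>, size=500, nrcpt=1 (queue active)
"""

RE_SASL = re.compile(r': (?P<qid>[0-9A-Za-z]+): client=\S*\[(?P<ip>[^\]]+)\].*?'
                     r'sasl_username=(?P<user>[^\s,]+)')
RE_FROM = re.compile(r': (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>, '
                     r'size=\d+, nrcpt=(?P<nrcpt>\d+)')

def summarize(lines):
    """Per SASL user: submissions, distinct client IPs, distinct envelope
    senders and total recipients. Unauthenticated (inbound) mail is skipped."""
    login = {}  # queue id -> (sasl user, client ip), waiting for its qmgr line
    stats = defaultdict(lambda: {'msgs': 0, 'ips': set(), 'senders': set(), 'rcpts': 0})
    for line in lines:
        m = RE_SASL.search(line)
        if m:
            login[m['qid']] = (m['user'], m['ip'])
            continue
        m = RE_FROM.search(line)
        if m and m['qid'] in login:
            user, ip = login.pop(m['qid'])
            s = stats[user]
            s['msgs'] += 1
            s['rcpts'] += int(m['nrcpt'])
            s['ips'].add(ip)
            s['senders'].add(m['sender'])
    return dict(stats)

def suspicious(stats, min_ips=3, min_senders=3):
    """Users seen from many IPs or with many envelope senders (thresholds are assumptions)."""
    return sorted(u for u, s in stats.items()
                  if len(s['ips']) >= min_ips or len(s['senders']) >= min_senders)

if __name__ == '__main__':
    for user in suspicious(summarize(SAMPLE_LOG.splitlines())):
        print('suspicious account:', user)
```

Run it against /var/log/zimbra.log (or maillog) instead of SAMPLE_LOG; an account with one client IP and its own address as envelope sender is merely busy, one with many IPs and rotating forged senders is the compromised one.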

Please use this command to get the compromised account details

# keep only the user name (stop at the comma that precedes any following field)
sed -n 's/.*sasl_username=\([^ ,]*\).*/\1/p' zimbra.log | sort | uniq -c | sort -n
alexander.polomodov