Hi,
Every few minutes I get the following content in my maillog file. Since I had spamming activities on my server a few weeks ago, I don't trust these log entries. Should I be worried? Can someone explain what's happening here? PS I replaced the account (domain) name with "abcd"
Aug 3 20:20:51 ns1 pop3d-ssl: Connection, ip=[87.208.182.169]
Aug 3 20:20:51 ns1 pop3d-ssl: IMAP connect from @ [87.208.182.169]INFO: LOGIN, user=info@abcd.nl, ip=[87.208.182.169]
Aug 3 20:20:51 ns1 pop3d-ssl: 1375554051.357111 LOGOUT, user=info@abcd.nl, ip=[87.208.182.169], top=0, retr=0, time=0, rcvd=28, sent=55, maildir=/var/qmail/mailnames/abcd.nl/info/Maildir
Thanks in advance.
Mark
interpreting maillog in case of past spamproblems
The log says you are getting an IMAP login from user info@abcd.nl. If this is legit, i.e. you are running an IMAP server and know the user, it is probably okay; otherwise you should take action.
Re: interpreting maillog in case of past spamproblems
Thanks Tigalch,
This user does exist, but these login log messages appear approximately every 3 minutes for different domains. This triggered me. At least I think this is curious, but I'm not too much into Unix/log files, so that's why I asked.
What actions do you think of in case of malicious logins? Blocking IPs?
Thanks in advance.
Mark
Re: interpreting maillog in case of past spamproblems
Using secure/complex passwords would come to my mind first, so the accounts themselves are safe. Also using an up-to-date system to mitigate any bugs. iptables is also a good idea. Maybe you can run some stats on your maillog to see where the most unsuccessful logins originate from.
Re: interpreting maillog in case of past spamproblems
Great thanks Tigalch for taking time to explain.
Currently I'm using fail2ban to block IPs after 5 failed login attempts.
Regarding the stats of unsuccessful logins: is there some command to show all unsuccessful logins, or do I have to "grep" my way through this by searching some log files (which?).
Thanks again.
Mark
Re: interpreting maillog in case of past spamproblems
Phew, don't know about a specific command, so - unless someone else has a better idea - grep is your friend, I guess. If you already use fail2ban, that sounds good. The logfile in question is the same one from which you got the first lines of this post:
[quote]
Aug 3 20:20:51 ns1 pop3d-ssl: Connection, ip=[87.208.182.169]
Aug 3 20:20:51 ns1 pop3d-ssl: IMAP connect from @ [87.208.182.169]INFO: LOGIN, user=info@abcd.nl, ip=[87.208.182.169]
Aug 3 20:20:51 ns1 pop3d-ssl: 1375554051.357111 LOGOUT, user=info@abcd.nl, ip=[87.208.182.169], top=0, retr=0, time=0, rcvd=28, sent=55, maildir=/var/qmail/mailnames/abcd.nl/info/Maildir[/quote]
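One way to run the per-IP stats discussed above, as an added example that is not from the posters in this thread. It goes slightly beyond plain grep by also counting how many distinct accounts each IP logged into; the function names and the sample lines are constructed, and it assumes failed attempts are logged as `LOGIN FAILED, user=..., ip=[...]`, a line this thread does not show.

```shell
#!/bin/sh
# Added example: per-IP login statistics for pop3d/imapd lines in the maillog.

# Constructed sample input (documentation IP ranges, made-up accounts).
sample_log() {
cat <<'EOF'
Aug 3 20:20:51 ns1 pop3d-ssl: LOGIN, user=info@example.nl, ip=[192.0.2.10]
Aug 3 20:20:51 ns1 pop3d-ssl: LOGOUT, user=info@example.nl, ip=[192.0.2.10], top=0, retr=0, time=0, rcvd=28, sent=55
Aug 3 20:23:51 ns1 pop3d-ssl: LOGIN, user=sales@example.org, ip=[192.0.2.10]
Aug 3 20:24:02 ns1 imapd: LOGIN FAILED, user=admin, ip=[203.0.113.7]
Aug 3 20:24:05 ns1 imapd: LOGIN FAILED, user=test, ip=[203.0.113.7]
Aug 3 20:24:09 ns1 imapd: LOGIN FAILED, user=info@example.nl, ip=[203.0.113.7]
Aug 3 20:25:00 ns1 pop3d: LOGIN FAILED, user=info@example.nl, ip=[198.51.100.4]
Aug 3 20:25:30 ns1 pop3d: LOGIN, user=info@example.nl, ip=[198.51.100.4]
EOF
}

# Prints one tab-separated line per source IP, most failures first:
#   <failed logins> <successful logins> <distinct accounts logged into> <ip>
# ASSUMPTION: failures appear as "LOGIN FAILED, user=..., ip=[...]".
login_stats() {
    awk '
    /(pop3d|imapd)(-ssl)?: / {
        # Source address is the text inside ip=[...]
        if (!match($0, /ip=\[[^]]+\]/)) next
        ip = substr($0, RSTART + 4, RLENGTH - 5)
        user = ""
        if (match($0, /user=[^, ]+/)) user = substr($0, RSTART + 5, RLENGTH - 5)
        if ($0 ~ /LOGIN FAILED/) { failed[ip]++; seen_ip[ip] = 1 }
        else if ($0 ~ /LOGIN, user=/) {
            ok[ip]++; seen_ip[ip] = 1
            # Count each (ip, account) pair once to get distinct accounts per IP
            if (!((ip, user) in pair)) { pair[ip, user] = 1; users[ip]++ }
        }
    }
    END {
        for (ip in seen_ip)
            printf "%d\t%d\t%d\t%s\n", failed[ip], ok[ip], users[ip], ip
    }' "$@" | sort -k1,1nr -k4,4
}

# With a file argument, analyse that log; otherwise run on the sample above.
if [ $# -gt 0 ]; then login_stats "$@"; else sample_log | login_stats; fi
```

An IP with many failures is a candidate for the fail2ban or iptables blocking mentioned earlier; an IP with successful logins to many different accounts is worth checking against the users you know.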
Re: interpreting maillog in case of past spamproblems
Thanks Tigalch,
I'll investigate this further.
Cheers.
Mark