So my host says I am sending spam (using the default config of mailinabox; never had any issues for 5+ years), and their third-party spam scanner only has these logs showing I am sending spam. I am trying to grep in mail.log and I cannot find any of these message-IDs. Is this where I should be looking for them? How can I hunt this down?
If I grep the IP, some show no mail in mail.log and some show some mail, but not with the same message-ID as below. Actually, the message-ID format in mail.log doesn't seem to be the same as this.
I was able to find some examples of a message-ID that does exist, and somehow China has an account on my MiaB, "test@miaburl.com", which they have been authenticating into and sending spam with automatically. What the heck. How could they get this account and its login credentials? I changed the password to try to stop this; I just hope they don't have access.
I need to be able to dump all mail that user is trying to send and figure out how they got in. Please help!
I just deleted everything in the postfix mail queue. I need some type of incursion prevention on this so I know my system is sending spam.
You’ll want to do more than that. You’ll want to delete that user.
Grep with the following command:
`grep test@miaburl.com /var/log/mail.log | grep submission` and you should get something useful. Well, not very useful. Logging on MiaB looks like it leaves a lot to be desired. But you'll at least see the emails that user sent.
The only way you can see what is actually being sent is to intercept the message in the mail queue. You said that you are providing services for others, so doing that is a major privacy violation that opens you up to legal liability. The alternative is to view the Sent folder of the email user, which again opens you up to legal liability.
I didn’t realize that the logging in MiaB was so bad until after I replied and started poking around the logs of one of my own servers.
Since you never created this email user, you need to approach this as though your MiaB installation is compromised. I’d first audit your Ubuntu users.
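One reason a grep for the message-ID from an abuse report comes up empty is that Postfix spreads one message across several log lines that share only a queue ID: the `submission/smtpd` line carries the client IP and `sasl_username`, the `cleanup` line carries the `message-id`, and the `smtp` lines carry the recipients and delivery status. The script below is an added example, not code from the thread or from Mail-in-a-Box; it correlates those lines by queue ID so you can look up who authenticated for a given message-ID and how many messages, recipients and client IPs each SASL user accounts for. The log lines are constructed to match the standard Postfix format, the second account `me@miaburl.com` is assumed, and the IPs are documentation ranges.

```python
"""Correlate Postfix submission logs by queue ID.

Added example (not from the thread or the MiaB project).  Works on the
standard Postfix syslog format found in /var/log/mail.log; SAMPLE_LOG
below is constructed, not taken from a real server.
"""
import re
import sys

# Constructed sample: one compromised user sends two messages from one
# foreign IP; a legitimate (assumed) user sends one message from home.
SAMPLE_LOG = """\
Mar  3 10:01:02 box postfix/submission/smtpd[2101]: 4F3A1B2C3D: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=test@miaburl.com
Mar  3 10:01:02 box postfix/cleanup[2105]: 4F3A1B2C3D: message-id=<20240303100102.1234@spamhost.invalid>
Mar  3 10:01:02 box postfix/qmgr[1890]: 4F3A1B2C3D: from=<test@miaburl.com>, size=2048, nrcpt=3 (queue active)
Mar  3 10:01:03 box postfix/smtp[2110]: 4F3A1B2C3D: to=<a@example.com>, relay=mx.example.com[198.51.100.5]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 OK)
Mar  3 10:01:03 box postfix/smtp[2110]: 4F3A1B2C3D: to=<b@example.com>, relay=mx.example.com[198.51.100.5]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 OK)
Mar  3 10:01:03 box postfix/smtp[2110]: 4F3A1B2C3D: to=<c@example.net>, relay=mx.example.net[198.51.100.9]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=5.1.1, status=bounced (550 no such user)
Mar  3 10:05:40 box postfix/submission/smtpd[2130]: 5A6B7C8D9E: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=test@miaburl.com
Mar  3 10:05:40 box postfix/cleanup[2105]: 5A6B7C8D9E: message-id=<20240303100540.5678@spamhost.invalid>
Mar  3 10:05:40 box postfix/qmgr[1890]: 5A6B7C8D9E: from=<test@miaburl.com>, size=2100, nrcpt=1 (queue active)
Mar  3 10:05:41 box postfix/smtp[2110]: 5A6B7C8D9E: to=<d@example.org>, relay=mx.example.org[198.51.100.12]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 OK)
Mar  3 11:20:00 box postfix/submission/smtpd[2140]: 6B7C8D9E0F: client=home.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=me@miaburl.com
Mar  3 11:20:00 box postfix/cleanup[2105]: 6B7C8D9E0F: message-id=<unique-id@miaburl.com>
Mar  3 11:20:00 box postfix/qmgr[1890]: 6B7C8D9E0F: from=<me@miaburl.com>, size=900, nrcpt=1 (queue active)
Mar  3 11:20:01 box postfix/smtp[2110]: 6B7C8D9E0F: to=<friend@example.com>, relay=mx.example.com[198.51.100.5]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 OK)
"""

# "Mon DD HH:MM:SS host postfix/prog[pid]: QUEUEID: rest".  Requiring 8+
# alphanumerics for the queue ID skips "warning:" / "NOQUEUE:" lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"postfix/(?P<prog>[\w/-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]{8,}): (?P<rest>.*)$"
)
AUTH_RE = re.compile(r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)")
MSGID_RE = re.compile(r"message-id=<(?P<mid>[^>]*)>")
RCPT_RE = re.compile(r"to=<(?P<to>[^>]*)>.*?status=(?P<status>\w+)")


def parse_mail_log(text):
    """Return {queue_id: record}; each record joins the per-line fragments."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = records.setdefault(m["qid"], {
            "first_seen": m["ts"], "sasl_username": None, "client_host": None,
            "client_ip": None, "message_id": None, "recipients": []})
        rest = m["rest"]
        if (a := AUTH_RE.search(rest)):            # authenticated submission
            rec["sasl_username"], rec["client_host"], rec["client_ip"] = a["user"], a["host"], a["ip"]
        elif (i := MSGID_RE.search(rest)):         # cleanup line
            rec["message_id"] = i["mid"]
        elif (r := RCPT_RE.search(rest)):          # one line per recipient
            rec["recipients"].append((r["to"], r["status"]))
    return records


def find_queue_id(records, message_id):
    """Map a message-ID from an abuse report (with or without <>) to its queue ID."""
    wanted = message_id.strip().strip("<>")
    for qid, rec in records.items():
        if rec["message_id"] == wanted:
            return qid
    return None


def summarize(records):
    """Per SASL user: message count, recipient count, distinct client IPs."""
    out = {}
    for rec in records.values():
        user = rec["sasl_username"]
        if user is None:
            continue  # inbound mail, bounces etc. never authenticated
        s = out.setdefault(user, {"messages": 0, "recipients": 0, "client_ips": set()})
        s["messages"] += 1
        s["recipients"] += len(rec["recipients"])
        s["client_ips"].add(rec["client_ip"])
    return out


if __name__ == "__main__":
    # Usage: python3 thisfile.py /var/log/mail.log   (defaults to the sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = parse_mail_log(text)
    for user, s in sorted(summarize(recs).items(), key=lambda kv: -kv[1]["messages"]):
        print(f"{user}: {s['messages']} msgs, {s['recipients']} rcpts, from {sorted(s['client_ips'])}")
    if len(sys.argv) > 2:
        print("queue id for", sys.argv[2], "->", find_queue_id(recs, sys.argv[2]))
```

Run it against the real log (`python3 thisfile.py /var/log/mail.log '<id-from-abuse-report>'`) to see which SASL user and client IP sent a reported message; a user whose messages come from many unfamiliar IPs, or from one IP at a rate no person types at, is the account to disable. Logs rotate, so also check `mail.log.1` and the gzipped rotations if the report is more than a day old.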
Is there a log of when MiaB users are created? There is a good chance I did make this. I don't really provide mail to random people; it's mostly just a couple of friends and family.
My system is not compromised; the only logins are from my user with my IP.