Spam through Webmail

[rvn2k]

Hello

I just found out that one of my DirectAdmin servers is on some RBL blacklists, when I checked for evidence, i see that the mails have been sent using Roundcube webmail, so logs show that the sender is the webapps account..

Any idea how can I check the real username behind this??

Thanks

 

[zEitEr]

Hello,

Find out IP of the user, who was sending SPAM, then scan directadmin's logs for that IP or history files with logins. Also you can check with exim/dovecot logs.

 

[rvn2k]

Can't since exim logs are only showing that it comes from "webapps" from "localhost".

I guess it's roundcube's fault for not using smtp_auth by default, if it was used logs would show the exact username that's being used to spam..

 

[zEitEr]

I did not get, what you mean. Dovecot has nothing with SMTP and smtp_auth. Anyway, if you scan logs, with 50% certainty you'll find the sender.

If it's near to impossible for you to find a sender, I can do it for you, as well as somebody else on these forums. Of course for a fee.

 

[rvn2k]

I just fixed it.. thanks anyway

My problem was that the only info about sender I had was that it was being sent by "webapps", now I modified the config file from Roundcube under config/main.inc.php to force users to authenticate before sending mail.

 

[SeLLeRoNe]

is not the default configuration?

What did you changed?

Regards