Warning: X emails have been sent yesterday by USER

jlounds (Verified User, joined Mar 11, 2008, 27 messages)
Hello,

For the last 3 days, I have received a warning message that a certain user has sent over 1,200 e-mails.

I am assuming someone's e-mail password has been compromised, but am not sure how to narrow this down further.

1. The warning message says that the offending user is the main account username, which I assume means any of the e-mail accounts associated with that account could be the true offender.

2. Where in the exim log can I find out what username they used for SMTP authentication? When I look at the number of e-mails actually from that account's domain name, there were less than 100.

Thanks in advance!

~ Jeremy
 
Thanks, that is where I have been looking... I was hoping there was somewhere else I could look, too.

So far, it shows only 16 e-mails from that user -- hardly on pace to break 1,200 again today. Similar story yesterday when I looked mid-day, only a handful of log entries matching that user.

Is there a way to tell exim to log the actual SMTP auth username?

Thanks again.
 
You need to analyze the rotated exim logs for the previous days.

eximstats is a good tool to help you, run like this:

Code:
eximstats /var/log/exim/mainlog | less
 
I have the same problem,

In the exim stats I see

HTML:
Top 50 sending hosts by volume
------------------------------
  Messages      Bytes    Average   Sending host
      1413     2064KB       1495   local
So my server is sending out those emails. How can I find out what kind of emails my server is sending and to whom? I want to know whether they are legitimate emails or not.
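An added example, not from any poster in this thread, that answers both the "which SMTP auth username" question and the "what is 'local' sending" question: the exim mainlog records the authenticated SMTP user in the `A=` field of each `<=` arrival line, and locally submitted mail (what eximstats reports as sending host "local") carries the submitting Unix user in `U=` instead. The log lines below are constructed in mainlog format; on a real server you would feed it `/var/log/exim/mainlog` and the rotated copies.

```python
import re
from collections import Counter

# Constructed mainlog lines (not from the thread). "<=" is a message arrival;
# P=esmtpa with A=<authenticator>:<id> is an authenticated SMTP submission,
# U=<unix user> with P=local is a local submission (e.g. a script on the box).
SAMPLE_MAINLOG = """\
2008-03-12 09:01:10 1JZa1b-0001Ab-Cd <= bob@example.com H=(pc) [203.0.113.7] P=esmtpa A=dovecot_login:bob@example.com S=1520 id=1@example.com
2008-03-12 09:01:12 1JZa1b-0001Ab-Cd => alice@example.org R=lookuphost T=remote_smtp H=mx.example.org [198.51.100.2]
2008-03-12 09:02:30 1JZa1c-0001Ac-De <= bob@example.com H=(pc) [203.0.113.7] P=esmtpa A=dovecot_login:bob@example.com S=1498 id=2@example.com
2008-03-12 09:03:05 1JZa1d-0001Ad-Ef <= nobody@host.example.com U=nobody P=local S=2190 id=3@host.example.com
2008-03-12 09:03:06 1JZa1e-0001Ae-Fg <= nobody@host.example.com U=nobody P=local S=2201 id=4@host.example.com
2008-03-12 09:04:00 1JZa1f-0001Af-Gh <= carol@example.com H=(laptop) [203.0.113.9] P=esmtpa A=dovecot_login:carol@example.com S=900 id=5@example.com
"""

ARRIVAL = re.compile(r" <= (?P<sender>\S+) (?P<rest>.*)$")
# Whitespace-delimited KEY=value tokens; only A=, U= and P= are of interest.
FIELD = re.compile(r"(?<!\S)(?P<key>[AUP])=(?P<val>\S+)")


def count_originators(log_text):
    """Return {originator: messages} over every '<=' line in log_text.

    Authenticated submissions are keyed 'auth:<smtp auth username>', local
    submissions 'local:<unix user>', anything else 'sender:<envelope sender>'.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = ARRIVAL.search(line)
        if not m:
            continue  # delivery ("=>"), completion and other lines are skipped
        fields = dict(FIELD.findall(m.group("rest")))
        if "A" in fields:
            # A=dovecot_login:bob@example.com -> the real SMTP auth username
            key = "auth:" + fields["A"].split(":", 1)[1]
        elif "U" in fields:
            key = "local:" + fields["U"]
        else:
            key = "sender:" + m.group("sender")
        counts[key] += 1
    return dict(counts)


def flag_over_threshold(counts, limit):
    """Originators that sent more than `limit` messages, busiest first."""
    over = [(n, name) for name, n in counts.items() if n > limit]
    return [name for n, name in sorted(over, key=lambda t: (-t[0], t[1]))]


if __name__ == "__main__":
    totals = count_originators(SAMPLE_MAINLOG)
    for name in flag_over_threshold(totals, 1):
        print(f"{totals[name]:6d}  {name}")
```

A large `local:` count points at a script or cron job on the server rather than a stolen mailbox password, so the next step is to look at the `id=` and `=>` lines of those messages to see what they contain and where they go.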
 