zetnsh, 19th January 2008, 19:27

Just my brief thoughts on this:

Firstly, you can find older log files in the same directory as the maillog, but with different suffixes - on my system the relevant files are in /var/log:

[root@mail ~]# ls -al /var/log/mail*
-rw------- 1 root root 835677 Jan 19 17:18 /var/log/maillog
-rw------- 1 root root 182263 Jan 13 04:06 /var/log/maillog.1
-rw------- 1 root root 184045 Jan  6 04:06 /var/log/maillog.2
-rw------- 1 root root 155908 Dec 30 04:06 /var/log/maillog.3
-rw------- 1 root root  98734 Dec 23 04:06 /var/log/maillog.4

You will see from the dates that the log rotates every few days when it gets beyond a certain size, and the old one gets archived (as in /var/log/maillog.x); the bigger 'x' is, the older the file. In my system, it only keeps 4 copies.

Also with reference to your worries about spam, I would say that you are very likely to see ISPConfig usernames in the log files, simply because the incoming e-mail addresses at some point get rewritten to that. Just because you're seeing those usernames doesn't necessarily mean anything's wrong - you would see those even if you received a normal mail.

What generally happens in these cases is that a third party sends out SPAM mail using an address on one of your domains as the sending address. This kind of sender forgery is unfortunately very common, and the mere fact that the domain is even registered is often enough for spammers to have a go. Of course the vast majority of this spam is sent to non-existent addresses, or gets bounced by a spam filter, so of course your mailserver, as the one genuinely responsible for handling mail for the domain, gets hit with the bounces. This is sometimes called "backscatter", and simply handling the volume can present problems for any system administrator.

I think the important things are to check that you really are not an open relay (i.e. anyone can send using your SMTP server) - Hans provided a good link to a site which tests that, and also make sure you haven't got any misbehaving CGI/PHP programs running on your server. Common examples of these would be feedback forms on websites - they usually provide a mechanism for sending e-mail to an address configured in the form's hidden fields, which can often be used maliciously for spamming. Older versions of had this problem, but it's been fixed in newer versions. Any custom-written scripts might have this problem of course! The golden rule really should be never send e-mail to an address given in a web form...

Hope all that is some sort of help!

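The two log-related points in the post above (walking maillog and its rotated copies, and recognising backscatter bounces in them) as an added example; this is not code from zetnsh's post. The log lines are constructed in Postfix syslog style, which is an assumption since the post does not say which MTA the server runs; the null-sender check ("from=<>") and the "User unknown" reject text are standard Postfix behaviour, and the orig_to= field is what shows the address as typed next to the rewritten local user name the post mentions.

```python
"""Added example, not from the original post: scan /var/log/maillog and its
rotated copies (maillog.1, maillog.2, ...) for backscatter, i.e. bounces with
the null sender "from=<>" aimed at addresses that do not exist on the server.
Sample lines are constructed in Postfix style (assumption: the post does not
name its MTA)."""
import re
from collections import Counter
from pathlib import Path

# Constructed sample log lines, keyed by file name as they would sit in /var/log.
SAMPLE_LOGS = {
    "maillog": [
        "Jan 19 17:18:01 mail postfix/smtpd[2331]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: "
        "550 5.1.1 <qx7@example.com>: Recipient address rejected: User unknown in local recipient table; "
        "from=<> to=<qx7@example.com> proto=ESMTP helo=<mx.example.net>",
        "Jan 19 17:18:02 mail postfix/smtpd[2331]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: "
        "550 5.1.1 <zz9@example.com>: Recipient address rejected: User unknown in local recipient table; "
        "from=<> to=<zz9@example.com> proto=ESMTP helo=<mx.example.net>",
        "Jan 19 17:19:30 mail postfix/smtpd[2340]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
        "554 5.7.1 <someone@example.org>: Relay access denied; "
        "from=<promo@example.net> to=<someone@example.org> proto=ESMTP helo=<promo.example.net>",
        "Jan 19 17:20:15 mail postfix/qmgr[1800]: 3F2A1B22: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)",
        # orig_to= keeps the address as typed; to= is the rewritten local user name
        "Jan 19 17:20:16 mail postfix/local[2410]: 3F2A1B22: to=<web1_alice@example.com>, "
        "orig_to=<alice@example.com>, relay=local, delay=0.3, status=sent (delivered to maildir)",
    ],
    "maillog.1": [
        "Jan 12 09:05:11 mail postfix/smtpd[1975]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: "
        "550 5.1.1 <abc123@example.com>: Recipient address rejected: User unknown in local recipient table; "
        "from=<> to=<abc123@example.com> proto=ESMTP helo=<relay.example.net>",
        "Jan 12 09:05:12 mail postfix/smtpd[1975]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: "
        "550 5.1.1 <nosuch@example.com>: Recipient address rejected: User unknown in local recipient table; "
        "from=<spammer@example.net> to=<nosuch@example.com> proto=ESMTP helo=<relay.example.net>",
    ],
}

ROTATED_NAME_RE = re.compile(r"^maillog(?:\.(\d+))?$")  # maillog, maillog.1, ... (compressed copies not handled)
ENVELOPE_RE = re.compile(r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>")
CLIENT_RE = re.compile(r"RCPT from \S+\[(?P<ip>[^\]]+)\]")


def rotation_index(name):
    """maillog -> 0 (current file), maillog.3 -> 3; the larger the number, the older the file."""
    m = ROTATED_NAME_RE.match(name)
    return int(m.group(1) or 0)


def sort_rotated(names):
    """Order the log files newest first, as the post describes: maillog, maillog.1, maillog.2, ..."""
    return sorted((n for n in names if ROTATED_NAME_RE.match(n)), key=rotation_index)


def new_stats():
    return {"bounces": 0, "backscatter": 0, "relay_denied": 0, "sources": Counter()}


def scan_backscatter(lines, stats=None):
    """Count null-sender envelopes (bounces) and, among them, those addressed to
    users that do not exist here; those are backscatter from forged senders."""
    stats = stats if stats is not None else new_stats()
    for line in lines:
        if "Relay access denied" in line:
            stats["relay_denied"] += 1      # a relay attempt the server refused
        m = ENVELOPE_RE.search(line)
        if not m or m.group("sender") != "":
            continue                        # not a null-sender (bounce) envelope
        stats["bounces"] += 1
        if "User unknown" in line:          # bounce for a forged address that never existed
            stats["backscatter"] += 1
            c = CLIENT_RE.search(line)
            if c:
                stats["sources"][c.group("ip")] += 1
    return stats


def scan_samples():
    """Run the scan over the constructed files, newest first."""
    stats = new_stats()
    for name in sort_rotated(SAMPLE_LOGS):
        scan_backscatter(SAMPLE_LOGS[name], stats)
    return stats


def scan_log_dir(log_dir="/var/log"):
    """Same scan over the real files: the current log plus every rotated copy."""
    stats = new_stats()
    names = [p.name for p in Path(log_dir).iterdir() if p.is_file()]
    for name in sort_rotated(names):
        with open(Path(log_dir, name), encoding="utf-8", errors="replace") as fh:
            scan_backscatter(fh, stats)
    return stats


if __name__ == "__main__":
    s = scan_samples()
    print(f"null-sender bounces: {s['bounces']}, to unknown users: {s['backscatter']}, "
          f"relay attempts refused: {s['relay_denied']}")
    for ip, n in s["sources"].most_common(5):
        print(f"  {ip}: {n} backscatter deliveries")
```

A steady stream of "User unknown" rejects with an empty sender is the backscatter the post describes and is harmless to the server beyond the load; a non-empty sender being rejected for "User unknown" (the last sample line) is ordinary spam probing, and "Relay access denied" lines are what you want to see, since they show the server refusing to relay. Run scan_log_dir() as root to apply the same counts to the real files.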
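The feedback-form problem from the post's last paragraph, as an added example rather than code from the post or from any particular form mailer: the pattern that takes its recipient from a hidden field, beside a hardened handler that follows the post's golden rule and never sends to an address given in the form. SITE_RECIPIENT, SITE_SENDER and the two sample submissions are constructed assumptions; nothing here actually sends mail, the functions return what would be sent.

```python
"""Added example, not from the original post: a web feedback form handler in
its vulnerable form (recipient taken from the form) and a hardened form
(recipient fixed on the server, header fields checked).  Names and sample
submissions are assumptions made up for the illustration."""
from email.message import EmailMessage
from email.utils import parseaddr

SITE_RECIPIENT = "webmaster@example.com"  # assumption: fixed on the server, never in the form
SITE_SENDER = "forms@example.com"         # assumption: From address for outgoing form mail


def render_unsafe(form):
    """Vulnerable: the recipient is whatever the (hidden) 'to' field says, and
    header values are pasted into raw header text, as old form mailers did.
    Returns (envelope recipient, raw message) instead of sending it."""
    raw = (f"To: {form['to']}\r\nFrom: {form['from']}\r\n"
           f"Subject: {form['subject']}\r\n\r\n{form['message']}")
    return form["to"], raw


def has_crlf(value):
    """Header injection check: a CR or LF inside a header value starts a new header."""
    return "\r" in value or "\n" in value


def render_safe(form):
    """Hardened: recipient is fixed server-side, the visitor's address only goes
    into Reply-To, and any header field containing CR/LF is refused.
    Returns (recipient, EmailMessage)."""
    reply = form.get("from", "")
    subject = form.get("subject", "")
    body = form.get("message", "")
    if has_crlf(reply) or has_crlf(subject):
        raise ValueError("header field contains CR/LF")
    _, addr = parseaddr(reply)
    if not addr or "@" not in addr:
        raise ValueError("invalid reply address")
    msg = EmailMessage()
    msg["To"] = SITE_RECIPIENT        # a 'to' field in the form, if present, is ignored entirely
    msg["From"] = SITE_SENDER
    msg["Reply-To"] = addr
    msg["Subject"] = subject[:200] or "Website feedback"
    msg.set_content(body)
    return SITE_RECIPIENT, msg


def is_refused(form):
    """True when render_safe rejects the submission."""
    try:
        render_safe(form)
    except ValueError:
        return True
    return False


# Constructed sample: a visitor-controlled POST that supplies its own recipient and
# tries to smuggle a Bcc header in through the subject line.
HOSTILE_FORM = {
    "to": "victim@example.net",
    "from": "anyone@example.org",
    "subject": "Hello\r\nBcc: list1@example.net, list2@example.net",
    "message": "buy now",
}
# Constructed sample: an ordinary submission from a site visitor.
HONEST_FORM = {"from": "Jane <jane@example.org>", "subject": "Broken link", "message": "Page /about is 404."}

if __name__ == "__main__":
    rcpt, raw = render_unsafe(HOSTILE_FORM)
    headers = raw.split("\r\n\r\n")[0].replace("\r\n", " | ")
    print("unsafe handler would send to", rcpt, "with headers:", headers)
    print("safe handler refuses hostile form:", is_refused(HOSTILE_FORM))
    rcpt, msg = render_safe(HONEST_FORM)
    print("safe handler sends to", rcpt, "with Reply-To", msg["Reply-To"])
```

The unsafe handler turns the site into exactly the kind of spam relay the post warns about: the sender picks the destination, and the injected line adds further recipients even though the visible form only had one. The hardened version has no recipient to steer at all, which is the point of the post's golden rule; the CR/LF check is the extra guard a practitioner adds so that the Subject and Reply-To fields cannot grow headers either.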