Hi,

We had a user account hacked (weak password) and our SMTP server was used for sending spam. We discovered it after our mail server IP began to show up in RBLs. We improved the passwords; however, the question is how best to watch the server in case a similar thing happens again.
We created a small regex-based log analyzer and received the following result (see below). The question is: is there somewhere a description of what each entry means? If not: which number shows the number of e-mails sent by the mail server? Or should we dig deeper into some of the entries, or combine some, or both? Our current idea is that if we watch this number for an unusual increase, we will be able to discover abuse this way before we discover it by means of RBLs.

Geert

RESULT:
-------
LINES TOTAL: 4328247
LINES_LOGIN: 20353
LINES_LOGOUT: 0
LINES_AMAVIS: 0
LINES_CYRUS_CTL_CYRUSDB: 749
LINES_CYRUS_CYR_EXPIRE: 11397
LINES_CYRUS_IMAP: 6874
LINES_CYRUS_LMTPUNIX: 8711
LINES_CYRUS_MASTER: 2182
LINES_CYRUS_TLS_PRUNE: 4
LINES_DOVECOT: 960
LINES_IMAPPROXYD: 0
LINES_POSTFIX_ANVIL: 999
LINES_POSTFIX_BOUNCE: 193
LINES_POSTFIX_CLEANUP: 1446
LINES_POSTFIX_ERROR: 974
LINES_POSTFIX_LMTP: 902
LINES_POSTFIX_LOCAL: 221
LINES_POSTFIX_PICKUP: 443
LINES_POSTFIX_QMGR: 3096601
LINES_POSTFIX_VERIFY: 0
LINES_POSTFIX_POSTMAP: 0
LINES_POSTFIX_TLSMGR: 0
LINES_POSTFIX_MASTER: 0
LINES_POSTFIX_SCACHE: 261
LINES_POSTFIX_SMTP: 20346
LINES_POSTFIX_SMTPD: 1154379
LINES_SPAMD: 0
LINES_POSTFIX: 0
LINES_POSTFIX_POSTFIX_SCRIPT: 0
LINES_POSTFIX_TRIVIAL_REWRITE: 252
LINES NOT PROCESSED: 0
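A raw count of `postfix/smtp` lines includes one delivery line per recipient plus connection and error messages, so it only approximates the number of e-mails sent and says nothing about which account submitted them. For catching a compromised account, the more useful signal is outbound volume per authenticated user. The script below is an added example, not code from the original post or from Postfix: it joins `postfix/smtpd` lines (which carry `sasl_username=` for authenticated submissions), `postfix/qmgr` lines (which carry `nrcpt=`) and `postfix/smtp` lines (which carry `status=sent` or `status=bounced`) on the Postfix queue ID, and flags any user whose accepted recipient count within one hour exceeds a threshold. The sample log lines, the user names `alice` and `carol`, the hosts and the threshold of three recipients per hour are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log (not from the original post): a syslog-style Postfix
# excerpt with one normal submission by "alice" and two bulk submissions
# by "carol" from an unknown client host.
SAMPLE_LOG = """\
Mar  3 10:01:02 mail postfix/smtpd[1234]: A1B2C3: client=laptop.example[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Mar  3 10:01:03 mail postfix/qmgr[999]: A1B2C3: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Mar  3 10:01:05 mail postfix/smtp[2222]: A1B2C3: to=<bob@example.net>, relay=mx.example.net[198.51.100.1]:25, delay=1.5, delays=0.1/0/0.7/0.7, dsn=2.0.0, status=sent (250 OK)
Mar  3 10:02:00 mail postfix/smtpd[1235]: D4E5F6: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=carol
Mar  3 10:02:01 mail postfix/qmgr[999]: D4E5F6: from=<carol@example.org>, size=5120, nrcpt=3 (queue active)
Mar  3 10:02:02 mail postfix/smtp[2223]: D4E5F6: to=<x1@example.com>, relay=mx.example.com[198.51.100.2]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 OK)
Mar  3 10:02:02 mail postfix/smtp[2223]: D4E5F6: to=<x2@example.com>, relay=mx.example.com[198.51.100.2]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 OK)
Mar  3 10:02:03 mail postfix/smtp[2223]: D4E5F6: to=<x3@example.com>, relay=mx.example.com[198.51.100.2]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=5.1.1, status=bounced (550 no such user)
Mar  3 10:03:00 mail postfix/smtpd[1236]: 778899: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=carol
Mar  3 10:03:01 mail postfix/qmgr[999]: 778899: from=<carol@example.org>, size=5120, nrcpt=2 (queue active)
Mar  3 10:03:02 mail postfix/smtp[2224]: 778899: to=<y1@example.com>, relay=mx.example.com[198.51.100.2]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=2.0.0, status=sent (250 OK)
Mar  3 10:03:02 mail postfix/smtp[2224]: 778899: to=<y2@example.com>, relay=mx.example.com[198.51.100.2]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=2.0.0, status=sent (250 OK)
"""

# Only lines that carry a queue ID are of interest; connect/disconnect and
# warning lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+"
    r"postfix/(?P<prog>[\w-]+)\[\d+\]:\s+(?P<qid>[0-9A-F]+):\s+(?P<rest>.*)$"
)
SASL_RE = re.compile(r"sasl_username=(\S+)")
NRCPT_RE = re.compile(r"nrcpt=(\d+)")
STATUS_RE = re.compile(r"status=(\w+)")


def analyze(log_text, max_rcpts_per_hour=3):
    """Attribute outbound traffic to the SASL user who submitted each message.

    Returns a dict with per-(user, hour) recipient, sent and bounce counters
    and a list of (user, hour, recipients) alerts above the threshold.
    """
    submitted_by = {}            # queue ID -> sasl_username, from smtpd lines
    counted_qids = set()         # qmgr logs "(queue active)" again on retries; count nrcpt once
    recipients = Counter()       # (user, hour) -> recipients accepted for delivery
    sent = Counter()             # (user, hour) -> deliveries logged status=sent
    bounced = Counter()          # (user, hour) -> deliveries logged status=bounced

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, qid, rest = m["prog"], m["qid"], m["rest"]
        hour_key = f"{m['mon']} {m['day']} {m['hour']}"

        if prog == "smtpd":
            s = SASL_RE.search(rest)
            if s:
                submitted_by[qid] = s.group(1)
        elif prog == "qmgr":
            user = submitted_by.get(qid)
            n = NRCPT_RE.search(rest)
            if user and n and qid not in counted_qids:
                counted_qids.add(qid)
                recipients[(user, hour_key)] += int(n.group(1))
        elif prog == "smtp":
            user = submitted_by.get(qid)
            st = STATUS_RE.search(rest)
            if user and st:
                if st.group(1) == "sent":
                    sent[(user, hour_key)] += 1
                elif st.group(1) == "bounced":
                    bounced[(user, hour_key)] += 1

    # Alert on accepted recipients rather than delivered mail: a compromised
    # account shows up at submission time, before deliveries and bounces pile up.
    alerts = [
        (user, hour, count)
        for (user, hour), count in sorted(recipients.items())
        if count > max_rcpts_per_hour
    ]
    return {"recipients": recipients, "sent": sent, "bounced": bounced, "alerts": alerts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for (user, hour), count in sorted(result["recipients"].items()):
        print(f"{hour}  {user:8s} rcpts={count} sent={result['sent'][(user, hour)]} "
              f"bounced={result['bounced'][(user, hour)]}")
    for user, hour, count in result["alerts"]:
        print(f"ALERT: {user} submitted {count} recipients in hour {hour}")
```

On a real server the threshold would be set from a baseline of normal per-user volume, and the bounce counter is a second useful signal: a spike in `status=bounced` from one account usually means recipient lists that were never valid. Note that messages submitted locally via `sendmail` or `pickup` have no `smtpd` line and therefore no `sasl_username`; the script ignores them rather than attributing them to anyone.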