thanks for repaly, this is log foe webmail: 176.61.140.133 - - [08/May/2012:08:18:41 +0200] "GET /src/compose.php?mail_sent=yes HTTP/1.1" 200 556825 "https://webmail.esempio.it/src/compose.php"; "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.10.229 Version/11.61" 176.61.140.133 - - [08/May/2012:08:18:43 +0200] "POST /src/compose.php HTTP/1.1" 302 5 "https://webmail.esempio.it/src/compose.php"; "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.10.229 Version/11.61" 176.61.140.133 - - [08/May/2012:08:18:45 +0200] "POST /src/compose.php HTTP/1.1" 302 5 "https://webmail.esempio.it/src/compose.php"; "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.10.229 Version/11.61" 176.61.140.133 - - [08/May/2012:08:18:47 +0200] "POST /src/compose.php HTTP/1.1" 302 5 "https://webmail.esempio.it/src/compose.php"; "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.10.229 Version/11.61" 176.61.140.133 - - [08/May/2012:08:18:50 +0200] "POST /src/compose.php HTTP/1.1" 302 5 "https://webmail.esempio.it/src/compose.php"; "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.10.229 Version/11.61"
how can I find the account used to send spam? thanks 2012/5/10 Wietse Venema <wie...@porcupine.org>: > Giuseppe Perna: >> this is log for /var/log/mailllog: >> May 8 08:18:41 neruda postfix/smtpd[3062]: BE80AB81E65: >> client=localhost[127.0.0.1] >> May 8 08:18:43 neruda postfix/cleanup[3208]: BE80AB81E65: >> message-id=<62105.176.61.140.133.1336457923.squirrel@176.61.140.133> > ... >> perhaps using the webmail with this ip 176.61.140.133 >> BE80AB81E65: >> message-id=<62105.176.61.140.133.1336457923.squirrel@176.61.140.133> > > Look in your webmail logs for activity at that time. > > Wietse --
