About the server log of the SMTP connection source

Lpic1challenger

A server managed by our company was the subject of a report.

■Overview
I received the following report from the reporter.

"An SMTP connection was made from our managed IP (an IP managed by my company). After clearing SASL authentication, a phishing email was sent."

Therefore, the reporter would like our company, which owns the source IP, to take measures.

■Question
Which log should I look at on our server, which is the source of the connection used to send the malicious emails?

We use Postfix on Linux CentOS 7.

I also looked at the following logs, but I couldn't find any entries that led to the connection information for the cracked server.
/var/log/maillog
/var/log/secure
/var/log/messages
 


/var/log/maillog contains all the smtp/smtpd traffic and mail transfers handled by Postfix; all the connections that delivered mail to your mail server are registered there.
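As an added example that is not part of this thread, the following Python script joins the inbound submission record written by postfix/smtpd with the outbound delivery record written by postfix/smtp, using the Postfix queue ID as the join key, so a delivery to the reporter's host can be traced back to the submitting client and SASL account on your own server. The log lines, hostnames and RFC 5737 addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in CentOS 7 syslog/Postfix format (not from the thread).
SAMPLE_MAILLOG = """\
Jul  8 10:15:01 mx1 postfix/smtpd[12345]: connect from unknown[203.0.113.45]
Jul  8 10:15:02 mx1 postfix/smtpd[12345]: 4B2C1D3E5F: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=alice@example.com
Jul  8 10:15:02 mx1 postfix/qmgr[1200]: 4B2C1D3E5F: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Jul  8 10:15:03 mx1 postfix/smtp[12347]: 4B2C1D3E5F: to=<victim@reporter.example>, relay=mail.reporter.example[198.51.100.7]:25, delay=1.2, delays=0.5/0.01/0.3/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ABC123)
Jul  8 10:15:03 mx1 postfix/qmgr[1200]: 4B2C1D3E5F: removed
Jul  8 10:20:00 mx1 postfix/smtpd[12350]: 7C9D2E4F60: client=laptop.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
Jul  8 10:20:01 mx1 postfix/smtp[12351]: 7C9D2E4F60: to=<partner@other.example>, relay=mx.other.example[192.0.2.99]:25, delay=0.8, delays=0.3/0.01/0.2/0.3, dsn=2.0.0, status=sent (250 Ok)
"""

# smtpd: who handed the message to us (client host[ip] and, if any, the SASL user).
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<client>[^,\s]+)"
    r"(?:.*sasl_username=(?P<user>\S+))?")
# smtp: where we delivered it (relay host[ip]:port) and with what result.
SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*status=(?P<status>\w+)")


def correlate(log_text):
    """Group smtpd and smtp records by queue ID into one dict per message."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            msgs[m["qid"]].update(client=m["client"], sasl_username=m["user"])
            continue
        m = SMTP_RE.search(line)
        if m:
            msgs[m["qid"]].setdefault("deliveries", []).append(
                {"to": m["rcpt"], "relay": m["relay"], "status": m["status"]})
    return dict(msgs)


def deliveries_to(log_text, relay_host_or_ip):
    """List (queue_id, submitting client, sasl user, recipient) for every message
    this Postfix instance delivered to the given remote host or IP."""
    hits = []
    for qid, info in correlate(log_text).items():
        for d in info.get("deliveries", []):
            if relay_host_or_ip in d["relay"]:
                hits.append((qid, info.get("client"), info.get("sasl_username"), d["to"]))
    return hits


if __name__ == "__main__":
    for hit in deliveries_to(SAMPLE_MAILLOG, "198.51.100.7"):
        print(hit)
```

Only mail relayed through Postfix appears in maillog; a connection opened directly by another process on the host leaves no record there.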