So, recently I discovered that a handful of our user accounts had their passwords compromised. Apparently this was from an outside source (maybe one of the many sites that have posted recently of hackers getting away with their databases). We found this via the mail server. One of our users mentioned that they were getting a number of returned e-mails that they didn’t send, more than usual. I checked the trace information and found that it did indeed come from our server. A scan of the server logs showed that indeed him and 7 other users had their accounts compromised. Thankfully I couldn’t find evidence of any other server being logged into and the mail server does not allow shell access to regular users, so it was just the SMTP that was being used.
Once I found that we had a people from out of country logging in I devised a script that I can run on our postfix maillog files to check for future incursions. The script is designed for use with postfix doing SASL password checking. I am sure if you are doing PAM authentication or something it could be modified to pick out the usernames still. Here is out it works. It looks for any lines in the maillog that indicate an authorized user sending e-mail. It will then extract the IP address and the username. The IP address is used for a geolocation lookup, thanks to ipinfo.io. We also filter out any connections from 10.* and 192.168.* as those are common non-Internet addresses.
If the location is outside the United States (our users do not go out of country too often) then it prints out the date, username, IP address and country. With this information I can do some follow up checks, but realistically when I see the same person logging in from 6 different countries in the span of 1 hour, it is a pretty good guess their account was compromised. Below you will find the script I use. So the moral of the story is to check your mail logs every few weeks to make sure you are not sending spam for people. If you use any monitoring software like nagios or zenoss, or just about any other monitoring software, you can probably configure this script to run automatically and check the last 10-15 minutes of the log file. In that case I also recommend automating the DNSBL check to see if you are listed.
#!/bin/sh
cat | grep sasl_username | grep -v "client=.*\[10\." | grep -v "client=.*\[192\.168\." | (while read line; do
ip=`echo $line | cut -f3 -d[ | cut -f1 -d]`
username=`echo $line | sed 's/.*sasl_username=//'`
date=`echo $line | cut -c1-15`
country=`curl -s "http://ipinfo.io/$ip/country"`
if [ "$country" = "US" ]; then continue; fi
echo "$date $username from IP $ip came from $country"
done)