Alt-N Discussion Groups MDaemon Discussion Groups MDaemon Support Archive

Help with LOG

Javier Meilán …

Newbie
Posts: 44

Javier Meilán Deus - 05:04am, Nov 3 2021

We have more than 800 mailboxes in the company, and on 11/1/2021 we received an email that skipped all spam filters including the Security Gateway.

After reviewing all the logs, I verify that in some mailboxes, an IMAP login is made and something is added directly to the inbox.

The connecting IPs are all from the US.

See the log

I know it was added this way, because there is no trace of these emails in the rest of the logs, nothing in the routing log, or in the content filter log. And of course in the SMTP input log

What else can I look at?

These are all the IPs that have been connected in this way, they belong to netprotect.com and HIGHWINDS

See Capture IP

Can we know what added that IMAP connection to the mailbox, is there some kind of log?

Any Idea?

Attachments:	IP.PNG (25 KB)
	Log.PNG (96 KB)

Arron Caruth - Nov 3, 2021 6:57 am (#1 Total: 1)

Guest User

Posts: 1

There are no other logs in MDaemon that include any additional information about IMAP connections. Who can use IP 2 location tools on the internet to see where the IP is located, or WhoIs lookups to see who owns the IP. I'm not sure what other information you are looking for. There may be more clues in the email headers if you view the source of the mail they uploaded.

But the bottom line is that if somebody logged into an account on your server that is not authorized you need to change the passwords on the account immediately.

I would also recommend enabling the option for "Do not allow passwords found in third-party compromised passwords lists" and set it to check every 7 days. This can be found under Accounts / Account Settings / Other / Passwords.

Depending on your environment, you may also want to consider blocking connections/authentication from the U.S using Location Screening. This can be by going to Security / Security Manager / Screening / Location Screening.

--
Arron Caruth
Vice President of Product Development
o: 817-601-3222 e: Arron.Caruth@mdaemon.com

MDaemon Technologies
Simple Secure Email

Visit us on www.mdaemon.com | Facebook | LinkedIn | YouTube
Sent using the MDaemon Email Server

On Wed, 3 Nov 2021 05:04:19 -0500, "lists-md-support@mdaemon.com (Javier Meilán Deus)" <lists-md-support@mdaemon.com> wrote:
We have more than 800 mailboxes in the company, and on 11/1/2021 we received an email that skipped all spam filters including the Security Gateway.

After reviewing all the logs, I verify that in some mailboxes, an IMAP login is made and something is added directly to the inbox.

The connecting IPs are all from the US.

See the log:

Mon 2021-11-01 17:49:19.447: La primera vez se otorgará acceso IMAP autentificado a 216.131.82.35 para las axxxxxx@commcenter.es de la cuenta
Mon 2021-11-01 17:49:19.447: ----------
Mon 2021-11-01 17:49:18.334: Session 06114552; child 0004
Mon 2021-11-01 17:49:18.334: Accepting IMAP connection from 216.131.82.35:10262 to 10.4.xx.xx:993
Mon 2021-11-01 17:49:18.822: SSL negotiation successful (TLS 1.2, 256 bit key exchange, 256 bit AES encryption)
Mon 2021-11-01 17:49:18.822: --> * OK xxxx.commcenter.es IMAP4rev1 MDaemon 21.0.3 ready
Mon 2021-11-01 17:49:19.117: <-- S1 CAPABILITY Mon 2021-11-01 17:49:19.117: --> * CAPABILITY IMAP4rev1 NAMESPACE AUTH=CRAM-MD5 AUTH=LOGIN AUTH=PLAIN IDLE COMPRESS=DEFLATE ACL UNSELECT UIDPLUS QUOTA BINARY XLIST SASL-IR
Mon 2021-11-01 17:49:19.117: --> S1 OK CAPABILITY completed
Mon 2021-11-01 17:49:19.405: <-- S2 LOGIN "axxxxxxx@commcenter.es" ****** Mon 2021-11-01 17:49:19.443: Authenticated as axxxxxxxo@commcenter.es Mon 2021-11-01 17:49:19.450: --> S2 OK LOGIN completed
Mon 2021-11-01 17:49:19.750: <-- S3 SELECT "INBOX" Mon 2021-11-01 17:49:19.888: --> * FLAGS (\Seen \Answered \Flagged \Deleted \Draft \Recent $Forwarded $MDNSent)
Mon 2021-11-01 17:49:19.888: --> * 343 EXISTS
Mon 2021-11-01 17:49:19.888: --> * 3 RECENT
Mon 2021-11-01 17:49:19.888: --> * OK [UNSEEN 343] first unseen
Mon 2021-11-01 17:49:19.888: --> * OK [UIDVALIDITY 1396513573] UIDs valid
Mon 2021-11-01 17:49:19.888: --> * OK [UIDNEXT 2683] Predicted next UID
Mon 2021-11-01 17:49:19.888: --> * OK [PERMANENTFLAGS (\Seen \Answered \Flagged \Deleted \Draft $Forwarded $MDNSent)] .
Mon 2021-11-01 17:49:19.888: --> S3 OK [READ-WRITE] SELECT completed
Mon 2021-11-01 17:49:20.203: <-- S4 APPEND "INBOX" {4593} Mon 2021-11-01 17:49:20.207: --> + Ready for append literal
Mon 2021-11-01 17:49:20.537: --> * 344 EXISTS
Mon 2021-11-01 17:49:20.537: --> * 4 RECENT
Mon 2021-11-01 17:49:20.537: --> S4 OK [APPENDUID 1396513573 2683] APPEND completed
Mon 2021-11-01 17:49:20.865: <-- S5 SELECT "INBOX" Mon 2021-11-01 17:49:20.874: --> * FLAGS (\Seen \Answered \Flagged \Deleted \Draft \Recent $Forwarded $MDNSent)
Mon 2021-11-01 17:49:20.874: --> * 344 EXISTS
Mon 2021-11-01 17:49:20.874: --> * 0 RECENT
Mon 2021-11-01 17:49:20.874: --> * OK [UNSEEN 343] first unseen
Mon 2021-11-01 17:49:20.874: --> * OK [UIDVALIDITY 1396513573] UIDs valid
Mon 2021-11-01 17:49:20.874: --> * OK [UIDNEXT 2684] Predicted next UID
Mon 2021-11-01 17:49:20.874: --> * OK [PERMANENTFLAGS (\Seen \Answered \Flagged \Deleted \Draft $Forwarded $MDNSent)] .
Mon 2021-11-01 17:49:20.874: --> S5 OK [READ-WRITE] SELECT completed
Mon 2021-11-01 17:49:21.208: <-- S6 FETCH 344 (RFC822.HEADER) Mon 2021-11-01 17:49:21.208: Sending FETCH response (not logged)... Mon 2021-11-01 17:49:21.220: --> S6 OK FETCH completed
Mon 2021-11-01 17:49:21.547: <-- S7 SELECT "SPAM" Mon 2021-11-01 17:49:21.547: --> S7 NO Mailbox does not exist
Mon 2021-11-01 17:49:21.869: <-- S8 FETCH 0 (RFC822.HEADER) Mon 2021-11-01 17:49:21.869: --> S8 BAD Bad state for FETCH
Mon 2021-11-01 17:49:22.182: <-- S9 LOGOUT Mon 2021-11-01 17:49:22.182: --> * BYE IMAP engine signing off (no errors)
Mon 2021-11-01 17:49:22.182: --> S9 OK LOGOUT completed
Mon 2021-11-01 17:49:22.183: IMAP session complete, (Bytes in/out: 5529/7479)

I know it was added this way, because there is no trace of these emails in the rest of the logs, nothing in the routing log, or in the content filter log. And of course in the SMTP input log

What else can I look at?

These are all the IPs that have been connected in this way, they belong to netprotect.com and HIGHWI

View/reply at Help with LOG
--MD-SUPPORT--------------------------------------------------------------
This list is for questions and discussion about MDAEMON. To unsubscribe 
from this mailing list send an email to md-support-unsubscribe@mdaemon.com .
--POWERED BY MDAEMON!-----------------------------------------------------

--------------------------------------------------------------------------
These forums are provided by MDaemon Technologies for user-to-user 
support and discussion.  MDaemon staff members may participate in the 
forums periodically but please recognize that this is not the official
method of receiving technical support. To receive personal technical 
support please use the form here:
http://www.mdaemon.com/Support/RequestSupport/
--------------------------------------------------------------------------


--MD-SUPPORT--------------------------------------------------------------
This list is for questions and discussion about MDAEMON. To unsubscribe 
from this mailing list send an email to md-support-unsubscribe@mdaemon.com .
--POWERED BY MDAEMON!-----------------------------------------------------

--------------------------------------------------------------------------
These forums are provided by MDaemon Technologies for user-to-user 
support and discussion.  MDaemon staff members may participate in the 
forums periodically but please recognize that this is not the official
method of receiving technical support. To receive personal technical 
support please use the form here:
http://www.mdaemon.com/Support/RequestSupport/
--------------------------------------------------------------------------