William,
If you think an account is compromised, you may want to look at the proxy, MTA, or mailbox logs to see what IP that possibly compromised account is logging in from. If it comes from a suspect location (country), network, or ISP, you may be able to determine that it was indeed compromised.
Regards,
Pablo Garaitonandia
Penn State University
ITS, Applied Information Technologies
(814) 865-6385
pablo@psu.edu
From: "William Froning" <wfroning@aus.edu>
To: "Zimbra Higher-Ed Admins" <zimbra-hied-admins@sfu.ca>
Sent: Sunday, May 26, 2013 12:09:16 AM
Subject: LDAP Change Log
Hello All,
I was wondering how you all are monitoring Zimbra LDAP change events. I can't seem to find the right log (if it is even enabled) to watch for account changes that might suggest a compromised account.
We are running 7.2.1. Any assistance is welcome.
Thanks,
Will
--
Will Froning
Information Security Manager
Office of the Vice Chancellor for Finance and Administration
American University of Sharjah
Tel +971 6 515 2124
Mob +971 50 737 1599
Fax +971 6 515 2120
PO Box 26666, Sharjah
United Arab Emirates
http://www.aus.edu
wfroning@aus.edu
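
The check suggested in the reply above (find which IP a possibly compromised account logs in from and whether that network is one you expect), as an added example that is not part of the original thread. The log line layout, the `oip`/`ip` field names and the `EXPECTED_NETS` allowlist are assumptions, and the sample lines are constructed using documentation addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines. The "[name=...;oip=...;] security - cmd=Auth" layout
# is an assumption modelled on a Zimbra-style audit log; adjust the patterns to
# whatever your proxy, MTA or mailbox log actually emits.
SAMPLE_LOG = """\
2013-05-25 08:01:12,101 INFO  [name=alice@example.edu;oip=192.0.2.15;] security - cmd=Auth; account=alice@example.edu; protocol=soap;
2013-05-25 09:14:40,220 INFO  [name=bob@example.edu;ip=198.51.100.7;] security - cmd=Auth; account=bob@example.edu; protocol=imap;
2013-05-25 23:47:03,912 INFO  [name=alice@example.edu;ip=192.0.2.1;oip=203.0.113.88;] security - cmd=Auth; account=alice@example.edu; protocol=soap;
2013-05-26 00:02:51,007 WARN  [name=bob@example.edu;oip=203.0.113.9;] security - cmd=Auth; account=bob@example.edu; protocol=soap; error=authentication failed;
2013-05-26 00:05:19,330 INFO  [name=alice@example.edu;oip=203.0.113.88;] security - cmd=Auth; account=alice@example.edu; protocol=imap;
"""

# Hypothetical networks that logins are normally expected to come from.
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

NAME_RE = re.compile(r"\[name=([^;\]]+);")
OIP_RE = re.compile(r"\boip=([^;\]]+)")   # client address as seen by a proxy
IP_RE = re.compile(r"\bip=([^;\]]+)")     # direct peer (may be the proxy itself)

def successful_logins(log_text):
    """Yield (timestamp, account, ip_address) for each successful auth line."""
    for line in log_text.splitlines():
        if "cmd=Auth;" not in line or "error=" in line:
            continue  # not an auth event, or a failed attempt
        name = NAME_RE.search(line)
        src = OIP_RE.search(line) or IP_RE.search(line)  # prefer the client IP
        if not name or not src:
            continue
        try:
            ip = ipaddress.ip_address(src.group(1))
        except ValueError:
            continue  # malformed address field, skip rather than crash
        yield line[:23], name.group(1), ip

def logins_outside_expected(log_text, expected=EXPECTED_NETS):
    """Return {account: [(timestamp, ip), ...]} for logins from unexpected networks."""
    hits = defaultdict(list)
    for ts, account, ip in successful_logins(log_text):
        if not any(ip in net for net in expected):
            hits[account].append((ts, str(ip)))
    return dict(hits)

if __name__ == "__main__":
    for account, events in logins_outside_expected(SAMPLE_LOG).items():
        print(account, events)
```

An account listed here is a lead for review (whois or GeoIP on the address, recent setting changes), not proof of compromise on its own.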