On 10/14/14, 10:34 AM, Bob OHara wrote:

Hello
 
We use Roundcube for our ISP's domain customer webmail. An account has been compromised and the spammers reply to addy put in. Any way to find which account contains this address in reply to without logging in to them all?
 
Bob

You could run queries against the database directly. You need to look at both the email and reply-to entries. For example, if all your users should have reply-to at "yourdomain.com", some queries I'd use to find this would be:

SELECT user_id, email, `reply-to` FROM identities WHERE `reply-to` NOT LIKE '%yourdomain.com' AND `reply-to` != '';
SELECT user_id, email, `reply-to` FROM identities WHERE email NOT LIKE '%yourdomain.com';

When you see the wrong entry in the results of one of those two queries, make note of the user_id and run the the following:

SELECT username FROM users WHERE user_id = 0000;

That should identify the user or users with the compromised account(s).

-- 
Arne Berglund System Administrator, Internet Services Lane Education Service District Eugene, OR ____________