[BlueOnyx:01517] Re: Slammed with Spammer
Michael Stauber
mstauber at blueonyx.it
Sat Jun 27 14:12:38 -05 2009
Hi Steve,
> Having an issue with an old enemy on a new BO box.
>
> net.tw,
> gov.tw
> org.tw
> net.tw
> com.tw
>
> take your pick.
>
> Somehow, they must know one of the emails userid and password on the
> box and are sending 4000 - 5000 spams per hour into my mail queue.
>
> I have turned off PopBeforeSMTP, so probably not sending email out.
> Probably.
>
> How do I tell which account is being used to connect.
cat /var/log/maillog|grep sendmail | grep authid | grep "AUTH=server" | grep -v 127.0.0.1
All in one line. That shows you every recorded SMTP-Auth login since the start
of recording in /var/log/maillog - oldest entries first.
It will be quite a list, so you then ought to cut it down a bit.
A possibly better and more sorted overview could be generated this way:
cat /var/log/maillog|grep sendmail | grep authid|grep "AUTH=server" | grep -v 127.0.0.1|awk '{print " " $7,$8,$9}' | sort -u
Also all in one line.
That output ain't perfect (sometimes the logging format is slightly
different), but generally it should allow you to spot which SMTP-Auth user
is generating the most traffic. Because that username will show up very often.
--
With best regards
Michael Stauber
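
Added example, not part of the original post: one way to turn the maillog filtering above into a per-account count that finds the authid= token wherever it falls on the line, so a missing relay hostname does not shift the columns. The function names and sample log lines are constructed, and the "AUTH=server, relay=..., authid=..." layout is assumed from sendmail's usual log format.

```shell
#!/bin/sh
# Constructed sample lines (not real data); layout assumed to follow
# sendmail's "AUTH=server, relay=..., authid=..." log entries.
sample_maillog() {
cat <<'EOF'
Jun 27 14:01:02 box sendmail[2101]: AUTH=server, relay=h1.example.net [203.0.113.5], authid=alice, mech=LOGIN, bits=0
Jun 27 14:02:10 box sendmail[2102]: AUTH=server, relay=[198.51.100.7], authid=bob, mech=LOGIN, bits=0
Jun 27 14:02:11 box sendmail[2103]: AUTH=server, relay=h2.example.org [198.51.100.8], authid=bob, mech=LOGIN, bits=0
Jun 27 14:02:12 box sendmail[2104]: AUTH=server, relay=[198.51.100.7], authid=bob, mech=LOGIN, bits=0
Jun 27 14:03:00 box sendmail[2105]: AUTH=server, relay=localhost [127.0.0.1], authid=carol, mech=LOGIN, bits=0
Jun 27 14:03:05 box sendmail[2106]: n5RJ35ab002106: from=<alice@example.net>, size=812, nrcpts=1
EOF
}

# Print "logins distinct_sources authid", busiest account first.
# Reads the named log files, or stdin when none are given.
smtp_auth_summary() {
    awk '
    /sendmail/ && /AUTH=server/ && /authid=/ && !/127\.0\.0\.1/ {
        id = ""; ip = ""
        # Scan every field so a missing relay hostname cannot shift columns.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^authid=/) {
                id = $i; sub(/^authid=/, "", id); sub(/,$/, "", id)
            } else if ($i ~ /^(relay=)?\[/) {
                ip = $i; sub(/^relay=/, "", ip); gsub(/\[|\]|,/, "", ip)
            }
        }
        if (id == "") next
        logins[id]++
        if (ip != "" && !((id, ip) in seen)) { seen[id, ip] = 1; sources[id]++ }
    }
    END { for (id in logins) print logins[id], sources[id] + 0, id }
    ' "$@" | sort -k1,1nr -k2,2nr
}

# Demo on the constructed sample; on a live box: smtp_auth_summary /var/log/maillog
sample_maillog | smtp_auth_summary
```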