[BlueOnyx:12625] Re: Maximum number of RCPTs for Vhost

Ken Marcus kenlists at precisionweb.net
Wed Mar 27 11:16:50 -05 2013


On 3/27/2013 7:21 AM, (NSD) Thomas Petersen wrote:
>
> Anyone ?
>
> *From:* blueonyx-bounces at mail.blueonyx.it 
> [mailto:blueonyx-bounces at mail.blueonyx.it] *On behalf of* Marcello Torchio
> *Sent:* 23 March 2013 07:09
> *To:* BlueOnyx General Mailing List
> *Subject:* [BlueOnyx:12606] Maximum number of RCPTs for Vhost
>
> Good morning sirs (+1 GMT),
>
> I've a few questions about sendmail settings.
>
> Recently I have been the subject of a spam attack. A mailbox password was 
> stolen and a bot sent spam through my BO 5108R server.
>
> Honestly I did not notice the issue until the server was put on some 
> blacklists.
>
> First question: is it possible to have a monitoring tool to tell whether 
> there is spamming activity on the mail server?
>
> For example a threshold number of RCPTs in outgoing messages that alerts 
> the administrator when exceeded, or the content of messages, or I 
> don't know...
> One of the wrong settings was that outgoing mail was not analyzed 
> by AvSPAM, only incoming mail.
>
> I've reduced the maximum number of RCPTs to 5. But one of our customers 
> needs to write to up to 40 RCPTs.
>
> Second question: is it possible to set up a Vhost-dedicated maximum 
> number of RCPTs?
>
> Does any of you have tips & tricks to monitor and prevent this spam 
> mailing and blacklisting?
>
> Thanks
>
> Marcello Torchio
>
>
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
Marcello


Here is a perl script that you could run that will tell you if the mailq 
is large

#!/usr/bin/perl
##################################################################
# This script will check the mailq and email if it is over 200
# (run it from cron; sendmail keeps one df* data file per queued message)
#################################################################
use strict;
use warnings;
use MIME::Lite;

# Count the df* (message body) files in the sendmail queue directory.
my $mailq = `ls /var/spool/mqueue | grep -c '^df'`;
chomp($mailq);

my $serverdomain = "someserver.com";

# Where to send the alert (an SMS e-mail gateway address in this example).
my $alertsto = "123456789\@txt.att.net";

if ($mailq > 200) {
    print "mailq count is $mailq\n";
    # email me
    my $emailbody = "The mailq count is $mailq on the $serverdomain server. 
<BR> Check for spamming issues.<BR>";
    $emailbody .= "The mailq command on the server is: mailq <BR>
Generally the method I use to find the culprit is:<BR>
-Type mailq and note one of the mail id numbers, eg. oBLJkG8L005990    <BR>
That id will correspond to 2 files in /var/spool/mqueue/ <BR>
e.g.  dfoBLJkG8L005990  and qfoBLJkG8L005990 <BR> <BR>

- Then to see if it is spam, look at the content of that file by typing 
<BR>
cat /var/spool/mqueue/*oBLJkG8L005990<BR>
or<BR>
cat /var/spool/mqueue/*oBLJkG8L005990 | more <BR><BR>

- Then you can cat the maillog and grep for the IP address or email 
address. <BR>
That should show you the authid that they are using to send with; e.g. 
elisa <BR><BR>

- To see which site elisa belongs to you can type cd ~elisa <BR>
Then ls -al  and note the site number. <BR>
Then ls -la /home/sites/ | grep site[thesitenumberhere] <BR> <BR>
Then change the pass for that user. <BR>
Then delete the outgoing spam files <BR> <BR>

Or, if the sender of the spam is apache, then a php script is sending 
the spam. <BR>
In that case, check the maillog for the send times. Then crosscheck the 
times with the command<BR>
cat  /var/log/httpd/access_log | grep php  | grep [thetime]<BR>
e.g.  cat  /var/log/httpd/access_log | grep php  | grep 12:40<BR>
Then move the compromised script. <BR>
";

    my $msg = MIME::Lite->new(
        Subject => "Large mailq for $serverdomain",
        From    => $alertsto,
        To      => $alertsto,
        Cc      => $alertsto,
        Type    => 'text/html',
        Data    => $emailbody,
    );

    $msg->send();
}

Ken Marcus
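To go with the threshold-alert idea in Marcello's first question and the "grep the maillog for the authid" step in Ken's procedure, here is an added Python example (not from the post and not BlueOnyx code) that correlates sendmail's AUTH= and from= log lines by queue id, totals recipients per authenticated user, and flags anyone over a default or per-user limit; the log lines, host name and user names are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sendmail maillog excerpt (sample data, not from the post). The
# "AUTH=server" line gives the authid for a queue id; the "from=" line for the
# same queue id gives nrcpts. An unauthenticated web-script send shows up as apache.
SAMPLE_LOG = """\
Mar 27 12:40:01 bo sendmail[4101]: r2RHe1AB004101: AUTH=server, relay=[203.0.113.9], authid=elisa, mech=LOGIN, bits=0
Mar 27 12:40:01 bo sendmail[4101]: r2RHe1AB004101: from=<elisa@example.net>, size=2048, class=0, nrcpts=40, msgid=<a@x>, proto=ESMTP, daemon=MTA, relay=[203.0.113.9]
Mar 27 12:40:03 bo sendmail[4102]: r2RHe3AC004102: AUTH=server, relay=[203.0.113.9], authid=elisa, mech=LOGIN, bits=0
Mar 27 12:40:03 bo sendmail[4102]: r2RHe3AC004102: from=<elisa@example.net>, size=2048, class=0, nrcpts=40, msgid=<b@x>, proto=ESMTP, daemon=MTA, relay=[203.0.113.9]
Mar 27 12:41:10 bo sendmail[4110]: r2RHfAAD004110: AUTH=server, relay=[198.51.100.5], authid=bob, mech=LOGIN, bits=0
Mar 27 12:41:10 bo sendmail[4110]: r2RHfAAD004110: from=<bob@example.org>, size=900, class=0, nrcpts=3, msgid=<c@x>, proto=ESMTP, daemon=MTA, relay=[198.51.100.5]
Mar 27 12:42:00 bo sendmail[4120]: r2RHgBAE004120: from=<apache@bo.example.net>, size=512, class=0, nrcpts=25, msgid=<d@x>, relay=apache@localhost
"""

QID_RE = re.compile(r"sendmail\[\d+\]: (\w+): (.*)$")
AUTHID_RE = re.compile(r"\bauthid=([^,\s]+)")
FROM_RE = re.compile(r"\bfrom=<([^>]*)>.*\bnrcpts=(\d+)")

def recipients_per_sender(log_text):
    """Sum nrcpts per sender: the authid when the session authenticated,
    otherwise the envelope sender (so PHP-script spam appears as apache)."""
    authid_by_qid, from_by_qid = {}, {}
    for line in log_text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        if a := AUTHID_RE.search(rest):
            authid_by_qid[qid] = a.group(1)
        if f := FROM_RE.search(rest):
            from_by_qid[qid] = (f.group(1).split("@")[0], int(f.group(2)))
    totals = defaultdict(int)
    for qid, (sender, nrcpts) in from_by_qid.items():
        totals[authid_by_qid.get(qid, sender)] += nrcpts
    return dict(totals)

def over_threshold(totals, default_limit=5, per_sender_limit=None):
    """Senders above their ceiling. per_sender_limit gives a customer who
    legitimately mails 40 RCPTs a higher limit than the server default."""
    limits = per_sender_limit or {}
    return {s: n for s, n in totals.items() if n > limits.get(s, default_limit)}

if __name__ == "__main__":
    totals = recipients_per_sender(SAMPLE_LOG)
    print(over_threshold(totals, per_sender_limit={"elisa": 40}))
```

Run it against a real /var/log/maillog slice (e.g. the last hour from cron) and feed the flagged names into the same alert mail the Perl script above sends; the per-sender map is where a customer's 40-RCPT allowance lives without raising the server-wide limit.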
