[BlueOnyx:17395] Re: Detecting compromised mail accounts

Jeff Keller jeff at datatune.com
Wed Apr 1 23:07:17 -05 2015


Thanks Tigerwolf.  I'm running 5208 and I've started monitoring network
traffic which should help me detect the big waves, but I was hoping to be
able to find a simple report in the GUI that I could look at from week to
week to see if any users or domains have had an unexpected jump in
traffic.  I can grep it out of the logs, but hitting the GUI from my phone
would be convenient.

Is there no way to get "top senders" (either by user or domain) from the
GUI?

Jeff

On Tue, Mar 31, 2015 at 10:19 PM, Tigerwolf <tigerwolf at tigerden.com> wrote:

> On Wed, 1 Apr 2015, Ernie wrote:
>
> > line, and use the mailq as root or sudo to see if a mass of spam is going
> > out, as a rule it will be choking the mail queue. Then you examine the
> > headers in /var/spool/mqueue to see who sent the spam so you can figure
> > out the compromised user.
>
> Often, spammers will upload an entire self-contained spam system and list
> of target addresses and spew from that.  Local logs will show NOTHING as
> none of the local mail programs are being used.  To further complicate
> things, the spam system erases itself and leaves no trace once it's
> finished.  FTP logs also may not show anything if they used SSH for
> transfer.
>
> If you have an older BX version, I'd recommend installing "vnstat" which
> makes nice historical graphs of a designated network interface with
> hourly, daily, and monthly use both in and outbound.  You can look at
> in/out traffic with a browser using a companion program that reads the
> data and makes the graphics for a simple web page.  Newer BX versions
> already include a similar program as part of the GUI, but I forget the
> name.
>
> Another quick-look kind of program is "iftop" which shows traffic on all
> ports of an interface.  It's good for spotting something that's spewing
> outbound, or attacking inbound.
>
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>
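The "top senders" report Jeff says he can grep out of the logs, written up as an added example (it is not from the thread and not part of BlueOnyx): one shell function that tallies envelope senders and sender domains from sendmail's "from=<...>, size=..., nrcpts=N" log lines, weighting each message by its recipient count so a single 50-recipient blast is not hidden behind fifty one-recipient mails, and a second function that compares this week's report with last week's and flags the jumps he wants to spot. The log lines and the previous-week report are constructed for the example; the file paths and the 10x ratio are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from BlueOnyx. Summarises
# sendmail envelope senders from a maillog and flags week-over-week jumps.
# Assumes the stock sendmail log format: "from=<addr>, size=N, class=0, nrcpts=N, ..."
# The log lines and the "previous week" report below are constructed.

SAMPLE_LOG="${TMPDIR:-/tmp}/maillog.sample.$$"
PREV_REPORT="${TMPDIR:-/tmp}/report.prev.$$"
CUR_REPORT="${TMPDIR:-/tmp}/report.cur.$$"
trap 'rm -f "$SAMPLE_LOG" "$PREV_REPORT" "$CUR_REPORT"' EXIT

cat > "$SAMPLE_LOG" <<'EOF'
Apr  1 21:02:11 bx sendmail[20111]: t320Pxx020111: from=<alice@example.com>, size=812, class=0, nrcpts=1, msgid=<a1@example.com>, proto=ESMTP, daemon=MTA, relay=host.example.com [203.0.113.5]
Apr  1 21:05:37 bx sendmail[20140]: t320Pyy020140: from=<bob@example.net>, size=2201, class=0, nrcpts=2, msgid=<b1@example.net>, proto=ESMTP, daemon=MTA, relay=[192.0.2.7]
Apr  1 21:09:02 bx sendmail[20177]: t320Pzz020177: from=<alice@example.com>, size=44120, class=0, nrcpts=50, msgid=<a2@example.com>, proto=ESMTP, daemon=MTA, relay=[198.51.100.9]
Apr  1 21:09:40 bx sendmail[20180]: t320Pqq020180: from=<>, size=1500, class=0, nrcpts=1, msgid=<bounce@bx>, proto=ESMTP, daemon=MTA, relay=localhost
Apr  1 21:12:15 bx sendmail[20190]: t320Prr020190: from=<carol@example.com>, size=900, class=0, nrcpts=1, msgid=<c1@example.com>, proto=ESMTP, daemon=MTA, relay=host.example.com [203.0.113.5]
Apr  1 21:13:00 bx sendmail[20190]: t320Prr020190: to=<dave@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30900, relay=mx.example.org. [203.0.113.20], dsn=2.0.0, stat=Sent
EOF

# top_senders FILE
# Prints "kind count name" lines (kind is "user" or "domain"), highest count
# first within each kind. Only "from=<...>" lines are counted; the null sender
# (bounces) is skipped; each message is weighted by its nrcpts value.
top_senders() {
    awk '
    /sendmail\[[0-9]+\]: .*from=</ {
        match($0, /from=<[^>]*>/)
        sender = substr($0, RSTART + 6, RLENGTH - 7)   # strip "from=<" and ">"
        if (sender == "") next                         # bounce, no real sender
        n = 1
        if (match($0, /nrcpts=[0-9]+/)) n = substr($0, RSTART + 7, RLENGTH - 7)
        by_user[sender] += n
        split(sender, parts, "@")
        by_domain[parts[2]] += n
    }
    END {
        for (u in by_user)   printf "user %d %s\n",   by_user[u],   u
        for (d in by_domain) printf "domain %d %s\n", by_domain[d], d
    }' "$1" | sort -k1,1 -k2,2nr
}

# flag_jumps PREV CUR RATIO
# Reads two top_senders reports and prints every user or domain whose count
# in CUR is at least RATIO times its count in PREV. A name missing from PREV
# is given a baseline of 1, so a brand-new sender is flagged once it reaches RATIO.
flag_jumps() {
    awk -v ratio="$3" '
    NR == FNR { prev[$1 " " $3] = $2; next }          # first file: baseline
    {
        key = $1 " " $3
        old = (key in prev) ? prev[key] : 0
        base = old ? old : 1
        if ($2 >= ratio * base) printf "%s %s %d -> %d\n", $1, $3, old, $2
    }' "$1" "$2"
}

# Constructed baseline: what the same report looked like the week before.
cat > "$PREV_REPORT" <<'EOF'
domain 3 example.com
domain 2 example.net
user 2 alice@example.com
user 2 bob@example.net
user 1 carol@example.com
EOF

echo "== this week =="
top_senders "$SAMPLE_LOG" | tee "$CUR_REPORT"
echo "== jumps of 10x or more =="
flag_jumps "$PREV_REPORT" "$CUR_REPORT" 10
```

On a live box the first argument would be /var/log/maillog (or the rotated copy for last week), and the report lines can be saved once a week and fed back through flag_jumps. Two caveats follow from the thread itself: the envelope sender is whatever the client asserted, so to pin traffic to an account you would cross-reference sendmail's separate "AUTH=server, ..., authid=..." log lines rather than trust from=; and, as Tigerwolf points out, a spam engine uploaded to the server that speaks SMTP itself never touches the local MTA, so nothing of it lands in maillog at all, which is the gap vnstat and iftop are there to close.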