[BlueOnyx:17397] Re: Detecting compromised mail accounts

Gustavo Silva beatwiz at gmail.com
Thu Apr 2 01:24:32 -05 2015


Yeah, I used to run a bunch of shell scripts that walk through the
logs and show the count of incoming/outgoing mail for distinct emails.

As an example, this one uses ctladdr to check who sent how many emails in
the last 9999 log lines:

tail -n 9999 /var/log/maillog | grep "ctladdr" | awk -F',' '{ print $2 }' |
awk '{ print $1 }' | grep ctladdr | sort | uniq -c

Anyway, in my personal experience I find it best to limit the email rates
at the sendmail milter level and only allow a certain number of emails in/out
per hour, because when an account gets spammed it's most of the time overnight;
you only realize it in the morning when your IP address is already on all the
spam lists and 300 people are calling at the same time.

So IMHO it's best to enforce some strict guerrilla tactics if you're dealing
with spammy customers, like lowering the number of CC/BCC addresses at the
sendmail level and implementing some milter-limit.

^^^^^^^ This is bound to break things if not done properly and might not
survive a version update! I'm just sharing my experience and a different
view on things :D

Good luck!



2015-04-02 6:47 GMT+01:00 Tigerwolf <tigerwolf at tigerden.com>:

> On Wed, 1 Apr 2015, Jeff Keller wrote:
>
> > Is there no way to get "top senders" (either by user or domain) from the
> > GUI?
>
> I don't know of anything off the shelf, but if you trust the sendmail logs
> to reflect who sends what, I'd think a script to parse the log by sender,
> then count the results along the general idea of:
>
>      for username in $(cat userlist); do
>        echo "$username"
>        grep -c "from=$username" /var/log/maillog
>      done
>
> If you want to see it from a browser, then just make an html template page
> and have the script stuff its output into the template.
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>



-- 
Regards,
Gustavo
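The log walking Gustavo describes, as an added example that is not part of the original post or of BlueOnyx: a POSIX sh script that counts envelope senders (from=) and local submitting users (ctladdr=) in a sendmail maillog, and then flags any sender whose recipient total (summed from nrcpts=) exceeds a per-clock-hour threshold, which is the overnight burst the thread is worried about. The log lines are constructed for the example; they follow the standard sendmail maillog field layout (from=, nrcpts=, ctladdr=), and the file name, threshold and sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): count senders in a sendmail
# maillog and flag per-hour bursts. Every log line below is constructed.

SAMPLE_LOG="${TMPDIR:-/tmp}/maillog.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Apr  2 01:03:10 web1 sendmail[4012]: t3213A8u004012: from=<alice@example.com>, size=2311, class=0, nrcpts=1, msgid=<a1@example.com>, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]
Apr  2 01:03:10 web1 sendmail[4013]: t3213A8u004012: to=<bob@example.org>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=32311, relay=mx.example.org. [198.51.100.7], dsn=2.0.0, stat=Sent
Apr  2 02:10:01 web1 sendmail[4101]: t322A1Qb004101: from=www, size=812, class=0, nrcpts=1, msgid=<w1@web1.example.net>, relay=www@localhost
Apr  2 02:10:01 web1 sendmail[4102]: t322A1Qb004101: to=v01@example.net, ctladdr=www (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30812, relay=[127.0.0.1], dsn=2.0.0, stat=Sent
Apr  2 02:10:02 web1 sendmail[4103]: t322A2Qc004103: from=www, size=812, class=0, nrcpts=1, msgid=<w2@web1.example.net>, relay=www@localhost
Apr  2 02:10:02 web1 sendmail[4104]: t322A2Qc004103: to=v02@example.net, ctladdr=www (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30812, relay=[127.0.0.1], dsn=2.0.0, stat=Sent
Apr  2 02:10:03 web1 sendmail[4105]: t322A3Qd004105: from=www, size=812, class=0, nrcpts=1, msgid=<w3@web1.example.net>, relay=www@localhost
Apr  2 02:10:03 web1 sendmail[4106]: t322A3Qd004105: to=v03@example.net, ctladdr=www (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30812, relay=[127.0.0.1], dsn=2.0.0, stat=Sent
Apr  2 02:11:44 web1 sendmail[4120]: t322BiKd004120: from=<carol@example.com>, size=1504, class=0, nrcpts=1, msgid=<c1@example.com>, proto=ESMTP, daemon=MTA, relay=[203.0.113.9]
Apr  2 03:00:05 web1 sendmail[4200]: t32305Ef004200: from=www, size=9021, class=0, nrcpts=8, msgid=<w4@web1.example.net>, relay=www@localhost
Apr  2 03:00:05 web1 sendmail[4201]: t32305Ef004200: to=v04@example.net,v05@example.net,v06@example.net,v07@example.net,v08@example.net,v09@example.net,v10@example.net,v11@example.net, ctladdr=www (48/48), delay=00:00:00, xdelay=00:00:01, mailer=relay, pri=39021, relay=[127.0.0.1], dsn=2.0.0, stat=Sent
Apr  2 03:00:06 web1 sendmail[4202]: t32306Eg004202: from=www, size=812, class=0, nrcpts=1, msgid=<w5@web1.example.net>, relay=www@localhost
Apr  2 03:00:06 web1 sendmail[4203]: t32306Eg004202: to=v12@example.net, ctladdr=www (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30812, relay=[127.0.0.1], dsn=2.0.0, stat=Sent
Apr  2 03:30:00 web1 sendmail[4250]: t323U0Hh004250: from=<alice@example.com>, size=1100, class=0, nrcpts=1, msgid=<a2@example.com>, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]
EOF

# Envelope senders (the from= field of each submission record), busiest first.
count_senders() {
  sed -n 's/.* from=\([^,]*\),.*/\1/p' "$1" | sort | uniq -c | sort -rn
}

# Local users that handed mail to sendmail (ctladdr= on delivery records),
# busiest first. This is the field the original one-liner keys on.
count_ctladdr() {
  sed -n 's/.* ctladdr=\([^ ,]*\).*/\1/p' "$1" | sort | uniq -c | sort -rn
}

# Print "recipients messages Mon D HH:00 sender" for every sender whose
# recipient total in one clock hour exceeds $2. Summing nrcpts= instead of
# counting messages catches a single message with a long BCC list.
flag_bursts() {
  awk -v max="$2" '
    / from=/ {
      sender = ""; rcpts = 0
      # $1 $2 $3 are the syslog month, day and HH:MM:SS; fields after
      # the queue id are comma-terminated key=value pairs.
      for (i = 5; i <= NF; i++) {
        if ($i ~ /^from=/)   { sender = substr($i, 6); sub(/,$/, "", sender) }
        if ($i ~ /^nrcpts=/) { rcpts = substr($i, 8); sub(/,$/, "", rcpts); rcpts += 0 }
      }
      split($3, t, ":")
      key = $1 " " $2 " " t[1] ":00 " sender
      msgs[key]++
      total[key] += rcpts
    }
    END { for (k in total) if (total[k] > max) print total[k], msgs[k], k }
  ' "$1" | sort -rn
}

echo "== envelope senders =="; count_senders "$SAMPLE_LOG"
echo "== ctladdr (local submitters) =="; count_ctladdr "$SAMPLE_LOG"
echo "== bursts (more than 6 recipients in one hour) =="; flag_bursts "$SAMPLE_LOG" 6
```

On the sample above the burst report is the single line `9 2 Apr 2 03:00 www`: the web server user pushed 9 recipients in 2 messages inside one hour, while the same user's 3 one-recipient messages in the previous hour stay under the threshold. Point the functions at /var/log/maillog (or a `tail -n` slice of it) instead of the sample file to run them on a live box. Note that the envelope sender in from= is whatever the submitter claimed, so for a compromised account the ctladdr= user (for local submissions) or the SMTP AUTH user is the more trustworthy key to count on; the threshold itself is a site choice.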