[BlueOnyx:17399] Re: Detecting compromised mail accounts

Jeff Keller jeff at datatune.com
Thu Apr 2 08:47:54 -05 2015


Thank you for the script suggestions.  I'll give those a shot!

Jeff

On Wed, Apr 1, 2015 at 11:30 PM, Gustavo Silva <beatwiz at gmail.com> wrote:

> Maybe I digressed a bit on my last email, I do that a lot, so please
> forgive me for the excessive non-related info, that will probably kill your
> server and then make me feel bad! :D
>
> Staying on topic, log checking is great and even if you can't get stuff to
> show up on the GUI, you can at the very least write shell scripts that can
> be added to cron that will send you an alert when certain thresholds were
> hit, or let's say a daily statistic.
>
> Hope this helps!
> Gustavo
>
> 2015-04-02 7:24 GMT+01:00 Gustavo Silva <beatwiz at gmail.com>:
>
>> Yeah I used to run a bunch of shell scripts that actually walk through the
>> logs and show the count of incoming/outgoing mail for distinct emails.
>>
>> As an example, this one uses ctladdr to check who sent how many emails in
>> the last 9999 log lines
>>
>> tail -9999 /var/log/maillog | grep "ctladdr" | awk -F',' '{ print $2 }' |
>> awk '{ print $1 }' | grep ctladdr | sort | uniq -c
>>
>> Anyway in my personal experience I find it best to limit the email rates at
>> sendmail milter level and only allow a certain number of emails to get in/out per
>> hour because when an account gets spammed most of the time it's overnight,
>> you only realize it in the morning when your IP address is already on all
>> spam lists and 300 people are calling at the same time.
>>
>> So IMHO it's best to enforce some strict guerrilla tactics if you're
>> dealing with spammy customers like lowering the number of CC/BCC addresses
>> at sendmail level and implement some milter-limit.
>>
>> ^^^^^^^ This is bound to break things if not done properly and might not
>> survive a version update! I'm just sharing my experience and a different
>> view on things :D
>>
>> Good luck!
>>
>>
>>
>> 2015-04-02 6:47 GMT+01:00 Tigerwolf <tigerwolf at tigerden.com>:
>>
>>> On Wed, 1 Apr 2015, Jeff Keller wrote:
>>>
>>> > Is there no way to get "top senders" (either by user or domain) from the
>>> > GUI?
>>>
>>> I don't know of anything off the shelf, but if you trust the sendmail logs
>>> to reflect who sends what, I'd think a script to parse the log by sender,
>>> then count the results along the general idea of:
>>>
>>>      for username in $(cat userlist); do
>>>        echo "$username"
>>>        grep -c "from=$username" /var/log/maillog
>>>      done
>>>
>>> If you want to see it from a browser, then just make an html template page
>>> and have the script stuff its output into the template.
>>>
>>> _______________________________________________
>>> Blueonyx mailing list
>>> Blueonyx at mail.blueonyx.it
>>> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>>>
>>
>>
>>
>> --
>> Um abraço,
>> Gustavo
>>
>
>
>
> --
> Um abraço,
> Gustavo
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.blueonyx.it/pipermail/blueonyx/attachments/20150402/e4b1f173/attachment.html>
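The two approaches in the thread (counting `ctladdr=` per sender from the sendmail log, and running that count from cron with a threshold that triggers an alert) combined into one script. This is an added example, not code posted in the thread or shipped with BlueOnyx. It assumes the standard sendmail `maillog` layout in which the `to=` delivery line carries `ctladdr=<user@domain> (uid/gid)` or `ctladdr=user (uid/gid)`; the log lines embedded below are constructed for the demonstration, not real log data.

```shell
#!/bin/sh
# Added example (not from the thread): count outbound messages per authenticated
# sender from sendmail "to=" log lines, using the ctladdr= field, and flag any
# sender that crosses a threshold. Meant to be run from cron, e.g. hourly over
# the last N lines of /var/log/maillog, with the output mailed to the admin.

# Constructed sample of sendmail maillog lines (NOT real log data). Both forms
# of ctladdr that sendmail writes are included: "<user@domain>" and
# "user (uid/gid)". A "from=" line is included to show it is ignored.
SAMPLE_LOG='Apr  2 02:11:01 web1 sendmail[4101]: t321B1Ab004101: to=<x1@example.org>, ctladdr=<alice@example.com> (1001/1001), delay=00:00:01, mailer=esmtp, dsn=2.0.0, stat=Sent
Apr  2 02:11:02 web1 sendmail[4102]: t321B2Cd004102: to=<x2@example.org>, ctladdr=<alice@example.com> (1001/1001), delay=00:00:01, mailer=esmtp, dsn=2.0.0, stat=Sent
Apr  2 02:11:03 web1 sendmail[4103]: t321B3Ef004103: from=<bob@example.com>, size=812, class=0, nrcpts=1, relay=bob@localhost
Apr  2 02:11:03 web1 sendmail[4104]: t321B3Ef004103: to=<x3@example.org>, ctladdr=bob (1002/1002), delay=00:00:00, mailer=esmtp, dsn=2.0.0, stat=Sent
Apr  2 02:11:04 web1 sendmail[4105]: t321B4Gh004105: to=<x4@example.org>, ctladdr=<alice@example.com> (1001/1001), delay=00:00:02, mailer=esmtp, dsn=2.0.0, stat=Sent'

# count_ctladdr LOGTEXT
# Prints "COUNT SENDER" lines, most active sender first. Only "to=" delivery
# lines carry ctladdr, so from= and other lines drop out automatically.
count_ctladdr() {
    printf '%s\n' "$1" |
    awk '
        match($0, /ctladdr=[^,]*/) {
            s = substr($0, RSTART + 8, RLENGTH - 8)   # text after "ctladdr="
            sub(/ .*$/, "", s)                         # drop " (uid/gid)"
            gsub(/[<>]/, "", s)                        # drop angle brackets
            n[s]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# flag_senders LOGTEXT THRESHOLD
# Prints only the senders whose count is above THRESHOLD, one per line, so a
# cron job can mail the output as an alert (empty output = nothing to report).
flag_senders() {
    count_ctladdr "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# Stand-alone demo on the constructed sample. In production replace
# "$SAMPLE_LOG" with "$(tail -n 9999 /var/log/maillog)" as in the thread.
count_ctladdr "$SAMPLE_LOG"
flag_senders "$SAMPLE_LOG" 2
```

The threshold is deliberately per run rather than per day: hourly runs over the tail of the log catch the overnight burst Gustavo describes, while a daily total would only show it the next morning. Counting on `ctladdr=` rather than `from=` also matters for the compromised-account case, because `ctladdr` is the authenticated local user that submitted the message, whereas the envelope `from=` is whatever the spammer chose to put there.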
