[BlueOnyx:01517] Re: Slammed with Spammer

Michael Stauber mstauber at blueonyx.it
Sat Jun 27 14:12:38 PET 2009


Hi Steve,

> Having an issue with an old enemy on a new BO box.
>
> net.tw,
> gov.tw
> org.tw
> net.tw
> com.tw
>
> take your pick.
>
> Some how, they must know one of the emails userid and password on the
> box and are sending 4000 - 5000 spams per hour into my mail queue.
>
> I have turned off PopBeforeSMTP, so probably not sending email out.
> Probably.
>
> How do I tell which account is being used to connect.

cat /var/log/maillog|grep sendmail | grep authid | grep "AUTH=server" | grep -
v 127.0.0.1

All in one line. That shows you every recorded SMTP-Auth login since the start 
of recording in /var/log/maillog - oldest entries first.

It will be quite a list, so you then ought to cut it down a bit.

A possibly better and more sorted overview could be generated this way:

cat /var/log/maillog|grep sendmail | grep authid|grep "AUTH=server" | grep -v 
127.0.0.1|awk '{print " " $7,$8,$9}' | sort -u

Also all in one line.

That output ain't perfect (sometimes the logging format is slightly 
different), but genereally it should allow you to spot which SMTP-Auth users 
is generating the most traffic. Because that username will show up very often.

-- 
With best regards

Michael Stauber




More information about the Blueonyx mailing list