[BlueOnyx:12626] Re: Maximum number of RCPTs for Vhost

Adam Lepp a at netqb.com
Wed Mar 27 12:12:13 -05 2013


My best suggestion would be to have AV-SPAM scan outgoing mail.

This should be the default setting – do you know why it was changed?

 

 

From: blueonyx-bounces at mail.blueonyx.it
[mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Ken Marcus
Sent: Wednesday, March 27, 2013 12:17 PM
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:12625] Re: Maximum number of RCPTs for Vhost

 

On 3/27/2013 7:21 AM, (NSD) Thomas Petersen wrote:

Anyone ?

 

From: blueonyx-bounces at mail.blueonyx.it
[mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Marcello Torchio
Sent: 23 March 2013 07:09
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:12606] Maximum number of RCPTs for Vhost

 

Good morning sirs (+1 GMT),

I've a few questions about sendmail settings.

Recently I have been the subject of a spam attack. A mailbox password was stolen
and a bot sent spam through my BO 5108R server.

Honestly, I did not notice the issue until the server was put on
some blacklists.

First question: is it possible to have a monitoring tool to understand if there
is spamming activity on the mail server?

For example a threshold number of RCPTs in outgoing messages that can alert
the administrator when exceeded, or the content of messages, or I don't
know...
One of the wrong settings was that outgoing mail was not analyzed by
AvSPAM, but only incoming mail.

I've reduced the maximum number of RCPTs to 5. But one of our customers needs
to write to up to 40 RCPTs.

Second question: is it possible to set up a Vhost-dedicated maximum number of
RCPTs?

Does anyone have tips & tricks to monitor and prevent this spam mailing and
blacklisting?

Thanks

Marcello Torchio






_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx

Marcello


Here is a perl script that you could run that will tell you if the mailq is
large

#!/usr/bin/perl
##################################################################
# This script will check the mailq and email if it is over 200
#################################################################
use strict;
use warnings;
use MIME::Lite;

# Count the data files (df*) in the sendmail queue; there is one per queued message.
my $mailq = `ls /var/spool/mqueue | grep -c '^df'`;
chomp($mailq);

my $serverdomain = "someserver.com";

# Where the alert is sent (an SMS-to-email gateway address in this case).
my $alertsto = "123456789\@txt.att.net";

if ($mailq > 200) {
    print "mailq count is $mailq\n";

    # Email me
    my $emailbody = "The mailq count is $mailq on the $serverdomain server. <BR>
Check for spamming issues.<BR>";
    $emailbody .= "The mailq command on the server is: mailq <BR>
Generally the method I use to find the culprit is:<BR>
- Type mailq and note one of the mail id numbers, e.g. oBLJkG8L005990 <BR>
That id will correspond to 2 files in /var/spool/mqueue/ <BR>
e.g. dfoBLJkG8L005990 and qfoBLJkG8L005990 <BR> <BR>

- Then to see if it is spam, look at the content of that file by typing <BR>

cat /var/spool/mqueue/*oBLJkG8L005990<BR>
or<BR>
cat /var/spool/mqueue/*oBLJkG8L005990 | more <BR><BR>

- Then you can cat the maillog and grep for the IP address or email address.
<BR>
That should show you the authid that they are using to send with; e.g. elisa
<BR><BR>

- To see which site elisa belongs to you can type cd ~elisa <BR>
Then ls -al and note the site number. <BR>
Then ls -la /home/sites/ | grep site[thesitenumberhere] <BR> <BR>
Then change the pass for that user. <BR>
Then delete the outgoing spam files <BR> <BR>

Or, if the sender of the spam is apache, then a php script is sending the
spam. <BR>
In that case, check the maillog for the send times. Then crosscheck the
times with the command<BR>
cat /var/log/httpd/access_log | grep php | grep [thetime]<BR>
e.g. cat /var/log/httpd/access_log | grep php | grep 12:40<BR>
Then move the compromised script. <BR>
";

    my $msg = MIME::Lite->new(
        Subject => "Large mailq for $serverdomain",
        From    => $alertsto,
        To      => $alertsto,
        Cc      => $alertsto,
        Type    => 'text/html',
        Data    => $emailbody,
    );

    $msg->send();
}

Ken Marcus
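Marcello's first question asks for a threshold on outgoing recipients that alerts the administrator, and Ken's procedure finds the abusing account by grepping the maillog for its authid. The script below is an added example (not code from the thread, from BlueOnyx or from sendmail) that joins the two ideas: it reads sendmail's maillog, pairs each queue ID's "AUTH=server ... authid=" record with its "from=<...> ... nrcpts=" record, and flags any authenticated sender whose recipients summed over a sliding ten-minute window exceed that sender's limit. The sample log lines are constructed; the default limit of 5 reuses Marcello's figure as a per-window budget rather than a per-message cap, and the override of 40 for the account named `newsletter` stands in for the customer who needs 40 recipients. The log year (2013) is assumed because syslog timestamps carry none.

```python
#!/usr/bin/env python3
"""Flag authenticated senders whose outbound recipient count, summed over a
sliding time window of sendmail maillog entries, exceeds a per-sender limit."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample maillog (not from the original thread). "elisa" submits
# four 5-recipient messages in ten seconds from one IP after a single small
# message an hour and a half earlier; "newsletter" legitimately sends one
# 40-recipient mailing; "bob" sends a normal 2-recipient message. A delivery
# ("to=") record is included to show that it is ignored.
SAMPLE_MAILLOG = """\
Mar 27 11:02:10 bo5108r sendmail[4101]: r2RA2AAA004101: AUTH=server, relay=[192.0.2.44], authid=elisa, mech=LOGIN, bits=0
Mar 27 11:02:10 bo5108r sendmail[4101]: r2RA2AAA004101: from=<elisa@vhost-a.example>, size=880, class=0, nrcpts=1, msgid=<m0@vhost-a.example>, proto=ESMTP, daemon=MTA, relay=[192.0.2.44]
Mar 27 12:40:01 bo5108r sendmail[5990]: r2RBe1BB005990: AUTH=server, relay=[203.0.113.5], authid=elisa, mech=LOGIN, bits=0
Mar 27 12:40:01 bo5108r sendmail[5990]: r2RBe1BB005990: from=<elisa@vhost-a.example>, size=2210, class=0, nrcpts=5, msgid=<m1@vhost-a.example>, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]
Mar 27 12:40:02 bo5108r sendmail[5995]: r2RBe1BB005990: to=<x@remote.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=122210, relay=mx.remote.example. [203.0.113.99], dsn=2.0.0, stat=Sent
Mar 27 12:40:03 bo5108r sendmail[5991]: r2RBe3CC005991: AUTH=server, relay=[203.0.113.5], authid=elisa, mech=LOGIN, bits=0
Mar 27 12:40:03 bo5108r sendmail[5991]: r2RBe3CC005991: from=<elisa@vhost-a.example>, size=2210, class=0, nrcpts=5, msgid=<m2@vhost-a.example>, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]
Mar 27 12:40:06 bo5108r sendmail[5992]: r2RBe6DD005992: AUTH=server, relay=[203.0.113.5], authid=elisa, mech=LOGIN, bits=0
Mar 27 12:40:06 bo5108r sendmail[5992]: r2RBe6DD005992: from=<elisa@vhost-a.example>, size=2210, class=0, nrcpts=5, msgid=<m3@vhost-a.example>, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]
Mar 27 12:40:09 bo5108r sendmail[5993]: r2RBe9EE005993: AUTH=server, relay=[203.0.113.5], authid=elisa, mech=LOGIN, bits=0
Mar 27 12:40:09 bo5108r sendmail[5993]: r2RBe9EE005993: from=<elisa@vhost-a.example>, size=2210, class=0, nrcpts=5, msgid=<m4@vhost-a.example>, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]
Mar 27 12:41:00 bo5108r sendmail[6001]: r2RBf0FF006001: AUTH=server, relay=[198.51.100.7], authid=newsletter, mech=PLAIN, bits=0
Mar 27 12:41:00 bo5108r sendmail[6001]: r2RBf0FF006001: from=<news@vhost-b.example>, size=51200, class=0, nrcpts=40, msgid=<n1@vhost-b.example>, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Mar 27 12:42:30 bo5108r sendmail[6010]: r2RBgUGG006010: AUTH=server, relay=[198.51.100.9], authid=bob, mech=LOGIN, bits=0
Mar 27 12:42:30 bo5108r sendmail[6010]: r2RBgUGG006010: from=<bob@vhost-a.example>, size=1500, class=0, nrcpts=2, msgid=<b1@vhost-a.example>, proto=ESMTP, daemon=MTA, relay=[198.51.100.9]
"""

# Assumed policy: 5 recipients per window for everyone (Marcello's figure),
# with a constructed override for the one account that sends 40 at a time.
DEFAULT_LIMIT = 5
PER_SENDER_LIMITS = {"newsletter": 40}
WINDOW = timedelta(minutes=10)

# The two sendmail records that matter, both keyed by queue ID: the SMTP AUTH
# record carries the authid, the envelope record carries nrcpts.
_PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
AUTH_RE = re.compile(_PREFIX + r"AUTH=server, relay=(?P<relay>[^,]+), authid=(?P<authid>[^,]+)")
FROM_RE = re.compile(_PREFIX + r"from=<(?P<sender>[^>]*)>, .*?nrcpts=(?P<nrcpts>\d+)")


def parse_ts(ts, year):
    """Syslog timestamps have no year; the caller supplies one (assumed 2013 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def recipients_per_sender(lines, year=2013):
    """Join AUTH and envelope records by queue ID.

    Returns {authid: [(timestamp, nrcpts, relay), ...]} for authenticated
    submissions only; unauthenticated mail and delivery records are ignored."""
    msgs = defaultdict(dict)
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            msgs[m["qid"]].update(authid=m["authid"], relay=m["relay"])
            continue
        m = FROM_RE.match(line)
        if m:
            msgs[m["qid"]].update(nrcpts=int(m["nrcpts"]), ts=parse_ts(m["ts"], year))
    events = defaultdict(list)
    for q in msgs.values():
        if "authid" in q and "nrcpts" in q:
            events[q["authid"]].append((q["ts"], q["nrcpts"], q["relay"]))
    return dict(events)


def find_abusers(events, limits, default_limit, window=WINDOW):
    """Return {authid: (peak_recipients_in_window, limit, relays_used)} for each
    sender whose recipients within any `window` exceed its limit."""
    flagged = {}
    for authid, evs in events.items():
        limit = limits.get(authid, default_limit)
        recent = deque()          # (timestamp, nrcpts) pairs inside the window
        total = peak = 0
        relays = set()
        for ts, n, relay in sorted(evs):
            recent.append((ts, n))
            total += n
            relays.add(relay)
            while ts - recent[0][0] > window:   # drop events older than the window
                total -= recent.popleft()[1]
            peak = max(peak, total)
        if peak > limit:
            flagged[authid] = (peak, limit, sorted(relays))
    return flagged


if __name__ == "__main__":
    events = recipients_per_sender(SAMPLE_MAILLOG.splitlines())
    for authid, (peak, limit, relays) in find_abusers(events, PER_SENDER_LIMITS, DEFAULT_LIMIT).items():
        print(f"ALERT {authid}: {peak} recipients within {WINDOW} (limit {limit}) via {', '.join(relays)}")
```

Run on the sample it reports only `elisa` (20 recipients in the window against a limit of 5, all from 203.0.113.5); the earlier single-recipient message falls outside the window and is not counted, and `newsletter` stays quiet only because of its override. Counting per window rather than per message is the point: a bot that is capped at 5 recipients per message simply sends more messages, which a per-message limit never sees but this aggregation does. On a live server the same functions can be fed `tail -F /var/log/maillog` output by a cron job or a small daemon, with the alert delivered the way Ken's script does it.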
