On Mon, 5 May 2008, [EMAIL PROTECTED] wrote:

> Like many other institutions, we've got a problem with compromised
> accounts being used to send spam. I know that the new version of Horde
> / IMP will allow people to place limits on outbound mail... but there
> is some concern in our organization that those methods will create
> problems for some legitimate users.
>
> Anyhoo.. I was wondering if anyone has written tools to monitor their
> sendmail logs / webserver transfer logs for suspicious activity (or for
> noticing that their servers have been added to RBLs). Or if anyone is
> using tools that do these things, or would be interested in discussing the
> development of tools or strategies
I have a really simple script I run against the postfix logs on our
Webmail servers:

    #!/bin/sh
    # Print every postfix log line whose nrcpt= value is 100 or more.
    cat /var/log/hosts/webmail?/mail/* | perl -e '
        while (<STDIN>) {
            if (/ nrcpt=(\d+) /) {
                $cnt = $1;
                if ($cnt > 99) { print }
            }
        }'

All that does is find anyone sending to 100 or more recipients at a time.

Andy

--
IMP mailing list - Join the hunt: http://horde.org/bounties/#imp
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: [EMAIL PROTECTED]
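The same nrcpt check written out in Python, as an added example that is not from the thread above: it parses constructed postfix/qmgr "from=" lines (sample data, not real logs), reports single messages with 100 or more recipients exactly as the shell one-liner does, and additionally totals recipients per sender so an account that splits its spam into smaller messages still stands out. The log format, sender addresses and threshold value are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in postfix/qmgr "from=" format (not real log data).
SAMPLE_LOG = """\
May  5 10:12:33 webmail1 postfix/qmgr[1234]: 1A2B3C4D5E: from=<alice@example.edu>, size=2048, nrcpt=3 (queue active)
May  5 10:12:40 webmail1 postfix/qmgr[1234]: 2B3C4D5E6F: from=<bob@example.edu>, size=5120, nrcpt=150 (queue active)
May  5 10:13:02 webmail1 postfix/qmgr[1234]: 3C4D5E6F7A: from=<carol@example.edu>, size=1024, nrcpt=60 (queue active)
May  5 10:13:09 webmail1 postfix/qmgr[1234]: 4D5E6F7A8B: from=<carol@example.edu>, size=1100, nrcpt=55 (queue active)
May  5 10:14:10 webmail1 postfix/qmgr[1234]: 5E6F7A8B9C: from=<dave@example.edu>, size=900, nrcpt=1 (queue active)
"""

# Matches the qmgr line that carries queue id, envelope sender and recipient count.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+) "
)


def parse_qmgr_lines(text):
    """Yield (queue_id, sender, nrcpt) for each qmgr 'from=' line in the log text."""
    for line in text.splitlines():
        m = QMGR_RE.search(line)
        if m:
            yield m.group("qid"), m.group("sender"), int(m.group("nrcpt"))


def flag_large_messages(text, threshold=100):
    """Same rule as the one-liner: single messages sent to >= threshold recipients."""
    return [(qid, sender, n) for qid, sender, n in parse_qmgr_lines(text) if n >= threshold]


def flag_senders_by_volume(text, threshold=100):
    """Sum recipients per envelope sender, so many small sends also cross the line."""
    totals = defaultdict(int)
    for _, sender, n in parse_qmgr_lines(text):
        totals[sender] += n
    return {sender: n for sender, n in totals.items() if n >= threshold}


if __name__ == "__main__":
    for qid, sender, n in flag_large_messages(SAMPLE_LOG):
        print(f"large message {qid} from {sender}: nrcpt={n}")
    for sender, n in flag_senders_by_volume(SAMPLE_LOG).items():
        print(f"high-volume sender {sender}: {n} recipients total")
```

In practice the text would be read from the same log files the one-liner cats, and the per-sender totals are best computed over a short time window rather than a whole log.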