On Mon, 5 May 2008, [EMAIL PROTECTED] wrote:
> Like many other institutions, we've got a problem with compromised
> accounts being used to send spam. I know that the new version of Horde
> / IMP will allow people to place limits on outbound mail... but there
> is some concern in our organization that those methods will create
> problems for some legitimate users.
>
> Anyhoo.. I was wondering if anyone has written tools to monitor their
> sendmail logs / webserver transfer logs for suspicious activity (or for
> noticing that their servers have been added to RBLs). Or if anyone is
> using tools that do these things, or would be interested discussing the
> development of tools or strategies
I have a really simple script I run against the postfix logs on our
Webmail servers:
#!/bin/sh
# Print every Postfix log line whose nrcpt= field (envelope recipient count) is 100 or more.
cat /var/log/hosts/webmail?/mail/* | perl -e 'while (<STDIN>) { if (/ nrcpt=(\d+) /) { $cnt = $1; if ($cnt > 99) { print } } }'
All that does is find anyone sending to 100 or more recipients at a time.
Andy
--
IMP mailing list - Join the hunt: http://horde.org/bounties/#imp
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: [EMAIL PROTECTED]
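The one-liner above only fires when a single message carries 100 or more recipients; a compromised account that sends spam as many small messages never trips it. The following is an added example, not Andy's script and not part of Horde/IMP, that reproduces his per-message check in Python and goes one step further by joining Postfix's smtpd and qmgr records on the queue ID so recipients can be totalled per SASL account per clock hour. It assumes the standard Postfix smtpd/qmgr log format; the log lines, account names, queue IDs and thresholds below are constructed for the example.

```python
import re
from collections import defaultdict

# Postfix smtpd record: who authenticated for this queue ID.
SMTPD_RE = re.compile(
    r'^(?P<hour>\w{3}\s+\d+ \d\d):\d\d:\d\d \S+ postfix/smtpd\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): client=.*?sasl_username=(?P<user>[^,\s]+)')
# Postfix qmgr record: envelope sender and recipient count for this queue ID.
QMGR_RE = re.compile(
    r'^(?P<hour>\w{3}\s+\d+ \d\d):\d\d:\d\d \S+ postfix/qmgr\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)')

# Constructed sample log (not real traffic): alice sends one normal message, bob one
# 150-recipient blast, root one local message with no SASL login, and mallory five
# 45-recipient messages inside the same hour.
SAMPLE_LINES = [
    "May  5 10:01:02 webmail1 postfix/smtpd[1234]: 3A2B1C: client=host.example.com[192.0.2.10], sasl_method=LOGIN, sasl_username=alice",
    "May  5 10:01:02 webmail1 postfix/qmgr[1235]: 3A2B1C: from=<alice@example.edu>, size=1234, nrcpt=3 (queue active)",
    "May  5 10:05:10 webmail1 postfix/smtpd[1234]: 4C3D2E: client=pc.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=bob",
    "May  5 10:05:10 webmail1 postfix/qmgr[1235]: 4C3D2E: from=<bob@example.edu>, size=2048, nrcpt=150 (queue active)",
    "May  5 10:30:00 webmail1 postfix/qmgr[1235]: 5D4E3F: from=<root@webmail1.example.edu>, size=300, nrcpt=1 (queue active)",
]
for i in range(5):
    qid = f"7F6A0{i}"
    SAMPLE_LINES.append(f"May  5 11:{i:02d}:30 webmail1 postfix/smtpd[1240]: {qid}: "
                        f"client=dsl.example.org[203.0.113.9], sasl_method=LOGIN, sasl_username=mallory")
    SAMPLE_LINES.append(f"May  5 11:{i:02d}:30 webmail1 postfix/qmgr[1235]: {qid}: "
                        f"from=<mallory@example.edu>, size=900, nrcpt=45 (queue active)")


def parse_submissions(lines):
    """Join smtpd and qmgr records by queue ID.

    Returns one (hour, account, nrcpt) tuple per queued message, where hour is the
    syslog timestamp truncated to the hour (e.g. 'May  5 11').
    """
    auth_by_qid = {}
    submissions = []
    for line in lines:
        m = SMTPD_RE.match(line)
        if m:
            auth_by_qid[m['qid']] = m['user']
            continue
        m = QMGR_RE.match(line)
        if m:
            # No SASL login seen for this queue ID (e.g. local injection): fall back to
            # the envelope sender so the message is still attributed to something.
            account = auth_by_qid.pop(m['qid'], None) or m['sender'] or 'unauthenticated'
            submissions.append((m['hour'], account, int(m['nrcpt'])))
    return submissions


def large_messages(submissions, per_message=100):
    """The check from the post: any single message with per_message or more recipients."""
    return [s for s in submissions if s[2] >= per_message]


def busy_accounts(submissions, per_hour=200):
    """Accounts whose recipient total within one clock hour reaches per_hour.

    This is what catches an account sending spam as many small messages.
    Returns {(account, hour): total_recipients}.
    """
    totals = defaultdict(int)
    for hour, account, nrcpt in submissions:
        totals[(account, hour)] += nrcpt
    return {key: total for key, total in totals.items() if total >= per_hour}


if __name__ == "__main__":
    subs = parse_submissions(SAMPLE_LINES)
    for hour, account, nrcpt in large_messages(subs):
        print(f"large message: {account} sent to {nrcpt} recipients at {hour}")
    for (account, hour), total in busy_accounts(subs).items():
        print(f"busy account: {account} sent to {total} recipients during {hour}")
```

Run it against real logs with `parse_submissions(open('/var/log/maillog'))` after adjusting the path; the thresholds are starting points and should be tuned against a week of known-good traffic so that mailing-list owners and other legitimate bulk senders do not page the on-call engineer. Clock-hour buckets are deliberately crude: a sliding window would be more accurate but this keeps the script as simple as the original.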