(... sorry for top-posting ...)

Dear Jarland,

In the whole story, I feel that you are a NICE guy! NICE (= faithful + technical + reasonable). Thanks ^^^

Sincerely,
Linux fan Byung-Hee

Jarland Donnell via mailop <mailop@mailop.org> writes:

> It's a good topic, and one I'm fairly passionate about. Obviously at
> small scale it's super easy to tell when anything is off from normal,
> but as you grow it's more difficult to rely on eyes and ears. But that
> was kind of my dream: I want to be as present as though I'm one admin,
> logged into one machine, merely watching it function and asking "Why?"
> when something unusual happens (CPU spike, queue higher than it's been
> this year to date, a flood of connections from X IP, etc). I want to
> scale that, I want to scale me.
>
> So that's really what I do. I just scale me. If you were sitting in an
> SSH session tailing a log and just watching for anything that sets off
> a mental alarm, what would the things be that would trigger that
> mental alarm? I take the answer to that and have automated checks
> which then do one of two things:
>
> 1. Alert me for human review.
> 2. Perform the reaction that I would have performed if I were sitting
>    there watching at the time.
>
> It can be kind of a mess but right now I'm at over 14,000 clients
> (exponentially more if counting customers of my customers) and growing
> rapidly. Thus far I've been able to grow myself by way of coding
> checks and balances that operate like I think. That's pretty vague so
> I'll give an example.
>
> In rspamd I have this map configured:
>
>   COMPD_RCPT {
>     type = "rcpt";
>     header = "subject";
>     filter = "email";
>     map = "${LOCAL_CONFDIR}/local.d/compd_rcpt.map";
>     symbol = "COMPD_RCPT";
>     prefilter = true;
>     action = "reject";
>     regexp = true;
>   }
>
> Then I have this running on cron:
>
> https://paste.mxrouteapps.com/?6603394e7d823164#4r5qkNXATJTko55DWmwxjrrbTLCvJ9t5ry61cf5zfHE5
>
> Every morning I get up and I check /root/ALERT_RCPT.log and then open
> a ticket with the customer. This is where the next automation will be
> as the scale continues to grow, automatically targeting the user and
> opening a ticket with them.
>
> Now what that map does, it lists the recipient emails used by specific
> spammers who send "test" emails to verify SMTP credentials before they
> start a campaign. Most of them use the same recipient email every
> time, so all I have to do is look for it and know "That user's
> password is compromised."
>
> For even more fun, I have a basic HTML page hidden behind
> authentication which lists two columns. On one side, the top 15
> senders of this hour. On the other side, the top 15 senders of the
> last hour. Forcing yourself to be familiar with the top users of your
> platform by observing how much of your infrastructure they are
> utilizing creates a mental place where you can immediately recognize
> when something is off. Toss it on a monitor, have the entire abuse
> team just stare at it every time they glance away from their
> work. While you might think that would outgrow its usefulness with
> scale, I've worked at large enough scale that I simply don't think it
> to be so. The top resource users on your platform will change over
> time, but the vast majority will always be too low utilization to be
> noteworthy.
>
> Even still, if it were to be outgrown, a good database system could
> keep track of senders enough to say "This person who only sent 1 email
> a day for the last year just sent 600, might be worth checking the
> logs to see if they're alright."
>
> And that's really where it all comes back to: What do I want to know?
> What would concern me to see? What would I do if I saw it? Then, quite
> simply, turn that logic into code and make it work for you.
>
> Hope that wasn't too vague to be useful!
>
> Jarland

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
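The three checks described in the quoted message above (the COMPD_RCPT "test recipient" match that marks a customer's SMTP password as compromised, the per-hour top-sender column, and the "sent 1 a day all year, just sent 600" volume comparison) as one added Python example. This is not Jarland's cron script (that is behind the paste link in the thread) and not MXroute or rspamd code; the log line format, the addresses, the recipient regexes and the baseline figures are all constructed for illustration, and the volume check adds a minimum-count floor, an assumption of this example rather than something the message states.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed for this example: "test" recipient addresses that
# credential-checking spammers send to before a campaign, written as
# regexes the way rspamd's multimap with regexp = true would hold them.
COMPD_RCPT_PATTERNS = [
    r"^smtptest\d*@example\.net$",
    r"^verify-[a-z0-9]+@example\.org$",
]

# Constructed, simplified log format (not rspamd's or Postfix's real output):
#   YYYY-MM-DD HH:MM:SS user=<authenticated sender> to=<recipient>
SAMPLE_LOG = """\
2024-05-01 08:02:11 user=alice@example.com to=bob@example.com
2024-05-01 08:03:40 user=carol@example.com to=smtptest1@example.net
2024-05-01 08:04:02 user=carol@example.com to=victim1@example.com
2024-05-01 08:04:03 user=carol@example.com to=victim2@example.com
2024-05-01 08:10:55 user=dave@example.com to=dave-friend@example.com
2024-05-01 09:01:00 user=alice@example.com to=Verify-9F2A@example.org
this line is garbage and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} (?P<hour>\d{2}):\d{2}:\d{2} "
    r"user=(?P<user>\S+) to=(?P<rcpt>\S+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse log lines into dicts with hour/user/rcpt; unparseable lines are dropped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def find_compromised(entries: List[Dict[str, str]],
                     patterns: List[str]) -> List[Tuple[str, str]]:
    """Return (authenticated user, recipient) pairs whose recipient matches a
    COMPD_RCPT pattern. Each hit means 'that user's password is compromised',
    the same signal the rspamd map in the thread reacts to. Case-insensitive,
    since the local part of a spammer's test address may be typed either way."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [(e["user"], e["rcpt"]) for e in entries
            if any(c.match(e["rcpt"]) for c in compiled)]


def top_senders(entries: List[Dict[str, str]], hour: str,
                n: int = 15) -> List[Tuple[str, int]]:
    """One column of the 'top 15 senders this hour' page: (user, count), descending."""
    return Counter(e["user"] for e in entries if e["hour"] == hour).most_common(n)


def volume_alerts(entries: List[Dict[str, str]], baseline: Dict[str, float],
                  factor: float = 10.0, floor: int = 3) -> Dict[str, int]:
    """Flag users whose count in `entries` exceeds `factor` times their
    historical per-day baseline. `floor` (an assumption of this example) stops
    a 0 -> 1 change from alerting, the noisiest failure mode of a pure ratio."""
    counts = Counter(e["user"] for e in entries)
    return {user: n for user, n in counts.items()
            if n >= floor and n > factor * baseline.get(user, 0.0)}


def alert_report(entries, patterns, baseline) -> List[str]:
    """Lines that would go to a file like /root/ALERT_RCPT.log for human review."""
    lines = [f"COMPD_RCPT user={u} rcpt={r}" for u, r in find_compromised(entries, patterns)]
    lines += [f"VOLUME user={u} count={n}" for u, n in volume_alerts(entries, baseline).items()]
    return lines


if __name__ == "__main__":
    # Constructed baseline: average messages per day over the past year.
    BASELINE = {"alice@example.com": 1.0, "carol@example.com": 0.1, "dave@example.com": 2.0}
    entries = parse_log(SAMPLE_LOG)
    for line in alert_report(entries, COMPD_RCPT_PATTERNS, BASELINE):
        print(line)
    print("top senders 08h:", top_senders(entries, "08"))
```

On the sample input, carol is flagged twice: once by the test-recipient match (the high-confidence signal) and once because three messages in an hour is far above her baseline, which is the kind of corroboration that makes the human-review ticket easy to justify. The malformed line is dropped rather than raising, because a cron job that dies on one odd log line silently stops watching.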