(... sorry for top-posting ...)

Dear Jarland,

In the whole story, I feel that you are a NICE guy!
NICE(= faithful + technical + reasonable)

Thanks ^^^

Sincerely, Linux fan Byung-Hee

Jarland Donnell via mailop <mailop@mailop.org> writes:

> It's a good topic, and one I'm fairly passionate about. Obviously at
> small scale it's super easy to tell when anything is off from normal, 
> but as you grow it's more difficult to rely on eyes and ears. But that
> was kind of my dream: I want to be as present as though I'm one admin, 
> logged into one machine, merely watching it function and asking "Why?"
> when something unusual happens (CPU spike, queue higher than it's been 
> this year to date, a flood of connections from X IP, etc). I want to
> scale that, I want to scale me.
>
> So that's really what I do. I just scale me. If you were sitting in an
> SSH session tailing a log and just watching for anything that sets off
> a mental alarm, what would the things be that would trigger that
> mental alarm? I take the answer to that and have automated checks
> which then do one of two things:
>
> 1. Alert me for human review.
> 2. Perform the reaction that I would have performed if I were sitting
> there watching at the time.
>
> It can be kind of a mess but right now I'm at over 14,000 clients
> (exponentially more if counting customers of my customers) and growing 
> rapidly. Thus far I've been able to grow myself by way of coding
> checks and balances that operate like I think. That's pretty vague so
> I'll give an example.
>
> In rspamd I have this map configured:
>
> COMPD_RCPT {
>   type = "rcpt";                 # match against envelope recipients
>   header = "subject";            # only consulted by type = "header"; harmless here
>   filter = "email";              # compare the bare e-mail address
>   map = "${LOCAL_CONFDIR}/local.d/compd_rcpt.map";
>   symbol = "COMPD_RCPT";
>   prefilter = true;              # evaluated before the normal rule set
>   action = "reject";             # a prefilter hit rejects the message outright
>   regexp = true;                 # map entries are regular expressions
> }
>
> Then I have this running on cron:
>
> https://paste.mxrouteapps.com/?6603394e7d823164#4r5qkNXATJTko55DWmwxjrrbTLCvJ9t5ry61cf5zfHE5
>
> Every morning I get up and I check /root/ALERT_RCPT.log and then open
> a ticket with the customer. This is where the next automation will be
> as the scale continues to grow, automatically targeting the user and 
> opening a ticket with them.
>
> Now what that map does is list the recipient emails used by specific
> spammers who send "test" emails to verify SMTP credentials before they
> start a campaign. Most of them use the same recipient email every
> time, so all I have to do is look for it and know "That user's
> password is compromised."
>
> For even more fun, I have a basic HTML page hidden behind
> authentication which lists two columns. On one side, the top 15
> senders of this hour. On the other side, the top 15 senders of the
> last hour. Forcing yourself to be familiar with the top users of your
> platform by observing how much of your infrastructure they are
> utilizing creates a mental place where you can immediately recognize
> when something is off. Toss it on a monitor, have the entire abuse
> team just stare at it every time they glance away from their
> work. While you might think that would outgrow its usefulness with
> scale, I've worked at large enough scale that I simply don't think it
> to be so. The top resource users on your platform will change over
> time, but the vast majority will always be too low utilization to be
> noteworthy.
>
> Even still, if it were to be outgrown, a good database system could
> keep track of senders enough to say "This person who only sent 1 email
> a day for the last year just sent 600, might be worth checking the
> logs to see if they're alright."
>
> And that's really where it all comes back to: What do I want to know?
> What would concern me to see? What would I do if I saw it? Then, quite 
> simply, turn that logic into code and make it work for you.
>
> Hope that wasn't too vague to be useful!
>
> Jarland

-- 
^Thank you _spread virtue throughout the world_ Thank you_^))//
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
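The three checks Jarland describes (a canary-recipient hit meaning "that user's password is compromised", the top-senders-this-hour-versus-last-hour board, and "1 a day for a year, then 600 in an hour") are easy to express in code. The block below is an added example written for this page; it is not Jarland's cron script (which is behind the paste link above) and does not use rspamd's map. It runs the same logic over a few constructed, simplified Postfix-style log lines and constructed per-user counters, joining the `sasl_username` line to the recipient line by queue ID so that only authenticated submissions count. The canary addresses, user names, and thresholds are placeholders chosen for the example.

```python
import re
from collections import Counter

# Placeholder canary recipients (constructed for this example). These stand in
# for the reused "test" addresses a credential-checking spammer sends to; a real
# deployment would load them from a map such as Jarland's compd_rcpt.map.
CANARY_RCPT_PATTERNS = [
    re.compile(r"^smtptest\d*@example\.invalid$", re.I),
    re.compile(r"^verify-[0-9a-f]{6}@example\.invalid$", re.I),
]

# Postfix logs the SASL user on the smtpd "client=" line and the recipient on a
# later line (delivery or milter-reject), both keyed by the queue ID.
SASL_RE = re.compile(r": (?P<qid>[0-9A-F]+): client=.*?sasl_username=(?P<user>\S+)")
RCPT_RE = re.compile(r": (?P<qid>[0-9A-F]+): .*?\bto=<(?P<rcpt>[^>]+)>")

# Constructed, simplified log sample: one compromised account probing a canary
# (rejected by the milter), one normal authenticated send, and one unauthenticated
# inbound message to a canary address, which must NOT count as a compromise.
CONSTRUCTED_LOG = """\
Jun  3 08:12:01 mx1 postfix/submission/smtpd[1201]: 5A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Jun  3 08:12:02 mx1 postfix/cleanup[1202]: 5A1B2C3D4E: milter-reject: END-OF-MESSAGE from unknown[203.0.113.5]: 5.7.1 Spam message rejected; from=<alice@example.com> to=<smtptest1@example.invalid> proto=ESMTP helo=<[203.0.113.5]>
Jun  3 08:13:10 mx1 postfix/submission/smtpd[1203]: 6B2C3D4E5F: client=host.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.com
Jun  3 08:13:11 mx1 postfix/smtp[1204]: 6B2C3D4E5F: to=<colleague@example.org>, relay=mx.example.org[192.0.2.9]:25, delay=0.4, status=sent (250 OK)
Jun  3 08:14:00 mx1 postfix/smtpd[1205]: 7C3D4E5F6A: client=mail.example.org[192.0.2.9]
Jun  3 08:14:01 mx1 postfix/lmtp[1206]: 7C3D4E5F6A: to=<smtptest1@example.invalid>, relay=dovecot, status=sent (250 OK)
""".splitlines()


def canary_hits(log_lines):
    """Return [(sasl_user, canary_rcpt, qid)] for authenticated sends to a canary."""
    user_by_qid = {}
    hits = []
    for line in log_lines:
        m = SASL_RE.search(line)
        if m:
            user_by_qid[m["qid"]] = m["user"]
            continue
        m = RCPT_RE.search(line)
        if not m:
            continue
        user = user_by_qid.get(m["qid"])
        if user is None:
            continue  # no SASL login for this queue ID: inbound mail, not a probe
        if any(p.match(m["rcpt"]) for p in CANARY_RCPT_PATTERNS):
            hits.append((user, m["rcpt"], m["qid"]))
    return hits


def top_senders(counts, n=15):
    """Top-N (user, count) for one window; ties broken by name for stable output."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def new_entrants(this_hour, last_hour, n=15):
    """Users in this hour's top-N who were not in last hour's: what the two-column
    board makes an abuse analyst notice at a glance."""
    previous = {user for user, _ in top_senders(last_hour, n)}
    return [(u, c) for u, c in top_senders(this_hour, n) if u not in previous]


def volume_anomalies(hour_counts, daily_baseline, min_abs=50, ratio=10.0):
    """Flag users whose one-hour count exceeds both an absolute floor and
    ratio x their historical average per-day volume. Users with no history get a
    baseline of 0, so only the absolute floor protects them from false alarms."""
    flagged = []
    for user, n in hour_counts.items():
        base = daily_baseline.get(user, 0.0)
        if n >= min_abs and n > ratio * base:
            flagged.append((user, n, base))
    return sorted(flagged, key=lambda t: -t[1])


# Constructed counters: a bulk sender that is always on top, and "alice" who
# averages one message a day and suddenly sends 600 in an hour.
LAST_HOUR = Counter({"newsletter@example.com": 900, "crm@example.com": 400, "bob@example.com": 12})
THIS_HOUR = Counter({"newsletter@example.com": 880, "crm@example.com": 410,
                     "alice@example.com": 600, "bob@example.com": 9})
DAILY_BASELINE = {"newsletter@example.com": 20000.0, "crm@example.com": 9000.0,
                  "alice@example.com": 1.0, "bob@example.com": 40.0}


def alert_lines():
    """Render the findings as lines suitable for an ALERT log reviewed each morning."""
    out = [f"CANARY user={u} rcpt={r} qid={q}" for u, r, q in canary_hits(CONSTRUCTED_LOG)]
    out += [f"NEW-TOP user={u} count={c}" for u, c in new_entrants(THIS_HOUR, LAST_HOUR)]
    out += [f"VOLUME user={u} hour={n} baseline/day={b}" for u, n, b in volume_anomalies(THIS_HOUR, DAILY_BASELINE)]
    return out


if __name__ == "__main__":
    for line in alert_lines():
        print(line)
```

The join on queue ID is the important detail: matching the recipient alone would also flag ordinary inbound mail addressed to a canary (the third message in the sample), which says nothing about your own users' credentials. The volume check keeps an absolute floor so that a brand-new account with no history does not trip on its first handful of messages, while a long-quiet account that suddenly sends hundreds does.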
