That's super interesting (sorry for my late response here).
One thing that comes to mind reading the way you process the emails, is the
amount of false-positive you might get by implementing scripts that way.
I've been trying to do the same on our end, trying to automate the search
of abuses and notifying me of any suspicious activity, and there are
unfortunately many false positives that pop up, requiring more work to be
implemented.
I feel like it's a whack-a-mole game, but I definitely share the idea that
the human brain has the capacity of filtering out specific data that a
script can hardly produce by default.
When we have an issue arising, I tend to open the logs and just look at
them, and often, a pattern emerges.
Thank you for sharing your structure and your scripts, I really appreciate
it!
Good luck on fighting abusers.
Best,
Cyril
Le dim. 24 avr. 2022 à 02:36, Byung-Hee HWANG via mailop <mailop@mailop.org>
a écrit :
> (... sorry for top-posting ...)
>
> Dear Jarland,
>
> In the whole story, i feel that you are NICE guy!
> NICE(= faithful + technical + reasonable)
>
> Thanks ^^^
>
> Sincerely, Linux fan Byung-Hee
>
> Jarland Donnell via mailop <mailop@mailop.org> writes:
>
> > It's a good topic, and one I'm fairly passionate about. Obviously at
> > small scale it's super easy to tell when anything is off from normal,
> > but as you grow it's more difficult to rely on eyes and ears. But that
> > was kind of my dream: I want to be as present as though I'm one admin,
> > logged into one machine, merely watching it function and asking "Why?"
> > when something unusual happens (CPU spike, queue higher than it's been
> > this year to date, a flood of connections from X IP, etc). I want to
> > scale that, I want to scale me.
> >
> > So that's really what I do. I just scale me. If you were sitting in an
> > SSH session tailing a log and just watching for anything that sets off
> > a mental alarm, what would the things be that would trigger that
> > mental alarm? I take the answer to that and have automated checks
> > which then do one of two things:
> >
> > 1. Alert me for human review.
> > 2. Perform the reaction that I would have performed if I were sitting
> > there watching at the time.
> >
> > It can be kind of a mess but right now I'm at over 14,000 clients
> > (exponentially more if counting customers of my customers) and growing
> > rapidly. Thus far I've been able to grow myself by way of coding
> > checks and balances that operate like I think. That's pretty vague so
> > I'll give an example.
> >
> > In rspamd I have this map configured:
> >
> > COMPD_RCPT {
> > type = "rcpt";
> > header = "subject";
> > filter = "email";
> > map = "${LOCAL_CONFDIR}/local.d/compd_rcpt.map";
> > symbol = "COMPD_RCPT";
> > prefilter = true;
> > action = "reject";
> > regexp = true;
> > }
> >
> > Then I have this running on cron:
> >
> >
> https://paste.mxrouteapps.com/?6603394e7d823164#4r5qkNXATJTko55DWmwxjrrbTLCvJ9t5ry61cf5zfHE5
> >
> > Every morning I get up and I check /root/ALERT_RCPT.log and then open
> > a ticket with the customer. This is where the next automation will be
> > as the scale continues to grow, automatically targeting the user and
> > opening a ticket with them.
> >
> > Now what that map does, it lists the recipient emails used by specific
> > spammers who send "test" emails to verify SMTP credentials before they
> > start a campaign. Most of them use the same recipient email every
> > time, so all I have to do is look for it and know "That user's
> > password is compromised."
> >
> > For even more fun, I have a basic HTML page hidden behind
> > authentication which lists two columns. On one side, the top 15
> > senders of this hour. On the other side, the top 15 senders of the
> > last hour. Forcing yourself to be familiar with the top users of your
> > platform by observing how much of your infrastructure they are
> > utilizing creates a mental place where you can immediately recognize
> > when something is off. Toss it on a monitor, have the entire abuse
> > team just stare at it every time they glance away from their
> > work. While you might think that would outgrow it's usefulness with
> > scale, I've worked at large enough scale that I simply don't think it
> > to be so. The top resource users on your platform will change over
> > time, but the vast majority will always be too low utilization to be
> > noteworthy.
> >
> > Even still, if it were to be outgrown, a good database system could
> > keep track of senders enough to say "This person who only sent 1 email
> > a day for the last year just sent 600, might be worth checking the
> > logs to see if they're alright."
> >
> > And that's really where it all comes back to: What do I want to know?
> > What would concern me to see? What would I do if I saw it? Then, quite
> > simply, turn that logic into code and make it work for you.
> >
> > Hope that wasn't too vague to be useful!
> >
> > Jarland
>
> --
> ^고맙습니다 _布德天下_ 감사합니다_^))//
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
