Sure -- happy to share... it's pretty brute force, but I don't have a lot of time for "clean" development!

Remember: I reset the name of my mtrack command to qmtrack... (Bolding the non-commented lines is just my way of making them stand out)

   #! /bin/bash
   # $0 (or check-failures.sh) - should run every 15 minutes from a
   # cron job... so ensure there is no output!
   # NOTE: If run with no arguments (e.g. from cron), the report is run
   # for TODAY
   #  if 1 argument, the report is run for the STARTING VALUE entered
   #   $0 11 would run the report for all of November
   #   $0 11-11 would run the report solely for November 11 (no matter
   #   what day today is)
   #  if 2 arguments, the report is run for the MONTH and DAY provided
   #   $0 11 11 would run the report for November 11 (no matter what
   #   day today is)
   #
   # Delete old log files
   rm -f /tmp/send*
   #
   # Process Args
   if [ $# -eq 0 ] ; then
     TODAY=$(/bin/date +"%m-%d")
   elif [ $# -eq 1 ] ; then
     TODAY="$1"
   elif [ $# -eq 2 ] ; then
     TODAY="$1-$2"
   else
     echo "Usage: $0 [month] | [month] [day]" 1>&2
     exit 1
   fi
   #
   # Create "nice" logs for the period requested (qmlog reads ALL the
   # available qmail-send logs, not just "current"; every line starts
   # with the mm-dd date we grep for)
   /usr/sbin/qmlog send | grep "^${TODAY}" > "/tmp/send-${TODAY}"
   # Look for failures
   /it4soho/sbin/qmtrack -p fail "/tmp/send-${TODAY}" > "/tmp/send-${TODAY}-fail"
   # Count failures
   FAILURES=$(grep -c 'failure:' "/tmp/send-${TODAY}-fail")
   # If too many, send an email
   if [ "$FAILURES" -gt 100 ] ; then
     mail -s "TOO MANY MAIL SYSTEM FAILURES" u...@domain.com <<EOL
   There have been $FAILURES failed message attempts so far today.
   Please check the server ASAP to prevent blacklistings
   EOL
   fi
   # Done.

I hope you find it useful...

Dan McAllister
IT4SOHO
QMT DNS/Mirror Admin


On 11/4/2013 9:00 PM, LHTek wrote:
Dan,

I'm curious in this script you run every 15 minutes...

Is that something you can share?

Thanks,
Denny




    ------------------------------------------------------------------------
    *From:* Dan McAllister <q...@it4soho.com>
    *To:* qmailtoaster-list@qmailtoaster.com
    *Sent:* Monday, November 4, 2013 5:27 PM
    *Subject:* Re: [qmailtoaster] plague caused by virus

    On 11/4/2013 3:27 PM, Nicholas Chua wrote:
    Hi,

    I am receiving an average of 13 new viruses each day. Due to these
    viruses, email account passwords are stolen, causing massive
    spam from the server. Valuable time is wasted delisting our IP
    and maintaining a private virus database, in which to
    date 100+ viruses are still not detected by clamav.

    This server is housing about 600 users. We were not experiencing
    this issue until 4 months ago. Would anyone out there like to
    share your experience fighting viruses?

    Thanks
    nic

    Nic:

    You'll need to look to your qmail-send logs to see the users who
    are sending messages that are failing. For virus infected systems,
    you'll see the messages going out to 20 or so addresses at a time,
    most of which will be invalid.

    Once you identify a hacked user, change their password & decline
    to give them the new password until they can demonstrate that
    they've run a full virus scan on their system.

    It is because of issues like this that I keep a 15-minute timer on
    my larger mail systems... every 15 minutes, I count how many
    failed messages there have been so far today. When the value
    reaches 100, I look into it and usually find ONE USER who is
    responsible for the vast majority of them, and I immediately
    suspend that user as described above (I just change the password).

    The problems with your idea of resting on clamav for virus
    protection include:
     1) you're assuming clamav is scanning messages from your users --
    which in a stock QMT, it is not. It only scans messages coming in
    on port 25 received without authentication (e.g. inbound mail, not
    outbound mail);
     2) you're assuming virus infections are spreading as attachments
    -- usually they are nothing but links... which usually get opened
    and infect clients because stupid, lazy users keep their mail
    clients set to having a preview pane and to showing html content
    always... thus, they swear they didn't OPEN the infecting message
    -- but their preview pane sure did!
     3) you're assuming you're being blacklisted because of SPAM or
    virus contents -- usually you hit the blacklists because you send
    SPAM to "honeypot" addresses, or you keep hitting sites over and
    over again with invalid addresses (considered fishing).

    So, if this started a few days ago, start by extracting the log
    files, one day at a time, for the past week.
     1) use qmlog to scan ALL available logs (not just the "current" file)
     2) pipe the output of qmlog into grep and sort out all entries
    for the given day (e.g. | grep "^10-31")
     3) put the results into a /tmp file (I would use /
     4) use the [q]mtrack program I mentioned just earlier today to
    examine JUST THAT FILE, and look for messages that have multiple
    recipients.

    I hope this points you in the right direction...

    Dan
    IT4SOHO
    QMT DNS/Mirror Admin

--
    PLEASE TAKE NOTE OF OUR NEW ADDRESS
    ===================================
    IT4SOHO, LLC
    33 - 4th Street N, Suite 211
    St. Petersburg, FL 33701-3806

    CALL TOLL FREE:
       877-IT4SOHO

    877-484-7646 Phone
    727-647-7646 Local
    727-490-4394 Fax

    We have support plans for QMail!





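The analysis Dan describes in the quoted reply (extract one day of qmail-send log, then find the one user behind most of the failures and the messages fanned out to many recipients) can be done with awk alone, without qmtrack. The following is an added example, not Dan's script or any QMT tool. It assumes, as Dan's own script does, that qmlog output lines begin with an "mm-dd" stamp and otherwise carry the standard qmail-send messages ("info msg N: bytes ... from <sender> ...", "starting delivery D: msg N to remote rcpt", "delivery D: failure: ..."). The sample log is constructed; the sender names are made up.

```shell
#!/bin/bash
# Added example (not from the original post or from QMT): attribute
# qmail-send delivery failures to the envelope sender so the one hijacked
# account stands out, and count the day's failures the way the 15-minute
# cron check does. Log format assumed: "mm-dd hh:mm:ss <qmail-send line>".

# total_failures LOGFILE [DAY]  -> number of "failure:" deliveries
#   DAY is an "mm-dd" (or just "mm") prefix; empty means all lines.
total_failures() {
    local log="$1" day="${2:-}"
    awk -v day="$day" '
        substr($1, 1, length(day)) == day && $5 == "failure:" { n++ }
        END { print n + 0 }
    ' "$log"
}

# failures_by_sender LOGFILE [DAY]
#   Prints "<failures> <recipients> <sender>", most failures first.
#   qmail-send logs the sender once per message and the recipient once
#   per delivery, so delivery ids are joined back to their message id.
failures_by_sender() {
    local log="$1" day="${2:-}"
    awk -v day="$day" '
        substr($1, 1, length(day)) != day { next }

        # 11-04 09:15:01 info msg 100: bytes 2048 from <mallory@example.com> qp 4242 uid 89
        $3 == "info" && $4 == "msg" {
            id = $5; sub(/:$/, "", id)
            from = $9; gsub(/[<>]/, "", from)
            sender[id] = from
            next
        }
        # 11-04 09:15:01 starting delivery 77: msg 100 to remote one@invalid.example
        $3 == "starting" && $4 == "delivery" {
            d = $5; sub(/:$/, "", d)
            msg[d] = $7
            rcpts[sender[$7]]++
            next
        }
        # 11-04 09:15:02 delivery 77: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
        $3 == "delivery" && $5 == "failure:" {
            d = $4; sub(/:$/, "", d)
            fails[sender[msg[d]]]++
        }
        END {
            for (s in rcpts) printf "%d %d %s\n", fails[s] + 0, rcpts[s], s
        }
    ' "$log" | sort -k1,1nr -k2,2nr
}

# top_failing_sender LOGFILE [DAY] -> the sender with the most failures
#   (empty if nothing failed); this is the account to lock first.
top_failing_sender() {
    failures_by_sender "$1" "${2:-}" | awk 'NR == 1 && $1 > 0 { print $3 }'
}

# sample_log -> path of a constructed two-day log (hypothetical users).
sample_log() {
    local f
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
11-03 23:58:10 info msg 99: bytes 900 from <alice@example.com> qp 4001 uid 89
11-03 23:58:10 starting delivery 50: msg 99 to remote nobody@invalid.example
11-03 23:58:11 delivery 50: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
11-03 23:58:11 end msg 99
11-04 09:15:01 new msg 100
11-04 09:15:01 info msg 100: bytes 2048 from <mallory@example.com> qp 4242 uid 89
11-04 09:15:01 starting delivery 77: msg 100 to remote one@invalid.example
11-04 09:15:01 starting delivery 78: msg 100 to remote two@invalid.example
11-04 09:15:01 starting delivery 79: msg 100 to remote three@invalid.example
11-04 09:15:01 starting delivery 80: msg 100 to remote real@example.net
11-04 09:15:02 delivery 77: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
11-04 09:15:02 delivery 78: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
11-04 09:15:02 delivery 79: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
11-04 09:15:03 delivery 80: success: 192.0.2.10_accepted_message./Remote_host_said:_250_ok/
11-04 09:15:03 end msg 100
11-04 09:20:00 info msg 101: bytes 512 from <alice@example.com> qp 4300 uid 89
11-04 09:20:00 starting delivery 81: msg 101 to remote friend@example.net
11-04 09:20:01 delivery 81: success: 192.0.2.10_accepted_message./Remote_host_said:_250_ok/
11-04 09:20:01 end msg 101
11-04 09:30:00 info msg 102: bytes 700 from <bob@example.com> qp 4350 uid 89
11-04 09:30:00 starting delivery 82: msg 102 to remote typo@invalid.example
11-04 09:30:01 delivery 82: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
11-04 09:30:01 end msg 102
EOF
    printf '%s\n' "$f"
}

# Usage on a real box: /usr/sbin/qmlog send > /tmp/send.log;
#   ./this.sh /tmp/send.log 11-04
if [ $# -gt 0 ]; then
    failures_by_sender "$1" "${2:-}"
fi
```

On the constructed log, `failures_by_sender FILE 11-04` prints mallory first with 3 failures across 4 recipients, which is the pattern Dan points at: one sender, a fan-out of mostly invalid addresses. Run it over the whole qmlog output (no day argument) when the spike started before today. Note that qmail-send reuses message ids after "end msg", so a run spanning many days can attribute a few deliveries to the wrong sender; per-day runs, as Dan suggests, avoid that.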
