On 3/27/2013 7:21 AM, (NSD) Thomas Petersen wrote:

Anyone ?

*Fra:*blueonyx-boun...@mail.blueonyx.it [mailto:blueonyx-boun...@mail.blueonyx.it] *På vegne af *Marcello Torchio
*Sendt:* 23. marts 2013 07:09
*Til:* BlueOnyx General Mailing List
*Emne:* [BlueOnyx:12606] Maximum number of RCPTs for Vhost

Good morning sirs (+1 GMT),

i've a few question about sendmail settings.

Recently i have been subject of a spam attack. A mailbox password was stolen and a bot sends spam through my BO 5108R server.

Honestly I have not noticed the issue until the server has not been put in some blacklists.

First question, is it possible to have a monitor tool to understand if there is a spamming activity on the mail server?

For example a threshold number of RCPTs in outgoing messages that can alert the administrator when exceeded, or the content of messages or i don't know... One of the wrong setting was that the outgoing mail were not analyzed by AvSPAM, but only the incoming mail.

I've reduced the maximum number oc RCPTs to 5. But one of our customer need to write up to 40 RCPTs.

Second question: Is it possible to setup Vhost dedicated maximum number of RCPTS?

Have someone of you tips&tricks to monitor and prevent this spam mailing and blacklisting?

Thanks

Marcello Torchio



_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
Marcelo


Here is a perl script that you could run that will tell you is the mailq is large

#!/usr/bin/perl
##################################################################
# This script will check the mailq and email if it is over 200
#################################################################
use MIME::Lite;


$mailq = `ls /var/spool/mqueue | grep df -c`;
chomp ($mailq);

$serverdomain = "someserver.com";

$alertsto = "123456789\@txt.att.net t";

if ($mailq > 200) {
  print "mailq count is $mailq";
  #email me
$emailbody = "The mailq count is $mailq on the $serverdomain server. <BR> Check for spamming issues.<BR>";
$emailbody .= "The mailq command on the server is: mailq <BR>
Generally the method I use to find the culprit is:<BR>
-Type mailq and note one of the mail id numbers, eg. oBLJkG8L005990    <BR>
That id will correspond to 2 files in the /var/lpool/mqueue/ <BR>
e.g.  dfoBLJkG8L005990  and qfoBLJkG8L005990 <BR> <BR>

- Then to see if it is spam, look at the content of that file by typing <BR>
cat /var/spool/mqueue/*oBLJkG8L005990<BR>
or<BR>
cat /var/spool/mqueue/*oBLJkG8L005990 | more <BR><BR>

- Then you can cat the maillog and grep for the IP address or email address. <BR> That should show you the authid that they are using so send with; e.g. elisa <BR><BR>

- To see which site elisa belings to you can  type cd ~elisa <BR>
Then ls -al  and note the site number. <BR>
Then ls -la /home/sites/ | grep site[thesitenumberhere] <BR> <BR>
Then change the pass for that user. <BR>
Then delete the outgoing spam files <BR> <BR>

Or, if the sender of the spam is apache, then a php script is sending the spam. <BR> In that case, check the maillog for the send times. Then crosscheck the times with the the command<BR>
cat  /var/log/httpd/access_log | grep php  | grep [thetime]<BR>
e.g.  cat  /var/log/httpd/access_log | grep php  | grep 12:40<BR>
Then move the compromised script. <BR>


";

my $msg = MIME::Lite->new
(
Subject => "Large mailq for $serverdomain",
From    => "$alertsto",
To      => $alertsto,
Cc      => "$alertsto",
Type    => 'text/html',
Data    => "$emailbody"
);

$msg->send();


}










Ken Marcus

_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx

Reply via email to