On 3/27/2013 7:21 AM, (NSD) Thomas Petersen wrote:
Anyone?
*From:* blueonyx-boun...@mail.blueonyx.it
[mailto:blueonyx-boun...@mail.blueonyx.it] *On behalf of* Marcello Torchio
*Sent:* 23 March 2013 07:09
*To:* BlueOnyx General Mailing List
*Subject:* [BlueOnyx:12606] Maximum number of RCPTs for Vhost
Good morning sirs (+1 GMT),
I have a few questions about sendmail settings.
Recently I have been the subject of a spam attack. A mailbox password was
stolen and a bot sent spam through my BO 5108R server.
Honestly, I did not notice the issue until the server had been
put on some blacklists.
First question: is it possible to have a monitoring tool to understand if
there is spamming activity on the mail server?
For example a threshold number of RCPTs in outgoing messages that can
alert the administrator when exceeded, or the content of messages, or I
don't know...
One of the wrong settings was that outgoing mail was not analyzed
by AvSPAM, only incoming mail.
I've reduced the maximum number of RCPTs to 5. But one of our customers
needs to write to up to 40 RCPTs.
Second question: is it possible to set up a Vhost-dedicated maximum
number of RCPTs?
Does any of you have tips & tricks to monitor and prevent this spam
mailing and blacklisting?
Thanks
Marcello Torchio
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
Marcello,
Here is a Perl script that you could run that will tell you if the mailq
is large.
#!/usr/bin/perl
##################################################################
# This script will check the mailq and email if it is over 200
#################################################################
use strict;
use warnings;
use MIME::Lite;

my $threshold    = 200;                       # alert when more messages than this are queued
my $serverdomain = "someserver.com";
my $alertsto     = "123456789\@txt.att.net";  # SMS gateway address of the admin

# Every queued message has a data file (df<queueid>) in the sendmail queue
# directory, so counting them gives the current queue length.
my @datafiles = glob('/var/spool/mqueue/df*');
my $mailq     = scalar @datafiles;

if ($mailq > $threshold) {
    print "mailq count is $mailq\n";
    # email me
    my $emailbody = "The mailq count is $mailq on the $serverdomain server.
<BR> Check for spamming issues.<BR>";
    $emailbody .= "The mailq command on the server is: mailq <BR>
Generally the method I use to find the culprit is:<BR>
- Type mailq and note one of the mail id numbers, e.g. oBLJkG8L005990 <BR>
That id will correspond to 2 files in /var/spool/mqueue/ <BR>
e.g. dfoBLJkG8L005990 and qfoBLJkG8L005990 <BR> <BR>
- Then to see if it is spam, look at the content of those files by typing <BR>
cat /var/spool/mqueue/*oBLJkG8L005990<BR>
or<BR>
cat /var/spool/mqueue/*oBLJkG8L005990 | more <BR><BR>
- Then you can cat the maillog and grep for the IP address or email address. <BR>
That should show you the authid that they are using to send with; e.g. elisa <BR><BR>
- To see which site elisa belongs to you can type cd ~elisa <BR>
Then ls -al and note the site number. <BR>
Then ls -la /home/sites/ | grep site[thesitenumberhere] <BR> <BR>
Then change the pass for that user. <BR>
Then delete the outgoing spam files <BR> <BR>
Or, if the sender of the spam is apache, then a php script is sending the spam. <BR>
In that case, check the maillog for the send times. Then crosscheck the
times with the command<BR>
cat /var/log/httpd/access_log | grep php | grep [thetime]<BR>
e.g. cat /var/log/httpd/access_log | grep php | grep 12:40<BR>
Then move the compromised script. <BR>
";
    # Send the alert to the admin address as an HTML mail.
    my $msg = MIME::Lite->new(
        Subject => "Large mailq for $serverdomain",
        From    => $alertsto,
        To      => $alertsto,
        Type    => 'text/html',
        Data    => $emailbody,
    );
    $msg->send();
}
Ken Marcus
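Two things in this thread ask for the same piece of tooling: Marcello wants an alert when the number of outgoing RCPTs crosses a threshold, and Ken's triage starts from the authid found in the maillog. The script below is an added example, not code from the thread, from Ken's script or from BlueOnyx. It assumes the standard sendmail maillog format, where the "AUTH=server, ... authid=" line and the "from=<...>, ... nrcpts=" line of one message share a queue id; the log lines in SAMPLE_LOG, the hostnames, addresses and queue ids are all constructed for the example.

```sh
#!/bin/sh
# Added example: summarise sendmail's maillog per sending identity so an
# admin can see who is pushing too many recipients through the server and
# get the authid that the "cd ~authid / change the password" steps need.
#
# Constructed sample log in sendmail's maillog format (not a real log).
SAMPLE_LOG='Mar 23 06:58:01 bo5108 sendmail[4101]: r2N5w1cA004101: AUTH=server, relay=host-1.example.net [198.51.100.23], authid=elisa, mech=LOGIN, bits=0
Mar 23 06:58:01 bo5108 sendmail[4101]: r2N5w1cA004101: from=<elisa@example.com>, size=2210, class=0, nrcpts=40, msgid=<a1@example.com>, proto=ESMTPA, daemon=MTA, relay=host-1.example.net [198.51.100.23]
Mar 23 06:58:03 bo5108 sendmail[4102]: r2N5w3cB004102: AUTH=server, relay=host-1.example.net [198.51.100.23], authid=elisa, mech=LOGIN, bits=0
Mar 23 06:58:03 bo5108 sendmail[4102]: r2N5w3cB004102: from=<elisa@example.com>, size=2210, class=0, nrcpts=40, msgid=<a2@example.com>, proto=ESMTPA, daemon=MTA, relay=host-1.example.net [198.51.100.23]
Mar 23 07:01:10 bo5108 sendmail[4110]: r2N61AcC004110: AUTH=server, relay=[192.0.2.8], authid=marco, mech=PLAIN, bits=0
Mar 23 07:01:10 bo5108 sendmail[4110]: r2N61AcC004110: from=<marco@example.com>, size=980, class=0, nrcpts=3, msgid=<b1@example.com>, proto=ESMTPA, daemon=MTA, relay=[192.0.2.8]
Mar 23 07:02:44 bo5108 sendmail[4115]: r2N62icD004115: from=<apache@bo5108.example.com>, size=1500, class=0, nrcpts=25, msgid=<c1@bo5108.example.com>, relay=apache@localhost'

# rcpt_report LIMIT
# Reads a sendmail maillog on stdin. For each message it joins the
# "AUTH=server ... authid=" line with the "from=<...> ... nrcpts=" line on
# the queue id, sums recipients per identity and prints
#   <identity> <messages> <recipients>
# for every identity whose recipient total exceeds LIMIT. Submissions
# without an authid that came from a local user (relay=user@localhost,
# e.g. apache running a PHP script) are reported as local:<user>;
# anything else without an authid is reported as "unauthenticated".
rcpt_report() {
    awk -v limit="$1" '
        # field 6 is the queue id, with a trailing colon
        { qid = $6; sub(/:$/, "", qid) }
        /AUTH=server/ && match($0, /authid=[^,]+/) {
            auth[qid] = substr($0, RSTART + 7, RLENGTH - 7)   # strip "authid="
            next
        }
        / from=</ {
            n = 0
            if (match($0, /nrcpts=[0-9]+/))
                n = substr($0, RSTART + 7, RLENGTH - 7) + 0     # strip "nrcpts="
            who = "unauthenticated"
            if (qid in auth)
                who = auth[qid]
            else if (match($0, /relay=[^ ,@]+@localhost/))
                who = "local:" substr($0, RSTART + 6, RLENGTH - 16)  # strip "relay=" and "@localhost"
            msgs[who]++
            total[who] += n
        }
        END {
            for (who in total)
                if (total[who] > limit)
                    printf "%s %d %d\n", who, msgs[who], total[who]
        }
    ' | sort
}

# Demo: flag any identity that addressed more than 20 recipients in the sample log.
printf '%s\n' "$SAMPLE_LOG" | rcpt_report 20
```

On a real box run it as `rcpt_report 20 < /var/log/maillog` (or from cron with a mail to the admin, like Ken's queue check). The first column is what the triage steps start from: a real user name goes into `cd ~elisa` and a password change, while `local:apache` is the PHP-script case that calls for the access_log time cross-check. Inbound mail carries no authid, so with this simple join it lands under "unauthenticated" together with any relayed traffic; restrict the input to the hours you care about, or grep for `proto=ESMTPA` first, if that bucket drowns out the real signal.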