More SPAM?
Denis Beauchemin
Denis.Beauchemin at USHERBROOKE.CA
Mon Nov 10 19:47:52 GMT 2003
Remco,
It looks at the last 5000 lines in your log file to compute the
percentage of emails received from one single source.
Here it has yet never kicked in for false positives.
My three MS servers processed between 60K and 70K messages each in the
last weekend.
Denis
Le lun 10/11/2003 à 03:03, Remco Barendse a écrit :
> Interesting script, might be a useful addition to the mail system.
>
> Just wonder what would happen on Sunday night, when noone is sending out
> e-mails but Daily Dilbert starts sending their mail (or any other mailing
> list). With extremely low mail volumes and a mailing to several people
> coming in, wouldn't this set off a false alarm?
>
> We really have no (almost none) mail coming in over the weekend, only
> mass mailings.
>
> On Fri, 7 Nov 2003, mikea wrote:
>
> > On Fri, Nov 07, 2003 at 10:06:57AM -0500, Denis Beauchemin wrote:
> > > Hi,
> >
> > > We've had those compromised Windows also and it really put a high load
> > > (and big backlog) on our MS servers.
> >
> > > I wrote a Perl script that watches my maillog every 5 minutes (root's
> > > crontab) and if there are more than 80% of incoming mail from one IP
> > > address it blocks it in ipchains/iptables, stops MS and sendmail,
> > > removes all undelivered mail containing that IP address from the spool
> > > directories, restarts MS (and sendmail) and sends an email to our
> > > security group about it.
> >
> > > It works fine on our RH 7.3 and 9 systems.
> >
> > > If anyone is interested, I can post it.
> >
> > Yes, please. Or perhaps someone is willing to host it on a website?
> >
> > --
> > Mike Andrews
> > mikea at mikea.ath.cx
> > Tired old sysadmin
> >
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045
More information about the MailScanner
mailing list