Feature Request
Ken A
ka at pacific.net
Thu Apr 12 00:44:23 IST 2007
Jay Chandler wrote:
> Recently had a user account become compromised and start spewing spam.
>
> Is there any functionality within MailScanner that can alert me once one
> user sends more than a predefined number of messages in a given time
> period? If not, I'd dearly love to see this implemented...
>
If you know what relay or relays you want to watch, this might help a
bit. We watch webserver relays on mailscanner boxes with cheap little
shell scripts that run from cron frequently like this:
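
# Relay to watch, as it appears in the relay= field of maillog
RELAY='your_relay'
cd /var/log/ || exit 1
# Collect the queue IDs (field 6) of recent messages that came in via
# $RELAY, skipping STARTTLS lines and de-duplicating, then print any
# spam or URI-blacklist hits logged for those queue IDs.
for i in $(tail -1000 maillog | \
    grep "relay=$RELAY" | \
    grep -v "STARTTLS" | \
    awk '{print $6}' | sort -u); \
do grep -F -- "$i" maillog | \
    grep "is spam\|black.uribl.com\|surbl.org"; \
done
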
It mostly reports on form & forum php-spam pushing pills with links to
uribl or surbl listed sites (milter-link). Once in a while it catches a
false positive or an exploited script, which looks quite similar to a
compromised account: thousands of messages to hotmail and aol
addresses, lots of spooled mail to delete, etc.
YMMV.
--
Ken Anderson
Pacific.Net
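
Added example (not part of the original post, and not MailScanner code): a per-sender counter for the rate alert asked about above, meant to be run from cron over a recent slice of the log in the same way as the relay script. The sendmail-style "from=<addr>, ... nrcpts=N" line layout, the sample log lines and the function names are assumptions constructed for illustration.

```shell
# Constructed sample in sendmail-style maillog format (assumption; adjust
# the patterns below for other MTAs).
sample_log() {
cat <<'EOF'
Apr 11 12:00:01 mx1 sendmail[2001]: l3BA0001: from=<alice@example.com>, size=812, nrcpts=1, relay=web1 [192.0.2.10]
Apr 11 12:00:02 mx1 sendmail[2002]: l3BA0002: from=<bob@example.com>, size=900, nrcpts=50, relay=web1 [192.0.2.10]
Apr 11 12:00:02 mx1 sendmail[2002]: l3BA0002: to=<x@example.net>, delay=00:00:01, stat=Sent
Apr 11 12:00:03 mx1 sendmail[2003]: l3BA0003: from=<bob@example.com>, size=901, nrcpts=50, relay=web1 [192.0.2.10]
Apr 11 12:00:04 mx1 sendmail[2004]: l3BA0004: from=<>, size=300, nrcpts=1, relay=localhost
Apr 11 12:00:05 mx1 sendmail[2005]: l3BA0005: from=<bob@example.com>, size=902, nrcpts=50, relay=web1 [192.0.2.10]
Apr 11 12:00:06 mx1 sendmail[2006]: l3BA0006: from=<bob@example.com>, size=903, nrcpts=50, relay=web1 [192.0.2.10]
EOF
}

# senders_over_limit LIMIT   (log lines on stdin)
# Prints "sender messages recipients" for every envelope sender with more
# than LIMIT messages in the input. The time period is whatever slice of
# the log is piped in, e.g. tail -1000 maillog from a frequent cron job.
senders_over_limit() {
    awk -v limit="$1" '
        / from=</ {
            sender = $0
            sub(/.* from=</, "", sender)   # drop everything up to the address
            sub(/>.*/, "", sender)         # drop everything after it
            if (sender == "") next         # ignore bounces (from=<>)
            rc = 1                         # default if nrcpts= is missing
            if (match($0, /nrcpts=[0-9]+/))
                rc = substr($0, RSTART + 7, RLENGTH - 7)
            msgs[sender]++
            rcpts[sender] += rc
        }
        END {
            for (s in msgs)
                if (msgs[s] > limit) print s, msgs[s], rcpts[s]
        }' | sort
}

# Senders with more than 3 messages in the constructed sample
sample_log | senders_over_limit 3
```

Piping the output to mail only when it is non-empty turns this into the alert; the recipient total is reported alongside the message count because one message can carry many recipients.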