Feature Request

Ken A ka at pacific.net
Thu Apr 12 00:44:23 IST 2007


Jay Chandler wrote:
> Recently had a user account become compromised and start spewing spam.
> 
> Is there any functionality within MailScanner that can alert me once one 
> user sends more than a predefined number of messages in a given time 
> period?  If not, I'd dearly love to see this implemented...
> 

If you know what relay or relays you want to watch, this might help a 
bit. We watch webserver relays on mailscanner boxes with cheap little 
shell scripts that run from cron frequently like this:

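RELAY='your_relay'
cd /var/log/ || exit 1
# Queue IDs (field 6) of recent messages that came through the relay
for i in $(tail -1000 maillog | \
    grep "relay=$RELAY" | \
    grep -v "STARTTLS" | \
    awk '{print $6}' | sort -u)
do
    # Show any spam or URI-blacklist hits logged for that queue ID
    grep -F "$i" maillog | \
    grep "is spam\|black.uribl.com\|surbl.org"
done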

It mostly reports on form & forum php-spam pushing pills with links to 
uribl or surbl listed sites (milter-link). Once in a while it catches a 
false positive or an exploited script, which looks quite similar to a 
compromised account.. thousands of messages to hotmail and aol 
addresses, lots of spooled mail to delete, etc..
ymmv.

-- 
Ken Anderson
Pacific.Net
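
Added example, not part of the original post: a single-pass awk version of the relay watch above that goes one step further and counts distinct flagged queue IDs, printing a line only when a threshold is exceeded, so that cron's mail of any output serves as the alert. The function names, the threshold argument and the sample log lines are constructed; the log layout (queue ID in field 6, MailScanner "is spam" verdict lines) is an assumption about a sendmail/MailScanner maillog.

```sh
#!/bin/sh
# Constructed sample maillog (sendmail + MailScanner layout is assumed).
sample_log() { cat <<'EOF'
Apr 12 00:40:01 mx1 sendmail[1201]: STARTTLS=server, relay=web1.example.com [192.0.2.10], version=TLSv1
Apr 12 00:40:01 mx1 sendmail[1201]: l3BJe1aB001201: from=<www@web1.example.com>, size=2301, nrcpts=1, relay=web1.example.com [192.0.2.10]
Apr 12 00:40:02 mx1 MailScanner[880]: Message l3BJe1aB001201 from 192.0.2.10 (www@web1.example.com) to hotmail.com is spam, SpamAssassin (score=12.4)
Apr 12 00:40:05 mx1 sendmail[1202]: l3BJe5aB001202: from=<www@web1.example.com>, size=1980, nrcpts=1, relay=web1.example.com [192.0.2.10]
Apr 12 00:40:05 mx1 sendmail[1202]: l3BJe5aB001202: milter-link: URI host listed by black.uribl.com
Apr 12 00:40:09 mx1 sendmail[1203]: l3BJe9aB001203: from=<www@web1.example.com>, size=900, nrcpts=1, relay=web1.example.com [192.0.2.10]
Apr 12 00:40:11 mx1 sendmail[1204]: l3BJeBaB001204: from=<bob@example.org>, size=900, nrcpts=1, relay=mail.example.org [198.51.100.7]
Apr 12 00:40:12 mx1 MailScanner[880]: Message l3BJeBaB001204 from 198.51.100.7 (bob@example.org) to example.com is spam, SpamAssassin (score=9.1)
EOF
}

# flagged_from_relay RELAY [LOGFILE]
# Prints how many distinct queue IDs seen via RELAY were later flagged.
# Reads stdin when LOGFILE is omitted.
flagged_from_relay() {
    awk -v relay="$1" '
        # Lines for the watched relay: remember the queue ID (field 6).
        index($0, "relay=" relay) && !/STARTTLS/ {
            id = $6; sub(/:$/, "", id); seen[id] = 1; next
        }
        # Verdict lines: credit the hit to a remembered ID, once per ID.
        /is spam|black\.uribl\.com|surbl\.org/ {
            for (f = 1; f <= NF; f++) {
                id = $f; gsub(/[:,]/, "", id)
                if (id in seen && !(id in hit)) { hit[id] = 1; n++ }
            }
        }
        END { print n + 0 }
    ' ${2:+"$2"}
}

# check_relay RELAY LIMIT [LOGFILE]
# Silent when at or under LIMIT; prints one alert line when over it.
check_relay() {
    count=$(flagged_from_relay "$1" ${3:+"$3"})
    if [ "$count" -gt "$2" ]; then
        echo "ALERT: $count flagged messages via relay $1 (limit $2)"
    fi
}

# Demo on the constructed log: two of three web1 messages were flagged.
sample_log | check_relay web1.example.com 1
```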

