Notify Admin of User Sending High Volume of Mail

Gareth list-mailscanner at linguaphone.com
Tue Sep 23 12:10:11 IST 2008


Have a look at the tool I wrote to block persistent spammers
automatically :-
http://www.gbnetwork.co.uk/mailscanner/mailwatch2rbl/index.html

You don't have to use it to actually block senders but it will create a
database of the senders of messages for the last 23 hours which you can
use as a starting point.

You could also use the mw2rbltool program and get it to show you the top
25 spammers and run it through grep against your internal IP address
range and get the output mailed to you if there are any entries.
Example output of the top25 spammers is :-
[root at mailscanner ~]# mw2rbltool show top spam
IP 218.58.88.27 (China), 5 messages, 0 hams, 5 spams
IP 202.37.168.211 (New Zealand), 5 messages, 0 hams, 5 spams
IP 217.27.244.142 (United Kingdom), 4 messages, 0 hams, 4 spams
IP 209.222.78.12 (United States), 4 messages, 0 hams, 4 spams
IP 208.111.178.160 (United States), 4 messages, 0 hams, 4 spams
IP 195.137.222.184 (Turkey), 3 messages, 0 hams, 3 spams
IP 125.134.217.84 (Korea, Republic of), 3 messages, 0 hams, 3 spams
IP 80.12.242.47 (France), 2 messages, 0 hams, 2 spams
IP 70.250.239.19 (United States), 2 messages, 0 hams, 2 spams
IP 92.39.130.44 (Russian Federation), 2 messages, 0 hams, 2 spams
IP 128.186.138.188 (United States), 2 messages, 0 hams, 2 spams
IP 216.10.72.209 (United States), 2 messages, 0 hams, 2 spams
IP 82.33.206.166 (United Kingdom), 2 messages, 0 hams, 2 spams
IP 220.168.183.117 (China), 2 messages, 0 hams, 2 spams
IP 64.192.201.251 (United States), 2 messages, 0 hams, 2 spams
IP 204.116.138.72 (United States), 2 messages, 0 hams, 2 spams
IP 134.17.243.64 (United States), 2 messages, 0 hams, 2 spams
IP 134.17.127.241 (United States), 2 messages, 0 hams, 2 spams
IP 208.111.178.251 (United States), 2 messages, 0 hams, 2 spams
IP 58.252.215.194 (China), 2 messages, 0 hams, 2 spams
IP 85.170.224.228 (France), 2 messages, 0 hams, 2 spams
IP 88.255.132.11 (Turkey), 2 messages, 0 hams, 2 spams
IP 89.46.60.21 (Romania), 2 messages, 0 hams, 2 spams
IP 85.113.158.249 (Russian Federation), 2 messages, 0 hams, 2 spams
IP 67.227.65.48 (United States), 2 messages, 0 hams, 2 spams



On Mon, 2008-09-22 at 22:32, Josh Kidd wrote:
> Don’t know if anyone else has attempted to do something like this
> before or not, I gave a scan to Google and the lists and didn’t see
> anything. I have MailScanner set up on a FreeBSD7 machine running
> Postfix+MailScanner(SA,ClamAV)+Mailwatch. We are wanting to find a way
> that if a user’s computer is infected and starts sending out a large
> number of emails in a short time frame (ie: 20,30,50 messages in 2-5
> minutes).
>
> I assume this would have to be a custom ruleset but being new to
> MailScanner I don’t know exactly how I would go about creating this
> rule. Has anyone done something like this or knows how to? I want
> MailScanner or Mailwatch to email me if a user’s outbound mail volume
> exceeds our pre-defined limits so I can shutdown whatever is sending
> out the large volume of mail to prevent our domain from being
> blacklisted.
>
> Thanks in Advance,
> 
> JK
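
The check suggested in the reply above (filter the "mw2rbltool show top spam" output for your internal range and mail any hits), as an added example that is not part of the original post or of mailwatch2rbl. It goes a little beyond a plain grep by matching a real CIDR range, so a pattern like "10.1" cannot accidentally match "210.1.x.x". INTERNAL_CIDR, ADMIN, the function names and the sample lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: flag internal hosts in `mw2rbltool show top spam` output.
# INTERNAL_CIDR and ADMIN are assumed values; set them for your own network.
INTERNAL_CIDR="${INTERNAL_CIDR:-192.168.0.0/16}"
ADMIN="${ADMIN:-postmaster@example.com}"

# Print only the lines read from stdin whose IP falls inside CIDR $1.
internal_senders() {
    awk -v cidr="$1" '
        function ip2int(ip,   o) {
            if (split(ip, o, ".") != 4) return -1
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN {
            split(cidr, c, "/")
            size = 2 ^ (32 - c[2])            # number of addresses in the block
            base = ip2int(c[1]); base -= base % size
        }
        $1 == "IP" { n = ip2int($2); if (n >= base && n < base + size) print }
    '
}

# Mail matching lines to the admin; stay silent when there are none.
report() {
    hits=$(internal_senders "$INTERNAL_CIDR")
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits" | mail -s "Internal hosts in top spam senders" "$ADMIN"
}

# Cron usage (assumes mw2rbltool is in PATH):
#   mw2rbltool show top spam | report

# Constructed sample in the tool's output format, for a dry run without mail.
sample_output() {
cat <<'EOF'
IP 218.58.88.27 (China), 5 messages, 0 hams, 5 spams
IP 192.168.10.45 (Private), 4 messages, 0 hams, 4 spams
IP 80.12.242.47 (France), 2 messages, 0 hams, 2 spams
EOF
}
sample_output | internal_senders "$INTERNAL_CIDR"
```

Run from cron every few minutes, this only generates mail when an address in your own range shows up among the top spam senders.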