MailScanner to detect same sender with multiple incoming email

Robert Foreman rforeman at lsfiore.com
Wed Aug 11 18:49:07 UTC 2021


I have a script in crontab to check smtp log information from zeek every so often. You'll need to make the script executable with chmod a+rx /nsm/zeek/smtp-toomany.sh

Crontab entry:
*/10 * * * * /nsm/zeek/smtp-toomany.sh

Script: /nsm/zeek/spool/zeek/smtp-toomany.sh

#!/bin/bash
# Alert for more than 9 of anything of the same type (from|subject|received|reply_to)
# Alert for more than 750 messages in the past hour
# Assumes Zeek rotates smtp.log hourly, so the spool file only ever holds the
# current hour's transactions.

LOG=/nsm/zeek/spool/zeek/smtp.log
FIELDS=/nsm/zeek/spool/zeek/smtp-toomany-mailfrom.txt
REPORT=/nsm/zeek/spool/zeek/smtp-toomany.txt
RECIPIENT="your at email.com"   # placeholder as posted; put the real alert address here

touch "$FIELDS"

# Count identical from/subject/received/reply_to values across the hour.
# Matching on the JSON key rather than on pretty-printed lines avoids false
# hits when a subject or address merely contains the word "from", and null
# (unset) fields are not counted.
jq -r 'to_entries[]
       | select((.key | test("from|subject|received|reply_to")) and .value != null)
       | "\(.key): \(.value)"' "$LOG" \
  | sort | uniq -c | sort -nr | awk '$1 > 9' > "$FIELDS"

if [ -s "$FIELDS" ]; then
  mail -s "ALERT: [SMTP] More than 9 messages from the same from|subject|received|reply_to in the last hour" "$RECIPIENT" < "$FIELDS"
fi

# The per-sender summary is written on every run; it is only mailed past the threshold.
TOTAL=$(/usr/bin/wc -l < "$LOG")
if (( TOTAL > 750 )); then
  echo "ALERT: More than 750 messages in the last hour (check made every 17min)" > "$REPORT"
else
  echo "Less than 750 messages in the last hour (check made every 17min)" > "$REPORT"
fi
jq -r '.mailfrom // empty' "$LOG" | sort | uniq -c | sort -nr >> "$REPORT"
echo "$TOTAL total messages" >> "$REPORT"
echo "Source: $(hostname)@$LOG" >> "$REPORT"

if (( TOTAL > 750 )); then
  mail -s "ALERT: [SMTP] More than 750 messages in the last hour (check made every 17min)" "$RECIPIENT" < "$REPORT"
fi

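The script above counts repeated values over a whole hour of smtp.log. The pattern Hazwan describes further down (one sender delivering separate 1-to-1 messages to over 100 recipients in a short time) slips past a per-message recipient-count rule, because every message has exactly one recipient; what gives it away is the number of distinct recipients one envelope sender reaches inside a short sliding window. The following Python detector is an added example, not code from this thread, from MailScanner or from Zeek. It reads the same Zeek JSON smtp.log fields (ts, mailfrom, rcptto) the script greps, and the 10-minute window, the threshold of 20 distinct recipients and the sample log lines are all assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Recipient fan-out detector over Zeek smtp.log (JSON lines).

Added example. Flags an envelope sender (mailfrom) that reaches at least
RCPT_THRESHOLD distinct recipients within WINDOW_SECONDS, even when every
message is a separate 1-to-1 delivery that a per-message recipient-count
rule cannot see.
"""
import json
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # assumption: 10-minute sliding window
RCPT_THRESHOLD = 20    # assumption: distinct recipients that trigger an alert


def normalize_addr(addr):
    """Reduce '"Bob" <Bob@Example.com>' or '<bob@example.com>' to 'bob@example.com'."""
    if "<" in addr and ">" in addr:
        addr = addr[addr.index("<") + 1:addr.index(">")]
    return addr.strip().lower()


def parse_smtp_log(text):
    """Yield (ts, sender, recipient_set) from Zeek JSON smtp.log lines.

    Blank and comment lines are skipped, as are transactions with no MAIL FROM
    (Zeek writes null there when the session never got that far).
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = json.loads(line)
        sender = rec.get("mailfrom")
        if not sender:
            continue
        rcpts = rec.get("rcptto") or []
        if isinstance(rcpts, str):          # Zeek emits a set; tolerate a scalar
            rcpts = [rcpts]
        yield float(rec["ts"]), normalize_addr(sender), {normalize_addr(r) for r in rcpts}


def detect_fanout(records, window_seconds=WINDOW_SECONDS, rcpt_threshold=RCPT_THRESHOLD):
    """Return one alert per sender whose distinct recipients in any window reach the threshold."""
    history = defaultdict(deque)   # sender -> deque of (ts, recipient set), oldest first
    alerts, alerted = [], set()
    for ts, sender, rcpts in sorted(records, key=lambda r: r[0]):
        q = history[sender]
        q.append((ts, rcpts))
        while ts - q[0][0] > window_seconds:   # drop messages that fell out of the window
            q.popleft()
        distinct = set().union(*(r for _, r in q))
        if len(distinct) >= rcpt_threshold and sender not in alerted:
            alerted.add(sender)
            alerts.append({
                "sender": sender,
                "messages": len(q),
                "distinct_recipients": len(distinct),
                "window_start": q[0][0],
                "window_end": ts,
            })
    return alerts


def build_sample_log():
    """Constructed smtp.log (not a real capture): one burst sender, one slow bulk
    sender, one ordinary user and one session that never reached MAIL FROM."""
    base = 1628700000.0
    lines = []
    # 25 separate 1-to-1 messages from one sender inside two minutes
    for i in range(25):
        lines.append(json.dumps({"ts": base + 5 * i, "mailfrom": "<bot@attacker.example>",
                                 "rcptto": [f"<user{i}@corp.example>"], "subject": "Invoice"}))
    # 25 messages from a newsletter sender, but one per hour: never 20 in one window
    for i in range(25):
        lines.append(json.dumps({"ts": base + 3600 * i, "mailfrom": "<news@partner.example>",
                                 "rcptto": [f"<user{i}@corp.example>"], "subject": "Weekly"}))
    # ordinary user: a couple of messages, repeated recipient, mixed-case display-name form
    lines.append(json.dumps({"ts": base + 10, "mailfrom": "Alice <Alice@Corp.example>",
                             "rcptto": ["<bob@corp.example>", "<carol@corp.example>"], "subject": "hi"}))
    lines.append(json.dumps({"ts": base + 20, "mailfrom": "<alice@corp.example>",
                             "rcptto": ["<bob@corp.example>"], "subject": "re: hi"}))
    # incomplete transaction: Zeek logs null for mailfrom/rcptto
    lines.append(json.dumps({"ts": base + 30, "mailfrom": None, "rcptto": None, "subject": None}))
    return "\n".join(lines) + "\n"


def run_sample():
    return detect_fanout(parse_smtp_log(build_sample_log()))


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['sender']}: {a['distinct_recipients']} distinct recipients in "
              f"{a['messages']} messages within {a['window_end'] - a['window_start']:.0f}s")
```

Run against the sample, only the burst sender fires (20 distinct recipients in 20 messages over 95 seconds); the newsletter sender reaches the same 25 people but never 20 within one window, and the ordinary user never gets past two. In production the same function can be fed the spool smtp.log from cron, with the threshold tuned to what a legitimate bulk sender on the network is allowed to do.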

From: MailScanner [mailto:mailscanner-bounces+rforeman=lsfiore.com at lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: Wednesday, August 11, 2021 2:31 PM
To: MailScanner Discussion
Subject: Re: MailScanner to detect same sender with multiple incoming email

Probably not. You may have to implement a rule using milter-sender or similar tools.

Alex Neuman van der Hans Producer/Host, Vida Digital
On Wed, Aug 11, 2021 at 12:29 PM Muhammad Hazwan Bin Abdul Rahman <mhdhazwan at sains.com.my> wrote:
I have a mail server that is configured with MailScanner and SpamAssassin.
Lately, I have been receiving a kind of bot attack by email in which the sender
sends an email to multiple recipients (>100) in a short time.

One of my rules in SpamAssassin is to give any sender that is sending to
more than 20 people a high spam score.
However, since the attack is private 1-to-1 mail but to many recipients
(I'm assuming the attacker is using some kind of script), my rule can't hit
that behavior.

I'm asking if there is any other way to try to catch this style of attack
using MailScanner and SpamAssassin?

Using CentOS 7 as my OS.

Thanks

--
Regards,
Hazwan



--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner