<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I have a script in crontab to check SMTP log information from Zeek every so often.  You’ll need to make the script executable with chmod a+rx /nsm/zeek/smtp-toomany.sh<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Crontab entry:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">*/10 * * * * /nsm/zeek/smtp-toomany.sh<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Script: /nsm/zeek/spool/zeek/smtp-toomany.sh<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<pre style="font-size:11.0pt;font-family:'Courier New';color:#1F497D">
#!/bin/bash
# Alert for more than 9 of anything of the same type (from|subject|received|reply_to)
# Alert for more than 750 messages in the current smtp.log (Zeek rotates it hourly,
# so the spool copy holds roughly the last hour)
# Needs Zeek JSON logging (the Security Onion default) and jq.

LOG=/nsm/zeek/spool/zeek/smtp.log
OUTDIR=/nsm/zeek/spool/zeek
TO=your@email.com
INTERVAL="check made every 10min"   # matches the */10 crontab entry above

# smtp.log is briefly absent while Zeek rotates it; nothing to check then
[ -f "$LOG" ] || exit 0

touch "$OUTDIR/smtp-toomany-mailfrom.txt"

# Pretty-print each record one field per line, keep the lines for the fields of
# interest, count identical lines and keep those seen more than 9 times
jq . "$LOG" | grep -E 'from|subject|received|reply_to' \
  | sort | uniq -c | sort -nr | awk '$1 > 9' > "$OUTDIR/smtp-toomany-mailfrom.txt"

if (( $(wc -l < "$OUTDIR/smtp-toomany-mailfrom.txt") > 0 )); then
  mail -s "ALERT: [SMTP] More than 9 messages from the same from|subject|received|reply_to in the last hour" \
    "$TO" < "$OUTDIR/smtp-toomany-mailfrom.txt"
fi

TOTAL=$(wc -l < "$LOG")
REPORT="$OUTDIR/smtp-toomany.txt"

if (( TOTAL > 750 )); then
  echo "ALERT: More than 750 messages in the last hour ($INTERVAL)" > "$REPORT"
else
  echo "Less than 750 messages in the last hour ($INTERVAL)" > "$REPORT"
fi
# Per-sender message counts, highest first; records with no MAIL FROM are dropped
jq .mailfrom "$LOG" | grep -v -E 'null' | sort | uniq -c | sort -nr >> "$REPORT"
echo "$TOTAL total messages" >> "$REPORT"
echo "Source: mymachine@$LOG" >> "$REPORT"

if (( TOTAL > 750 )); then
  mail -s "ALERT: [SMTP] More than 750 messages in the last hour ($INTERVAL)" "$TO" < "$REPORT"
fi
</pre>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
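<p class="MsoNormal">The following is an added example, not code from either poster or from MailScanner or Zeek. It performs the same two checks as the shell script above (repeated field values, total volume) over Zeek's JSON smtp.log, but windows on the record's own ts field instead of relying on hourly log rotation, skips a half-written line as Zeek leaves it mid-write, and adds the check the original question asked for: one MAIL FROM fanning out to many distinct RCPT TO addresses via separate one-to-one messages. Field names follow Zeek's SMTP log (ts, uid, mailfrom, rcptto, from, to, subject, reply_to); the sample records, the NOW timestamp and the thresholds are constructed for the example.</p>

```python
"""Windowed burst detection over Zeek smtp.log (JSON lines). Added example;
sample data, NOW and thresholds are constructed, not taken from a real log."""
import json
from collections import Counter, defaultdict

NOW = 1_700_000_000.0  # constructed "current time" in epoch seconds
# Keys the shell script's grep covers (first/second_received only appear
# when Zeek parsed Received: headers; absent from the sample)
FIELDS = ("mailfrom", "from", "subject", "reply_to",
          "first_received", "second_received")


def _record(ts, uid, sender, rcpt, subject, reply_to=None):
    """One constructed smtp.log record in Zeek's JSON layout."""
    return json.dumps({
        "ts": ts, "uid": uid,
        "id.orig_h": "203.0.113.10", "id.orig_p": 40000,
        "id.resp_h": "198.51.100.25", "id.resp_p": 25,
        "trans_depth": 1, "helo": "mx.example.net",
        "mailfrom": sender, "rcptto": [rcpt],
        "from": f"<{sender}>" if sender else None, "to": [rcpt],
        "subject": subject, "reply_to": reply_to, "tls": False,
    })


def make_sample_log():
    """Constructed log: one sender bursting 12 one-to-one mails, 3 normal
    mails, 2 older mails from the same sender outside the window, a null
    MAIL FROM (bounce), and a half-written line as Zeek leaves mid-write."""
    lines = [_record(NOW - 60 * i, f"CBurst{i}", "bulk@example.net",
                     f"user{i}@example.com", "Invoice attached")
             for i in range(12)]
    lines += [_record(NOW - 300 - 60 * i, f"CNorm{i}", f"person{i}@partner.org",
                      "helpdesk@example.com", f"Ticket #{i}") for i in range(3)]
    lines += [_record(NOW - 3 * 3600 - 60 * i, f"COld{i}", "bulk@example.net",
                      f"old{i}@example.com", "Invoice attached") for i in range(2)]
    lines.append(_record(NOW - 30, "CNull", None, "postmaster@example.com",
                         "Undelivered"))
    lines.append('{"ts": 1700000000.0, "uid": "CPartial", "mailfr')
    return "\n".join(lines) + "\n"


def parse_smtp_log(text):
    """Parse JSON-lines smtp.log, skipping blank and partial lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # line still being written by Zeek
    return records


def in_window(records, now, window_seconds):
    """Keep records whose ts falls within the last window_seconds."""
    cutoff = now - window_seconds
    return [r for r in records if float(r.get("ts", 0)) >= cutoff]


def repeated_values(records, fields=FIELDS, threshold=9):
    """(field, value) pairs seen more than `threshold` times; nulls ignored."""
    counts = Counter()
    for r in records:
        for f in fields:
            if r.get(f) is not None:
                counts[(f, r[f])] += 1
    return {k: n for k, n in counts.items() if n > threshold}


def recipients_per_sender(records):
    """Distinct RCPT TO addresses per MAIL FROM (catches 1:1 fan-out)."""
    rcpts = defaultdict(set)
    for r in records:
        if r.get("mailfrom"):
            rcpts[r["mailfrom"]].update(r.get("rcptto") or [])
    return {s: len(v) for s, v in rcpts.items()}


def check(records, now, window_seconds=3600, repeat_threshold=9,
          total_threshold=750, rcpt_threshold=20):
    """Apply all three checks to the records inside the window."""
    recent = in_window(records, now, window_seconds)
    return {
        "total": len(recent),
        "too_many_total": len(recent) > total_threshold,
        "repeated": repeated_values(recent, threshold=repeat_threshold),
        "fanout": {s: n for s, n in recipients_per_sender(recent).items()
                   if n > rcpt_threshold},
    }


if __name__ == "__main__":
    result = check(parse_smtp_log(make_sample_log()), NOW, rcpt_threshold=10)
    print(f"{result['total']} messages in window; volume alert: {result['too_many_total']}")
    for (field, value), n in sorted(result["repeated"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:4d}  {field}={value!r}")
    for sender, n in result["fanout"].items():
        print(f"  {sender} sent to {n} distinct recipients")
```

<p class="MsoNormal">Point the parser at the real spool file and run it from the same crontab entry; the fan-out check is the one that fires on a script sending many separate one-recipient messages, which a per-message recipient-count rule never sees.</p>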
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> MailScanner [mailto:mailscanner-bounces+rforeman=lsfiore.com@lists.mailscanner.info]
<b>On Behalf Of </b>Alex Neuman<br>
<b>Sent:</b> Wednesday, August 11, 2021 2:31 PM<br>
<b>To:</b> MailScanner Discussion<br>
<b>Subject:</b> Re: MailScanner to detect same sender with multiple incoming email<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Probably not. You may have to implement a rule using milter-sender or similar tools.<br clear="all">
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">On Wed, Aug 11, 2021 at 12:29 PM Muhammad Hazwan Bin Abdul Rahman <<a href="mailto:mhdhazwan@sains.com.my">mhdhazwan@sains.com.my</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal" style="margin-bottom:12.0pt">I have a mail server that is configured with MailScanner and SpamAssassin.
<br>
Lately, I have received a kind of bot attack by email in which the sender <br>
sends an email to multiple recipients (>100) in a short time.<br>
<br>
One of my rules in SpamAssassin is to detect any sender which is <br>
sending to more than 20 persons as a high-scoring spam value.<br>
However, since the attack is private 1-to-1 mail but to many recipients <br>
(I'm assuming the attacker is using some kind of script), my rule can't hit <br>
that behavior.<br>
<br>
I'm asking whether there is any other way to try to catch this style of attack <br>
using MailScanner and SpamAssassin?<br>
<br>
Using CentOS 7 as my OS.<br>
<br>
Thanks<br>
<br>
-- <br>
Regards,<br>
Hazwan<br>
<br>
<br>
<br>
-- <br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a><br>
<a href="https://mailtrack.io/trace/link/7da342fe5e9daeeddced71149651fc4e4b5baa8f?url=http%3A%2F%2Flists.mailscanner.info%2Fmailman%2Flistinfo%2Fmailscanner&userId=2636895&signature=b9d4ffab8ed1efb1" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><o:p></o:p></p>
</blockquote>
</div>
</div>
</div>
</body>
</html>