Skip to main content

Finding spammers and dealing with floods of excess mail



Finding Spammers and Dealing With Floods In Exim


 Finding Spammers and Dealing with Floods 


[Picture 6. pic/mta-ube.png]

One of the handiest command I use for administering our exim mail servers is the following:

smtp3:~# exim -bp | exiqsumm
Count  Volume  Oldest  Newest  Domain
—–  ——  ——  ——  ——
1    3072      5h      5h  domainName1.com
1    3174     77m     77m  domainName2.com
1    7577     74m     74m  domainName3.com
52    5120      8h      8h  domainName3.com

This gives me a nice breakdown of who my top talkers are and the total volume sent to each domain etc.

Let’s say I suspect a mail attack and have a rogue spammer on my network. One of the easiest way to see this is by simply tailing out the exim mainlog as follows and looking for repeat entries of the same type:

serverName:~# tail -f /var/log/exim_mainlog
2011-01-06 10:49:01 1PanOe-000ME1-Nn => username@domainName.com  R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [209.85.229.27] X=TLSv1:RC4-MD5:128
2011-01-06 10:49:01 1PanOe-000ME1-Nn Completed
2011-01-06 10:49:05 H=hostname.domainName.com (hostname.domainname.com) [62.XXX.XXX.XXX] Warning: HELO VERIFY hostname.domainName.com hostname.domainName.com
2011-01-06 10:49:10 no host name found for IP address 87.XXX.XXX.XXX
2011-01-06 10:49:10 H=([192.168.1.101]) [87.192.64.67] Warning: HELO VERIFY [192.168.1.101]
2011-01-06 10:49:11 1PanP5-000MEI-2e <= username@sampleDomain.com H=([192.168.1.101]) [87.192.64.67] P=esmtp S=706 id=C94B4EC7.3AC3%username@sampleDomain.com

Let’s say I see a huge amount of mail all showing with a specific recipient and wish to find the message id’s for this.

I can then run the following command:

serverName:~# exipick -i ‘$recipients eq username@sampleDomain.com’ | wc -l
295

Now. If I wish to remove all this Spam mail from my server,
I simply pipe this to xargs and exim -Mrm and this will then remove all mail for this user:

serverName:~# exipick -i ‘$recipients eq username@sampleDomain.com’ | xargs exim -Mrm
Likewise, if I identify an IP address, which I believe to be the spammer, I can then find all messages from this IP as follows:

serverName:~# exipick -i ‘$sender_host_address eq XXX.XXX.XXX.XXX’ | wc -l
58

Again, to remove all of these mails, I simply do the following :

serverName:~# exipick -i ‘$sender_host_address eq XXX.XXX.XXX.XXX’ | xargs exim -Mrm

One or two other things you may find useful. To see the mail headers of a specific mail, try the following:

smtp4:~# exim -Mvh 1PemWa-00005A-Pb
1PemWa-00005A-Pb-H
mailnull 26 6

1295260884 0
-helo_name hostname.com
-host_address XXX.XXX.XXX.XXX.22535
-interface_address XXX.XXX.XXX.XXX.25
-received_protocol esmtp
-body_linecount 58
-host_lookup_failed
XX
1
username@hostname.com
240P Received: from [XXX.XXX.XXX.XXX] (helo=hostname.com)
by smtpserver.domainName.com with esmtp (Exim 4.67 (FreeBSD))
(envelope-from )

  OR

To see the entire body of this same message, just try :

smtp4:~# exim -Mvb 1PemWa-00005A-Pb
1PemWa-00005A-Pb-D


And that’s about it for now. There are many clever ways to monitor your mail queues and ensure Spam is kept to a minimum. The above should give you a good start though.
Another good way to keep track of things is to run eximstate on all Exim-based mail servers. This is a handy rrd based graphing tool to keep track of your mail queues, and you can use this to post process the results etc.





FEED






Share









SUPPORT















VISIT COUNTER !!




ROHIT PATEL
 


Labels:
Location: Southern Asia

Comments

Post a Comment

Popular posts from this blog

Defacing Sites via HTML Injections (XSS)

Defacing Sites via HTML Injections Defacing Sites via HTML Injections What Is HTML Injection: "HTML Injection" is called as the Virtual Defacement Technique and also known as the "XSS" Cross Site Scripting. It is a very common vulnerability found when searched for most of the domains. This kind of a Vulnerability allows an "Attacker" to Inject some code into the applications affected in order to bypass access to the "Website" or to Infect any particular Page in that "Website". HTML injections = Cross Site Scripting, It is a Security Vulnerability in most of the sites, that allows an Attacker to Inject HTML Code into the Web Pages that are viewed by other users. XSS Attacks are essentially code injection attacks into the various interpreters in the browser. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX, Flash and other clinet side Languages. Well crafted Malicious Code can even hep the ...
Post a Comment
Read more

EKS Cluster and Create CSI Driver to store credentials in AWS Secrets Manager via SecretProviderClass

EKS Cluster | CSI Driver | SecretProviderClass | AWS Secrets Manager Setup EKS Cluster and Manage Credentials at runtime using CSI driver using SecretProviderClass and Secrets Manager Assuming you have Configured/Installed AWS CLI, EKSCTL, KUBECTL, HELM. CSI Basic Information: CSI (Container Storage Interface) widely used as a Storage Technology. Created by Google | Mesosphere | Docker.  It has two two Plugins one runs on the Master Node (Centralized Controller Plugin) and another one on Worker Nodes (Decentralized headless Node Plugin).  CSI communication protocol is gRPC.   The communication between Container Orchestration to Controller Plugin (Master) and to Node Plugin (Worker Node) happens using gRPC .  CSI Drivers : vendor specific compiled into Kubernetes/openshift binaries. To use a CSI driver, a StorageClass needs to be assigned first.  The CSI driver is then set as the Provisioner for the Storage Class. CSI drivers provide three main service...
Post a Comment
Read more

Linux Systems Performance/Observability (BPF (bpfcc-tools), BCC Tools

  Linux System Performance/Observability Tools Linux Systems Performance/Observability (BPF (bpfcc-tools), BCC Tools Assuming you have Linux Server in place and have the required BPF aka BCC related packages installed on the system(s) for the required Linux distribution. BPF(eBPF) aka BCC Tools (bpfcc-tools) : BPF, which originally stood for Berkley Packet Filter is the dynamic tracing tools for Linux Systems.  BPF initially used for the speeding up for the tcpdump expressions and since then it has been know as the extended Berkley packet Filter (eBPF).  Its new uses are Tracing Tools where it provides programmability for the BPF Compiler Collection (BCC) and bpftrace front ends .   Example: execsnoop, biosnoop etc is a BCC Tool. When facing production performance crisis these such list of tools comes handy to trace and fix the issue. However, it requires certain KERNEL level config options to be enabled such as CONFIG_FTRACE, CONFIG_BPF. Profiling tools typically re...
Post a Comment
Read more