Archive for Feb 5, 2013
by
Rohit Patel
Rohit Patel
Tcpdump Tips & Tricks
by
Rohit Patel
Rohit Patel
Finding spammers and dealing with floods of excess mail
Finding Spammers and Dealing with Floods
One of the handiest command I use for administering our exim mail servers is the following:
smtp3:~# exim -bp | exiqsumm
Count Volume Oldest Newest Domain
—– —— —— —— ——
1 3072 5h 5h domainName1.com
1 3174 77m 77m domainName2.com
1 7577 74m 74m domainName3.com
52 5120 8h 8h domainName3.com
This gives me a nice breakdown of who my top talkers are and the total volume sent to each domain etc.
Let’s say I suspect a mail attack and have a rogue spammer on my network. One of the easiest way to see this is by simply tailing out the exim mainlog as follows and looking for repeat entries of the same type:
serverName:~# tail -f /var/log/exim_mainlog
2011-01-06 10:49:01 1PanOe-000ME1-Nn => username@domainName.com R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [209.85.229.27] X=TLSv1:RC4-MD5:128
2011-01-06 10:49:01 1PanOe-000ME1-Nn Completed
2011-01-06 10:49:05 H=hostname.domainName.com (hostname.domainname.com) [62.XXX.XXX.XXX] Warning: HELO VERIFY hostname.domainName.com hostname.domainName.com
2011-01-06 10:49:10 no host name found for IP address 87.XXX.XXX.XXX
2011-01-06 10:49:10 H=([192.168.1.101]) [87.192.64.67] Warning: HELO VERIFY [192.168.1.101]
2011-01-06 10:49:11 1PanP5-000MEI-2e <= username@sampleDomain.com H=([192.168.1.101]) [87.192.64.67] P=esmtp S=706 id=C94B4EC7.3AC3%username@sampleDomain.com
Let’s say I see a huge amount of mail all showing with a specific recipient and wish to find the message id’s for this.
I can then run the following command:
serverName:~# exipick -i ‘$recipients eq username@sampleDomain.com’ | wc -l
295
Now. If I wish to remove all this Spam mail from my server,
I simply pipe this to xargs and exim -Mrm and this will then remove all mail for this user:
serverName:~# exipick -i ‘$recipients eq username@sampleDomain.com’ | xargs exim -Mrm
Likewise, if I identify an IP address, which I believe to be the spammer, I can then find all messages from this IP as follows:
serverName:~# exipick -i ‘$sender_host_address eq XXX.XXX.XXX.XXX’ | wc -l
58
Again, to remove all of these mails, I simply do the following :
serverName:~# exipick -i ‘$sender_host_address eq XXX.XXX.XXX.XXX’ | xargs exim -Mrm
One or two other things you may find useful. To see the mail headers of a specific mail, try the following:
smtp4:~# exim -Mvh 1PemWa-00005A-Pb
1PemWa-00005A-Pb-H
mailnull 26 6
1295260884 0
-helo_name hostname.com
-host_address XXX.XXX.XXX.XXX.22535
-interface_address XXX.XXX.XXX.XXX.25
-received_protocol esmtp
-body_linecount 58
-host_lookup_failed
XX
1
username@hostname.com
240P Received: from [XXX.XXX.XXX.XXX] (helo=hostname.com)
by smtpserver.domainName.com with esmtp (Exim 4.67 (FreeBSD))
(envelope-from )
OR
To see the entire body of this same message, just try :
smtp4:~# exim -Mvb 1PemWa-00005A-Pb
1PemWa-00005A-Pb-D
And that’s about it for now. There are many clever ways to monitor your mail queues and ensure Spam is kept to a minimum. The above should give you a good start though.
Another good way to keep track of things is to run eximstate on all Exim-based mail servers. This is a handy rrd based graphing tool to keep track of your mail queues, and you can use this to post process the results etc.
FEED
SUPPORT
VISIT COUNTER !!
Translate
Get In Touch
Visitor Status
Category List
AJAX
Android and iOS
Apache Web Server
ASP.NET AJAX
CCNA
CISCO - IPSEC
Cisco-CCIE
CISSP
Cryptography
DNS
Dual And Triple Boot OS
Ethical Hacking
Exim
Farewell Party Pics
FTP Server
Google Hacks
Google Page Rank
Google Plus vs. Facebook
Hacking Tools
Hacking Videos Training
Hardening PHP Configuration
Hiren’s CD
How to Secure Linux Servers
HTML Injections
JAVA
Linux
Linux Malware Detect ( LMD )
LVM - Logical Volume manager
MCSE
MCTS 2008
MS-Windows
Network
Oracle
Programings
Proxy Servers
SAP
Security
Sever
Shell Scripting
SQL Server
SSH Secure Shell
SSL sites on shared IP via SNI
Virtual Defacement
Vulnerabilities In CMS
Web Attacks
Web Hosting
WEBSITE HACKING
Windows - 7
Windows App
Windows-Server
XSS Cross Site Scripting Basics