Fighting spam by mail queue monitoring
I would like to share a story about stopping spam email by monitoring the mail queue. The idea is to check the mail queue every minute; when a spam attack is under way, the script sends an alert via email. From my experience, I classify spam by source into two types. First, spam sent out over HTTP by scripts. Second, spam sent out by users whose passwords are weak or whose computers are infected with a Trojan/virus. I use two scripts to handle both types.
First: a script to find the source of the outgoing mail. It looks at the messages pending in the queue and reports the user who sent the most of them.
#!/bin/bash
# Message IDs of everything in the queue: the awk keeps the header line of each
# message (age, size, id, sender), sed strips the "*** frozen ***" marker, and the
# last awk prints the third field, the message ID
MSG_IDS=$(/usr/sbin/exim -bpr | awk '/\s*[0-9]+(h|m|d)\s/{h=$0}{c[h]++}END{for(i in c)print i, c[i]-1}' | sed 's/\*//g; s/frozen//g' | awk '{print $3}' | grep -vE '^$')
INFO=""
for element in $MSG_IDS
do
    # Spool header of this message: take the first IP in a Received: line and the
    # authenticated user (-auth_id line) that submitted it
    HEADER=$(/usr/sbin/exim -Mvh "$element")
    OUTPUT1=$(echo "$HEADER" | grep 'Received: ' | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | head -1)
    if [ "$OUTPUT1" != "" ]; then
        OUTPUT2=$(echo "$HEADER" | grep auth_id)
        INFO="$INFO\n$OUTPUT1 $OUTPUT2"
    fi
done
# Each line is "IP -auth_id user"; count messages per user and report the top one
echo -e "$INFO" | awk '{print $3}' | grep -vE '^$' | sort | uniq -c | sort -rn | head -1 | awk '{print "Maximum of",$1,"mails are owned by",$2}'
Second: a script to send the notification. When the number of queued messages reaches a certain threshold, it drills down to find the location of the sending script, runs the first script, and then sends the email. Here I set the threshold to 150: if the number of pending messages reaches 150, it gathers more information and sends the alert.
#!/bin/bash
ABNORMAL_NUMBER=150
EMAIL="XXX@XXX.COM"
#DO NOT CHANGE BELOW THIS LINE
# Number of messages in the queue (one "<sender>" header line per message)
qnum=$(/usr/sbin/exim -bpr | grep -c "<")
if (( qnum > ABNORMAL_NUMBER )); then
    # Directory (cwd=/home/...) that today's log entries show sending the most mail
    script_mail=$(tail --lines=5000 /var/log/exim_mainlog | sed -ne "s|$(date +%F).*cwd=\(/home[^ ]*\).*$|\1|p" | sort | uniq -c | awk '{printf "%d %s\n",$1,$2}' | sort -rn | head -n 1)
    script_num=$(echo "$script_mail" | awk '{print $1}')
    script_loc=$(echo "$script_mail" | awk '{print $2}')
    # No cwd= entries today: default to 0 so the arithmetic test below does not fail on an empty operand
    script_num=${script_num:-0}
    # A script is reported when it accounts for more than half of the queue threshold
    script_threshold=$(echo "$ABNORMAL_NUMBER" 0.5 | awk '{printf "%0.0f\n",$1*$2}')
    script_mailbody=""
    if (( script_num > script_threshold )); then
        script_mailbody="Number of mail queue is $qnum.
$script_num emails have been sent out recently by the script located at $script_loc"
    fi
    # The first script, saved as /root/mailqinfo and made executable
    mailbody=$(/root/mailqinfo)
    printf '%s\n%s\n' "$script_mailbody" "$mailbody" | mail -s "MAIL ALERT!" "$EMAIL"
fi
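As an added example, not code from the original post or from the two sites it credits: the "which directory is sending the most mail today" check from the second script, written as functions that run against any saved copy of exim_mainlog, with a constructed sample log so it can be tried offline. It also handles the quiet-day case (no cwd= entries for today), which the original script does not. The log line format is an assumption that follows the cPanel-style cwd= entries the post's sed expression looks for.

```shell
#!/bin/bash
# Print "<count> <dir>" for the /home directory that appears most often in the
# given day's cwd= entries of the log, or "0 none" when there are none.
top_script_dir() {
    local log="$1" day="${2:-$(date +%F)}"
    local top
    top=$(sed -ne "s|^$day .*cwd=\(/home[^ ]*\).*$|\1|p" "$log" \
        | sort | uniq -c | sort -rn | head -n 1 \
        | awk '{printf "%d %s\n", $1, $2}')
    printf '%s\n' "${top:-0 none}"
}

# Same rule as the original script: a directory is reported when its count is
# more than half of the queue threshold. Prints 1 when it is, else 0.
script_over_threshold() {
    local count="$1" limit="$2"
    awk -v c="$count" -v l="$limit" 'BEGIN { print (c > l * 0.5) ? 1 : 0 }'
}

# Constructed sample log (made-up paths; format follows exim_mainlog cwd= lines)
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2014-03-10 09:01:02 cwd=/home/shopuser/public_html 3 args: /usr/sbin/sendmail -t -i
2014-03-10 09:01:05 cwd=/home/bloguser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-03-10 09:01:06 cwd=/home/bloguser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-03-10 09:01:07 cwd=/home/bloguser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-03-09 23:59:58 cwd=/home/olduser/public_html 3 args: /usr/sbin/sendmail -t -i
EOF

# Demo against the sample: busiest directory on 2014-03-10, and whether it
# would trigger an alert with the post's threshold of 150
top_script_dir "$SAMPLE_LOG" 2014-03-10
script_over_threshold "$(top_script_dir "$SAMPLE_LOG" 2014-03-10 | awk '{print $1}')" 150
```

Pass the real log path and omit the date to check today's entries, e.g. `top_script_dir /var/log/exim_mainlog`.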
I run the second script from a cron job and it has worked well so far. I hope this may be useful to friends who face the same problem. PS: I took the scripts from botscout.net/blog/fighting-spam-by-mail-queue-monitoring-on-cpanel-server and endlessgeek.com/2014/03/exim-spam-hunting-essential-one-liners and modified them.
Try the following cmds,
[root]# exim -bpr | grep "<*@*>" | awk '{print $4}' | grep -v "<>" | awk -F "@" '{ print $2}' | sort | uniq -c | sort -n
[root]# exim -bpr | grep "<*@*>" | awk '{print $4}' | grep -v "<>" | sort | uniq -c | sort -n
[root]# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
Very easy to catch the spammer.
Hello, thanks for sharing!
@willsborrow thanks for the solution, what is the extension for these script files?
@willsborrow I am new to Linux commands, so I asked you for the extension of the file. I have tried the above solution with a cron job, but when the cron executes the .sh file, the file content is sent to the mail instead of the expected output. How can I overcome this situation? I hope you have understood what I say; I am waiting for your kind support. Thank you.