Date:      15 Jul 2001 00:54:37 MDT
From:      J S <spl1t_h0r1z0n@usa.net>
To:        "Ted Mittelstaedt" <tedm@toybox.placo.com>, "Brennan Stehling" <brennan@offwhite.net>, <freebsd-questions@FreeBSD.ORG>
Subject:   Re: [RE: outgoing spam detection]
Message-ID:  <20010715065437.285.qmail@nwcst340.netaddress.usa.net>

a few other suggestions (warning, taken from a solaris system, and i'm too much of a
newbie to modify this for FreeBSD):

find /var/qmail/queue/mess -type f -exec grep \^To: {} \; | sort | uniq -c | sort -nr | head -20

(you can also replace the To with From) - searches through the queue and will
return the number of emails to/from the 20 most frequently occurring
addresses.  you can then run something like

find /var/qmail/queue/mess -type f -exec grep spammer@isuck.com {} \; -print | grep qmail/queue

to find the specific mail that they are sending, and then vi some of the files
to see if it is really spam (if your policy allows this), or if they just
can't type.
you can also tail your sendmail logs and look for deferrals.  a lot of
deferrals means problems with delivery, ie smtp connection failing, host name
unknown, etc.  if you don't want to sit and read the sendmail log, write a
script to count the number of deferrals in x number of lines of the log, and
if it is over a certain number, you can have it qmail inject an email or page
to you.

one further word of warning, those finds can take some time to run, and use a
fair amount of processing power.

once again i apologize i am unable to make any syntax changes necessary.
HTH

cheers

joshua

"Ted Mittelstaedt" <tedm@toybox.placo.com> wrote:
> One thing that is very characteristic of a spam run through a mailserver
> is lots and lots of failed deliveries to bogus addresses.  Spammers
> aren't real particular about what they send to as long as it looks
> like an e-mail address.  Generally, if you watch your mail queue
> and see a sudden and giant jump of spooled messages that's a good indication
> of a mailing problem like a spam run.  You could even write a cron
> job that ran the mailq command once an hour and notify you if you had more
> than, say 100 queued messages.
>

> You might also consider that the thrust of anything you do to detect
> misuse from your own users should be detection, not prevention.  You
> don't want a spammer on your network even if they are using someone else's
> mailserver on the Internet.  If you lock down your own server then it
> just encourages the abusers to find someone else's server on the
> Internet to blow crud through.  Better to make it as easy as possible for
> your own users to spam through your own mailserver; in conjunction
> with close inspection of what your mailserver is doing, it will be much
> more effective at identifying the troublemakers so you can throw them
> off the server (or prosecute).  The last thing you want is to push them
> underground; it just makes it harder to root them out.  After all, we
> aren't talking about real intelligent people here. :-)
>
> Ted Mittelstaedt                                      tedm@toybox.placo.com
> Author of:                           The FreeBSD Corporate Networker's Guide
> Book website:                         http://www.freebsd-corp-net-guide.com
>
>
> >-----Original Message-----
> >From: owner-freebsd-questions@FreeBSD.ORG
> >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Brennan
> >Stehling
> >Sent: Saturday, July 14, 2001 8:27 AM
> >To: freebsd-questions@FreeBSD.ORG
> >Subject: outgoing spam detection
> >
> >
> >Is there an existing way to detect outgoing spam from a server?
> >
> >I run a FreeBSD server with qpopper and sendmail and would like to detect
> >if people are sending out large amounts of mail that could be considered
> >spam.  I think it would also be useful to block this behavior
> >automatically by limiting a user to only 20 to 100 messages a day, or
> >maybe 3 a minute.  This way I can be sure my server is not being misused
> >by my own users.  It may also be useful to have a user by user quota so I
> >can adjust the bar for each user.
> >
> >I just updated my RBL lists for Sendmail...
> >
> >http://www.ordb.org/faq/#sendmail
> >
> >...and I would like to take it this extra step.  Perhaps if there is no
> >system to do what I am asking, I could put something together to make this
> >happen.
> >
> >Brennan Stehling - software developer and system administrator
> >  my projects:
> >       home.offwhite.net (free personal hosting)
> >       www.greasydaemon.com (bsd search)
> >
> >
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-questions" in the body of the message
> >


Joshua Smith, CCNA
Data Center Technician
USA.NET
joshua.smith@corp.usa.net

"Walk with me through the Universe,
 And along the way see how all of us are Connected.
 Feast the eyes of your Soul,
 On the Love that abounds.
 In all places at once, seemingly endless,
 Like your own existence."
     - Stephen Hawking -
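As an added example (not part of this thread and not code from any of the posters), the following POSIX sh script ties together the three checks discussed above: Joshua's find | sort | uniq -c top-talker count over the qmail queue, Ted's queued-message threshold, and the deferral counter over the sendmail log with an alert when it goes over a limit. It builds its own constructed queue files and constructed sendmail-style log lines under a temporary directory, so the paths, addresses and log text are assumptions; on a real box point QUEUE at /var/qmail/queue/mess and MAILLOG at your maillog, and replace the echo in the alert functions with mail(1) or qmail-inject.

```shell
#!/bin/sh
# Added example for the outgoing-spam-detection thread; not the original
# poster's code.  All paths and sample data below are assumptions built
# in a scratch directory so the script runs offline.
set -u

WORK="${TMPDIR:-/tmp}/spamcheck.$$"
QUEUE="$WORK/queue/mess"      # stands in for /var/qmail/queue/mess
MAILLOG="$WORK/maillog"       # stands in for /var/log/maillog

# Constructed sample data: five queued messages from one sender, one each
# from two others, and a five-line sendmail-style log with three deferrals.
make_sample_data() {
    mkdir -p "$QUEUE/0" "$QUEUE/1"
    i=0
    while [ "$i" -lt 5 ]; do
        printf 'From: spammer@example.com\nTo: victim%d@example.net\nSubject: hi\n\nbody\n' "$i" \
            > "$QUEUE/0/$i"
        i=$((i + 1))
    done
    printf 'From: alice@example.com\nTo: bob@example.org\nSubject: lunch\n\nbody\n' > "$QUEUE/1/100"
    printf 'From: carol@example.com\nTo: dave@example.org\nSubject: re\n\nbody\n' > "$QUEUE/1/101"
    cat > "$MAILLOG" <<'EOF'
Jul 15 00:50:01 mx sendmail[1001]: f6F6o1x01001: to=<a@example.net>, delay=00:00:01, mailer=esmtp, stat=Sent (ok)
Jul 15 00:50:02 mx sendmail[1002]: f6F6o2x01002: to=<b@example.net>, delay=00:00:30, mailer=esmtp, stat=Deferred: Connection refused by example.net.
Jul 15 00:50:03 mx sendmail[1003]: f6F6o3x01003: to=<c@nosuch.invalid>, delay=00:00:05, mailer=esmtp, stat=Deferred: Name server: nosuch.invalid.: host name lookup failure
Jul 15 00:50:04 mx sendmail[1004]: f6F6o4x01004: to=<d@example.net>, delay=00:00:01, mailer=esmtp, stat=Sent (ok)
Jul 15 00:50:05 mx sendmail[1005]: f6F6o5x01005: to=<e@example.net>, delay=00:00:45, mailer=esmtp, stat=Deferred: Connection timed out with example.net.
EOF
}

# Print "count value" for the N most frequent values of a header across the
# queue.  Same idea as the find | sort | uniq -c pipeline in the post, but
# sed -n strips the header name so identical addresses collapse cleanly.
top_header_values() {   # $1 = header name (From or To), $2 = N
    find "$QUEUE" -type f -exec sed -n "s/^$1:[[:space:]]*//p" {} + \
        | sort | uniq -c | sort -rn | head -n "$2"
}

# Number of messages sitting in the queue (the qmail-side analogue of
# counting mailq output).
count_queue_files() {
    find "$QUEUE" -type f | wc -l | tr -d ' '
}

# Ted's check: alert when more than $1 messages are queued.
queue_alert() {         # $1 = threshold (100 in the thread)
    n=$(count_queue_files)
    if [ "$n" -gt "$1" ]; then
        echo "ALERT: $n messages queued (threshold $1)"
        return 0
    fi
    return 1
}

# Number of stat=Deferred entries among the last $1 lines of the log.
# grep -c prints 0 but exits 1 when nothing matches; treat that as a count.
count_deferrals() {     # $1 = number of trailing log lines to examine
    tail -n "$1" "$MAILLOG" | grep -c 'stat=Deferred' || true
}

# Joshua's check: alert when deferrals in the last $1 lines exceed $2.
deferral_alert() {      # $1 = lines to examine, $2 = threshold
    n=$(count_deferrals "$1")
    if [ "$n" -gt "$2" ]; then
        echo "ALERT: $n deferrals in last $1 log lines (threshold $2)"
        return 0
    fi
    return 1
}

trap 'rm -rf "$WORK"' EXIT
make_sample_data
echo "Top senders in queue:";    top_header_values From 20
echo "Top recipients in queue:"; top_header_values To 20
queue_alert 100 || echo "queue depth $(count_queue_files) is under threshold"
deferral_alert 100 2 || echo "deferrals under threshold"
```

Run from cron as Ted suggests; the two alert functions return 0 only when a threshold is crossed, so `queue_alert 100 && ...` or `deferral_alert 500 20 && ...` chains straight into whatever notification you use.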





