System hacked to send mass spam

Is there any easy way I can know how many emails are being sent each hour or so in Ubuntu using Postfix?

3 Replies

https://github.com/sleddoggy/mail-count

Thanks, that's good.

But by now I've configured it to use: http://jimsun.linxnet.com/postfix_contrib.html

And I'm extracting the messages received using a regular expression from this type of output. Is it OK to do?

```text
Grand Totals
------------
messages

    651   received
    551   delivered
      0   forwarded
    145   deferred  (1406  deferrals)
     63   bounced
      1   rejected (0%)
      0   reject warnings
      0   held
      0   discarded (0%)

  2184k  bytes received
  2199k  bytes delivered
     10   senders
      7   sending hosts/domains
     88   recipients
     14   recipient hosts/domains
```

```perl
use strict;
use warnings;
use POSIX qw(strftime);

use Net::SMTP;

sub email;

my $WORKAREA  = "/home/myaccount/scripts/pflogsumm-1.1.3";
my $TRACKFILE = "$WORKAREA/trackfile";
my @now       = localtime;

# open log file
if ( !open LOGFP, ">>$WORKAREA/check_postfix_emails_sent.log" ) {
    email("Failed: Unable to open the log file");
}

# join with '.', not ',': the comma operator in scalar context would leave $str holding only "\n"
my $str = "Started running now :" . strftime( "%Y-%m-%d %H:%M:%S", localtime ) . "\n";
print $str;
print LOGFP $str;

# run pflogsumm over today's entries and read its report through a pipe
if ( !open FP,
    "/usr/bin/perl $WORKAREA/pflogsumm.pl -d today /var/log/mail.log|" )
{
    email("Failed: perl pflogsumm.pl /var/log/mail.log|");
    die;
}

$/ = undef;    # slurp mode: read the whole report in one go

my $content = <FP>;
close FP;

if ( $content =~ m/Grand Totals\s+------------\s+messages\s+(\d+)\s+received/s )
{
    my $messagesSent = $1;    # today's messages received

    print "Total messages sent till now =$messagesSent\n";

    if ( $messagesSent > 300 && $messagesSent < 800 ) {
        email(
            "Too many emails sent",
"Till now $messagesSent emails have been sent! Please check it immediately 7y782p3"
        );
        die;
    }
    if ( $messagesSent > 1100 ) {
        email(
            "Too many emails sent",
"Till now $messagesSent emails have been sent! Please check it immediately 7y782p3"
        );
        email(
            "Postfix stopped",
"For safety postfix server has been stopped! .Till now $messagesSent emails have been sent! Please check it immediately 7y782p3"
        );
        system("/usr/sbin/service postfix stop");
        die;
    }

    if ( -f $TRACKFILE ) {

        # see if 7 days passed since the file's modification time
        my @stats = stat($TRACKFILE);

        if ( time > $stats[9] + 7 * 24 * 60 * 60 ) {
            email( "All Success", "No problems found!" );
        }
    }
    else {

        # create the file
        open( TRACKFILE__, ">$TRACKFILE" );
        close TRACKFILE__;
        email( "All Success", "No problems found!" );
    }
    print "No problems found\n";

}

# The poster's mail-sending routine (declared above; Net::SMTP is imported for it)
# was not included in the post. This placeholder records the alert in the log so
# the script runs as shown; replace it with the real sender.
sub email {
    my ( $subject, $body ) = @_;
    $body = "" unless defined $body;
    my $msg = "ALERT: $subject\n$body\n";
    print $msg;
    print LOGFP $msg if fileno(LOGFP);
}
```

pflogsumm is an excellent script, but it doesn't readily distinguish between smtp deliveries and local deliveries (which includes inbound mail and user-to-user mail). Everything is included in 'Deliveries'.

My mail-count script looks only for SMTP outbound messages. I think that's what we need to watch to detect possible (outgoing) exploitation / spam abuse.
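The distinction this reply draws (deliveries made by `postfix/smtp` versus `relay=local`) can be checked directly against mail.log, which also answers the original per-hour question. The following is an added example, not the mail-count script or any code from this thread: it parses constructed sample lines in Postfix's default syslog format and counts, per hour, the distinct messages handed to a remote SMTP relay, ignoring local deliveries entirely.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix's default syslog format (not taken from the thread).
SAMPLE_LOG = """\
Mar 10 14:02:11 mx postfix/smtp[2101]: 4F1A2B3C4D: to=<alice@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=0.62, delays=0.1/0/0.3/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar 10 14:02:12 mx postfix/local[2102]: 5A6B7C8D9E: to=<root@mx.example.org>, relay=local, delay=0.1, delays=0.05/0/0/0.05, dsn=2.0.0, status=sent (delivered to mailbox)
Mar 10 14:31:40 mx postfix/smtp[2110]: 6B7C8D9EA1: to=<bob@example.com>, relay=mail.example.com[198.51.100.9]:25, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mail.example.com[198.51.100.9]:25: Connection timed out)
Mar 10 15:00:03 mx postfix/smtp[2120]: 7C8D9EA1B2: to=<carol@example.org>, relay=mx2.example.org[192.0.2.20]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 OK)
Mar 10 15:00:04 mx postfix/smtp[2120]: 7C8D9EA1B2: to=<dave@example.org>, relay=mx2.example.org[192.0.2.20]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 OK)
"""

# One delivery-attempt record: timestamp, delivery agent, queue ID, recipient, relay, status.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} \S+ "
    r"postfix/(?P<agent>[\w-]+)\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+),.*\bstatus=(?P<status>\w+)"
)


def outbound_by_hour(log_text):
    """Map 'Mon DD HH' -> {'messages': distinct queue IDs relayed out, 'sent': recipients
    accepted by the remote host, 'deferred': recipients the remote host put off}.
    Only the smtp agent is counted: local, virtual, lmtp and pipe deliveries are not outbound."""
    per_hour = defaultdict(lambda: {"messages": set(), "sent": 0, "deferred": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["agent"] != "smtp":
            continue
        bucket = per_hour[f"{m['month']} {int(m['day']):02d} {m['hour']}"]
        bucket["messages"].add(m["qid"])          # one message may have many recipients
        if m["status"] in ("sent", "deferred"):   # deferrals still reveal a sending burst
            bucket[m["status"]] += 1
    return {h: {"messages": len(b["messages"]), "sent": b["sent"], "deferred": b["deferred"]}
            for h, b in per_hour.items()}


def hours_over_limit(per_hour, max_messages):
    """Hours in which more distinct outbound messages were relayed than max_messages."""
    return [h for h, b in per_hour.items() if b["messages"] > max_messages]


if __name__ == "__main__":
    for hour, counts in outbound_by_hour(SAMPLE_LOG).items():
        print(hour, counts)
```

On a live system, feed the function the contents of /var/log/mail.log instead of SAMPLE_LOG and pick a per-hour limit that matches the host's normal volume.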
