Koozali.org: home of the SME Server

Limiting outgoing email from a local user

Offline holck

Limiting outgoing email from a local user
« on: May 01, 2016, 10:53:22 AM »
Recently, spammers were able to guess the password of a user account, and used this account to send thousands of spam-mails in a very short time.

To limit the probability of this happening again, I've been working on a small script that monitors qmail's log-file. If the script detects that the number of emails sent from a user account is over a certain threshold, appropriate action can be taken. Right now, the script does nothing but write in a log file of its own.

I know that spammers can fake the from-address, so of course this script will not be guaranteed to block spam attacks. But hopefully it will block some attacks. Please have a look at the script and provide some feedback.

Code:
#!/usr/bin/perl -w
use strict;
use warnings;
use Time::TAI64 qw/tai2unix unixtai64 tai64nlocal/;
use File::Tail;

my (%stats, $line, $timestamp, $from, %blacklist);
# Follow the qmail log like "tail -f", starting at the end of the file (tail => -1)
my $qmail_logfile = File::Tail->new(name => "/var/log/qmail/current", tail => -1);
my $interval = 1800;   # 30 minutes
my $max      = 10;     # 10 emails - really low number, just for test purposes

open (LOG, ">>", "logfile2") or die "Cannot open logfile2: $!";
select((select(LOG), $|=1)[0]);   # Disable buffering
print LOG "Starting ...\n";

# Typical log line
# @40000000571c9b1d32a4496c info msg 101581385: bytes 26018 from <user.name@domain.org> qp 21365 uid 400
#

while (defined($line = $qmail_logfile->read)) {
  chomp $line;
  next unless ($line =~ /\sinfo\s/);
  if ($line =~ /^(@[0-9a-f]+)\sinfo\smsg\s.*from\s<(\S+)>\s/) {
    $timestamp = tai2unix($1);   # TAI64N label -> unix seconds
    $from = $2;
    next unless ($from =~ /\w/);
# Add new timestamp (one push only: a second push would count every mail twice,
# and the array is autovivified on first use, so no exists() check is needed)
    push @{$stats{$from}}, $timestamp;
# Delete obsolete timestamps (older than $interval seconds)
    while ($stats{$from}[0] < $timestamp - $interval) {
      shift @{$stats{$from}}
    }
# Check if limit is exceeded
    my $readable_timestamp = tai64nlocal(unixtai64($timestamp));
    $readable_timestamp =~ s/\.\d*//;   # drop the fractional seconds
    if  ( (scalar @{$stats{$from}} > $max) &&
          (not exists($blacklist{$from}))
        ) {
       $blacklist{$from} = 1;
       print LOG "Maximum exceeded for $from at $readable_timestamp\n";
    } elsif ( (scalar @{$stats{$from}} <= $max) &&
              (exists($blacklist{$from}))
            ) {
      delete $blacklist{$from};
      print LOG "Mail from $from accepted again at $readable_timestamp\n";
    }
  }
}
......
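
The same sliding-window check re-implemented in Python, added here as an example and not part of holck's script or SME Server, so the threshold logic can be exercised offline against constructed log lines. It decodes the TAI64N label with a flat 10-second TAI-UTC offset (an assumption of this example; only the differences between timestamps matter for the window), and the sender addresses and timestamps in the sample lines are constructed.

```python
import re
from collections import defaultdict, deque

# qmail "info msg" line, same shape as the example quoted in the post
LOG_RE = re.compile(r'^(@[0-9a-f]{24})\s+info\s+msg\s+\d+:.*\sfrom\s+<([^>]+)>')
TAI64_OFFSET = 2**62 + 10   # assumed flat TAI-UTC offset; leap seconds ignored

def tai64n_to_unix(label):
    """'@' + 16 hex seconds + 8 hex nanoseconds -> unix time as a float."""
    return int(label[1:17], 16) - TAI64_OFFSET + int(label[17:25], 16) / 1e9

class SenderRateMonitor:
    """Sliding-window count of messages per envelope sender."""
    def __init__(self, interval=1800, limit=10):
        self.interval, self.limit = interval, limit
        self.window = defaultdict(deque)   # sender -> timestamps inside the window
        self.flagged = set()

    def feed(self, line):
        """Process one log line; return an alert string, or None."""
        m = LOG_RE.match(line)
        if not m:
            return None
        ts, sender = tai64n_to_unix(m.group(1)), m.group(2)
        q = self.window[sender]
        q.append(ts)                              # count each message exactly once
        while q[0] < ts - self.interval:          # drop timestamps older than the window
            q.popleft()
        if len(q) > self.limit and sender not in self.flagged:
            self.flagged.add(sender)
            return f"Maximum exceeded for {sender}: {len(q)} msgs in {self.interval}s"
        if len(q) <= self.limit and sender in self.flagged:
            self.flagged.discard(sender)
            return f"Mail from {sender} accepted again"
        return None

def make_line(unix_secs, sender):
    """Constructed log line in the shape of the post's example (not real data)."""
    return (f"@{unix_secs + TAI64_OFFSET:016x}{0:08x} info msg 101581385: "
            f"bytes 26018 from <{sender}> qp 21365 uid 400")

def run_demo(limit=3):
    """Burst of 5 mails in 80 s from one sender, then one more after a quiet hour."""
    mon, base = SenderRateMonitor(interval=1800, limit=limit), 1461360000
    lines = [make_line(base + 20 * i, "user.name@domain.org") for i in range(5)]
    lines += [make_line(base + 50, "other@domain.org"),
              make_line(base + 4000, "user.name@domain.org")]
    return [ev for ev in map(mon.feed, lines) if ev]
```

With a limit of 3 the demo produces exactly two events: the "exceeded" alert on the fourth mail of the burst and the "accepted again" notice once the burst has aged out of the 30-minute window.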

Offline ReetP

Re: Limiting outgoing email from a local user
« Reply #1 on: May 01, 2016, 11:33:54 AM »
There are various scripts for email stuff on the wiki and this would be a good addition.

I had been thinking of trying to roll some into a contrib. Will have a look next week.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Bud

Re: Limiting outgoing email from a local user
« Reply #2 on: September 07, 2016, 06:03:39 AM »
holck, thank you for the script.

Please can you recommend where I place the script and what log file I must view?

When I use the script mentioned, this is what I get. BTW I called the script "spamcheck.sh".
I am using SME 9.1 64bit.

./spamcheck
-bash: ./spamcheck: No such file or directory
[root@taftamail sbin]# ./spamcheck.sh
Can't locate File/Tail.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ./spamcheck.sh line 3.
BEGIN failed--compilation aborted at ./spamcheck.sh line 3.

Please can you indicate what I need to do to get it to run.

ReetP, where in the wiki can I get more scripts, or do you have a contrib?

Sorry for the noob questions.
« Last Edit: September 07, 2016, 06:39:20 AM by Bud »

Offline ReetP

Re: Limiting outgoing email from a local user
« Reply #3 on: September 07, 2016, 06:54:35 PM »
Quote
Please can you recommend where I place the script and what log file I must view?

Make yourself a scripts directory somewhere. Probably in root or opt. Just make sure the permissions are limited.

Note that file is in PERL, not bash. Save it as spamcheck.pl

Then use

/somedirectory/spamcheck.pl

or

perl /somedirectory/spamcheck.pl


Quote
[root@taftamail sbin]# ./spamcheck.sh
Can't locate File/Tail.pm

There is your issue. Missing Tail.pm perl module.

Quote
Please can you indicate what I need to do to get it to run.

1. Do what I did - have a good read first.

2. You can get it from EPEL

https://wiki.contribs.org/Epel#tab=For_SME_9_x

yum --enablerepo=epel install perl-File-Tail


Quote
ReetP, where in the wiki can I get more scripts, or do you have a contrib?

The wiki is a MINE of useful information. Please browse it. Learn where things are stored. Search it.

https://wiki.contribs.org/Email
https://wiki.contribs.org/Email_Statistics
https://wiki.contribs.org/Mailstats
https://wiki.contribs.org/Qmhandle_mail_queue_manager
https://wiki.contribs.org/Useful_Commands
https://wiki.contribs.org/Mail_log_file_analysis

I am sure there is more but I haven't the time to look right now.

Quote
Sorry for the noob questions.

Fine, if you are prepared to read a lot and educate yourself ;-)

B Rgds
John

Offline Bud

Re: Limiting outgoing email from a local user
« Reply #4 on: September 08, 2016, 12:45:50 AM »
ReetP,

thank you very much for your help, much appreciated.

I am trying to find out where spam is originating from my users' computers, i.e. what computer(s) is possibly compromised.

I have installed the Qmail Statistics (Awstats) contrib and there is a user "anonymous@mysmeserver.com" that is sending out mail. I am trying to find out what PC is doing this, hence the script by holck.

1. When I run the script (using PuTTY) it does not return to the prompt. Must I wait for the script to finish, or does it run in the background?

2. " To limit the probability of this happening again, I've been working on a small script that monitors qmail's log-file. If the script detects that the number of emails sent from a user account is over a certain threshold, appropriate action can be taken. Right now, the script does nothing but write in a log file of its own. " - where is the log file?

sorry  :-D

Offline ReetP

Re: Limiting outgoing email from a local user
« Reply #5 on: September 08, 2016, 12:59:55 AM »
Sorry, late for me and too much of my friends  :pint: :pint: :pint: but something to check....

Do you have some reporting or other app you installed ?

For instance I have some stuff installed that mails out usage reports & stuff from crons etc and those mails show as from 'anonymous' like you seem to have noticed.

I'm wondering if you might be chasing ghosts here ?!

The other thing is to check your maillogs visually.

/var/log/... qpsmtpd sqpsmtpd qmail

To see them actually running cd to the directory and try something like:

tailf current | tai64nlocal

Will check your other points tomorrow.

B. Rgds
John

Offline CharlieBrady

Re: Limiting outgoing email from a local user
« Reply #6 on: September 08, 2016, 03:30:43 PM »
Quote
I am trying to find out where spam is originating from my users' computers, i.e. what computer(s) is possibly compromised.

The most reliable way to do that is to stop qmail, identify one or more spam messages in the mail queue, and look at the Received: headers which show the IP address of the originating computer.

Quote
I have installed the Qmail Statistics (Awstats) contrib and there is a user "anonymous@mysmeserver.com" that is sending out mail. I am trying to find out what PC is doing this, hence the script by holck.

All you need to do is look through the qpsmtpd logs - /var/log/qpsmtpd/current.

Offline Bud

Re: Limiting outgoing email from a local user
« Reply #7 on: September 09, 2016, 01:00:40 AM »
CharlieBrady, thank you for your help.

" The most reliable way to do that is to stop qmail, identify one or more spam messages in the mail queue, and look at the Received: headers which show the IP address of the originating computer. " would that be in [ Server Manager > View Log Files > messages ] ?

Offline ReetP

Re: Limiting outgoing email from a local user
« Reply #8 on: September 09, 2016, 01:06:10 AM »
Bud,

See my reply above but yes you should be able to view them in the server manager too.

B. Rgds
John

Offline CharlieBrady

Re: Limiting outgoing email from a local user
« Reply #9 on: September 09, 2016, 02:10:58 AM »
Quote
CharlieBrady, thank you for your help.

" The most reliable way to do that is to stop qmail, identify one or more spam messages in the mail queue, and look at the Received: headers which show the IP address of the originating computer. " would that be in [ Server Manager > View Log Files > messages ] ?

No, you cannot view email messages which are in the qmail queue from "View Log Files" in the server manager. The "messages" file you can view in the server-manager is a file full of syslog messages.

Each email message which is in the qmail queue will occupy a file with a path of the form:

/var/qmail/queue/mess/N/NNNNN

You can see a list of them by doing:

find /var/qmail/queue/mess -type f



Offline CharlieBrady

Re: Limiting outgoing email from a local user
« Reply #10 on: September 09, 2016, 02:11:51 AM »
Quote
See my reply above but yes you should be able to view them in the server manager too.

Not email message content, only log files.

Offline holck

Re: Limiting outgoing email from a local user
« Reply #11 on: September 10, 2016, 11:34:29 PM »
Quote
1. When I run the script (using PuTTY) it does not return to the prompt. Must I wait for the script to finish, or does it run in the background?

2. " To limit the probability of this happening again, I've been working on a small script that monitors qmail's log-file. If the script detects that the number of emails sent from a user account is over a certain threshold, appropriate action can be taken. Right now, the script does nothing but write in a log file of its own. " - where is the log file?

sorry  :-D

1. The script is designed to run in the background. Save it to a file called spamcheck.pl, and then
  • $ chmod 755 spamcheck.pl
  • $ ./spamcheck.pl &
The script will then run "forever" (until it is killed or the server is rebooted).

2. The script knows the location of the log file (/var/log/qmail/current); you don't have to take care of that.
......

Offline janet

Re: Limiting outgoing email from a local user
« Reply #12 on: September 11, 2016, 03:04:37 AM »
holck

I am not trying to be a party pooper regarding your script writing & system analysis techniques, but have you really considered the most obvious issue?

Quote
.....Recently, spammers were able to guess the password of a user account.....

Best thing would be to strengthen passwords & insist/force users to use strong passwords that are difficult to guess.
Here is a starting point:
https://wiki.contribs.org/SME_Server:Documentation:FAQ:Section01#Password_Strength_Checking

What does this command show?
config show passwordstrength
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.