Linode Forum
https://forum.linode.com/

System hacked to send mass spam
https://forum.linode.com/viewtopic.php?f=11&t=11394

Author:  rag_gupta [ Thu Oct 30, 2014 2:12 am ]
Post subject:  System hacked to send mass spam

Is there any easy way I can know how many emails are being sent each hour or so in Ubuntu using Postfix?

Author:  sleddog [ Thu Oct 30, 2014 6:35 am ]
Post subject:  Re: System hacked to send mass spam

https://github.com/sleddoggy/mail-count

Author:  rag_gupta [ Thu Oct 30, 2014 6:39 am ]
Post subject:  Re: System hacked to send mass spam

Thanks, that's good.

But by now I've configured it to use: http://jimsun.linxnet.com/postfix_contrib.html

And I'm extracting the messages received using a regular expression from this type of output. Is it OK to do?


Quote:
Grand Totals
------------
messages

651 received
551 delivered
0 forwarded
145 deferred (1406 deferrals)
63 bounced
1 rejected (0%)
0 reject warnings
0 held
0 discarded (0%)

2184k bytes received
2199k bytes delivered
10 senders
7 sending hosts/domains
88 recipients
14 recipient hosts/domains



Code:

use strict;
use warnings;
use POSIX qw(strftime);

use Net::SMTP;

my $WORKAREA  = "/home/myaccount/scripts/pflogsumm-1.1.3";
my $TRACKFILE = "$WORKAREA/trackfile";

# Notification helper. The post only forward-declared it ("sub email;"), so this
# body is an assumption: it hands the alert to the local MTA with Net::SMTP.
# The sender/recipient addresses are placeholders.
sub email {
   my ( $subject, $body ) = @_;
   $body = $subject unless defined $body;
   my $smtp = Net::SMTP->new('localhost') or return;
   $smtp->mail('monitor@example.invalid');
   $smtp->to('admin@example.invalid');
   $smtp->data();
   $smtp->datasend("To: admin\@example.invalid\nSubject: $subject\n\n$body\n");
   $smtp->dataend();
   $smtp->quit;
}

# open log file
if ( !open LOGFP, ">>$WORKAREA/check_postfix_emails_sent.log" ) {
   email("Failed: Unable to open the log file");
}

# concatenate with '.', not ','; a comma list in scalar context kept only "\n"
my $str = "Started running now :"
  . strftime( "%Y-%m-%d %H:%M:%S", localtime ) . "\n";
print $str;
print LOGFP $str;

# run pflogsumm on today's entries and read the whole report at once
if ( !open FP,
   "/usr/bin/perl $WORKAREA/pflogsumm.pl -d today /var/log/mail.log|" )
{
   email("Failed: perl pflogsumm.pl /var/log/mail.log|");
   die;
}

$/ = undef;    # slurp mode
my $content = <FP>;
close FP;

if ( $content =~ m/Grand Totals\s+------------\s+messages\s+(\d+)\s+received/s )
{
   my $messagesSent = $1;    # today's "received" count from the Grand Totals block

   print "Total messages sent till now =$messagesSent\n";

   if ( $messagesSent > 300 && $messagesSent < 800 ) {
      email(
         "Too many emails sent",
"Till now $messagesSent emails have been sent! Please check it immediately 7y782p3"
      );
      die;
   }
   if ( $messagesSent > 1100 ) {
      email(
         "Too many emails sent",
"Till now $messagesSent emails have been sent! Please check it immediately 7y782p3"
      );
      email(
         "Postfix stopped",
"For safety postfix server has been stopped! .Till now $messagesSent emails have been sent! Please check it immediately 7y782p3"
      );
      system("/usr/sbin/service postfix stop");
      die;
   }

   if ( -f $TRACKFILE ) {

      # send a heartbeat if 7 days have passed since the track file's mtime
      my @stats = stat($TRACKFILE);    # stat returns a list; element 9 is mtime
      if ( time > $stats[9] + 7 * 24 * 60 * 60 ) {
         email( "All Success", "No problems found!" );
         utime undef, undef, $TRACKFILE;    # reset mtime so the heartbeat is weekly, not every run
      }
   }
   else {

      # create the file
      open( TRACKFILE__, ">$TRACKFILE" )
        or email("Failed: Unable to create $TRACKFILE");
      close TRACKFILE__;
      email( "All Success", "No problems found!" );
   }
   print "No problems found\n";

}
close LOGFP;



Author:  sleddog [ Thu Oct 30, 2014 12:45 pm ]
Post subject:  Re: System hacked to send mass spam

pflogsumm is an excellent script, but it doesn't readily distinguish between smtp deliveries and local deliveries (which includes inbound mail and user-to-user mail). Everything is included in 'Deliveries'.

My mail-count script looks only for SMTP outbound messages. I think that's what we need to watch to detect possible (outgoing) exploitation / spam abuse.
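The distinction sleddog draws, shown as an added example that is not part of the thread and is not his mail-count script or pflogsumm: the parser below reads Postfix syslog delivery lines and counts, per hour, only `postfix/smtp` deliveries with `status=sent` (mail relayed off the box), beside the all-agents count that a "delivered" total also includes (`postfix/local` mailbox deliveries). The log lines are constructed samples with documentation addresses; the hourly threshold is an assumed parameter. It answers rag_gupta's per-hour question as well.

```python
import re
from collections import Counter, defaultdict

# Constructed Postfix syslog sample (not from the thread): two hours of traffic
# mixing outbound smtp, local mailbox delivery, a deferral, a bounce and an
# smtpd connection line that is not a delivery at all.
SAMPLE_LOG = """\
Oct 30 01:05:12 mx postfix/smtp[2101]: 3F1A2B3C4D: to=<alice@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Oct 30 01:07:40 mx postfix/local[2102]: 4A1B2C3D5E: to=<root@mx>, relay=local, delay=0.1, delays=0.05/0/0/0.05, dsn=2.0.0, status=sent (delivered to mailbox)
Oct 30 01:20:03 mx postfix/smtp[2103]: 5B2C3D4E6F: to=<bob@example.org>, relay=mail.example.org[198.51.100.5]:25, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mail.example.org[198.51.100.5]:25: Connection timed out)
Oct 30 02:01:15 mx postfix/smtp[2110]: 6C3D4E5F7A: to=<carol@example.com>, relay=mail.example.com[203.0.113.7]:25, delay=0.6, delays=0.1/0/0.2/0.3, dsn=2.0.0, status=sent (250 OK)
Oct 30 02:01:16 mx postfix/smtp[2111]: 7D4E5F6A8B: to=<dave@example.com>, relay=mail.example.com[203.0.113.7]:25, delay=0.6, delays=0.1/0/0.2/0.3, dsn=2.0.0, status=sent (250 OK)
Oct 30 02:03:59 mx postfix/smtp[2112]: 8E5F6A7B9C: to=<erin@example.com>, relay=mail.example.com[203.0.113.7]:25, delay=0.7, delays=0.1/0/0.2/0.4, dsn=2.0.0, status=sent (250 OK)
Oct 30 02:30:00 mx postfix/local[2113]: 9F6A7B8CAD: to=<www-data@mx>, relay=local, delay=0.1, delays=0.05/0/0/0.05, dsn=2.0.0, status=sent (delivered to mailbox)
Oct 30 02:45:10 mx postfix/smtp[2114]: AF7B8C9DBE: to=<frank@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=5.1.1, status=bounced (said: 550 5.1.1 User unknown)
Oct 30 02:50:22 mx postfix/smtpd[2115]: BA8C9DAECF: client=unknown[203.0.113.99]
"""

# One delivery-attempt line: syslog timestamp, host, delivery agent, queue id,
# recipient, relay and final status. Lines from smtpd/qmgr/cleanup don't match.
DELIVERY_RE = re.compile(
    r"^(?P<hour>\w{3}\s+\d{1,2} \d{2}):\d{2}:\d{2} \S+ postfix/(?P<agent>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>\S+),.*status=(?P<status>\w+)"
)


def parse_deliveries(log_text):
    """Yield one dict per delivery-attempt line, skipping everything else."""
    for line in log_text.splitlines():
        m = DELIVERY_RE.match(line)
        if m:
            yield m.groupdict()


def count_outbound_per_hour(log_text):
    """Mail actually relayed off the box: agent smtp and status sent, bucketed by hour."""
    counts = Counter()
    for d in parse_deliveries(log_text):
        if d["agent"] == "smtp" and d["status"] == "sent":
            counts[d["hour"]] += 1
    return counts


def count_all_sent_per_hour(log_text):
    """Every successful delivery regardless of agent; local mailbox drops inflate this."""
    counts = Counter()
    for d in parse_deliveries(log_text):
        if d["status"] == "sent":
            counts[d["hour"]] += 1
    return counts


def summarize(log_text):
    """Per-hour breakdown keyed '<agent>_<status>', e.g. smtp_sent, local_sent, smtp_deferred."""
    summary = defaultdict(Counter)
    for d in parse_deliveries(log_text):
        summary[d["hour"]][f"{d['agent']}_{d['status']}"] += 1
    return summary


def hours_over_threshold(log_text, max_outbound_per_hour):
    """Hours whose outbound smtp sent count exceeds the (assumed) per-hour limit."""
    return sorted(
        h for h, n in count_outbound_per_hour(log_text).items() if n > max_outbound_per_hour
    )


if __name__ == "__main__":
    # On a real host: summarize(open("/var/log/mail.log").read())
    for hour, buckets in sorted(summarize(SAMPLE_LOG).items()):
        print(hour, dict(buckets))
    print("hours over 2 outbound/hour:", hours_over_threshold(SAMPLE_LOG, 2))
```

The outbound count is the one worth alerting on: in the sample it is 1 and 3 for the two hours, while the all-agents "sent" count reads 2 and 4 because each hour also contains a local mailbox delivery, and the deferred and bounced smtp attempts are not counted as sent at all.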

All times are UTC-04:00