Fighting spam by mail queue monitoring

willsborrow | Registered | Oct 10, 2017 | Thailand | cPanel Access Level: Root Administrator
I would like to share a story about stopping spam email by mail queue monitoring. The idea behind it is to get the mail queue every minute. When spam attacks, it sends an alert via email. From my experience, I classify spam mail by source into two types. First, spam sent out via HTTP from scripts. Second, spam sent out by users from weak passwords or a Trojan/virus on the user's computer. I used 2 scripts to handle both types.

First: Script to get the source of the sending email. This script will find the users who send the most email, from the mail that is pending in the queue.

Code:
#!/bin/bash
# Message IDs of everything in the queue. `exim -bpr` prints one header line per message
# ("<age> <size> <id> <sender>", possibly followed by "*** frozen ***") and then its
# recipients indented below it; only the header lines start with the age field, and the
# message ID is their third field. (Needs bash for mapfile and arrays, hence the shebang.)
mapfile -t array < <(/usr/sbin/exim -bpr | awk '/^ *[0-9]+(h|m|d) /{print $3}' | grep -vE '^$')
for element in "${array[@]}"
do
   # Read the spool header once per message: the first IPv4 address in a Received:
   # header is where the message came from, "-auth_id <user>" is the SMTP AUTH user.
   HDR=$(/usr/sbin/exim -Mvh "$element")
   OUTPUT1=$(echo "$HDR"|grep 'Received: '|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|head -1)
   if [ "$OUTPUT1" != "" ]; then
      OUTPUT2=$(echo "$HDR"|grep auth_id)
      INFO="$INFO\n$OUTPUT1 $OUTPUT2"
   fi
done
# Each INFO line is "<ip> -auth_id <user>"; count the users and report the busiest one.
echo -e "$INFO"|awk '{print $3}'|grep -vE '^$'|sort|uniq -c|sort -rn|head -1|awk '{print "Maximum of",$1,"mails are owned by",$2}'
Second: Script to send a notification. When the number of mails reaches a certain threshold, it will drill down to look for the script location and run the first script. Then it sends an email. Here I set it to 150. If the number of pending mails reaches 150, it will try to get more info and send the alert.

Code:
#!/bin/bash
ABNORMAL_NUMBER=150
EMAIL="you@example.com"   # placeholder: put the address that should receive the alert here

#DO NOT CHANGE BELOW THIS LINE
# Number of messages in the queue (one "<sender>" header line per message).
qnum=$(/usr/sbin/exim -bpr | grep "<" | wc -l)
if (( qnum > ABNORMAL_NUMBER ));
then
        # Today's "cwd=/home/..." lines in the main log record the directory a local
        # sendmail call was made from; the most frequent one is where a sending script lives.
        script_mail=$(tail --lines=5000 /var/log/exim_mainlog|sed -ne "s|$(date +%F).*cwd=\(/home[^ ]*\).*$|\1|p"| sort | uniq -c | awk '{printf "%d %s\n",$1,$2}' | sort -rn|head -n 1)
        script_num=$(echo "$script_mail"|awk '{print $1}')
        script_loc=$(echo "$script_mail"|awk '{print $2}')
        script_threshold=$(( ABNORMAL_NUMBER / 2 ))
        script_mailbody=""
        # script_num is empty when no cwd= line matched today; treat that as 0.
        if (( ${script_num:-0} > script_threshold ));
        then
                script_mailbody="$script_num emails have been sent out recently by a script located at $script_loc"
        fi
        mailbody=$(/root/mailqinfo)   # the first script, saved as /root/mailqinfo
        printf '%s\n' "Number of mail queue is $qnum." "$script_mailbody" "$mailbody" | mail -s "MAIL ALERT!" "$EMAIL"
fi
I put the second script in a cron job and it has worked well so far. I hope these may be useful to my friends who face the same problem.

PS. I took the scripts from the following and modified them:
botscout.net/blog/fighting-spam-by-mail-queue-monitoring-on-cpanel-server
endlessgeek.com/2014/03/exim-spam-hunting-essential-one-liners
 

HostingH | Well-Known Member | Jan 13, 2008 | cPanel Access Level: Root Administrator
Try the following commands,

[root]#exim -bpr | grep "<.*@.*>" | awk '{print $4}'|grep -v "<>" |awk -F "@" '{ print $2}' | tr -d '>' | sort | uniq -c | sort -n
[root]#exim -bpr | grep "<.*@.*>" | awk '{print $4}'|grep -v "<>" | sort | uniq -c | sort -n
[root]#awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

Very easy to catch the spammer.
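The checks that willsborrow's two scripts and the one-liners in this reply perform, as an added example that is not code from either poster: the queue listing, the spool headers and the main log are read from stdin or from constructed sample text so the logic can be run and checked offline without an Exim server. `spool_header` is a hypothetical stand-in for `/usr/sbin/exim -Mvh <id>`; every message ID, user, IP address and path in the sample data is made up.

```shell
#!/bin/sh
# Added example, not code from the thread: the checks made by the two scripts above
# and the envelope-sender tally from the reply, written as functions that read from
# stdin so they can be exercised offline on constructed data. On a server you would
# pipe `/usr/sbin/exim -bpr`, `/usr/sbin/exim -Mvh <id>` and /var/log/exim_mainlog
# into them instead. Message IDs, users, addresses and paths below are made up.

# Constructed `exim -bpr` listing: one header line "<age> <size> <id> <sender>" per
# message, recipients indented beneath it, a blank line between messages.
SAMPLE_QUEUE='25m  1.5K 1dZ3Aa-0001Bb-Cc <bob@example.com>
          victim1@example.net
          victim2@example.net

 2h  2.1K 1dZ3Ab-0001Bc-Dd <alice@example.org> *** frozen ***
          someone@example.org

 3d   12K 1dZ3Ac-0001Bd-Ee <>
          bounce@example.net

 1m  1.0K 1dZ3Ad-0001Be-Ff <bob@example.com>
          victim3@example.net'

# Constructed exim_mainlog excerpt: "cwd=" lines record the directory a local
# sendmail call was made from, which is how a sending script is located.
SAMPLE_MAINLOG='2017-10-10 09:12:01 cwd=/home/acme/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i
2017-10-10 09:12:03 cwd=/home/acme/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i
2017-10-10 09:12:05 cwd=/home/acme/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i
2017-10-10 09:13:00 cwd=/home/shop/public_html 4 args: /usr/sbin/sendmail -t -i
2017-10-10 09:13:02 1dZ3Aa-0001Bb-Cc <= bob@example.com H=(laptop) [203.0.113.10] P=esmtpa A=dovecot_login:bob S=1536
2017-10-09 23:59:59 cwd=/home/shop/public_html 4 args: /usr/sbin/sendmail -t -i'

# Hypothetical stand-in for `/usr/sbin/exim -Mvh <id>` with constructed spool headers;
# only the -auth_id and Received: lines matter to the checks below.
spool_header() {
    case "$1" in
        1dZ3Aa-0001Bb-Cc|1dZ3Ad-0001Be-Ff)
            printf '%s\n' '-auth_id bob' 'Received: from [203.0.113.10] (helo=laptop)' ;;
        1dZ3Ab-0001Bc-Dd)
            printf '%s\n' '-auth_id alice' 'Received: from [198.51.100.7] (helo=phone)' ;;
        1dZ3Ac-0001Bd-Ee)   # bounce: no authenticated user
            printf '%s\n' 'Received: from [203.0.113.20] (helo=mx)' ;;
        *) : ;;
    esac
}

# Message IDs from a listing on stdin: header lines start with the age field
# (digits plus m/h/d) and carry the ID as the third field; recipient lines never match.
queue_ids() { awk '/^ *[0-9]+[mhd] /{print $3}'; }

queue_count() { queue_ids | awk 'END{print NR+0}'; }

# Envelope senders per domain (what the one-liners in the reply do), bounces (<>)
# excluded, most frequent first.
senders_by_domain() {
    awk '/^ *[0-9]+[mhd] / && $4 != "<>" {print $4}' | tr -d '<>' |
        awk -F@ '{print $2}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# For each queued ID on stdin, pair the first IPv4 in a Received: header with the
# SMTP AUTH user, then report "count user" for the user owning the most queued mail.
top_authenticated_sender() {
    while read -r id; do
        hdr=$(spool_header "$id")
        ip=$(printf '%s\n' "$hdr" | grep 'Received: ' |
             grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | head -1)
        user=$(printf '%s\n' "$hdr" | awk '$1 == "-auth_id" {print $2}')
        [ -n "$ip" ] && [ -n "$user" ] && printf '%s %s\n' "$ip" "$user"
    done | awk '{print $2}' | sort | uniq -c | sort -rn | head -1 | awk '{print $1, $2}'
}

# Busiest /home directory that called sendmail on the given day (mainlog on stdin).
top_script_dir() {
    sed -ne "s|^$1 .*cwd=\(/home[^ ]*\).*$|\1|p" | sort | uniq -c | sort -rn |
        head -n 1 | awk '{print $1, $2}'
}

# Assemble the alert the way the second script decides it: report only when the
# queue exceeds the threshold, and name a script directory only when it accounts
# for more than half the threshold. Returns 1 with no output when all is quiet.
build_alert() {
    threshold=$1 queue=$2 mainlog=$3 day=$4
    qnum=$(printf '%s\n' "$queue" | queue_count)
    [ "$qnum" -gt "$threshold" ] || return 1
    body="Number of mail queue is $qnum."
    top=$(printf '%s\n' "$mainlog" | top_script_dir "$day")
    script_num=${top%% *}
    if [ "${script_num:-0}" -gt $((threshold / 2)) ]; then
        body="$body
$script_num emails have been sent out recently by a script located at ${top#* }"
    fi
    top=$(printf '%s\n' "$queue" | queue_ids | top_authenticated_sender)
    [ -n "$top" ] && body="$body
Maximum of ${top%% *} mails are owned by ${top#* }"
    printf '%s\n' "$body"
}

# Stand-alone run with a low threshold so the constructed data triggers the alert.
build_alert 3 "$SAMPLE_QUEUE" "$SAMPLE_MAINLOG" 2017-10-10
```

The functions stay POSIX sh so the same file runs under cron's default shell; to use them for real, replace the two sample variables with the output of `/usr/sbin/exim -bpr` and `tail` of /var/log/exim_mainlog, replace `spool_header` with a call to `/usr/sbin/exim -Mvh "$1"`, and pipe `build_alert`'s output into `mail` as the second script does. Keeping the decision in `build_alert` separate from the data sources is what makes the threshold and the half-threshold rule testable before the script is trusted to page anyone.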
 
May 2, 2017 | India | cPanel Access Level: Reseller Owner
@willsborrow I am new to Linux commands, so I ask you the extension of the file. I have tried the above solution with a cron job, but when the cron executes the .sh file, the file content is sent to the mail, not the expected output. How can I overcome this situation? I hope you have understood what I say. I am waiting for your kind support, thank you.