

Fighting spam by mail queue monitoring

Discussion in 'E-mail Discussion' started by willsborrow, Oct 10, 2017.

  1. willsborrow

    willsborrow Registered

    Joined:
    Oct 10, 2017
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Thailand
    cPanel Access Level:
    Root Administrator
    I would like to share a story about stopping spam email by mail queue monitoring. The idea behind it is to get the mail queue every minute. When a spam attack happens, it sends an alert via email. From my experience, I classify spam mail by source into two types. First, spam sent out via HTTP from scripts. Second, spam sent out by users because of a weak password or a Trojan/virus on the user's computer. I used two scripts to handle both types.

    First: a script to get the source of the sent email. This script finds the user who sends the most email among the messages pending in the queue.

    Code:
    #!/bin/sh
    # Message IDs of everything in the queue: a queue header line starts with an age (25m, 1h, 2d, ...) and the ID is field 3
    IDS=$(/usr/sbin/exim -bpr | awk '/^ *[0-9]+[smhd] /{print $3}')
    for element in $IDS
    do
       HDR=$(/usr/sbin/exim -Mvh "$element")
       # first IPv4 address in a Received: header = the client that injected the message (locally injected mail from scripts has none)
       OUTPUT1=$(printf '%s\n' "$HDR" | grep 'Received: ' | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | head -1)
       if [ "$OUTPUT1" != "" ]; then
          # "-auth_id user" = the mailbox that authenticated to send it
          OUTPUT2=$(printf '%s\n' "$HDR" | grep auth_id)
          echo "$OUTPUT1 $OUTPUT2"
       fi
    done | awk '{print $3}' | grep -vE '^$' | sort | uniq -c | sort -rn | head -1 | awk '{print "Maximum of",$1,"mails are owned by",$2}'
    
    Second: a script to send the notification. When the number of mails reaches a certain threshold, it drills down to look for the script location and runs the first script. Then it sends the email. Here I set it to 150. If the number of pending mails reaches 150, it tries to get more info and sends the alert.

    Code:
    #!/bin/sh
    ABNORMAL_NUMBER=150
    EMAIL="XXX@XXX.COM"
    
    #DO NOT CHANGE BELOW THIS LINE
    # every queue header line contains the <sender>, so this counts queued messages
    qnum=$(/usr/sbin/exim -bpr | grep "<" | wc -l)
    # [ -gt ] instead of (( )) so the comparison also works when /bin/sh is not bash
    if [ "$qnum" -gt "$ABNORMAL_NUMBER" ];
    then
            # busiest /home directory in today's cwd= lines (exim logs these together with the command arguments)
            script_mail=$(tail --lines=5000 /var/log/exim_mainlog|sed -ne "s|$(date +%F).*cwd=\(/home[^ ]*\).*$|\1|p"| sort | uniq -c | awk '{printf "%d %s\n",$1,$2}' | sort -rn|head -n 1)
            script_num=$(echo "$script_mail"|awk '{split($0,a," "); print a[1]}')
            script_loc=$(echo "$script_mail"|awk '{split($0,a," "); print a[2]}')
            script_threshold=$(echo $ABNORMAL_NUMBER 0.5 | awk '{printf "%0.0f\n",$1*$2}')
            script_mailbody=""
            # script_num is empty when no cwd= line matched; default it to 0 so the comparison does not fail
            if [ "${script_num:-0}" -gt "$script_threshold" ];
            then
                    script_mailbody=$(printf 'Number of mail queue is %s.\n%s emails have been sent out recently by the script located at %s' "$qnum" "$script_num" "$script_loc")
            fi
            # the first script, saved as /root/mailqinfo and made executable (chmod 700 /root/mailqinfo)
            mailbody=$(/root/mailqinfo)
            printf '%s\n%s\n' "$script_mailbody" "$mailbody" | mail -s "MAIL ALERT!" "$EMAIL"
    fi
    
    I run the second script via a cron job and it has worked well so far. I hope these may be useful to my friends who face the same problem.

    PS. I got the scripts from the following and modified them:
    botscout.net/blog/fighting-spam-by-mail-queue-monitoring-on-cpanel-server
    endlessgeek.com/2014/03/exim-spam-hunting-essential-one-liners
     
    #1 willsborrow, Oct 10, 2017
    Last edited by a moderator: Oct 10, 2017
  2. HostingH

    HostingH Well-Known Member

    Joined:
    Jan 13, 2008
    Messages:
    126
    Likes Received:
    18
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator
    Try the following commands,

    # queued messages per sender domain (field 4 of a queue header line is the <sender>; <> is the null sender of bounces)
    [root]# exim -bpr | grep '<.*@.*>' | awk '{print $4}' | grep -v '<>' | awk -F '@' '{print $2}' | sort | uniq -c | sort -n
    # queued messages per sender address
    [root]# exim -bpr | grep '<.*@.*>' | awk '{print $4}' | grep -v '<>' | sort | uniq -c | sort -n
    # messages injected per script directory (the cwd=/home/... field of exim_mainlog lines)
    [root]# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

    Very easy to catch the spammer.
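    The following is an added example, not code from willsborrow's post or HostingH's reply: it puts the detection logic of both (queue size, busiest authenticated user from the spool headers, busiest script directory from the cwd= log lines, sender-domain tally, and the alert decision with its half-threshold rule) into shell functions that read stdin, and runs them over constructed sample data so they can be tried offline. Every message ID, address, IP and path below is made up and only imitates exim's output format; mock_mvh is a stand-in for `exim -Mvh ID`. On a live server, feed the functions `exim -bpr`, `exim -Mvh` and /var/log/exim_mainlog instead.

    ```sh
    #!/bin/sh
    # Added example (not from the forum posts): the detection logic of the two
    # scripts and of the one-liners above, as functions that read stdin, run
    # over constructed sample data.  ASSUMPTION: all IDs, addresses, IPs and
    # paths are made up and only imitate exim's output format.

    # Constructed `exim -bpr` output: age, size, message ID, sender, then one
    # indented line per recipient.  One null-sender bounce is frozen.
    SAMPLE_QUEUE=' 3m  1.2K 1e1abc-000123-AB <bob@example.net>
              victim1@example.org
              victim2@example.org
    25m  2.5K 1e1abd-000124-CD <alice@example.com>
              someone@example.org
     1h  1.1K 1e1abe-000125-EF <> *** frozen ***
              bounce@example.net
     2h   900 1e1abf-000126-GH <alice@example.com>
              other@example.org'

    # Constructed exim_mainlog lines: cwd= lines as written when exim logs the
    # command arguments, plus two ordinary arrival (<=) lines.
    SAMPLE_MAINLOG='2017-10-10 09:01:02 cwd=/home/shop/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
    2017-10-10 09:01:02 1e1abc-000123-AB <= bob@example.net U=shop P=local S=1234
    2017-10-10 09:01:03 cwd=/home/shop/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
    2017-10-10 09:01:05 cwd=/home/blog/public_html 3 args: /usr/sbin/sendmail -t -i
    2017-10-10 09:01:07 cwd=/home/shop/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
    2017-10-10 09:02:00 1e1abd-000124-CD <= alice@example.com H=(pc) [203.0.113.5] P=esmtpsa A=dovecot_login:alice S=2345
    2017-10-09 23:59:59 cwd=/home/old/public_html 3 args: /usr/sbin/sendmail -t -i'

    # Stand-in for `exim -Mvh ID` (constructed spool headers).  Locally injected
    # mail carries no client IP; the bounce has an IP but no -auth_id.
    mock_mvh() {
        case "$1" in
        1e1abc-000123-AB) printf '%s\n' '-ident shop' '-received_protocol local' \
            'Received: from shop by host.example.net with local (Exim 4.89) id 1e1abc-000123-AB' ;;
        1e1abd-000124-CD) printf '%s\n' '-received_protocol esmtpsa' '-auth_id alice' \
            'Received: from [203.0.113.5] (helo=pc) by host.example.net with esmtpsa (Exim 4.89) id 1e1abd-000124-CD' ;;
        1e1abe-000125-EF) printf '%s\n' '-received_protocol esmtp' \
            'Received: from mail.example.org ([198.51.100.7]) by host.example.net with esmtp (Exim 4.89) id 1e1abe-000125-EF' ;;
        1e1abf-000126-GH) printf '%s\n' '-received_protocol esmtpsa' '-auth_id alice' \
            'Received: from [203.0.113.5] (helo=pc) by host.example.net with esmtpsa (Exim 4.89) id 1e1abf-000126-GH' ;;
        esac
    }

    # Queue header lines start with an age ("25m", "1h", "2d"); recipient lines do not.
    queue_headers() { awk '/^ *[0-9]+[smhd] /'; }
    # Number of queued messages (what the second script compares to its threshold).
    queue_count() { queue_headers | wc -l | tr -d ' '; }
    # Message IDs, one per line (replaces the read -a array of the first script).
    queue_message_ids() { queue_headers | awk '{print $3}'; }

    # HostingH's variant: sender domain with the most queued messages, skipping
    # null-sender bounces.  Output: "COUNT DOMAIN".
    top_sender_domain() {
        queue_headers | awk '$4 != "<>" {gsub(/[<>]/, "", $4); split($4, a, "@"); print a[2]}' \
            | sort | uniq -c | sort -rn | head -1 | awk '{print $1, $2}'
    }

    # First script's logic: fetch each queued message's spool header with the
    # command named in $1, keep those with both a client IP in a Received: line
    # and an -auth_id, and report the busiest user.  Output: "COUNT USER IP".
    top_auth_user() {
        local lookup id hdr ip user
        lookup=$1
        while read -r id; do
            hdr=$("$lookup" "$id")
            ip=$(printf '%s\n' "$hdr" | grep 'Received: ' \
                | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | head -1)
            user=$(printf '%s\n' "$hdr" | awk '$1 == "-auth_id" {print $2}')
            [ -n "$ip" ] && [ -n "$user" ] && printf '%s %s\n' "$user" "$ip"
        done | sort | uniq -c | sort -rn | head -1 | awk '{print $1, $2, $3}'
    }

    # Second script's drill-down: /home directory that injected the most mail on
    # the day given as $1 (YYYY-MM-DD).  Output: "COUNT DIR".
    top_script_dir() {
        sed -ne "s|^$1 .*cwd=\(/home[^ ]*\).*$|\1|p" \
            | sort | uniq -c | sort -rn | head -1 | awk '{print $1, $2}'
    }

    # Alert decision as in the second script: alert when the queue exceeds $2 and
    # name the script directory only when it injected more than half the
    # threshold.  $3/$4 are the outputs of the two top_* functions.  Prints the
    # mail body; returns 1 and prints nothing when the queue is under threshold.
    alert_body() {
        local qnum threshold script_line user_line
        qnum=$1; threshold=$2; script_line=$3; user_line=$4
        [ "$qnum" -gt "$threshold" ] || return 1
        printf 'Number of mail queue is %s.\n' "$qnum"
        if [ -n "$script_line" ] && [ "${script_line%% *}" -gt $((threshold / 2)) ]; then
            printf '%s emails have been sent recently by the script in %s\n' \
                "${script_line%% *}" "${script_line#* }"
        fi
        [ -n "$user_line" ] && printf 'Maximum of %s mails are owned by %s\n' \
            "${user_line%% *}" "${user_line#* }"
        return 0
    }

    # Run over the constructed data with a deliberately low threshold of 2.
    qnum=$(printf '%s\n' "$SAMPLE_QUEUE" | queue_count)
    script=$(printf '%s\n' "$SAMPLE_MAINLOG" | top_script_dir 2017-10-10)
    user=$(printf '%s\n' "$SAMPLE_QUEUE" | queue_message_ids | top_auth_user mock_mvh)
    alert_body "$qnum" 2 "$script" "$user" || echo "queue of $qnum is under the threshold"
    ```

    Two details differ from the posted scripts on purpose: the IDs are streamed through a `while read` loop instead of being packed into a bash array with `read -a`, which only ever captures one line of a multi-line `exim -bpr` listing, and the half-threshold uses integer division (`$((threshold / 2))`), which gives the same 75 as the awk rounding in the original for the default of 150. Locally injected messages (the script case) have no IP in their Received: line and so never appear in the per-user tally; they are caught by the cwd= drill-down instead, which is why the alert runs both.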
     
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,142
    Likes Received:
    1,932
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Thanks for sharing!
     
  4. Sarangi Tech Solution

    Joined:
    May 2, 2017
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    india
    cPanel Access Level:
    Reseller Owner
    @willsborrow thanks for the solution, what is the extension for these script files?
     
  5. Sarangi Tech Solution

    Joined:
    May 2, 2017
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    india
    cPanel Access Level:
    Reseller Owner
    @willsborrow I am new to Linux commands, so I asked you the extension of the file. I have tried the above solution with a cron job, but when the cron executes the .sh file, the file content is sent in the mail instead of the expected output. How can I overcome this situation? I hope you have understood what I said. I am waiting for your kind support. Thank you.
     