Fighting spam by mail queue monitoring

Discussion in 'E-mail Discussions' started by willsborrow, Oct 10, 2017.

  1. willsborrow (Registered; cPanel Access Level: Root Administrator; Location: Thailand)

    I would like to share a story about stopping spam email by mail queue monitoring. The idea behind it is to get the mail queue every minute. When a spam attack happens, it sends an alert via email. From my experience, I classify spam mail by source into two types. First, spam sent out via HTTP from scripts. Second, spam sent out by users, from a weak password or a Trojan/virus on the user's computer. I used two scripts to handle both types.

    First: a script to get the source of the sent email. This script finds the users who send the most email, from the mail pending in the queue.

    Code:
    #!/bin/bash
    # Needs bash (arrays, read -a, echo -e); /bin/sh would not run this.
    # Collect the ID of every queued message: exim -bpr prints one header line
    # per message (age, size, message-id, sender) followed by indented recipient
    # lines, so the third field of each header line is the message ID.
    CMD=$(/usr/sbin/exim -bpr |awk '/\s*[0-9]+(h|m|d)\s/{h=$0}{c[h]++}END{for(i in c)print i, c[i]-1}'|sed 's/\*//g'|sed 's/frozen//g'|awk '{print $3}'|grep -vE '^$')
    # CMD holds one ID per line; "read -a" would only take the first line,
    # so read the whole list into the array with readarray.
    readarray -t array <<< "$CMD"
    for element in "${array[@]}"
    do
       # Read the spool headers once, then pull out the first Received: IP
       # and the authenticated (SMTP AUTH) user, if there is one.
       HEADERS=$(/usr/sbin/exim -Mvh "$element")
       OUTPUT1=$(echo "$HEADERS"|grep 'Received: '|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|head -1)
       if [ "$OUTPUT1" != "" ]; then
          OUTPUT2=$(echo "$HEADERS"|grep auth_id)
          INFO="$INFO\n$OUTPUT1 $OUTPUT2"
       fi
    done
    # Each line is "IP -auth_id user", so field 3 is the authenticated user;
    # count per user and report the one with the most queued mail.
    echo -e "$INFO"|awk '{print $3}'|grep -vE '^$'|sort|uniq -c|sort -rn|head -1|awk '{print "Maximum of",$1,"mails are owned by",$2}'
    
    Second: a script to send the notification. When the number of mails reaches a certain threshold, it drills down to look for the script location and runs the first script, then sends an email. Here I set it to 150. If the number of pending mails reaches 150, it tries to get more info and sends the alert.

    Code:
    #!/bin/bash
    # Needs bash for the (( )) arithmetic; /bin/sh would not run this.
    ABNORMAL_NUMBER=150
    EMAIL="XXX@XXX.COM"
    
    #DO NOT CHANGE BELOW THIS LINE
    # Count queued messages: exim -bpr prints one "<sender>" header line per message.
    qnum=$(/usr/sbin/exim -bpr | grep "<" | wc -l)
    if (( qnum > ABNORMAL_NUMBER ));
    then
            # Find today's busiest sending script: the cwd=/home/... path that
            # appears most often in the last 5000 lines of the exim log.
            script_mail=$(tail --lines=5000 /var/log/exim_mainlog|sed -ne "s|$(date +%F).*cwd=\(/home[^ ]*\).*$|\1|p"| sort | uniq -c | awk '{printf "%d %s\n",$1,$2}' | sort -rn|head -n 1)
            script_num=$(echo "$script_mail"|awk '{split($0,a," "); print a[1]}')
            script_loc=$(echo "$script_mail"|awk '{split($0,a," "); print a[2]}')
            script_threshold=$(echo $ABNORMAL_NUMBER 0.5 | awk '{printf "%0.0f\n",$1*$2}')
            # script_num is empty when no script sent mail today; treat it as 0
            # so the comparison does not error out.
            if (( ${script_num:-0} > script_threshold ));
            then
                    script_mailbody=$(printf 'Number of mail queue is %s.\n%s emails have been sent out recently by the script located at %s' "$qnum" "$script_num" "$script_loc")
            fi
            # The first script, saved as /root/mailqinfo, reports the user with the most queued mail.
            mailbody=$(/root/mailqinfo)
            printf '%s\n%s\n' "$script_mailbody" "$mailbody" | mail -s "MAIL ALERT!" "$EMAIL"
    fi
    
    I run the second script via a cron job and it has worked well so far. I hope these may be useful to my friends who face the same problem.

    PS. I got the scripts from the following and modified them:
    botscout.net/blog/fighting-spam-by-mail-queue-monitoring-on-cpanel-server
    endlessgeek.com/2014/03/exim-spam-hunting-essential-one-liners
     
    #1 willsborrow, Oct 10, 2017
    Last edited by a moderator: Oct 10, 2017
  2. HostingH (Well-Known Member; cPanel Access Level: Root Administrator)

    Try the following commands:

    [root]#exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" |awk -F "@" '{ print $2}' | sort | uniq -c | sort -n
    [root]#exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" | sort | uniq -c | sort -n
    [root]#awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

    Very easy to catch the spammer.
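Both posts parse the `exim -bpr` listing, one to count the queue against a threshold and one to tally messages per sender. The bash example below is added here and is not code from either poster: it runs the same two checks as testable functions over a constructed sample listing (the sample queue, the addresses in it and the `check_queue` function are assumptions for illustration).

```bash
#!/bin/bash
# Constructed sample of `exim -bpr` output (not a real queue): one header line per
# message (age, size, message-id, envelope sender, optional "*** frozen ***"),
# then indented recipient lines and a blank line.
SAMPLE_QUEUE='25m  1.2K 1dZ2Xx-0001aB-3k <shop@example.com>
          buyer@example.org

 3h   45K 1dZ2Yy-0001aC-4l <> *** frozen ***
          bounce@example.net

 2m  3.1K 1dZ2Zz-0001aD-5m <shop@example.com>
          victim1@example.org
          victim2@example.org

 1m  2.0K 1dZ3Aa-0001aE-6n <alice@example.com>
          friend@example.org
'

# Header lines begin with an age such as 25m or 3h; recipient lines are
# indented addresses and never match this pattern.
HEADER='/^ *[0-9]+[smhdw] /'

# Number of queued messages (the qnum of the alert script).
queue_size() {
  awk "$HEADER"'{ n++ } END { print n+0 }'
}

# "count <sender>" per envelope sender, busiest first; bounces (<>) are
# skipped because they carry no sender to attribute the mail to.
senders_in_queue() {
  awk "$HEADER"'{ if ($4 != "<>") c[$4]++ } END { for (s in c) print c[s], s }' | sort -rn
}

# Read a queue listing from stdin; print OK when the queue is at or below the
# threshold, otherwise ALERT plus the sender holding the most messages.
# Returns 1 on ALERT so it can be chained: exim -bpr | check_queue 150 || mail ...
check_queue() {
  local threshold=$1 listing size top
  listing=$(cat)
  size=$(printf '%s\n' "$listing" | queue_size)
  if [ "$size" -le "$threshold" ]; then
    printf 'OK %s queued\n' "$size"
    return 0
  fi
  top=$(printf '%s\n' "$listing" | senders_in_queue | head -n 1)
  printf 'ALERT %s queued, %s from %s\n' "$size" "${top%% *}" "${top#* }"
  return 1
}

printf '%s\n' "$SAMPLE_QUEUE" | check_queue 3 || echo "(alert mail would be sent here)"
```

In a cron job, replace the sample with the live listing (`/usr/sbin/exim -bpr | check_queue 150`) and pipe the ALERT line into `mail` as the second post's script does.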
     
  3. cPanelMichael (Forums Analyst, Staff Member; cPanel Access Level: Root Administrator)