Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

How can I set up a simple Exim processing anaylizer script like this?

Discussion in 'E-mail Discussion' started by jols, Mar 6, 2012.

  1. jols

    jols Well-Known Member

    Mar 13, 2004
    Likes Received:
    Trophy Points:

    I can almost-but-not-quite figure out a shell script for doing this. But in any case, I need a way to do the following, in order to indicate to us if one of our hosted members' has had their email password stolen/hacked.

    1 -- Examine /var/log/exim_mainlog searching for "courier_login", e.g. grepping through the newest 200 log entries (for example).

    2 -- If the same account has logged in more than 8 times in the last 200 log entries then collect a list of the accessing IP addresses (which are of course right there in the Exim log entries).

    3 -- If there are more than 3 different accessing IP addresses (to the same email account) in this list, then send an email notice with a copy of the log in name/account that is being accessed.

    Typically email account passwords which are hacked (e.g. from Windows members who have keyloggers installed on their machines, etc.), we find that the email account will then be used from accessing IPs from all over the place. In such cases, each log in seems to come from a different geographic location. So if we could just be informed of these multiple logins, to the same account, from different IPs, then we could certainly get a leg up on quickly stopping this form of abuse.

    Is there such an exim monitor already built into cPanel, or a 3rd party script we could install which would do this?

    Anyone? Any help?

    With regard to scripting, the following will at least loop through the newest 200 exim log entries matching "courier_login", and sorting the results of the IPs that are found logging in:

    for i in `tail -200 /var/log/exim_mainlog | awk '/courier_login/' | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort

    So obviously I need to work out a secondary loop to take these results and look for matches where the login user name is the same but the accessing IP is different. Here's where I am stuck. But of course, this approach is likely awkward at best, as I am no shell scripter by any means.

    Thanks much for any assistance, or direction finding with this very important topic of cutting email abuse.
  2. ruzbehraja

    ruzbehraja Well-Known Member

    May 19, 2011
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator
    Have you explored CSF instead?

    It has some useful options like:
    • Block POP3 logins if greater than LT_POP3D times per hour per account per IP address (0=disabled)
    • Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hourper IP
    • Relay Tracking. This allows you to track email that is relayed through the
      # server. There are also options to send alerts and block external IP addresses
      # if the number of emails relayed per hour exceeds configured limits. The
      # blocks can be either permanent or temporary.
    • Connection Tracking. This option enables tracking of all connections from IP
      # addresses to the server. If the total number of connections is greater than
      # this value then the offending IP address is blocked. This can be used to help
      # prevent some types of DOS attack.
    • Process Tracking. This option enables tracking of user and nobody processes
      # and examines them for suspicious executables or open network ports. Its
      # purpose is to identify potential exploit processes that are running on the
      # server, even if they are obfuscated to appear as system services. If a
      # suspicious process is found an alert email is sent with relevant information.
      # It is then the responsibility of the recipient to investigate the process
      # further as the script takes no further action
  3. jols

    jols Well-Known Member

    Mar 13, 2004
    Likes Received:
    Trophy Points:
    Thanks, we are using CSF, but it does not have any facility for detecting multiple logins to the same email account from different IP addresses, as I described.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice