Maybe a new way to help stop spammers on my own servers

noimad1

Well-Known Member
Mar 27, 2003
626
0
166
I don't get a whole lot anymore, but I still occasionally get that fraudulent order that gets on my machine and starts to send spam out.

I use programs like Mail-Watch and such, but I tend to have a lot of server load issues with it, and sometimes it won't run correctly when the logs are too big.

So I had one more idea for helping catch spammers, but I'm not sure if it can be done or not.

I'm not much of a perl programmer, so I am looking for a little help.

I use the antivirus.exim file to filter out a lot of the "phishing" type e-mails. And I use a line like this:

# Exim system filter rule: match the keyword in the body, log the sender,
# then mark the message as handled so no further rules run.
if $message_body contains "safelist"
then
  logwrite "safelist from: $sender_address $tod_log $message_id processed"
  seen finish
endif

So I write all of those to a log, which looks like this (of course I could change it so the e-mail is first if need be):

safelist from: [email protected] 2006-06-08 13:09:22 1FoOwc-0000hy-TI processed

What I would like to do is write a script that I can have run through a cron to go through that filter log and check to see if any of the "$sender_address" match any domains that are currently on my system, and if it does, go ahead and send me an e-mail. That way it gives me one more layer of protection and I can go in and kill their account right away.

So I would imagine that it would involve pulling that data from the log file, going to one of the cpanel folders that has all of the domains listed (or maybe even the localdomains file) and seeing if it exists....

Would anyone be able to help me write that quick perl script? I am sure it is pretty easy, but just beyond me.
 

noimad1
brianoz said:
I don't get the point of this?

The perl script is almost trivial.

The point is to be notified of spammers on your server as soon as possible so you can go in and kill their accounts or unsecure script.

Basically my antivirus.exim file logs all of the filtered mail based on those bad keywords like phishing e-mails and such. I want to look through that log and see if any logged e-mail messages have come FROM any account on my server. If they do, then I want to be notified by e-mail. That's what I need the script for.

I could then set the cron up to run the script every 5 minutes to scan through my filter.log file and send me the notifications.

I can then go into that user's account and disable it. It would be one more line of defense other than Mail-Watch (which tends to not work sometimes) to catch spammers right away.

Not trying to be rude, but what doesn't make sense about that?
 

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
Sorry, I hope I wasn't rude either, I hadn't intended that either.

I just didn't understand what the script was meant to do, plus I use some other techniques to limit spam that make our server very unattractive to spammers. One is that I limit emails per account to 200 per hour, so a spammer will hit that limit pretty quickly.

If you can expand on your description of what the script should do, if it's short enough I'll see what I can do.
 

noimad1
brianoz said:
Sorry, I hope I wasn't rude either, I hadn't intended that either.

I just didn't understand what the script was meant to do, plus I use some other techniques to limit spam that make our server very unattractive to spammers. One is that I limit emails per account to 200 per hour, so a spammer will hit that limit pretty quickly.

If you can expand on your description of what the script should do, if it's short enough I'll see what I can do.
Thanks, I guess e-mail and forum postings can never be read properly due to the lack of "tone" that a normal conversation would have.

I appreciate your response.

I've thought of it programmatically, and I think here is what I would like the script to do.

1. Go through my /etc/localdomains file and build up an array with each part of the array equal to each domain listed in that file.

2. Then the script would go to my filter.log file and loop through the array of domains and see if any domain in the array matches anything in the filter.log file. If it finds a matching entry, I need it to e-mail me and say something like "this domain [whatever domain it is] was caught in your filter log. Please go and investigate".

The entries in the filter.log file look like this. It shows the e-mail address that was filtered, so it should be fairly easy to look through the file for a matching domain name from the localdomains file:

safelist from: [email protected] 2006-06-08 13:09:22 1FoOwc-0000hy-TI processed
safelist from: [email protected] 2006-06-08 13:09:22 1FoOwc-0000hy-TI processed
safelist from: [email protected] 2006-06-08 13:09:22 1FoOwc-0000hy-TI processed


That way I know that a website on my server was caught by my filter program. I can then go look at the filter log and see if it was an isolated incident or not.

And it would be best if, when it finds one and e-mails me, it automatically goes to the next domain in the array so that I don't get 300 e-mails if he sent out 300 spams that got filtered.

Now that I think about it, it might make more sense programmatically to build the array from the /etc/localdomains and then loop through it and see if it matches anything in the filter.log.

I do have limits on the number of e-mails per hour set on the servers, but my one big problem with that is that I have customers with legitimate mailing lists that may be 10k-20k large and they get caught by those limits, which can cause problems....So I can't set it that low.

If you are able to help that would be great.

Regards,
Damion
 
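Putting the two numbered steps above (and the same idea from the first post) into a script, as an added example that is not code from the thread: it loads /etc/localdomains, scans the filter log once, and sends one e-mail per matching domain rather than one per log line. The filter log path, the notification address and the use of /usr/sbin/sendmail are assumptions to adjust for your server.

```perl
#!/usr/bin/perl
# Added example, not from the thread: alert once per local domain that
# appears as a sender in the antivirus.exim filter log.
use strict;
use warnings;
# /etc/localdomains is from the thread; the other two are placeholders.
my $localdomains = '/etc/localdomains';
my $filter_log   = '/var/log/filter.log';   # placeholder path
my $notify_to    = 'root@localhost';        # placeholder address

# Step 1: load every domain in /etc/localdomains into a hash, lower-cased
# so mixed-case sender addresses still match.
sub load_domains {
    my ($path) = @_;
    my %domains;
    open my $fh, '<', $path or die "cannot open $path: $!";
    while (my $line = <$fh>) {
        $line =~ s/^\s+|\s+$//g;            # also strips the newline
        next if $line eq '' or $line =~ /^#/;
        $domains{lc $line} = 1;
    }
    close $fh;
    return \%domains;
}

# Step 2: scan the log once, pull the domain out of "from: user@domain",
# and keep only the first hit per domain (300 spams -> one e-mail).
sub find_local_senders {
    my ($path, $domains) = @_;
    my %hits;
    open my $fh, '<', $path or die "cannot open $path: $!";
    while (my $line = <$fh>) {
        chomp $line;
        next unless $line =~ /\bfrom:\s*\S+@([A-Za-z0-9.-]+)/;
        my $domain = lc $1;
        next unless $domains->{$domain};
        $hits{$domain} = $line unless exists $hits{$domain};
    }
    close $fh;
    return \%hits;
}

# Step 3: one notification per matching domain through the local sendmail.
my $hits = find_local_senders($filter_log, load_domains($localdomains));
for my $domain (sort keys %$hits) {
    open my $mail, '|-', '/usr/sbin/sendmail', '-t' or die "sendmail: $!";
    print $mail "To: $notify_to\nSubject: filter log alert for $domain\n\n",
        "Domain $domain was caught in your filter log. Please investigate.\n",
        "First matching entry:\n$hits->{$domain}\n";
    close $mail or warn "sendmail exited with status $?";
}
```

Run it from cron every few minutes as described; because only the first entry per domain is kept, a single account spewing hundreds of filtered messages still produces a single alert.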

brianoz
OK ... I think that explanation actually penetrated the fog over here, the use of "safelist" had confused me, now I just need to get some time to look at it!!

With the cpanel per-hour email limits, something you should be aware of is that it works well to set a low limit (eg: 250 per hour) and just increase the limit for those domains that need an increase.

You can selectively increase the per-hour limit on a per-domain basis by using /var/cpanel/maxemails and putting a line in it for the domain in question - eg: domain.com=10000 to increase that domain to 10,000 emails per hour. That way you're protected from new domains spamming yet established bona-fide domains can send out higher amounts of email.

Here's the definitive link on how to use maxemails:
http://forums.cpanel.net/showpost.php?p=171701&postcount=11

Cheers,

Brian
 

noimad1
brianoz said:
OK ... I think that explanation actually penetrated the fog over here, the use of "safelist" had confused me, now I just need to get some time to look at it!!

With the cpanel per-hour email limits, something you should be aware of is that it works well to set a low limit (eg: 250 per hour) and just increase the limit for those domains that need an increase.

You can selectively increase the per-hour limit on a per-domain basis by using /var/cpanel/maxemails and putting a line in it for the domain in question - eg: domain.com=10000 to increase that domain to 10,000 emails per hour. That way you're protected from new domains spamming yet established bona-fide domains can send out higher amounts of email.

Here's the definitive link on how to use maxemails:
http://forums.cpanel.net/showpost.php?p=171701&postcount=11

Cheers,

Brian
I really appreciate your help on this one.

Thanks for the info on the max-e-mails. I had no idea you could set it on a per-domain basis....Very helpful...

Thanks,
Damion