[imp] tools for monitoring outbound spam

Andrew Morgan morgan at orst.edu
Mon May 5 17:11:47 UTC 2008


On Mon, 5 May 2008, liamr at umich.edu wrote:

> Like many other institutions, we've got a problem with compromised
> accounts being used to send spam.  I know that the new version of Horde
> / IMP will allow people to place limits on outbound mail... but there
> is some concern in our organization that those methods will create
> problems for some legitimate users.
>
> Anyhoo.. I was wondering if anyone has written tools to monitor their
> sendmail logs / webserver transfer logs for suspicious activity (or for
> noticing that their servers have been added to RBLs).  Or if anyone is
> using tools that do these things, or would be interested in discussing the
> development of tools or strategies

I have a really simple script I run against the postfix logs on our 
Webmail servers:

#!/bin/sh
# Scan the postfix logs collected from every webmail host and print each
# queue-manager line whose recipient count (nrcpt=N) is 100 or more.
cat /var/log/hosts/webmail?/mail/* | perl -ne 'if (/ nrcpt=(\d+) /) { $cnt = $1; if ($cnt > 99) { print } }'
All that does is find anyone sending to 100 or more recipients at a time.

 	Andy
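As an added illustration (not Andy's script and not part of the original thread), the check below parses the postfix queue-manager lines that carry the nrcpt= field and reproduces the "100 or more recipients in one message" test, then goes one step further by summing recipients per sender, which catches a compromised account that sends many smaller messages that each stay under the per-message limit. The log lines, hostnames and addresses are constructed samples, not real traffic; the qmgr line layout (`QID: from=<...>, size=N, nrcpt=N (queue active)`) is the one postfix writes.

```python
import re
from collections import defaultdict

# Constructed sample postfix log lines (not real traffic); the hosts and
# addresses are hypothetical. Only postfix/qmgr lines carry nrcpt=.
SAMPLE_LOG = """\
May  5 09:12:01 webmail1 postfix/qmgr[1234]: 3A1B2C3D4E: from=<alice@example.edu>, size=2048, nrcpt=2 (queue active)
May  5 09:12:05 webmail1 postfix/qmgr[1234]: 3A1B2C3D4F: from=<bob@example.edu>, size=5120, nrcpt=150 (queue active)
May  5 09:13:10 webmail2 postfix/qmgr[2231]: 7F00AA11BB: from=<carol@example.edu>, size=1300, nrcpt=45 (queue active)
May  5 09:13:40 webmail2 postfix/qmgr[2231]: 7F00AA11BC: from=<carol@example.edu>, size=1290, nrcpt=48 (queue active)
May  5 09:14:02 webmail2 postfix/qmgr[2231]: 7F00AA11BD: from=<carol@example.edu>, size=1310, nrcpt=47 (queue active)
May  5 09:14:30 webmail1 postfix/smtpd[4001]: connect from client.example.edu[10.0.0.5]
May  5 09:15:00 webmail1 postfix/qmgr[1234]: 3A1B2C3D50: from=<>, size=900, nrcpt=1 (queue active)
"""

# Matches the queue-manager "from=" line; from=<> is a bounce (empty sender).
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Fa-f]+): "
    r"from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)"
)


def parse_qmgr(log_text):
    """Yield one record per qmgr 'from=' line; every other line is skipped."""
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if m:
            yield {
                "host": line.split()[3],   # syslog: month day time host ...
                "qid": m["qid"],
                "sender": m["sender"],
                "nrcpt": int(m["nrcpt"]),
            }


def large_messages(records, threshold=100):
    """The per-message test from the thread: one message to >= threshold recipients."""
    return [r for r in records if r["nrcpt"] >= threshold]


def bulk_senders(records, threshold=100):
    """Total recipients per sender across the whole log window.

    This catches accounts that split a mailing into many smaller messages,
    each of which would pass the per-message check on its own.
    """
    totals = defaultdict(int)
    for r in records:
        totals[r["sender"]] += r["nrcpt"]
    return {sender: n for sender, n in totals.items() if n >= threshold}


def report(log_text, per_message=100, per_sender=100):
    """Run both checks and return the hits in a form that is easy to alert on."""
    records = list(parse_qmgr(log_text))
    return {
        "large_messages": [
            (r["qid"], r["sender"], r["nrcpt"])
            for r in large_messages(records, per_message)
        ],
        "bulk_senders": bulk_senders(records, per_sender),
    }


if __name__ == "__main__":
    # In practice feed it the concatenated logs, e.g. cat /var/log/hosts/webmail?/mail/*
    for kind, hits in report(SAMPLE_LOG).items():
        print(kind, hits)
```

On the sample data the per-message check flags only bob's single 150-recipient message, while the per-sender total also flags carol, whose three messages of 45, 48 and 47 recipients add up to 140. Both thresholds are parameters, so a site can tune them separately to reduce the false positives the original poster was worried about.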

