This is the type of record I get when someone authenticates to send email.
Nov 29 09:45:28 ns1 sendmail[30199]: AUTH=server, relay=[1.2.3.4], authid=smithb, mech=PLAIN, bits=0
This command pulls the AUTH portion out of each line (the fourth colon-separated field, after the timestamp), sorts the records, and counts identical ones, so the result is one line per relay/authid combination with its count in front.
grep "authid" maillog | cut -d ":" -f 4 | sort -n | uniq -c
36772 AUTH=server, relay=[176.222.239.10], authid=smithb, mech=LOGIN, bits=0
    1 AUTH=server, relay=[24.2.3.4], authid=usera, mech=PLAIN, bits=0
    8 AUTH=server, relay=[64.201.195.49], authid=userb, mech=LOGIN, bits=0
   94 AUTH=server, relay=[72.201.195.4], authid=userc, mech=LOGIN, bits=0
The first account has authenticated to the outgoing server 37k times this week. Someone has compromised that password and is using the account to send spam. I will save this command and find the culprit much faster next time.
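The one-liner above counts per relay/authid pair, so an attacker rotating through many source addresses would be split into many small counts. The script below is an added example, not part of the original post: it runs the same idea over a few constructed sample lines (not real log data; IPs are from documentation ranges), counts per authid regardless of relay, reports how many distinct relay addresses each account has used, and flags any account over a chosen threshold. The function names and the threshold value are my own choices.

```shell
#!/bin/sh
# Added example: count sendmail AUTH=server records per account and flag outliers.
# Constructed sample maillog lines (not real data).
SAMPLE_LOG='Nov 29 09:45:28 ns1 sendmail[30199]: AUTH=server, relay=[198.51.100.10], authid=smithb, mech=LOGIN, bits=0
Nov 29 09:45:29 ns1 sendmail[30200]: AUTH=server, relay=[198.51.100.10], authid=smithb, mech=LOGIN, bits=0
Nov 29 09:45:31 ns1 sendmail[30201]: AUTH=server, relay=[198.51.100.11], authid=smithb, mech=LOGIN, bits=0
Nov 29 09:46:02 ns1 sendmail[30210]: AUTH=server, relay=[203.0.113.7], authid=usera, mech=PLAIN, bits=0
Nov 29 09:47:15 ns1 sendmail[30215]: AUTH=server, relay=[192.0.2.44], authid=userb, mech=LOGIN, bits=0
Nov 29 09:48:00 ns1 sendmail[30220]: STARTTLS=server, relay=[192.0.2.44], version=TLSv1.2, verify=NO, cipher=AES256-GCM-SHA384, bits=256/256'

# count_by_authid: reads log lines on stdin, prints "<count> <authid>" per
# account, busiest first. Only AUTH=server lines are considered, so STARTTLS
# and other sendmail records are ignored.
count_by_authid() {
    sed -n 's/.*AUTH=server.*authid=\([^,]*\),.*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# distinct_relays: prints "<n_distinct_relay_ips> <authid>" per account,
# highest first. One account authenticating from many different addresses
# is a typical sign of a leaked password.
distinct_relays() {
    sed -n 's/.*relay=\[\([^]]*\)].*authid=\([^,]*\),.*/\2 \1/p' |
        sort -u |
        awk '{ c[$1]++ } END { for (u in c) print c[u], u }' |
        sort -rn
}

# flag_over_threshold LIMIT: prints the authids with more than LIMIT
# successful authentications. LIMIT is whatever is "normal" on your server.
flag_over_threshold() {
    limit="$1"
    count_by_authid | awk -v limit="$limit" '$1 > limit { print $2 }'
}

# Stand-alone usage over the constructed sample; on a real host feed the
# file instead, e.g.  grep AUTH=server /var/log/maillog | count_by_authid
printf '%s\n' "$SAMPLE_LOG" | count_by_authid
printf '%s\n' "$SAMPLE_LOG" | distinct_relays
printf '%s\n' "$SAMPLE_LOG" | flag_over_threshold 2
```

With the sample data smithb is the only account over the threshold of 2 and the only one seen from more than one relay address; on a real log the threshold should be set from a week of normal traffic rather than hard-coded.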
I took some inspiration from this post.
http://www.oxxus.net/wiki/Mail_server_log_analyzing