Solved
How to identify a possible Spam situation

Posted on 2006-05-29
Last Modified: 2010-04-20
Hi:

I have experienced a problem with my server, and I don't know which tools and/or procedures I should use to really inspect and find out what is going on.

The server is a P-4, 2 MB RAM, SCSI disk, running Linux CentOS, Sendmail, SpamAssassin, and MailScanner (this one only during the night shift). So, it is a good environment. This is a server dedicated only to e-mail POP and SMTP; it has no production domains / sites.

Frequently I realize that its CPU load average is quite high, sometimes above 30.x, 40.x, 50.x. We have even had times over 100.x. Normally when it happens, I close SpamAssassin, and if necessary I also close Sendmail. When it comes back down to below 10.x I start them again.

I suspect that my server is being used by spammers to send mass emails. It is not an open relay, but maybe some of my customers, or someone who by any means got a valid user/password, is doing this.

Well, all I would like to know is how to identify this (if possible, of course), how to be sure and see clearly that someone is spamming on my Server, and how to avoid this. Is there any sequence of commands or Scripts, that could show me this?

Thanks for any help.

Mario./
Question by:multisites
11 Comments

Expert Comment

by:fridom
ID: 16783718
Check the logs, that's the first thing you can and should do.

Regards
Friedrich

Author Comment

by:multisites
ID: 16783764
Thanks, but look, I am not experienced with operating systems. I have looked at /var/log/maillog, /var/log/messages, but I am not skilled enough to understand what I am looking at. So, I need something like a tutorial, a "cook recipe", a procedure to follow to identify clearly what is happening with the server at that given moment.

Expert Comment

by:ahoffmann
ID: 16783923
If you're sure that it is not an open relay, all mails are sent by the server (in particular by one of your authorized users).

But the load (I guess you mean that by 30.x, 40.x, etc.) must not be caused by sending mails. So you first have to identify what is causing that load. Use top for that.
If spamassassin is causing the load, then I guess that incoming mail is the reason. Or do you use spamassassin too for outgoing mails?

Author Comment

by:multisites
ID: 16784061
Hi, ahoffmann, whenever this situation occurs, and I give top command, I see tons of sendmail and spamd instances running.

Today, for instance, around 08:00 am, the server went to 182.xx of Cpu Load Average. Then, I firstly closed spamassassin, it came to around 80.xx, but only after I also stopped Sendmail it normalized.

That's why I guess the server could be being used for spamming. But I need to know how to read the info and understand / identify quickly what is going on, and if possible, identify any IP or domain from which most of this load is coming. That way I could block them or something, I don't know.

I have to use spamassassin for outgoing too, in order to minimize the possibility of being blocked by blacklists services elsewhere.

Thanks.

Mario./

Expert Comment

by:ahoffmann
ID: 16784218
then check /var/log/maillog; it contains at least one entry for each incoming and outgoing mail, and depending on your sendmail configuration it also tells you what sendmail does with each incoming and outgoing mail.
Even though the logfile looks chaotic at first glance, it's simple to read and understand, 'cause all entries there which have the same message-ID belong to the same incoming or outgoing mail, so you can trace the mail by its message ID.
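Building on the point that every maillog line for one mail carries the same queue/message ID, here is an added example (not posted in this thread) of reading the log the way a defender would when the worry is a leaked user/password: it joins each message's "AUTH=server ... authid=" line with its "from= ... nrcpts=" line by queue ID, then totals messages and recipients per authenticated user. The log lines are constructed to resemble sendmail's format (the authid= and nrcpts= field names are sendmail's; the users, queue IDs and addresses are made up), and the script assumes the two lines for a message share the 6th whitespace-separated field.

```shell
#!/bin/sh
# Added example: per-SMTP-AUTH-user outbound volume from a sendmail maillog.
# An account with far more messages/recipients than its usual pattern is the
# first thing to look at when a server is suspected of relaying spam via a
# stolen password. Sample log below is constructed, not captured.

make_sample_log() {
    cat > "$1" <<'EOF'
May 24 08:00:01 mailhost sendmail[2001]: k4OB001a002001: AUTH=server, relay=[192.0.2.10], authid=mario, mech=LOGIN, bits=0
May 24 08:00:01 mailhost sendmail[2001]: k4OB001a002001: from=<mario@example.com>, size=1450, class=0, nrcpts=2, msgid=<1@example.com>, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
May 24 08:00:05 mailhost sendmail[2002]: k4OB005b002002: AUTH=server, relay=[203.0.113.7], authid=joe, mech=LOGIN, bits=0
May 24 08:00:05 mailhost sendmail[2002]: k4OB005b002002: from=<joe@example.com>, size=9800, class=0, nrcpts=250, msgid=<2@example.com>, proto=ESMTP, daemon=MTA, relay=[203.0.113.7]
May 24 08:00:09 mailhost sendmail[2003]: k4OB009c002003: AUTH=server, relay=[203.0.113.7], authid=joe, mech=LOGIN, bits=0
May 24 08:00:09 mailhost sendmail[2003]: k4OB009c002003: from=<joe@example.com>, size=9800, class=0, nrcpts=300, msgid=<3@example.com>, proto=ESMTP, daemon=MTA, relay=[203.0.113.7]
May 24 08:00:12 mailhost sendmail[2004]: k4OB00cd002004: from=<news@other.example>, size=3200, class=0, nrcpts=1, msgid=<4@other.example>, proto=ESMTP, daemon=MTA, relay=mx.other.example [198.51.100.5]
EOF
}

# Print "authid messages recipients" per authenticated user, most recipients
# first. Messages with no AUTH line (ordinary inbound mail) are lumped under
# "(unauthenticated)" so you can see them but they do not pollute the user view.
auth_sender_report() {
    awk '
    {
        qid = $6; sub(/:$/, "", qid)       # queue id is field 6, drop trailing colon
    }
    /AUTH=server/ && match($0, /authid=[^,]+/) {
        user[qid] = substr($0, RSTART + 7, RLENGTH - 7)   # value after "authid="
    }
    /from=</ && match($0, /nrcpts=[0-9]+/) {
        rcpts[qid] = substr($0, RSTART + 7, RLENGTH - 7)  # value after "nrcpts="
    }
    END {
        for (q in rcpts) {
            u = (q in user) ? user[q] : "(unauthenticated)"
            msgs[u]++; total[u] += rcpts[q]
        }
        for (u in msgs) printf "%s %d %d\n", u, msgs[u], total[u]
    }' "$1" | sort -k3,3nr
}

# Stand-alone use: sh thisscript.sh /var/log/maillog ; with no argument it
# runs on the constructed sample.
if [ $# -gt 0 ]; then
    auth_sender_report "$1"
else
    tmp=$(mktemp); make_sample_log "$tmp"; auth_sender_report "$tmp"; rm -f "$tmp"
fi
```

On the sample this ranks "joe" first with 2 messages to 550 recipients, which is the kind of outlier worth checking against that customer's normal traffic before deciding anything; on a real log, run it per day (or pipe `grep 'May 24'` into it) so a single bad hour is not averaged away.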

Expert Comment

by:ahoffmann
ID: 16784229
as you say that sendmail also causes a huge load, I guess that it waits for spamassassin and/or has a huge mail queue, check with:
   mailq
or
  sendmail -bp

Expert Comment

by:Tintin
ID: 16786147
You can configure sendmail to reject mail once the load average gets above a certain point.  That will help your performance problems while trying to track why the mail load is so high.
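As an added illustration of the load-average limits Tintin refers to (not from the thread): sendmail reads them from sendmail.cf as `O QueueLA=` (above this load, accepted mail is queued instead of delivered right away) and `O RefuseLA=` (above this load, new SMTP connections are refused). The sendmail.cf fragment below is constructed, the values 8 and 12 are sample thresholds rather than recommendations, and the `la_action` function only mirrors the comparison sendmail makes so the effect of a given threshold can be seen against the loads mentioned in the question.

```shell
#!/bin/sh
# Added example: inspect sendmail's QueueLA / RefuseLA thresholds and show
# which action a given load average would trigger. Constructed config; real
# sendmail falls back to its compiled-in defaults when a line is absent,
# whereas this script then treats that limit as disabled.

make_sample_cf() {
    cat > "$1" <<'EOF'
# sendmail.cf fragment (constructed). The sendmail.mc equivalents are:
#   define(`confQUEUE_LA', `8')dnl
#   define(`confREFUSE_LA', `12')dnl
O QueueLA=8
O RefuseLA=12
EOF
}

# Print the two thresholds from a sendmail.cf, e.g. "QueueLA=8 RefuseLA=12"
la_thresholds() {
    awk '/^O QueueLA=/  { q = substr($2, 9) }
         /^O RefuseLA=/ { r = substr($2, 10) }
         END { printf "QueueLA=%s RefuseLA=%s\n", q, r }' "$1"
}

# usage: la_action LOAD CF_FILE  ->  prints deliver | queue | refuse
la_action() {
    awk -v load="$1" '
        /^O QueueLA=/  { q = substr($2, 9) + 0 }
        /^O RefuseLA=/ { r = substr($2, 10) + 0 }
        END {
            if (r > 0 && load >= r)      print "refuse"
            else if (q > 0 && load >= q) print "queue"
            else                         print "deliver"
        }' "$2"
}

# Stand-alone demo on the constructed fragment.
cf=$(mktemp); make_sample_cf "$cf"
la_thresholds "$cf"
for load in 5 9.5 40; do printf "load %s -> %s\n" "$load" "$(la_action "$load" "$cf")"; done
rm -f "$cf"
```

With these sample values a load of 40 (let alone the 182 seen in the question) would already have sendmail refusing connections, which keeps the box usable while the maillog is examined; the numbers to use depend on the machine, so check what the current sendmail.cf actually says before relying on the behaviour.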

Author Comment

by:multisites
ID: 16788928
ahoffmann, do you know any program which could read "maillog" and print an analysis or a report of its contents, so that a non-skilled user could understand better what is going on?

If not, by your experience do you think it would be feasible and useful to develop a Script that could work in two ways:

a) If it was called without parameters it would read the maillog and print a report "translating" or "interpreting" the information content.

b) This program could also ask for parameters, like a username, or a date, or a message-Id, or an email address, or a combination of these, look for those records, and printing the report on them.

What do you think?

Expert Comment

by:ahoffmann
ID: 16789007
hmm, I don't know of a particular program/script for that, even though I'm sure that they exist.
If you search the web, you'll find dozens of them; it's just a matter of what such a program should exactly do (meaning how it should filter your log), that's the criteria for you to select the right one.

Also this "criteria" seems to be the problem (not only yours:), 'cause you usually don't know what you're looking for. You're looking for anomalies in your log to identify a problem somewhere else; that's done with sophisticated programs using a configurable heuristic approach, etc. etc. ...
I guess you're better off getting used to some simple text programs like grep, awk, sed and perl. That's also the answer to your a) and b).
With grep you can extract messages according to "username, or a date, or a message-Id, or an email address"; it even can be done with "a combination of these". grep by default prints the result (exactly what you asked for in b)).
With awk you can simply reformat your output and/or reduce the output to a more (human) readable form.

Keep in mind that maillog is a simple format: each message in a single line where the first fields are date, host, program etc.

Author Comment

by:multisites
ID: 16841066
Hi, ahoffmann, just to close this question, two technical doubts:

. How to code a grep to combine two or three patterns to be matched? For instance, if I need to grep maillog looking to match "sendmail" and a given date, "May 24" and any given user, "multisites" ?

. How to code that "awk" command you mentioned as to reduce a log output to be more easily understood?

Thanks.

Accepted Solution

by:ahoffmann (earned 500 total points)
ID: 16841177
> How to code a grep to combine two or three patterns to be matched?
not possible with traditional grep, just GNU grep which has the -e option, otherwise use egrep (without -e)

   egrep '(this|that) pattern' file

> How to code that "awk" command you mentioned as to reduce a log output ...
assuming you have lines as follows in your logfile:

06 Jun 06 14:42:42: hostname: [a process]: this is the message you want to have blah, blah, blah ...

then use gawk (which is default awk on Linux) as follows:

  awk '{$1=$2=$3=$4=$5=$6="";print }' file

which would result in:

      this is the message you want to have blah, blah, blah ...
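The two questions answered above (matching several patterns, and trimming the syslog prefix with awk) put together in one added example, which is not from the accepted answer. Note the distinction the question actually needs: `egrep '(this|that)'` matches lines containing either pattern, whereas "sendmail" AND "May 24" AND "multisites" requires every pattern to match, which is done here by chaining one grep per pattern. The log lines are constructed in sendmail's maillog style (the user name and date are the ones from the question, everything else is made up), and `strip_prefix` assumes the standard five leading syslog fields (month, day, time, host, program[pid]:).

```shell
#!/bin/sh
# Added example: AND-combination of grep patterns plus an awk that drops the
# syslog prefix, run over constructed maillog-style lines.

sample_lines() {
    cat <<'EOF'
May 24 09:15:01 mailhost sendmail[3100]: k4OCF1ab003100: from=<multisites@example.com>, size=512, class=0, nrcpts=1, msgid=<a@example.com>, proto=ESMTP, daemon=MTA, relay=[192.0.2.20]
May 24 09:15:02 mailhost spamd[3101]: clean message (-1.2/5.0) for multisites:501 in 0.9 seconds, 512 bytes.
May 25 09:15:03 mailhost sendmail[3102]: k4PCF3cd003102: from=<multisites@example.com>, size=600, class=0, nrcpts=1, msgid=<b@example.com>, proto=ESMTP, daemon=MTA, relay=[192.0.2.20]
May 24 09:16:00 mailhost sendmail[3103]: k4OCG0ef003103: from=<other@example.com>, size=700, class=0, nrcpts=1, msgid=<c@example.com>, proto=ESMTP, daemon=MTA, relay=[192.0.2.21]
EOF
}

# Keep only lines that match EVERY pattern given, in any order.
# usage: grep_all PATTERN... < input
# Each pattern becomes one grep stage in a pipeline; with no patterns left the
# surviving lines are passed through unchanged.
grep_all() {
    local p
    if [ $# -eq 0 ]; then
        cat
    else
        p=$1; shift
        grep -e "$p" | grep_all "$@"
    fi
}

# Blank the first five fields (date, host, program) and drop the spaces
# awk leaves behind, so only the message part remains.
strip_prefix() {
    awk '{ for (i = 1; i <= 5; i++) $i = ""; sub(/^ +/, ""); print }'
}

# The question's concrete case: sendmail lines from May 24 involving multisites.
report() {
    sample_lines | grep_all sendmail 'May 24' multisites | strip_prefix
}

# Stand-alone use: sh thisscript.sh /var/log/maillog sendmail 'May 24' someuser
# With no arguments it runs the constructed case above.
if [ $# -ge 2 ]; then
    f=$1; shift
    grep_all "$@" < "$f" | strip_prefix
else
    report
fi
```

On the sample only the first line survives all three filters (the spamd line lacks "sendmail", the third is from May 25, the fourth is another user), and it comes out as `k4OCF1ab003100: from=<multisites@example.com>, ...`, i.e. starting at the queue ID that the earlier comment suggested tracing by.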