Spammer Alert
Posted: 14 Jul 2015 02:16
I have written a script that will be executed under cron.hourly.
It checks the spam from the last hour against a database of domains that are handled by your email server. It then sends you an email if someone from that domain is spamming. There is a lot of room for this to grow. But this is the simplest version I could make. There is a table under the mailscanner database called Domains. It has a column called domain that contains the list of your email server's domains.
You must have mailutils installed.
Below is the bash script.
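#!/bin/bash
# Hourly cron job: report local senders whose mail was flagged as spam.
username=root
# Read the MySQL root password from the EFA configuration file.
password=$(grep MYSQLROOTPWD /etc/EFA-Config | sed 's/.*://')
database=mailscanner
sendto=admin@mail.mail

# INTO OUTFILE refuses to overwrite an existing file, so clear any leftover.
rm -f /tmp/senders

mysql -u "$username" -p"$password" -D "$database" -e \
"SELECT from_address,COUNT(*) FROM maillog \
WHERE isspam=1 AND DATE_SUB(NOW(),INTERVAL 1 HOUR) <= timestamp \
AND from_domain IN (SELECT domain from Domains where 1) \
GROUP BY from_address ORDER BY COUNT(*) DESC LIMIT 50 \
INTO OUTFILE '/tmp/senders' FIELDS TERMINATED BY ',' \
ENCLOSED BY '\"' LINES TERMINATED BY '\n';" || exit 1

# Each line of the file looks like "address","count".
while IFS= read -r sender; do
    if [ -n "$sender" ]
    then
        # Split on the comma and drop the enclosing double quotes.
        user=$(printf '%s\n' "$sender" | sed 's/,.*$//' | tr -d '"')
        offenses=$(printf '%s\n' "$sender" | sed 's/.*,//' | tr -d '"')
        echo "User: $user has recently been sending spam. $offenses messages have been reported as spam." | mail -s "Possible Account Hack" "$sendto"
    fi
done < /tmp/senders
rm -f /tmp/senders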
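As an added example (not part of the original post), here is one way to turn the "address","count" lines written by the query into a single digest: senders below a threshold are dropped, and malformed lines or addresses with unexpected characters are rejected before they reach the alert mail. MIN_SPAM, parse_line and build_digest are names assumed for this sketch, and the sample lines are constructed.

```bash
#!/bin/bash
# Added example, not the poster's script. MIN_SPAM, parse_line and
# build_digest are hypothetical names chosen for this sketch.
MIN_SPAM=${MIN_SPAM:-5}   # assumed threshold: ignore senders below this count

# parse_line LINE: on success sets $addr and $count, otherwise returns 1.
parse_line() {
    # Expect exactly the OUTFILE layout: "address","count"
    case $1 in
        \"*\",\"*\") ;;
        *) return 1 ;;
    esac
    addr=${1%\",\"*};  addr=${addr#\"}
    count=${1##*\",\"}; count=${count%\"}
    case $count in
        ''|*[!0-9]*) return 1 ;;          # count must be digits only
    esac
    # The sender address is attacker-influenced: allow a conservative
    # character set so nothing unexpected reaches the alert mail.
    case $addr in
        *[!A-Za-z0-9._%+=@-]*) return 1 ;;
        *@*@*) return 1 ;;
        ?*@?*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_digest FILE: one line per sender at or above MIN_SPAM, then a
# note on how many lines were rejected as malformed.
build_digest() {
    skipped=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        if parse_line "$line"; then
            if [ "$count" -ge "$MIN_SPAM" ]; then
                printf '%s sent %s messages flagged as spam in the last hour\n' "$addr" "$count"
            fi
        else
            skipped=$((skipped + 1))
        fi
    done <"$1"
    [ "$skipped" -eq 0 ] || printf '%s line(s) skipped as malformed\n' "$skipped"
}

# Constructed sample of /tmp/senders contents (not real data).
sample=$(mktemp)
printf '%s\n' '"alice@example.com","12"' '"bob@example.com","2"' 'garbage' >"$sample"
build_digest "$sample"
rm -f "$sample"
```

When the digest is non-empty, it can be piped to one `mail -s "Possible Account Hack" "$sendto"` call instead of sending one message per sender.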