Found an interesting way for Plesk/qmail users to identify an account that is abusing your authenticated SMTP service.

Running the command:

grep -i smtp_auth /var/log/messages | grep "logged in" | awk '{ print $11 }' | awk -F / '{ print $6 "@" $5 }' | sort | uniq -c | sort -n | tail

or:

grep -i smtp_auth /var/log/syslog | grep "logged in" | awk '{ print $11 }' | awk -F / '{ print $6 "@" $5 }' | sort | uniq -c | sort -n | tail

depending on your Linux distribution (Red Hat-style systems log to /var/log/messages, Debian-style ones to /var/log/syslog). The pipeline keeps only the successful smtp_auth logins, pulls the mailbox path out of each line, turns /var/qmail/mailnames/<domain>/<user> into user@domain and counts the occurrences, so you get output like the example below, with the login count in front of each account:

7 user@example.com
7 someone@spamewhere.net.au
8 stuff@onthenet.com.au
8919 user@crackeddomain.com.au

As you can see, the account 'user' at the domain 'crackeddomain.com.au' has an unusually high number of authenticated SMTP logins for a single mailbox.

This is useful for spotting bulk email being sent through your server, or hijacked accounts being used by spammers.
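The same check as a reusable shell function, added here as an example; it is not from the original post or from rackerhacker.com. It goes a little beyond the one-liner: it also counts how many distinct source IPs each mailbox logged in from (a hijacked account tends to be used from many addresses) and flags mailboxes whose login count reaches a threshold. The sample log lines are constructed for the example and the exact wording of the smtp_auth lines, including the bracketed source IP at the end, is an assumption; the function locates the /var/qmail/mailnames/<domain>/<user> path by pattern instead of trusting field 11, so it is less sensitive to differences in the syslog prefix.

```shell
#!/bin/sh
# Added example (not from the original post): summarise smtp_auth logins per
# mailbox, with the number of distinct source IPs each mailbox used, and flag
# outliers. The log format below is an assumption about Plesk/qmail syslog
# lines; adjust the patterns if yours differ.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT

# Constructed sample log lines (not a real capture).
cat > "$SAMPLE_LOG" <<'EOF'
Jun 12 10:00:01 mail smtp_auth: SMTP user user@example.com : /var/qmail/mailnames/example.com/user logged in from host1 [203.0.113.5]
Jun 12 10:00:02 mail smtp_auth: SMTP connect from unknown [198.51.100.7]
Jun 12 10:00:03 mail smtp_auth: SMTP user stuff@onthenet.example : /var/qmail/mailnames/onthenet.example/stuff logged in from host2 [203.0.113.9]
Jun 12 10:00:04 mail smtp_auth: SMTP user user@cracked.example : /var/qmail/mailnames/cracked.example/user logged in from unknown [198.51.100.7]
Jun 12 10:00:05 mail smtp_auth: SMTP user user@cracked.example : /var/qmail/mailnames/cracked.example/user logged in from unknown [198.51.100.8]
Jun 12 10:00:06 mail smtp_auth: SMTP user user@cracked.example : /var/qmail/mailnames/cracked.example/user logged in from unknown [192.0.2.33]
Jun 12 10:00:07 mail smtp_auth: SMTP user user@cracked.example : /var/qmail/mailnames/cracked.example/user logged in from unknown [192.0.2.34]
Jun 12 10:00:08 mail smtp_auth: SMTP user user@example.com : /var/qmail/mailnames/example.com/user logged in from host1 [203.0.113.5]
Jun 12 10:00:09 mail smtp_auth: SMTP user user@cracked.example : /var/qmail/mailnames/cracked.example/user logged in from unknown [192.0.2.35]
EOF

# smtp_auth_summary LOGFILE [THRESHOLD]
# Prints "<logins> <distinct source IPs> <user@domain>" per mailbox, lowest
# count first, and appends SUSPECT when logins reach THRESHOLD (default 100).
smtp_auth_summary() {
    logfile=$1
    threshold=${2:-100}
    awk -v thr="$threshold" '
        # Only successful authentications, as in the grep pipeline.
        tolower($0) ~ /smtp_auth/ && /logged in/ {
            # Find the mailnames path wherever it sits on the line instead of
            # trusting a fixed field number, which shifts with the syslog prefix.
            if (!match($0, "/var/qmail/mailnames/[^/ ]+/[^/ ]+")) next
            n = split(substr($0, RSTART, RLENGTH), p, "/")
            acct = p[n] "@" p[n - 1]
            logins[acct]++
            # Source address: last token, in square brackets (assumed format).
            ip = $NF
            sub(/^\[/, "", ip); sub(/\]$/, "", ip)
            if (!((acct, ip) in seen)) { seen[acct, ip] = 1; ips[acct]++ }
        }
        END {
            for (a in logins)
                printf "%d %d %s%s\n", logins[a], ips[a], a, (logins[a] >= thr ? " SUSPECT" : "")
        }' "$logfile" | sort -n
}

# On a live box point it at your syslog, e.g.: smtp_auth_summary /var/log/messages 500
smtp_auth_summary "$SAMPLE_LOG" 4
```

Pick the threshold from what is normal for your users; the point is that a mailbox with hundreds of logins from many unrelated addresses stands out from the handful of logins a person's mail client makes, which is exactly the pattern in the output above.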

I found this on rackerhacker.com, a site by Senior Rackspace Systems Engineer Major Hayden. Go and check it out; it is full of awesome content.