Found an interesting solution for users of plesk/qmail for how to identify a user who is abusing your authenticated SMTP service.

Running the command:

cat /var/log/messages | grep -i smtp_auth | grep "logged in" | awk {' print $11 '} | awk -F / {' print $6"@"$5 '} | sort | uniq -c | sort -n | tail

or:

cat /var/log/syslog | grep -i smtp_auth | grep "logged in" | awk {' print $11 '} | awk -F / {' print $6"@"$5 '} | sort | uniq -c | sort -n | tail

Depending on your Linux Distro and you will get an output like the example bellow:

7 user@example.com
7 someone@spamewhere.net.au
8 stuff@onthenet.com.au
8919 user@crackeddomain.com.au

As you can see the account ‘user’ for the domain ‘crackeddomain.com.au’ are having unusually high amounts of SMTP connections for an account.

This is useful for tracking bulk email being sent through your system or hijacked accounts being used by spammers.

I found this on rackerhacker.com a site by Senior Rackspace Systems Engineer Major Hayden, go and check it out it is full of awesome content.

• Bookmark on Delicious
• Digg this post
• Recommend on Facebook
• share via Reddit
• Share with Stumblers
• Tweet about it
• Subscribe to the comments on this post
• Tell a friend

Tags: bash, email, linux, monitoring, plesk, scripting, smtp