Recently I have been getting quite a few spam problems where the spammers were using valid SMTP AUTH accounts on my server. They have either dictionary-attacked the account or the password has leaked.
After quite a bit of hacking about I have come up with this single (long) command, which lists any smtp_auth login that has been authorised from 10 or more different IP addresses. My logs rotate every 24 hours, so I didn't need to filter by date.
THIS WORKS ON: CentOS 6.5 with Plesk 10.x installed, using qmail. Your mileage may vary.
cat /usr/local/psa/var/log/maillog | grep "smtp_auth" | awk '/logged in from/ {print $8"\t"$14}' | sort -u -k1 | awk '{ print $1 }' | sort | uniq -c | sed -e 's/^[ \t]*//' | awk '$1 >= 10'
Before anyone comments that I have an unnecessary cat and that there are better ways to do this: I want it done in clear, easy-to-understand stages so that when I come back to it later it is still readable. Don't use it if you don't like it…
The first section cats the maillog and filters for lines containing smtp_auth. This gets us both failures and successes.
We then use awk to keep only successful logins (lines containing "logged in from") and extract the username (field 8) and the IP address (field 14), tab-separated.
We then sort with -u so that each username/IP pair appears exactly once (the -k1 key runs from field 1 to the end of the line, so uniqueness is effectively on the whole line).
I then use awk to extract just the usernames, giving one line per distinct IP each user has logged in from.
I then sort and pass through uniq -c to collapse to unique usernames, with a count of distinct IPs added to the front of each.
Sed strips the leading whitespace that uniq -c adds (awk would ignore it anyway, but it keeps the output tidy).
Awk finally lists only those usernames that have logged in from 10 or more IP addresses.
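The same detection logic, as an added example that is not part of the original post: the pipeline above wrapped in a function with a configurable threshold and run over a constructed sample log. The sample lines are made up; their layout assumes the Plesk/qmail smtp_auth format that the one-liner's field positions imply ($8 = user, $14 = bracketed IP), and the wording of the constructed failure line is an assumption too.

```shell
#!/bin/sh
# Added example, not the original post's code. Same stages as the one-liner,
# with the threshold made a parameter and a constructed sample log to run on.

make_sample_log() {
  # Write constructed (not real) maillog lines to the file named in $1.
  # alice logs in from three different addresses, bob from one address
  # twice, and carol only has a failure line, so carol must not be counted.
  # Line layout assumes the Plesk/qmail smtp_auth format ($8 user, $14 IP).
  cat > "$1" <<'EOF'
Mar 21 09:51:21 srv smtp_auth: SMTP connection from [203.0.113.5]
Mar 21 09:51:21 srv smtp_auth: SMTP user alice@example.com : logged in from unknown [203.0.113.5]
Mar 21 09:52:02 srv smtp_auth: SMTP user alice@example.com : logged in from unknown [198.51.100.7]
Mar 21 09:52:40 srv smtp_auth: SMTP user alice@example.com : logged in from unknown [198.51.100.7]
Mar 21 09:53:11 srv smtp_auth: SMTP user alice@example.com : logged in from unknown [192.0.2.9]
Mar 21 09:54:00 srv smtp_auth: SMTP user bob@example.com : logged in from unknown [203.0.113.5]
Mar 21 09:55:00 srv smtp_auth: SMTP user bob@example.com : logged in from unknown [203.0.113.5]
Mar 21 09:56:00 srv smtp_auth: SMTP user carol@example.com : login failed from unknown [192.0.2.9]
EOF
}

flag_shared_logins() {
  # $1 = maillog path, $2 = minimum number of distinct IPs (default 10).
  # Prints one line per flagged user: "<distinct IP count> <user>".
  threshold="${2:-10}"
  grep "smtp_auth" "$1" \
    | awk '/logged in from/ {print $8"\t"$14}' \
    | sort -u \
    | awk '{print $1}' \
    | sort \
    | uniq -c \
    | awk -v t="$threshold" '$1 >= t {print $1, $2}'
}

# Stand-alone run: flag anyone seen from 3 or more addresses in the sample.
tmp="${TMPDIR:-/tmp}/maillog.sample.$$"
make_sample_log "$tmp"
flag_shared_logins "$tmp" 3
rm -f "$tmp"
```

Two caveats when using this on a live box: the threshold counts distinct IPs over whatever the current log file covers, so a roaming user on a mobile network can legitimately trip it, and it only ever sees successful logins, so an account still being dictionary-attacked (lots of failures, no success yet) will not show up; the failure lines the first grep keeps are the place to look for that.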
I will probably come back and explain this better at a later date and clean it up, but I need to get back to cleaning up.