General command line question and MAPS question.

Tormente

Guest
Is there a way, from the command line, to grep the Log Watch Emails (or multiple files) and output a list of top SMTP connections, grouped by network range? (combine the number of connections from individual IPs in the range of "###.###.###.")

Also, does anyone know of a MAPS server that will block network ranges, or groups of IPs of high abuse spammers? Or any way to automatically do that (iptable)?

Thanks.
 
I've been blocking IP ranges using the firewall module.

Since you're running 8, if you make any changes to the firewall rules and attempt to block connections from IP addresses you'll probably have to apply the changes and then go out and start mail again through the services panel.

I'm not sure why but every time I add an IP range and then apply the configuration in the firewall module, I have to go start mail services again.
 
Code:
# Count SMTP connections per /24 (last octet stripped), busiest ranges first
cat /var/log/secure*|grep smtp|awk -F: '{print $5}'|sed 's/^.*from=//; s/\.[0-9]\{1,3\}$//;'|sort|uniq -c|sed 's/^ *//;'|sort -nr|more
You will have to change the path/filename to whatever you want, but it will print out a list such as:
Code:
4594    208.177.40
4549    209.190.8
4322    209.190.15
3910    209.190.9
3873    216.242.123
2393    208.177.41
1974    204.13.7
Then just a little scripting to put it into your firewall of choice...

Use caution and common sense, you wouldn't want to block a valid hosted user who happens to be email happy... :)
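
One way to do the "little scripting" step while keeping known-good ranges out of the block list, as an added example that is not part of the original thread. It assumes xinetd-style `START: smtp ... from=IP` lines; the function names, the threshold of 3 and the allowlisted prefix are hypothetical, and the rules are only printed for review.

```shell
#!/bin/sh
# Added example: per-/24 SMTP connection counts -> candidate iptables rules.
# Rules are only printed for review, never applied.

# Constructed sample in the xinetd "START: smtp ... from=IP" shape (assumed
# format); addresses are documentation ranges, not real senders.
sample_log() {
cat <<'EOF'
Jan 10 04:02:11 host xinetd[1234]: START: smtp pid=5001 from=203.0.113.5
Jan 10 04:02:12 host xinetd[1234]: START: smtp pid=5002 from=203.0.113.5
Jan 10 04:02:13 host xinetd[1234]: START: smtp pid=5003 from=203.0.113.9
Jan 10 04:02:14 host xinetd[1234]: START: smtp pid=5004 from=203.0.113.77
Jan 10 04:03:01 host xinetd[1234]: START: smtp pid=5005 from=198.51.100.20
Jan 10 04:03:02 host xinetd[1234]: START: smtp pid=5006 from=198.51.100.21
Jan 10 04:03:03 host xinetd[1234]: START: smtp pid=5007 from=198.51.100.20
Jan 10 04:04:00 host xinetd[1234]: START: smtp pid=5008 from=192.0.2.10
Jan 10 04:04:05 host xinetd[1234]: START: pop3 pid=5009 from=192.0.2.8
EOF
}

# Read log lines on stdin; print "count prefix" per /24, busiest first.
count_prefixes() {
    awk '/smtp/ && match($0, /from=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
             ip = substr($0, RSTART + 5, RLENGTH - 5)   # drop "from="
             sub(/\.[0-9]+$/, "", ip)                   # drop last octet
             n[ip]++
         }
         END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2
}

# block_rules THRESHOLD "ALLOWLIST": print a DROP rule for each /24 at or over
# THRESHOLD unless its prefix is in the space-separated allowlist.
block_rules() {
    threshold=$1
    allow=" $2 "
    count_prefixes | while read -r count prefix; do
        [ "$count" -ge "$threshold" ] || continue
        case "$allow" in *" $prefix "*) continue ;; esac
        echo "iptables -I INPUT -s $prefix.0/24 -p tcp --dport 25 -j DROP"
    done
}

# 198.51.100 stands in for a known-good, mail-heavy customer range.
sample_log | block_rules 3 "198.51.100"
```

To run it against real logs, replace `sample_log` with `cat /var/log/secure*` and raise the threshold to suit your traffic.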
 