Question grep Emails via phpmailer / sendmail

[daanse]

Hi,

i noticed some brute Force attack against some Wordpress and the Outgoing Email Limit (Subscription) turned on at same time.

I want to ask if theres a similar command as following, to track down Emails (Email Header, or Sender/ Receipient) send via SENDMAIL or PHPMailer??

# grep '[email protected]' /usr/local/psa/var/log/maillog

Thank you for any help

 

[mr-wolf]

They all would come through localhost.
I'm monitoring these localhost mails in the log

In zabbix it would look like this

vfs.file.regcount[/usr/local/psa/var/log/maillog,": uid=[0-9]*"]

That's "grep 'uid=[0-9]*' /var/log/maillog".
But come to think of it... I haven't seen that message for a long time...
It has changed in Plesk Onyx
It doesn't work that way anymore as these are now sent by a user with an id in the 10000 range.

So I think this will be the expression in Plesk 17.5.3:
"egrep 'uid=10[0-9][0-9]' /var/log/maillog".

The "grep 'bellsouth.net' /var/log/maillog" is also an interesting one to detect spam.....
I have never seen a valid mail going to that domain and they almost always are spammed.

This is also an interesting command to execute...
zgrep uid=10[0-9][0-9] /etc/passwd /var/log/maillog* | grep -o 'from=.*' | sort | uniq -c | sort -n

It tells you which site is sending the most mail

 

[Bitpalast]

Many spams won't reach their destination and stay in your mail queue for some while. When you look into your mail queue and examine the mail headers it is often possible to identify the sending website.

 

[daanse]

Hi @Peter Debik, yes thank you.
But in this Case, the Mail Queue was empty.
The Emails which cound't be send, wherend in the queue :/
Creepy.