madcat
Guest
Hello. I am trying to stop outgoing spam from coming from our servers. I believe our spam is due to the fact that users choose stupid passwords, and spammers use brute force scripts to guess these passwords, and then use other scripts to connect to the webmail program to send spam. I have searched this forum and found that I am definitely not the only one suffering from this problem.
What I would like to do, as a solution, is set up a log file that records _ALL_ outgoing email coming from the server, regardless of what method is used to send the mail. Right now, I have replaced /usr/bin/sendmail with a script that writes to a log file all the info about the message (including the value of $CWD), which tells me what directory /usr/bin/sendmail was called from, which tells me who on my server actually sent the spam (or whose account was compromised to send the spam). The problem is that many of the programs that send mail do so by directly connecting to port 25 on my server, bypassing the sendmail binary.
I have also tried searching through the log file located at /usr/local/psa/var/log/maillog. The problem with that one is that it records the address the spammer provides as the "from" address, which is almost always fake. Even if it is a real address, it doesn't tell me which account _ON_MY_SERVER_ is responsible for sending the message.
What I would love to have is a plain text log file, with three columns, with this format:
[Date-Stamp] [Sending Account] [Subject-Line]
Where [Sending Account] is the FQDN mailname used to log into webmail, or authenticate to SMTP. In the case where a PHP or Perl script is being used to send spam, the [Sending Account] would instead be the domain name. I would then read this log file once per day, and would be able to tell how the spam is coming out of my server.
For most cases, reading the [Subject-Line] would tell me whether or not the message is spam. I could even sort the messages by [Sending Account] and simply count the number of messages sent. A large number of messages indicates a possibly compromised account (or a blatant spammer signing up). Is there even any way to determine how many messages a given domain has sent via the Plesk interface? I haven't found one, so far.
Thanks.
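As an added example (not from the post, and not part of Plesk), here is a small Python script that reads a log in the three-column format proposed above and reports, per day and per sending account, the message count and the most repeated subject, flagging accounts that exceed an assumed daily volume or repeat one subject too often. The sample log lines and both thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the format the post proposes:
# [Date-Stamp] [Sending Account] [Subject-Line]
SAMPLE_LOG = """\
[2011-03-02 08:14:02] [alice@example.com] [Re: invoice for February]
[2011-03-02 08:15:30] [bob@example.com] [Lunch on Friday?]
[2011-03-02 09:01:11] [carol@example.net] [Cheap meds online!!!]
[2011-03-02 09:01:12] [carol@example.net] [Cheap meds online!!!]
[2011-03-02 09:01:13] [carol@example.net] [Cheap meds online!!!]
[2011-03-02 09:01:14] [carol@example.net] [Cheap meds online!!!]
[2011-03-02 10:22:45] [shop.example.org] [Your order has shipped]
[2011-03-02 10:22:46] [shop.example.org] [Your order has shipped]
[2011-03-03 07:00:00] [alice@example.com] [Meeting notes]
"""
# Subject is matched greedily so brackets inside a subject do not break parsing.
LINE_RE = re.compile(r"^\[([^\]]+)\] \[([^\]]+)\] \[(.*)\]$")

def parse_log(text):
    """Yield (day, account, subject); lines not in the expected format are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        stamp, account, subject = m.groups()
        day = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").date()
        yield day, account, subject

def per_account_report(text):
    """Return {(day, account): (message_count, top_subject, top_subject_count)}."""
    counts = Counter()
    subjects = defaultdict(Counter)
    for day, account, subject in parse_log(text):
        counts[(day, account)] += 1
        subjects[(day, account)][subject] += 1
    report = {}
    for key, n in counts.items():
        subj, subj_n = subjects[key].most_common(1)[0]
        report[key] = (n, subj, subj_n)
    return report

def flag_suspicious(report, max_per_day=3, max_same_subject=2):
    """Accounts over either threshold on a given day; thresholds are assumed values."""
    return sorted(
        (str(day), account, n)
        for (day, account), (n, _subj, subj_n) in report.items()
        if n > max_per_day or subj_n > max_same_subject
    )
```

Run it against the real log once a day (as the post suggests) and tune the thresholds to the normal volume of your own accounts; a burst of identical subjects from one account is the pattern worth looking at first.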