Chapter two:
Here's the script that outputs the client MTA (PTR name and IP) and envelope sender for the past "jot" days,
for the recipient who complains:
#!/bin/sh
# For one complaining recipient, walk the last 14 days of rotated
# maillogs and write "client sender" for every message delivered to
# that address (client = PTR name and IP of the connecting MTA).
RECIP="[EMAIL PROTECTED]"
OUT=/var/tmp/recip_mta_sender.txt
rm -f "$OUT"
touch "$OUT"
for day in `jot 14` ; do
    # smtp (delivery) lines carry to=<recipient>; field 6 is the queue ID
    zegrep -i "smtp\[.*to=<$RECIP" /var/log/maillog.$day.gz |\
    awk '{ print $6 }' | tr -d ':' > /var/tmp/msg_id.txt
    for id in `cat /var/tmp/msg_id.txt` ; do
        # the smtpd line for the same queue ID names the connecting client
        MTA=`zegrep -i "smtpd\[.*$id" /var/log/maillog.$day.gz |\
        awk '{ print $7 }' | sed 's/client=//' | tr -d ':'`
        # the qmgr line for the same queue ID carries the envelope sender
        SENDER=`zegrep -i "qmgr\[.*$id" /var/log/maillog.$day.gz |\
        awk '{ print $7 }' | sed 's/from=//' | tr -d '<>,'`
        echo "$MTA $SENDER" >> "$OUT"
    done
done
exit 0
For this particular complainant, `jot 15` gave this recip_mta_sender.txt
file, which is a mixture of legit senders + alleged spammers:
mx4# tail -f -n 60 /var/tmp/adimalibu_mta_sender.txt
imo-d06.mx.aol.com[205.188.157.38] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
distmgr2.wireimage.com[64.14.51.251] [EMAIL PROTECTED]
imo-m09.mx.aol.com[64.12.136.164] [EMAIL PROTECTED]
imo-m05.mx.aol.com[64.12.136.8] [EMAIL PROTECTED]
web21008.mail.yahoo.com[216.136.227.62] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.vrpe.com[65.160.68.4] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mailhost.sonnenschein.com[65.217.148.27] [EMAIL PROTECTED]
imo-d02.mx.aol.com[205.188.157.34] [EMAIL PROTECTED]
nbrmr1002.accenture.com[170.252.248.71] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
lsanca1-ar4-249-170.biz.dsl.gtei.net[4.33.249.170] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
lsanca1-ar4-249-170.biz.dsl.gtei.net[4.33.249.170] [EMAIL PROTECTED]
lsanca1-ar4-249-170.biz.dsl.gtei.net[4.33.249.170] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
lsanca1-ar4-249-170.biz.dsl.gtei.net[4.33.249.170] [EMAIL PROTECTED]
mail8.travelocity.com[151.193.165.236] [EMAIL PROTECTED]
mailhost.sonnenschein.com[65.217.148.27] [EMAIL PROTECTED]
dmzmail.winterparktech.com[65.160.216.77] [EMAIL PROTECTED]
mailhost.sonnenschein.com[65.217.148.27] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
nbrmr1001.accenture.com[170.252.248.70] [EMAIL PROTECTED]
eonsthfw01.eoncompany.com[212.209.217.134] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
distmgr2.wireimage.com[64.14.51.251] [EMAIL PROTECTED]
f55.law12.hotmail.com[64.4.19.55] [EMAIL PROTECTED]
web21010.mail.yahoo.com[216.136.227.64] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
pw2.photoworks.com[63.236.113.66] [EMAIL PROTECTED]
mailhost.sonnenschein.com[65.217.148.27] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
lamail2.abramsart.com[67.89.202.14] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
12-107-29-10.sapient.com[12.107.29.10] [EMAIL PROTECTED]
12-107-29-10.sapient.com[12.107.29.10] [EMAIL PROTECTED]
12-107-29-10.sapient.com[12.107.29.10] [EMAIL PROTECTED]
mm-outgoing-103.amazon.com[207.171.188.103] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
mail.anet.net[216.2.102.8] [EMAIL PROTECTED]
AH HA! The "sore thumb" is "mail.anet.net[216.2.102.8]" with tons of forged
senders, so WTF is going on?
Well, that IP had been automatically blacklisted by my advanced scripts
into mta_clients_bogus as an IP that was a source of big volumes of forged
senders (i.e., my script worked).
BUT, my IMGate client whitelisted it in mta_clients_white due to valid
mail also being blocked, and so he opened the floodgates.
Solution? I removed that IP from both the white and black lists, and SAV
will kill the forging.
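The same smtpd/qmgr/smtp correlation done in a single awk pass, with a summary that counts distinct envelope senders per client so the "sore thumb" is counted rather than eyeballed from a long listing. This is an added example, not Len's script: the log lines are constructed in the old Postfix syslog format (hosts, queue IDs and addresses are invented), and the function names recip_mta_sender and sore_thumbs are my own. It assumes the same field layout the original script keys on (queue ID in field 6, client=/from=/to= token in field 7) and reads the log from stdin so rotated gzip logs can be fed in with zcat.

```shell
#!/bin/sh
# Added example, not Len's script: correlate smtpd/qmgr/smtp lines by
# queue ID in one awk pass over a Postfix maillog read from stdin, then
# count distinct envelope senders per client.

# Constructed sample log in the old Postfix syslog format (hosts, queue
# IDs and addresses are invented). Field 6 is the queue ID, field 7 the
# client=/from=/to= token, exactly what the original script keys on.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:00:00 mx4 postfix/smtpd[1234]: connect from mail.anet.net[216.2.102.8]
Mar  3 10:00:01 mx4 postfix/smtpd[1234]: AAAA1: client=mail.anet.net[216.2.102.8]
Mar  3 10:00:01 mx4 postfix/qmgr[555]: AAAA1: from=<bogus1@example.org>, size=900, nrcpt=1 (queue active)
Mar  3 10:00:02 mx4 postfix/smtp[1300]: AAAA1: to=<victim@example.com>, relay=inside[10.0.0.5], delay=1, status=sent (250 Ok)
Mar  3 10:01:01 mx4 postfix/smtpd[1234]: BBBB2: client=mail.anet.net[216.2.102.8]
Mar  3 10:01:01 mx4 postfix/qmgr[555]: BBBB2: from=<bogus2@example.net>, size=900, nrcpt=1 (queue active)
Mar  3 10:01:02 mx4 postfix/smtp[1300]: BBBB2: to=<Victim@example.com>, relay=inside[10.0.0.5], delay=1, status=sent (250 Ok)
Mar  3 10:02:01 mx4 postfix/smtpd[1235]: CCCC3: client=mail.anet.net[216.2.102.8]
Mar  3 10:02:01 mx4 postfix/qmgr[555]: CCCC3: from=<bogus3@example.com>, size=900, nrcpt=1 (queue active)
Mar  3 10:02:02 mx4 postfix/smtp[1300]: CCCC3: to=<victim@example.com>, relay=inside[10.0.0.5], delay=1, status=sent (250 Ok)
Mar  3 10:03:01 mx4 postfix/smtpd[1235]: DDDD4: client=mail.anet.net[216.2.102.8]
Mar  3 10:03:01 mx4 postfix/qmgr[555]: DDDD4: from=<bogus1@example.org>, size=900, nrcpt=1 (queue active)
Mar  3 10:03:02 mx4 postfix/smtp[1300]: DDDD4: to=<victim@example.com>, relay=inside[10.0.0.5], delay=1, status=sent (250 Ok)
Mar  3 10:04:01 mx4 postfix/smtpd[1236]: EEEE5: client=imo-d06.mx.aol.com[205.188.157.38]
Mar  3 10:04:01 mx4 postfix/qmgr[555]: EEEE5: from=<friend@aol.example>, size=900, nrcpt=1 (queue active)
Mar  3 10:04:02 mx4 postfix/smtp[1300]: EEEE5: to=<victim@example.com>, relay=inside[10.0.0.5], delay=1, status=sent (250 Ok)
Mar  3 10:05:01 mx4 postfix/smtpd[1236]: FFFF6: client=mail.anet.net[216.2.102.8]
Mar  3 10:05:01 mx4 postfix/qmgr[555]: FFFF6: from=<bogus9@example.org>, size=900, nrcpt=1 (queue active)
Mar  3 10:05:02 mx4 postfix/smtp[1300]: FFFF6: to=<other@example.com>, relay=inside[10.0.0.5], delay=1, status=sent (250 Ok)
EOF
)

# recip_mta_sender RECIP   (log on stdin)
# Prints "client sender" once per message delivered to RECIP, in the
# order the deliveries were logged: the same shape as recip_mta_sender.txt.
recip_mta_sender() {
    awk -v recip="$1" '
        function qid(f)  { sub(/:$/, "", f); return f }
        function addr(f) { sub(/^[a-z]+=</, "", f); sub(/>.*$/, "", f); return f }
        # smtpd: which client handed us this queue ID ("connect from"
        # lines have no client= token and fall through untouched)
        $5 ~ /postfix\/smtpd\[/ && $7 ~ /^client=/ {
            c = $7; sub(/^client=/, "", c); client[qid($6)] = c; next
        }
        # qmgr: envelope sender for the queue ID; from=<> is a bounce
        $5 ~ /postfix\/qmgr\[/ && $7 ~ /^from=</ {
            s = addr($7); sender[qid($6)] = (s == "" ? "<>" : s); next
        }
        # smtp: a delivery to the complaining recipient (case-insensitive)
        $5 ~ /postfix\/smtp\[/ && $7 ~ /^to=</ && tolower(addr($7)) == tolower(recip) {
            id = qid($6); if (!(id in hit)) { hit[id] = 1; order[++n] = id }
        }
        END {
            for (i = 1; i <= n; i++) {
                id = order[i]
                if (id in client && id in sender) print client[id], sender[id]
            }
        }'
}

# sore_thumbs RECIP   (log on stdin)
# Prints "N client", N = number of distinct envelope senders that reached
# RECIP through that client, highest first. One relay handing a single
# user mail from many different senders is the forged-sender source.
sore_thumbs() {
    recip_mta_sender "$1" | sort -u |
    awk '{ n[$1]++ } END { for (c in n) print n[c], c }' | sort -rn
}

# Stand-alone run over the constructed log; against real logs, pipe the
# rotated files in instead, e.g.  zcat /var/log/maillog.*.gz | sore_thumbs "$RECIP"
printf '%s\n' "$SAMPLE_LOG" | sore_thumbs victim@example.com
```

On the sample this prints `3 mail.anet.net[216.2.102.8]` above `1 imo-d06.mx.aol.com[205.188.157.38]`: four messages came through the anet relay but only three distinct senders, and counting distinct senders per client is what separates a forging relay from a busy but honest one. Reading the whole log once instead of re-grepping the gzip file three times per queue ID also keeps the run time linear in log size.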
Lesson:
1) run SAV (sender address verification), and then
2) go back to your whitelisted IPs and comment out as many as you can, especially
when they were for a "BIG ISP", e.g. earthlink, or a "network operator", like
comcast, rr, adelphia. SAV will let legit senders through, and will block
forged senders.
Len