Greetings all

I was reading some earlier posts from Raj, Jim, & Eric with regard to detecting WHO is abusing your server, so I thought I'd share some of my thoughts & solutions:

Thought 1: I force all RELAY traffic to occur on port 587 (with or without TLS) - I do this using spamdyke, using different rules for port 25 and port 587. Under MY rules:
   - port 25 DOES NOT ALLOW authentication, and thus will not RELAY at all
   - port 587 REQUIRES authentication, and also supports TLS (SSL)
   NOTE: You can do this in the RUN parts inside your submission folders
     That is:
1) In the folder /etc/spamdyke/, copy your existing spamdyke.conf to submission.conf and, to avoid confusion, I personally also make a copy called smtp.conf
2) Edit the submission.conf file to say smtp-auth-level=always (actually, I set it to always-encrypted, but that requires a valid SSL certificate, which goes beyond this note)
3) Edit the smtp.conf file to say smtp-auth-level=none (this DISALLOWS smtp authentication, even if QMail is configured to allow it!)
4) In the folder /var/qmail/supervise/smtp, edit the file named run. Assuming you previously installed and configured spamdyke, you'll have entries that look like:
        SPAMDYKE=/usr/local/bin/spamdyke
        SPAMDYKEFLAGS=' -f /etc/spamdyke/spamdyke.conf'
   Change the SPAMDYKEFLAGS value to point to your new smtp.conf - in other words, use the line:
        SPAMDYKEFLAGS=' -f /etc/spamdyke/smtp.conf'
5) In the folder /var/qmail/supervise/submission, edit the file named run. Again, assuming you previously installed and configured spamdyke, you'll have entries that look like:
        SPAMDYKE=/usr/local/bin/spamdyke
        SPAMDYKEFLAGS=' -f /etc/spamdyke/spamdyke.conf'
   Change the SPAMDYKEFLAGS value to point to your new submission.conf - in other words, use the line:
        SPAMDYKEFLAGS=' -f /etc/spamdyke/submission.conf'
6) NOTE: If you are using the smtp-ssl mod (that is, you're also listening on port 465), you will need to repeat the above steps for your 3rd SMTP listening daemon
7) Restart your toaster with the command 'qmailctl restart'
Now you have limited port 25 to NO AUTH, and you've set port 587 to require AUTH (possibly with encryption), and you may have set port 465 to require auth (typically only with encryption)

Thought 2: I use the qmlog program (originally by Fabio Olaechea, but translated to English & enhanced by our own Eric Shubert). My search for the source on the Internet met with failure (it used to be part of the qtp suite of add-ons), so I have a copy located at
http://www.it4soho.com/qmlog
If you download it from there, save it to /usr/bin or /usr/sbin (either should work). What's special about qmlog? It's a single program that can be used to fetch QMail logs for any of the services, AND it automatically converts the timestamp into Human-Readable form!

Thought 3: One of the most common abuses of Qmail is the ability to send AS ANYONE once you've been authenticated.
  What I mean by that is:
- suppose you have 3 accounts on your QMT server ([email protected]; [email protected]; & [email protected])
- suppose you configure your mail client to connect to the SUBMISSION port on your mail server with the auth credentials of [email protected]. Once you're connected and authenticated, you can send mail as [email protected], or [email protected], or [email protected], or even [email protected]
- This is all well and good when Suzy in Sales sends mail from the [email protected] account instead of her own
- This is a little problematic when Suzy in Sales sends mail from [email protected], who happens to be a coworker she doesn't have authorization to send mail for
- This is VERY problematic when Suzy in Sales sends mail from [email protected] or any other outside domain
The server will ALLOW all of these -- so you need to periodically CATCH them!

So, assuming you have the qmlog program mentioned above, put it in your path, then use the attached checkmailfraud.sh script. NOTE: The script is DESIGNED to send you a TEXT MESSAGE when the number of suspected fraudulent entries PER USER exceeds a threshold. YOU CANNOT USE THE SCRIPT WITHOUT EDITING IT and placing your own TO: (SMS email interface) and FROM: (local email address) entries at the top. The threshold value (also at the top) is adjustable, and SMS messages should only go out if fraud has indeed been detected. Finally, I have NOT YET coded the exclusion so that you only get one text message per user that exceeds your threshold.

Thought 4: The second most common abuse of QMAIL is that we do not rate-limit senders .. at all. You can use the attached script (built very similarly to the checkmailfraud.sh) called checkmailabuse.sh to check for users who are just plain sending too much mail! Again, you will need to set your own variables at the top -- where you send the SMS (or email) message; what address you're sending it from; and at what threshold you will send the alert.

I hope you find these scripts helpful - they are a central part of how I administer so many servers with so many users!

Good Luck!

Dan McAllister



#!/bin/bash
# checkmailabuse.sh - alert when one authenticated user relays more than
# THRESHOLD recipients through the submission service in a day.
# Usage: checkmailabuse.sh         (today's log, alert only above THRESHOLD)
#        checkmailabuse.sh MMDD    (that day's log, list every user's count)
NOTIFY=<insert your SMS email address here>
NOTIFYFROM=<insert the email address you're sending this notice FROM>
THRESHOLD=500
#
# NOTE: Depending upon the version of qmlog you install, the binary may be
#       located in /usr/bin or /usr/sbin. Therefore, we must start by
#       locating the QMLOG program
if [ -x /usr/sbin/qmlog ] ; then
  QMLOG=/usr/sbin/qmlog
elif [ -x /usr/bin/qmlog ] ; then
  QMLOG=/usr/bin/qmlog
else
  echo "$0 requires the program qmlog -- see qmailtoaster wiki to locate a copy"
  exit 99
fi

# Private work directory instead of fixed names under /tmp (a fixed name there
# can be pre-created or symlinked by any local user); cleaned up on exit
WORK="$(mktemp -d)" || exit 1
trap 'rm -rf "$WORK"' EXIT
ABUSERS="$WORK/checkmailabusers"
ALERT="$WORK/checkmailabuse-alert"

# Get date in both needed formats (with and without dash); an optional
# MMDD argument overrides today's date and also disables the threshold
if [ -n "$1" ] ; then TODAY="$1" ; else TODAY=$(/bin/date '+%m%d') ; fi
MON="${TODAY%??}"     # first 2 digits
DAY="${TODAY#??}"     # last 2 digits

# Here's the work -- get the submission logs (translating the dates)
# - grep for the actual date because qmlog does a poor job on this
# - look only for rcpt lines and look for who is logging in
#   (the chkuser field is "from <sender:authuser:>"; skip unauthenticated relays)
# - sort the results so "uniq" can count them
# - re-sort now based on uniq counts
$QMLOG -d "$TODAY" submission |
 grep "^$MON-$DAY.*CHKUSER relaying rcpt" |
 sed 's/.*rcpt: from <//;s/>.*//' |
 awk -F: '{ print $1, $2, $3 }' |
 while read -r SEND AUTH OTHER ; do
   if [ -n "$AUTH" ] ; then echo "$AUTH" ; fi
 done |
 sort |
 uniq -c |
 sort -n |
 while read -r MCOUNT MSENDER ; do
  if [ $# -eq 0 ] ; then
    if [ "$MCOUNT" -gt "$THRESHOLD" ] ; then
      echo "$MCOUNT $MSENDER"
    fi
  else
    echo "$MCOUNT $MSENDER"
  fi
 done > "$ABUSERS"
#
# To send an alert
#
if [ "$(wc -l < "$ABUSERS")" -gt 0 ] ; then
  echo "To: $NOTIFY" > "$ALERT"
  echo "From: $NOTIFYFROM" >> "$ALERT"
  echo "Subject: Abuse Alert on $(hostname)" >> "$ALERT"
  echo " " >> "$ALERT"
  if [ "$(wc -l < "$ABUSERS")" -lt 5 ] ; then
    cat "$ABUSERS" >> "$ALERT"
  else
    echo "Too many abusers to show... please login to server ASAP!" >> "$ALERT"
  fi
  /var/qmail/bin/qmail-inject < "$ALERT"
fi

#!/bin/bash
# checkmailfraud.sh - alert when an authenticated user relays mail whose
# envelope sender is in a different domain from the account that logged in.
# Usage: checkmailfraud.sh         (today's log, alert only above THRESHOLD)
#        checkmailfraud.sh MMDD    (that day's log, list every mismatch)
NOTIFY=<insert your SMS email address here>
NOTIFYFROM=<insert the email address you're sending this notice FROM>
THRESHOLD=500
# NOTE: Depending upon the version of qmlog you install, the binary may be
#       located in /usr/bin or /usr/sbin. Therefore, we must start by
#       locating the QMLOG program
if [ -x /usr/sbin/qmlog ] ; then
  QMLOG=/usr/sbin/qmlog
elif [ -x /usr/bin/qmlog ] ; then
  QMLOG=/usr/bin/qmlog
else
  echo "$0 requires the program qmlog -- see qmailtoaster wiki to locate a copy"
  exit 99
fi

# Get date in both needed formats (with and without dash); an optional
# MMDD argument overrides today's date and also disables the threshold
if [ -n "$1" ] ; then TODAY="$1" ; else TODAY=$(/bin/date '+%m%d') ; fi
MON="${TODAY%??}"     # first 2 digits
DAY="${TODAY#??}"     # last 2 digits

# Private work directory instead of fixed names under /tmp (a fixed name there
# can be pre-created or symlinked by any local user); cleaned up on exit
WORK="$(mktemp -d)" || exit 1
trap 'rm -rf "$WORK"' EXIT
FRAUDSTERS="$WORK/checkmailfraudsters"
ALERT="$WORK/checkmailfraud-alert"

# The chkuser field is "from <sender:authuser:>"; compare the domain of the
# envelope sender with the domain of the authenticated user. Relays with no
# authenticated user (e.g. RELAYCLIENT hosts) or a bare username are skipped.
$QMLOG -d "$TODAY" submission |
 grep "^$MON-$DAY.*CHKUSER relaying rcpt" |
 sed 's/.*rcpt: from <//;s/>.*//' |
 awk -F: '{ print $1, $2, $3 }' |
 while read -r SEND AUTH OTHER ; do
   SENDDOMAIN="$(echo "$SEND" | awk -F@ '{ print $2 }')"
   AUTHDOMAIN="$(echo "$AUTH" | awk -F@ '{ print $2 }')"
   if [ -n "$AUTHDOMAIN" ] ; then
     if [ "$SENDDOMAIN" != "$AUTHDOMAIN" ] ; then
       echo "$SEND $AUTH $OTHER"
     fi
   fi
 done |
 sort |
 uniq -c |
 sort -n |
 while read -r MCOUNT MSENDER MIMPOSTER ; do
  if [ $# -eq 0 ] ; then
    if [ "$MCOUNT" -gt "$THRESHOLD" ] ; then
      echo "$MCOUNT $MSENDER $MIMPOSTER"
    fi
  else
    echo "$MCOUNT $MSENDER $MIMPOSTER"
  fi
 done > "$FRAUDSTERS"
#
# To send an alert
#
if [ "$(wc -l < "$FRAUDSTERS")" -gt 0 ] ; then
  echo "To: $NOTIFY" > "$ALERT"
  echo "From: $NOTIFYFROM" >> "$ALERT"
  echo "Subject: Fraud Alert on $(hostname)" >> "$ALERT"
  echo " " >> "$ALERT"
  if [ "$(wc -l < "$FRAUDSTERS")" -lt 5 ] ; then
    cat "$FRAUDSTERS" >> "$ALERT"
  else
    echo "Too many fraudsters to show... please login to server ASAP!" >> "$ALERT"
  fi
  /var/qmail/bin/qmail-inject < "$ALERT"
fi
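A check for the port split in Thought 1, added here as an example and not part of the original post or its scripts: once spamdyke enforces smtp-auth-level=none on 25 and always on 587, the EHLO reply of the port-25 listener should no longer list AUTH while the port-587 reply should. The two EHLO transcripts below are constructed, mail.example.com and the function names are my own, and the live probe assumes bash is available for /dev/tcp (port 465 is TLS from the first byte, so it needs openssl s_client rather than this raw probe).

```shell
#!/bin/sh
# Added example (not from the original post): verify the spamdyke port split
# by inspecting what each listener advertises in its EHLO reply.
# Both transcripts are constructed; mail.example.com is a placeholder.

# What a port-25 listener running with smtp-auth-level=none is expected to
# answer: no AUTH line at all.
EHLO_25='250-mail.example.com
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250 STARTTLS'

# What a port-587 listener running with smtp-auth-level=always should answer.
EHLO_587='250-mail.example.com
250-PIPELINING
250-8BITMIME
250-STARTTLS
250-AUTH LOGIN PLAIN
250 AUTH=LOGIN PLAIN'

# ehlo_advertises_auth < transcript -> exit 0 if a "250-AUTH" or "250 AUTH" line exists
ehlo_advertises_auth() {
  grep -Eiq '^250[- ]AUTH([ =]|[[:space:]]*$)'
}

# ehlo_advertises_starttls < transcript -> exit 0 if STARTTLS is offered
ehlo_advertises_starttls() {
  grep -Eiq '^250[- ]STARTTLS[[:space:]]*$'
}

# policy_check PORT < transcript -> prints OK/FAIL/WARN, exit status follows the verdict
policy_check() {
  port="$1"
  reply="$(cat)"
  case "$port" in
    25)
      if printf '%s\n' "$reply" | ehlo_advertises_auth; then
        echo "FAIL: port 25 still advertises AUTH (check smtp.conf and the smtp run file)"
        return 1
      fi ;;
    587)
      if ! printf '%s\n' "$reply" | ehlo_advertises_auth; then
        echo "FAIL: port 587 does not advertise AUTH (check submission.conf)"
        return 1
      fi
      if ! printf '%s\n' "$reply" | ehlo_advertises_starttls; then
        echo "WARN: port 587 offers AUTH without STARTTLS; passwords would cross the wire in clear"
      fi ;;
    *)
      echo "FAIL: no policy defined for port $port"
      return 2 ;;
  esac
  echo "OK: port $port matches policy"
}

# ehlo_probe HOST PORT -> prints the live EHLO reply (assumption: bash present
# for /dev/tcp). For 465 use: openssl s_client -quiet -connect HOST:465
ehlo_probe() {
  bash -c 'exec 3<>"/dev/tcp/$1/$2"
           read -r _banner <&3
           printf "EHLO probe.example.com\r\nQUIT\r\n" >&3
           cat <&3' _ "$1" "$2"
}

# Stand-alone demonstration on the constructed transcripts.
printf '%s\n' "$EHLO_25"  | policy_check 25
printf '%s\n' "$EHLO_587" | policy_check 587
# Live use: ehlo_probe mail.example.com 25 | policy_check 25
```

Run it against each listener after 'qmailctl restart'; a port-25 reply that still carries an AUTH line means the smtp run file is still pointing at the old spamdyke.conf.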

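The detection logic of checkmailfraud.sh and checkmailabuse.sh (Thoughts 3 and 4), run over sample log lines as an added example that is not part of the posted scripts. The lines are constructed to match what the posted grep and sed expressions parse (the MM-DD date qmlog puts at the start of each line and the chkuser "from <sender:authuser:>" field); the addresses, the function names and the third report (same-domain impersonation with an allow-list for shared mailboxes, which the posted script does not attempt) are my additions. Feed real data with "qmlog -d MMDD submission | fraud_report MM-DD" in place of the sample.

```shell
#!/bin/sh
# Added example (not the posted scripts): fraud and abuse detection as
# functions reading qmlog-style submission log lines on stdin, exercised on a
# constructed sample so it runs without a server. Addresses are placeholders.

SAMPLE_LOG='04-15 08:00:01 CHKUSER relaying rcpt: from <suzy@example.com:suzy@example.com:> remote <pc1:pc1.example.com:192.0.2.10> rcpt <friend@example.net> : client allowed to relay
04-15 08:00:02 CHKUSER relaying rcpt: from <sales@example.com:suzy@example.com:> remote <pc1:pc1.example.com:192.0.2.10> rcpt <buyer@example.net> : client allowed to relay
04-15 08:05:00 CHKUSER relaying rcpt: from <bob@example.com:suzy@example.com:> remote <pc1:pc1.example.com:192.0.2.10> rcpt <hr@example.net> : client allowed to relay
04-15 09:10:00 CHKUSER relaying rcpt: from <ceo@example.org:suzy@example.com:> remote <pc1:pc1.example.com:192.0.2.10> rcpt <victim1@example.net> : client allowed to relay
04-15 09:10:01 CHKUSER relaying rcpt: from <ceo@example.org:suzy@example.com:> remote <pc1:pc1.example.com:192.0.2.10> rcpt <victim2@example.net> : client allowed to relay
04-15 09:30:00 CHKUSER relaying rcpt: from <bob@example.com:bob@example.com:> remote <pc2:pc2.example.com:192.0.2.11> rcpt <client@example.net> : client allowed to relay
04-15 10:00:00 CHKUSER relaying rcpt: from <root@example.com::> remote <cron:localhost:127.0.0.1> rcpt <ops@example.net> : client allowed to relay
04-15 10:00:05 CHKUSER rejected rcpt: from <spam@example.net::> remote <bot:unknown:198.51.100.5> rcpt <nobody@example.com> : not existing recipient
04-14 23:59:59 CHKUSER relaying rcpt: from <ceo@example.org:suzy@example.com:> remote <pc1:pc1.example.com:192.0.2.10> rcpt <victim0@example.net> : client allowed to relay'

# relay_pairs MM-DD < log -> one "sender authuser" line per relayed recipient
# on that day; relays with no authenticated user (RELAYCLIENT hosts) are dropped
relay_pairs() {
  awk -v day="$1" '
    $1 == day && /CHKUSER relaying rcpt: from </ {
      s = $0
      sub(/.*rcpt: from </, "", s)
      sub(/>.*/, "", s)
      n = split(s, f, ":")
      if (n >= 2 && f[2] != "") print f[1], f[2]
    }'
}

# fraud_report MM-DD < log -> "count sender authuser" where the sender domain
# differs from the authenticated user's domain (what checkmailfraud.sh flags)
fraud_report() {
  relay_pairs "$1" | awk '{
      n = split($1, a, "@"); sd = (n > 1) ? a[n] : ""
      n = split($2, b, "@"); ad = (n > 1) ? b[n] : ""
      if (ad != "" && sd != ad) cnt[$1 " " $2]++
    }
    END { for (k in cnt) print cnt[k], k }' | sort -rn
}

# impersonation_report MM-DD "shared1 shared2 ..." < log -> "count sender authuser"
# for same-domain sends as someone else, ignoring the listed shared mailboxes
impersonation_report() {
  relay_pairs "$1" | awk -v allowed=" $2 " '
    index(allowed, " " $1 " ") == 0 {
      n = split($1, a, "@"); sd = (n > 1) ? a[n] : ""
      n = split($2, b, "@"); ad = (n > 1) ? b[n] : ""
      if (ad != "" && sd == ad && $1 != $2) cnt[$1 " " $2]++
    }
    END { for (k in cnt) print cnt[k], k }' | sort -rn
}

# abuse_report MM-DD THRESHOLD < log -> "count authuser" for users who relayed
# to more than THRESHOLD recipients (what checkmailabuse.sh flags)
abuse_report() {
  relay_pairs "$1" | awk -v t="$2" '{ cnt[$2]++ }
    END { for (u in cnt) if (cnt[u] > t) print cnt[u], u }' | sort -rn
}

# Stand-alone demonstration on the constructed sample.
echo "== cross-domain senders on 04-15"
printf '%s\n' "$SAMPLE_LOG" | fraud_report 04-15
echo "== same-domain impersonation on 04-15 (sales@example.com is shared)"
printf '%s\n' "$SAMPLE_LOG" | impersonation_report 04-15 "sales@example.com"
echo "== users relaying to more than 2 recipients on 04-15"
printf '%s\n' "$SAMPLE_LOG" | abuse_report 04-15 2
```

The counts are per relayed recipient, not per message, which is also what the posted scripts count; a single message to 50 recipients therefore weighs 50, so set the threshold with that in mind.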