Hi,
Wrote a shell script (attached) that gets run via cron once a day
to analyze the previous day's syslog for excessive pop connections.
The script counts the connections and if greater than TOO_MANY_HITS,
sends them email. The abusers get two warning messages, one nice,
one not so nice (also attached). The script also keeps track of
excess usage over a month in a directory.
If the person does not reduce their usage after two warnings, they
go into /etc/pop.nonauth (the not-authorized-to-use-pop file) until
they cooperate.
-----------------------------------
Jeff A. Earickson, Ph.D
Senior UNIX Sysadmin and Email Guru
Information Technology Services
Colby College, 4214 Mayflower Hill,
Waterville ME, 04901-8842
phone: 207-872-3659 (fax = 3076)
-----------------------------------
On Thu, 31 Oct 2002, Simon May wrote:
> Date: Thu, 31 Oct 2002 09:35:04 +0100
> From: Simon May <[EMAIL PROTECTED]>
> To: Subscribers of Qpopper <[EMAIL PROTECTED]>
> Subject: Users popping to often
>
> Dear All
> I have a number of users who are checking for mail very frequently, every
> 30s etc.
> Besides asking them not to, is there any other way to stop them?
>
> I feel that every 5 minutes is more than enough.
> This constant check really produces a lot of unnecessary traffic.
>
> This has only become a problem since ADSL (DSL) has become available in
> Spain.
>
> Have other people experienced this situation?
>
> Kind Regards
> Simon May
> Email [EMAIL PROTECTED]
>
#!/usr/bin/ksh
#
#---script to determine high-frequency pop users from
#---the mail-hubs system log file
#
#--- set DEBUG to 1 to use "set -x" in all routines
DEBUG=0
if [ $DEBUG -eq 1 ]; then
    set -x
fi
CAT=/usr/bin/cat
CUT=/usr/bin/cut
GREP=/usr/local/bin/grep
SED=/usr/local/bin/sed
SORT=/usr/local/bin/sort
UNIQ=/usr/bin/uniq
ZCAT=/usr/local/bin/zcat
TABIFY='/usr/bin/tr -s "\040" "\011"'
COLON='/usr/bin/tr -s "\040" ":"'
UNTABIFY='/usr/bin/tr -s "\011" "\040"'
SYSADMINS="[EMAIL PROTECTED]"
#---the number of too-soon connections that triggers e-mail to user
#---300 is computed as: every 5 minutes, 24 hrs/day = 288, rounded up
TOO_MANY_HITS=300
#---where pop usage is stored and today's abuser file
POP_USAGE=/usr/local/adm/pop.usage
ABUSERS=$POP_USAGE/abusers.`date +'%d'`
MAIL=/usr/bin/mailx
SendMail()
{
    #---local variables
    typeset nhits
    typeset nshort
    typeset repeat

    # if [ $DEBUG -eq 1 ]; then
    #     print "*** Entering SendMail() ***"
    #     set -x
    # fi

    #---if abusers file larger than zero bytes
    if [ -s $ABUSERS ]; then
        #---mail sysadmin the list
        $MAIL -s 'Yesterdays POP Abusers' $SYSADMINS < $ABUSERS

        for line in `$CAT $ABUSERS`
        do
            bozo=`print $line | $CUT -f1 -d:`
            nhits=`print $line | $CUT -f2 -d:`

            #---is the bozo a repeat offender?
            #---(anchored on the user field so a name cannot match inside a longer one)
            repeat=`$GREP "^$bozo:" $POP_USAGE/abusers.* | /usr/bin/wc -l`

            #---first letter
            if [ $repeat -eq 1 ]; then
                /usr/bin/sed -e "s/NHITS/$nhits/" $POP_USAGE/first.msg > /tmp/xxx.$$
                if [ $DEBUG -eq 0 ]; then
                    $MAIL -s "*** Excessive Eudora Connections ***" $[EMAIL PROTECTED] < /tmp/xxx.$$
                    $MAIL -s "*** POP First Warning ($bozo) ***" $SYSADMINS < /dev/null > /dev/null
                else
                    print "DEBUG: sending first warning to $bozo"
                fi
                /usr/bin/rm /tmp/xxx.$$

            #---second letter
            elif [ $repeat -eq 2 ]; then
                /usr/bin/sed -e "s/NHITS/$nhits/" $POP_USAGE/second.msg > /tmp/xxx.$$
                if [ $DEBUG -eq 0 ]; then
                    $MAIL -s "*** Excessive Eudora Connections (Final Warning) ***" $[EMAIL PROTECTED] < /tmp/xxx.$$
                    $MAIL -s "*** POP Second Warning ($bozo) ***" $SYSADMINS < /dev/null > /dev/null
                else
                    print "DEBUG: sending second warning to $bozo"
                fi
                /usr/bin/rm /tmp/xxx.$$

            #---shut the bozo down
            elif [ $repeat -ge 3 ]; then
                $MAIL -s "*** Repeat POP Abuser ($bozo) ***" $SYSADMINS < /dev/null > /dev/null
            fi
        done
    fi
}
#-------------------------------------------------------------------------------
#---main shell script
#-------------------------------------------------------------------------------

#---this script takes one arg: the name of the syslog file
if [ $# -ne 1 ]; then
    print "Usage is: $0 syslog-file"
    exit 1
fi

#---filter out the pop authentications from the syslog file
$ZCAT $1 | $GREP "POP login" | $TABIFY | $CUT -f3,14 | /usr/bin/tr -d \" > /tmp/pop.stuff.$$

/usr/bin/rm -f $ABUSERS
/usr/bin/touch $ABUSERS
/usr/bin/chmod 644 $ABUSERS

#---get the users sorted in order of number of hits
$CUT -f2 /tmp/pop.stuff.$$ | $SORT | $UNIQ -c | $SORT -nr -k1 | $SED -e 's/^/ /' | $COLON > /tmp/pop.users.$$

#---for every unique user that connected to pop
for line in `$CAT /tmp/pop.users.$$`
do
    #---isolate user's pop authentications and count number of hits
    nmsgs=`echo $line | $CUT -f2 -d:`
    popuser=`echo $line | $CUT -f3 -d:`

    #---if number of hits less than TOO_MANY_HITS, we are done
    if [ $nmsgs -lt $TOO_MANY_HITS ]; then
        break
    fi

    #---otherwise put the user in honor roll of abusers
    print "$popuser:$nmsgs" >> $ABUSERS
done

#---now send the list of abusers e-mail
SendMail

/usr/bin/rm /tmp/pop.stuff.$$ /tmp/pop.users.$$

Hi,

You connected to the Colby mail-hub via POP (using Eudora, Outlook,
or another desktop POP client) NHITS times yesterday. This means that:

* your Eudora automatic mail-check parameter is set to an
  unreasonably small value (eg, 1 minute intervals), or
* you are running multiple automated processes that make POP
  connections to the mail server. The most common secondary
  process is AOL's Instant Messenger. Turn off the "check mail"
  feature in AIM. Prevent multiple mail agents from running;
  this will likely cause you problems anyway.
* you manually check your e-mail excessively often. Be patient!
* you leave your desktop machine running all night long.
  Save kilowatts and shut down your machine before you go to bed.

ITS considers excessive e-mail queries to be an unwise use of Colby's
computing resources. These queries generate needless network traffic and
put undue load on our already busy central mail server.

Please reset your automatic mail-checking parameter in your POP client
(Eudora, Microsoft Outlook, or whatever you use) to something in the range
of 10-30 minutes. If you have questions about how to reset your POP
client mail-check parameter, call the Colby Hotline at x3666.

--- Thank You,
The Folks at Information Technology Services

Hi,

Yesterday was the second time in the last 30 days that you had excessive
connections to the Colby mail-hub via a POP-based connection. You had NHITS
connections yesterday. ITS considers excessive e-mail queries to be an unwise
use of Colby's computing resources. These queries generate needless network
traffic and put undue load on our already busy central mail server.

Please reset your automatic mail-checking parameter in your email client,
to something in the range of 10-30 minutes. If you have questions about how
to reset your Eudora (or other POP client) settings, call the Colby
Hotline at x3666.

Heed this request! ITS can and WILL disable your POP email access if
you fail to act.

--- Thank You,
The Folks at Information Technology Services
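
The counting and escalation steps described in the post, as an added example that is not part of the original message or its attachments: it takes the username from the log by pattern, accepts only conservatively formed names, counts repeat offences by exact match on the user field, and keeps working files in a private `mktemp -d` directory. The log-line layout (`POP login by user "NAME"`), the function names and the sample data are assumptions constructed for illustration.

```shell
# Added example (not the original script). Assumed log line layout, taken
# from the script's use of field 14:  ... POP login by user "NAME" at ...

# Print "user:count" for users at or above the threshold, busiest first.
pop_offenders() {   # $1 = syslog file, $2 = threshold
    awk -v max="$2" '
        /POP login by user "/ {
            u = $0
            sub(/.*POP login by user "/, "", u)
            sub(/".*/, "", u)
            # The name comes from the log: accept a conservative set only.
            if (u ~ /^[A-Za-z0-9._-]+$/) hits[u]++
        }
        END { for (u in hits) if (hits[u] >= max) print u ":" hits[u] }
    ' "$1" | sort -t: -k2,2nr -k1,1
}

# Count the daily abusers.* files whose first field is exactly this user.
offence_count() {   # $1 = usage directory, $2 = user
    n=0
    for f in "$1"/abusers.*; do
        [ -f "$f" ] || continue
        if awk -F: -v u="$2" '$1 == u { hit = 1 } END { exit !hit }' "$f"
        then n=$((n + 1)); fi
    done
    echo "$n"
}

# Escalation steps as in SendMail(): 1 = first letter, 2 = second, 3+ = admins.
action_for() {      # $1 = offence count
    case "$1" in
        0) echo none ;;
        1) echo first-warning ;;
        2) echo second-warning ;;
        *) echo notify-sysadmins ;;
    esac
}

# Constructed sample data in a private directory (mktemp -d, mode 0700)
# instead of predictable /tmp/name.$$ files.
make_sample() {     # prints the directory it created
    d=$(mktemp -d) || return 1
    for u in alice alice alice al 'bad*name'; do
        printf 'Oct 30 09:00:00 hub popper[1]: [ID 1 mail.info] (v4) POP login by user "%s" at (h) 10.0.0.1\n' "$u"
    done > "$d/syslog"
    echo "alice:310" > "$d/abusers.28"
    echo "alice:3" > "$d/abusers.30"
    echo "$d"
}
```

With the sample data, `al` has no prior offences even though the string appears inside `alice` in two abuser files, and the malformed name `bad*name` is never counted.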