Additions will be made as time goes by :)
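#############
###Postfix###
#############
# Field numbers below assume the classic `mailq` (postqueue -p) layout:
#   <queue id>[*|!] <size> <Dow> <Mon> <dd> <hh:mm:ss> <sender>
#                                  <recipient>   (indented continuation lines)
# Queue entries start with a hex queue ID; the header line and the closing
# "-- N Kbytes in M Requests." summary start with "-". Because the fields are
# addressed by number rather than by fixed cut(1) columns, the one-liners also
# work when Postfix is configured with long queue IDs.
#
# Senders with mail queued in a given month, to see who is flooding the queue.
# Set MAILQ_MONTH to the abbreviated month name (e.g. "Jan"); leaving the
# placeholder in matches nothing, exactly like the original.
# All three variants print "<count> Mails - <sender>", lowest count first.
#Option 1: count in awk (the old `t=a[x]>1?"Mails":"Mails"` ternary was a no-op)
mailq | awk -v m="${MAILQ_MONTH:-REPLACEWITHMONTH}" '$4 ~ m {c[$7]++} END {for (s in c) print c[s], "Mails -", s}' | sort -n
#Option 2: count with sort | uniq -c (all months)
mailq | awk '/^[A-F0-9]/ {print $7}' | sort | uniq -c | sort -n
#Option 3: same, but aggregated by sender domain
mailq | awk '/^[A-F0-9]/ {print $7}' | sed 's/.*@//' | sort | uniq -c | sort -n
### Recipient domains: where queued mail is going and which domain is being hit.
# Recipient lines are the indented continuation lines, so they are the only
# lines whose first field contains "@".
#Option 1:
mailq | awk '$1 ~ /@/ {print $1}' | sed 's/.*@//' | awk '{c[$0]++} END {for (d in c) print c[d], "Mails -", d}' | sort -n
#Option 2: uniq -c only merges *adjacent* duplicates, so the input has to be sorted first
mailq | awk '$1 ~ /@/ {print $1}' | sed 's/.*@//' | sort | uniq -c | sort -n
### Searching the Queues
# Dump every queued message with postcat and grep for the patterns of
# interest (still ad hoc - replace the pattern list). Queue IDs are taken from
# the first field, with the trailing "*" (active) / "!" (hold) status marker
# stripped so postcat -q receives bare IDs. `xargs -r` (GNU) does not run
# postcat at all when the queue is empty.
mailq | awk '/^[A-F0-9]/ {sub(/[*!]$/, "", $1); print $1}' | xargs -r postcat -q | grep -E -i --color 'SPAM|REGEX|FOO|BAR'
### Subject searches
#######################################
# Print "<spool file> Subject: ..." for every message in one Postfix queue
# directory. Queue directories are hashed into sub-directories, hence find(1);
# -print0 / read -d '' keeps odd file names intact. A message without a
# Subject header still ends its line, so consecutive entries never fuse.
# Arguments: $1 - queue name under /var/spool/postfix (deferred, hold, ...)
# Outputs:   one line per spool file on stdout
#######################################
queue_subjects() {
  local queue=$1
  local f
  find "/var/spool/postfix/${queue}/" -type f -print0 |
    while IFS= read -r -d '' f; do
      printf '%s ' "$f"
      postcat "$f" | grep '^Subject' || printf '\n'
    done
}
#Finding whats in the subject of deferred mail
queue_subjects deferred
#Finding whats in the subject of mail in the hold queue
queue_subjects hold
#Finding whats in the subject of mail in the bounce queue
queue_subjects bounce
#Finding whats in the subject of mail in the corrupt queue
queue_subjects corrupt
# Arranging subject matters to see what is on the top list of spam:
# drop the file name (first field) and count identical subject lines.
queue_subjects deferred | awk '{$1=""; print $0}' | sort | uniq -c | sort -n
# Which remote hosts connected to smtpd and how often. Field numbers assume
# the traditional syslog prefix "Mon dd hh:mm:ss host postfix/smtpd[pid]:",
# so $6 is the event word and $8 the "host[ip]" (check them if the log uses
# ISO timestamps). `$6 == "connect"` is used instead of /connect/ so that the
# matching "disconnect from" lines are not counted as a second connection,
# and the input is sorted before uniq -c so non-adjacent duplicates merge.
awk '$6 == "connect" {print $8}' /var/log/mail.log | sort | uniq -c | sort -n
#############
###Postfix###
#############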
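#############
###ASSP######
#############
# (The bare word "ASSP" that used to sit here was a stray line; as a command
# it would only produce "command not found".)
# Which hosts connected to ASSP's SMTP listener and how often (ASSP SMTP only).
# Field numbers assume the assp.log layout the original was written against:
# $4 "Connected", $5 "host:port". The ":port" suffix is stripped before
# counting so the same host is not split across ports. Output is
# "<count> Connections - <host>", lowest count first; the old
# `t=a[x]>1?"Connections":"Connections"` ternary was a no-op.
awk '$4 ~ /Connected/ {print $5}' /var/log/assp.log | sed 's/:[0-9]*$//' | awk '{c[$0]++} END {for (h in c) print c[h], "Connections -", h}' | sort -n
#############
###ASSP######
#############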
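#############
###Exim######
#############
# exim -bp prints one header line per message,
#   <age> <size> <message id> <sender> [*** frozen ***]
# followed by indented recipient lines, so $3 of a header line is the message
# ID and frozen messages carry "frozen" in $6.
#To Delete frozen mails (`exiqgrep -z -i` prints the same ID list;
# `xargs -r` skips exim -Mrm entirely when nothing is frozen)
exim -bp | awk '$6 ~ /frozen/ {print $3}' | xargs -r exim -Mrm
#This will show the number of mails for each domain with more than
# EXIM_DOMAIN_MIN (default 100) queued messages. exiqsumm prints
# "Count Volume Oldest Newest Domain", so $1 is the per-domain count.
exim -bp | exiqsumm | awk -v min="${EXIM_DOMAIN_MIN:-100}" '$1 > min' | sort -n
#Find out spammers home directory in cpanel server (exim logs the sender's
# cwd; the spool directory itself is noise):
grep -F cwd /var/log/exim_mainlog | grep -F -v spool
#Gives you the authenticated (dovecot_login) user behind each queued message,
# with how many queued messages each user owns.
# One pass over exim_mainlog instead of one grep per message ID: the IDs from
# exim -bp are matched as fixed strings, and the user name is read from the
# "A=dovecot_login:<user>" item of the arrival line (only lines that carry it
# count, which replaces the old `sed '/REPLACEWITHYEAR*/d'` trick; the old
# per-line `sort -rn | uniq - c` was a no-op with a typo). Needs bash for <().
grep -F -f <(exim -bp | awk '$3 != "" {print $3}') /var/log/exim_mainlog | grep -F 'A=dovecot_login:' | sed 's/.*A=dovecot_login:\([^ ]*\).*/\1/' | sort | uniq -c | sort -rn
#Gives you the IP that logged in and how many mails they actively have in the mailq.
# The address is the first "[addr]" item on the arrival line (H=host [ip]:port);
# it is pulled out by pattern rather than by field number because H= may or may
# not carry a HELO name, which shifts the field positions.
grep -F -f <(exim -bp | awk '$3 != "" {print $3}') /var/log/exim_mainlog | grep -F 'A=dovecot_login:' | sed -n 's/[^[]*\[\([0-9a-fA-F.:]*\)\].*/\1/p' | sort | uniq -c | sort -rn
#Top 5 client IPs whose RCPT commands were rejected in the last 3000 log lines.
# On "rejected RCPT" lines $4 is the "[ip]:port" item (assuming the H= item
# before it is a single word); the IP is taken from between the brackets.
tail -n 3000 /var/log/exim_mainlog | grep -F 'rejected RCPT' | awk '{print $4}' | awk -F'[' '{print $2}' | awk -F']' '{print $1}' | sort | uniq -c | sort -k1,1 -nr | head -n 5
#############
###Exim######
#############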
Thanks dude that helps
Super useful. Thanks.