Thursday, October 29, 2009

QMAIL + detect SMTP Attacks from the same IP

A simple way to detect SMTP attacks from a single source IP can be achieved using the following command:
$ grep -F "tcpserver: pid" /var/log/qmail/smtp/current | awk '{print $6}' | sort | uniq -c | sort -rn | less

This relies on tcpserver having been started with -v, since the "tcpserver: pid NNN from A.B.C.D" status line is only written in verbose mode. With multilog's timestamping each line starts with a @tai64n stamp, so the source IP is the sixth whitespace-separated field; without the timestamp it would be the fifth.

The output will be similar to:

     59 72.15.222.65
     42 63.251.135.109
     38 66.211.168.231
     33 63.251.135.115
     29 63.251.135.74
     25 213.63.26.144
     25 194.65.138.99
     23 63.251.135.75
     16 194.65.5.228
     15 93.102.93.77
     15 195.23.124.22
     13 212.55.154.23
     12 213.91.163.191
     12 212.55.154.24
     11 212.55.154.21
     11 198.31.62.64
     10 208.65.131.106
     9 98.244.216.176
     9 85.243.160.139
...

The first column is the number of TCP connections tcpserver accepted from the source in the second column. Note that this counts connections, not delivered messages: a busy but legitimate relay will also rank high, so correlate the top entries with what those sessions actually did (rejected recipients, failed AUTH, rblsmtpd hits) before acting. If a source is clearly abusive, block it at the tcpserver layer by adding a line such as A.B.C.D:deny to the rules file used with -x (typically /etc/tcp.smtp) and rebuilding the cdb with tcprules.
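The same pipeline wrapped into reusable shell functions, as an added example that is not part of the original post: it counts connections per source, flags sources above a threshold, and emits tcprules-style deny lines for them. The log lines are constructed for the demonstration (RFC 5737 documentation addresses); the threshold value and the file path are assumptions, and the output is meant to be reviewed before it goes into a rules file.

```shell
#!/bin/sh
# Added example, not from the original post: per-source connection counts from
# a qmail/tcpserver SMTP log, with a threshold and tcprules deny output.
# Assumed log format (tcpserver -v under multilog -t):
#   @<tai64n> tcpserver: pid <pid> from <ip>
# Sample lines below are constructed; the addresses are documentation ranges.

SAMPLE_LOG="${TMPDIR:-/tmp}/qmail-smtp-sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
@400000004ae9a2b10a3c1f24 tcpserver: status: 1/20
@400000004ae9a2b10a3c2a94 tcpserver: pid 20311 from 192.0.2.10
@400000004ae9a2b10a3c3e1c tcpserver: ok 20311 mx.example.net:203.0.113.5:25 :192.0.2.10::41532
@400000004ae9a2b22c11e0a0 tcpserver: end 20311 status 0
@400000004ae9a2b30b1a2c14 tcpserver: pid 20312 from 198.51.100.7
@400000004ae9a2b41c2f0d08 tcpserver: pid 20313 from 192.0.2.10
@400000004ae9a2b51d3a4e90 tcpserver: pid 20314 from 203.0.113.44
@400000004ae9a2b61e4b5f2c tcpserver: pid 20315 from 192.0.2.10
@400000004ae9a2b71f5c6a3c tcpserver: pid 20316 from 198.51.100.7
@400000004ae9a2b8205d7b44 tcpserver: status: 0/20
EOF

# top_sources LOGFILE
# Accepted connections per source IP, busiest first. Only the "pid ... from"
# status lines count; "ok", "end" and "status" lines are ignored. The IP is the
# last field, so this works with or without the multilog timestamp in front.
top_sources() {
    grep -F 'tcpserver: pid' "$1" | awk '{print $NF}' | sort | uniq -c | sort -rn
}

# suspicious_sources LOGFILE THRESHOLD
# Source IPs with strictly more than THRESHOLD connections in the log.
suspicious_sources() {
    top_sources "$1" | awk -v limit="$2" '$1 > limit {print $2}'
}

# deny_rules LOGFILE THRESHOLD
# One "ip:deny" line per flagged source, in the format tcprules(1) reads from
# the rules file given to tcpserver -x. Review before appending to /etc/tcp.smtp
# and rebuilding the cdb, e.g.:
#   tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
deny_rules() {
    suspicious_sources "$1" "$2" | awk '{print $1 ":deny"}'
}

# Stand-alone run: show the ranking, then the deny lines for the assumed threshold of 2.
top_sources "$SAMPLE_LOG"
deny_rules "$SAMPLE_LOG" 2
```

The threshold is deliberately a parameter: on the constructed data it flags only 192.0.2.10 (three connections), while a real mail server needs a value chosen from its own baseline, since the counts come from the whole of the current log file rather than a fixed time window.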