one liner to find/stop possible spam activity
Posted: Thu Dec 22, 2005 4:17 pm
This has been a problem more than once for me, so I wrote a quick one-liner to help sort out trends from the /var/log/secure file.
This script will print out a list of IP addresses that have connected via smtp at least 100 times. This was very useful for me as I found two IP addresses that were filling up my queues with nearly 10,000 messages each over the span of 2 days!
Code:
grep smtp /var/log/secure | grep -oe '[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+' \
| sort | uniq -c | grep -e '^[[:space:]]*[[:digit:]]\{3,\}[[:space:]]\+[[:digit:]]'
Then all I had to do was add a line to my firewall script to block the IP and load started settling down right away. A line like this worked fine for me:
Code:
/sbin/iptables -A INPUT -s 80.99.151.140 -j DROP
And no, I don't mind posting the IP.
Hope that helps somebody out there.
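As an added example (not the poster's one-liner), the same count-and-threshold pipeline wrapped in a shell function that takes the minimum connection count as a parameter instead of hard-coding "three or more digits" in the regex. The log lines it runs on are constructed here, and their xinetd-style "START: smtp ... from=IP" format is an assumption, not taken from the post.

```shell
#!/bin/sh
# Added example, not the poster's script. Counts per-client-IP "smtp" lines
# in a /var/log/secure-style file and reports addresses at or above a threshold.

# emit_lines COUNT SERVICE IP FILE: append COUNT constructed log lines.
# The "xinetd ... START: SERVICE ... from=IP" format is an assumption.
emit_lines() {
    n=$1
    while [ "$n" -gt 0 ]; do
        echo "Dec 22 15:00:00 mail xinetd[1234]: START: $2 pid=5678 from=$3" >> "$4"
        n=$((n - 1))
    done
}

# make_sample_log: write a constructed log to a temp file and print its path.
# 192.0.2.10 and 198.51.100.7 are noisy smtp clients; 203.0.113.9 is mostly
# sshd traffic, which must not be counted as smtp connections.
make_sample_log() {
    f=$(mktemp)
    emit_lines 5 smtp 192.0.2.10   "$f"
    emit_lines 3 smtp 198.51.100.7 "$f"
    emit_lines 2 smtp 203.0.113.9  "$f"
    emit_lines 4 sshd 203.0.113.9  "$f"
    echo "$f"
}

# smtp_top_talkers LOGFILE [THRESHOLD]: print "COUNT IP" for every IPv4
# address appearing on at least THRESHOLD smtp lines (default 100, matching
# the poster's three-digit regex), highest count first.
smtp_top_talkers() {
    logfile=$1
    threshold=${2:-100}
    grep smtp "$logfile" \
      | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $1, $2 }' \
      | sort -rn
}
```

Run as `smtp_top_talkers /var/log/secure 100` to reproduce the original behaviour; lower the threshold to spot a sender before it reaches 100 connections.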