-
Monitor SMTP Traffic
I am an ISP having difficulties with SPAM messages being bounced back to me that are apparently coming from my server or are being spoofed. (I am running Red Hat, Apache, etc.)
Does anyone know of a good tool whereby I could monitor traffic through SMTP and search it later? I can manually sit there and watch it but don't really want to. I'd like to be able to just search the results each day for particular strings common to these errant messages.
Thanks for any suggestions.
-
I guess it depends on what you want to do, but you could use something like tcpdump, setting the filters to only record 'tcp and port 25', do it verbosely, and save it in PCAP format. You could then look at it in something like ethereal... is that what you had in mind?
-
Yes, I believe so. Forgive my ignorance on the matter.
Will this allow me to search the text of the emails that have come through for the particular string that I am interested in?
-
Assuming your system is able to see all traffic on your network (if you have a hub or this is the only system, then yes it can see all the traffic) and assuming you have it looking at the entire packet, yes you would be able to see all content of the email, be it binary or a simple string (it may take work to get the binary, depending on how it was attached to the email).
Something like the following should work:
tcpdump -vvv -s 0 -w output 'tcp and port 25'
Make sure you have plenty of disk space and make sure to keep an eye on the file size. Also make sure that you have permission to do this as it can raise privacy/legal issues, depending on your environment. It will be saved as a binary file and this file can either be read by tcpdump at a later time for analysis or can be loaded by something like ethereal to do a little more in-depth decoding.
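The capture itself is only half of the job; searching it for the strings in the errant messages is something you write yourself. What follows is an added example, not code from this thread: it takes the client-to-server side of one port-25 session as text (the way it looks once the TCP stream has been reassembled and the two directions separated, which raw tcpdump output does not do for you), pulls out each message's envelope and DATA section, undoes the dot-stuffing, and searches the bodies. The session below is constructed. Capture with a full snaplen (`-s 0`) or the bodies will not be in the file, and remember that anything sent over STARTTLS cannot be searched this way.

```python
"""Search reassembled SMTP sessions for a string.

Added example, not from the original thread.  Assumes the capture has
already been turned into the client-side text stream of one session.
"""

# Constructed client->server stream of one SMTP session carrying two
# messages.  Lines end in CRLF as on the wire; a lone "." ends DATA and a
# body line that starts with "." is sent with an extra leading dot.
SESSION = (
    "EHLO mail.example.net\r\n"
    "MAIL FROM:<alice@example.net>\r\n"
    "RCPT TO:<bob@example.org>\r\n"
    "DATA\r\n"
    "From: alice@example.net\r\n"
    "Subject: lunch\r\n"
    "\r\n"
    "See you at noon.\r\n"
    ".\r\n"
    "MAIL FROM:<promo@example.net>\r\n"
    "RCPT TO:<victim1@example.com>\r\n"
    "RCPT TO:<victim2@example.com>\r\n"
    "DATA\r\n"
    "From: promo@example.net\r\n"
    "Subject: Cheap meds\r\n"
    "\r\n"
    "..Click here for CHEAP MEDS!\r\n"
    ".\r\n"
    "QUIT\r\n"
)


def parse_session(stream):
    """Return one dict per message: mail_from, rcpt_to (list), data (str)."""
    messages = []
    cur = None
    lines = stream.split("\r\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        upper = line.upper()
        if upper.startswith("MAIL FROM:"):
            # a new envelope starts; anything before DATA belongs to it
            cur = {"mail_from": line[len("MAIL FROM:"):].strip().strip("<>"),
                   "rcpt_to": [], "data": ""}
        elif upper.startswith("RCPT TO:") and cur is not None:
            cur["rcpt_to"].append(line[len("RCPT TO:"):].strip().strip("<>"))
        elif upper == "DATA" and cur is not None:
            body = []
            i += 1
            while i < len(lines) and lines[i] != ".":
                text = lines[i]
                if text.startswith(".."):      # undo dot-stuffing (RFC 5321 4.5.2)
                    text = text[1:]
                body.append(text)
                i += 1
            cur["data"] = "\r\n".join(body)
            messages.append(cur)
            cur = None
        i += 1
    return messages


def search(messages, needle):
    """Messages whose headers+body contain needle, case-insensitively."""
    needle = needle.lower()
    return [m for m in messages if needle in m["data"].lower()]


if __name__ == "__main__":
    for hit in search(parse_session(SESSION), "cheap meds"):
        print(hit["mail_from"], "->", ", ".join(hit["rcpt_to"]))
```

Feeding it real data means splitting the pcap into per-connection client streams first (Ethereal's "Follow TCP Stream" does this by hand; tcpflow does it in bulk); the parser then gives you the envelope sender and recipients for every message that matches, which is exactly what you need to tell a rogue customer from a forged bounce.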
-
I'm on a VPS and apparently the tcpdump command has been disabled... ergh... any other suggestions other than get a dedicated server ;)
-
I am not familiar with what 'VPS' stands for; regardless, if you don't have root then you won't be able to monitor the interface. If you don't have your own system or access to the network (as in devices, switches, routers, etc), then you should report it to someone with the access to do the monitoring properly and according to the rules, terms of use, and regulations of your network provider. Otherwise, you could wind up getting in a lot of trouble very quickly.
-
a VPS means "Virtual Private Server"
It's a setup whereby multiple people can share a dedicated server and have limited root access. I can do a lot in bash, but apparently tcpdump isn't one of them... I have the ability to read every email in the queue right now, but that would be a really tedious affair, so I was looking for a simpler method.
-
Because you are using a "V" server, you should still be able to edit the mail server config.
Which mail server are you using?
You can probably use something like a procmail recipe to have all outgoing mail sent to a mailbox and have it delivered to the intended destination.
Keep in mind there are privacy concerns to this and if it's not already part of your SLA (Service Level Agreement), you may be opening yourself up to legal problems.
Do you use any sort of SMTP authentication? Maybe you can use a combination of time stamps and log entries to try to narrow down which users might be your problem.
If you don't already use any sort of SMTP authentication, you have several options open to you.
POP Before SMTP is an example.
For Sendmail I have used this in the past.
http://sourceforge.net/projects/poprelay
Easy to configure and does not require the client to edit their SMTP authentication settings, which is nice if you have many users.
-
I use Exim.
Could you explain Pop before SMTP?
-
Croaking,
I'm not entirely sure these kinds of programs are what you're looking for, but take a look at these two and let me know if it's close to what you have in mind.
Mail Box Dispatcher
Spamihilator
Both seem to offer a text filter so you can look for specific words within the body of an email.
-
No, those are more client-side spam filters, I am wanting something that I can monitor for specific phrases for server-side transmitting via the SMTP server to catch a possible rogue spammer on my network, or alternatively to determine if I'm just being spoofed.
-
Quote:
Originally posted here by croakingtoad
I use Exim.
Could you explain Pop before SMTP?
Sure.
In a nutshell, your users are only allowed to relay (send external email) if they have the username and password for a valid account on the system.
Since most email clients will log in via POP/IMAP first before the SMTP server is hit, you can force login creds to be sent prior to allowing email to be sent through your server.
Many relay control tools use SMTP authentication, which is okay, and others use IP addresses to control mail relaying, which is easier to circumvent.
Although you don't have a relay problem per se, you might be able to use the logging to determine who might be spamming, if in fact they are.
In your case, google for "exim pop before smtp"
SGS
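The mechanism SGS describes, and the "time stamps and log entries" idea from ss2chef's earlier post, can be seen together in a few lines. This is an added example, not the poprelay project's code and not anything from the thread: it replays constructed POP login records and SMTP relay attempts through the POP-before-SMTP rule (a login from an IP unlocks relaying from that IP for a fixed window) and then lists which envelope senders each unlocked account actually used. The log layout, the 30-minute window and the local address range are all assumptions made for the example.

```python
"""POP-before-SMTP relay decisions replayed over constructed logs.

Added example, not from the thread and not poprelay's code.  Real POP
and Exim log formats differ; parse() only understands the constructed
"key=value" layout used below.
"""
from datetime import datetime, timedelta

# Assumed policy: a POP/IMAP login unlocks relaying from that IP for 30 minutes.
WINDOW = timedelta(minutes=30)
# Constructed: the ISP's own customer range, which never needs unlocking.
LOCAL_PREFIX = "192.0.2."

# Constructed POP login records and SMTP relay attempts (newest last).
POP_LOG = [
    "2004-03-01 08:00:12 login user=alice ip=198.51.100.7",
    "2004-03-01 08:05:40 login user=carol ip=203.0.113.9",
]
SMTP_LOG = [
    "2004-03-01 08:10:01 relay ip=198.51.100.7 from=alice@example.net to=bob@example.org",
    "2004-03-01 08:12:30 relay ip=203.0.113.9 from=promo@example.net to=victim1@example.com",
    "2004-03-01 09:00:00 relay ip=203.0.113.9 from=promo@example.net to=victim2@example.com",
    "2004-03-01 09:05:00 relay ip=192.0.2.4 from=carol@example.net to=dave@example.org",
    "2004-03-01 09:06:00 relay ip=203.0.113.250 from=spoof@example.net to=victim3@example.com",
]


def parse(line):
    """Split one constructed log line into (timestamp, {key: value})."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    fields = dict(f.split("=", 1) for f in line[20:].split()[1:])
    return ts, fields


def unlocked_by(pop_log, ip, when):
    """User whose most recent POP login from `ip` is still inside WINDOW
    at time `when`, or None if the IP is not unlocked."""
    best = None
    for line in pop_log:
        ts, f = parse(line)
        if f["ip"] == ip and ts <= when and when - ts <= WINDOW:
            if best is None or ts > best[0]:
                best = (ts, f["user"])
    return best[1] if best else None


def decide(pop_log, smtp_log):
    """Apply the POP-before-SMTP rule to every relay attempt."""
    out = []
    for line in smtp_log:
        ts, f = parse(line)
        user = unlocked_by(pop_log, f["ip"], ts)
        if user is not None:
            verdict = "allow"          # IP unlocked by a recent POP login
        elif f["ip"].startswith(LOCAL_PREFIX):
            verdict = "allow"          # our own customer range
        else:
            verdict = "deny"           # would be an open relay otherwise
        out.append({"time": ts, "ip": f["ip"], "from": f["from"],
                    "user": user, "verdict": verdict})
    return out


def senders_per_user(decisions):
    """Envelope senders each unlocked account relayed as.  An account
    that sends as somebody else is the one to look at first."""
    table = {}
    for d in decisions:
        if d["user"] is not None and d["verdict"] == "allow":
            table.setdefault(d["user"], set()).add(d["from"])
    return table


if __name__ == "__main__":
    for d in decide(POP_LOG, SMTP_LOG):
        print(d["time"], d["ip"], d["from"], d["user"], d["verdict"])
    print(senders_per_user(decide(POP_LOG, SMTP_LOG)))
```

Two things fall out of the replay. First, the second attempt is allowed because carol's login unlocked 203.0.113.9, so the promo@ mail is attributed to her account, which is either the spammer or a stolen password; the later attempt from the same IP is denied because the window has expired. Second, the unlock is per IP, not per user, which is the weakness SGS alludes to: anyone sharing that address (a NAT, a shared dial-up pool) relays under carol's unlock.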
-
I don't know how you have set up the machine, but I suggest you have a look at procmail.
You might be able to configure it such that it does what you want.
/edit: oops, already suggested, cheers to ss2chef :D
-
My apologies. I didn't even notice that the thread is in *nix discussions and here I am tossing Windows-based solutions at you. I'm currently checking out some *nix alternatives for monitoring SMTP traffic. I'll see what I can find for you. One other thing, a good step in finding out if you have a rogue spammer vs. being spoofed is checking the expanded headers of the emails in question. It's not 100% foolproof (because Received: fields can be spoofed as well). For the most part, I was able to accurately determine that malicious email originated outside my network just by checking the originating Received: fields.
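The Received: check above is worth doing systematically, with the caveat the poster mentions made explicit: the only Received: lines you can believe are the ones your own servers wrote, and everything below them was supplied by whoever handed you the message. This added example (not from the thread; the address range, hostnames and header blocks are constructed) walks the chain from the newest line down, stops at the first line written "by" one of your hosts, and classifies the message by the address that handed it to you. Any Received: lines further down, including one that claims an origin inside your network, are deliberately never consulted.

```python
"""Find where a bounced message really entered our mail servers.

Added example, not from the original thread.  Address space, hostnames
and both header blocks are constructed for the demonstration.
"""
import ipaddress
import re

# Constructed: the ISP's own address space and the hostnames of its mail
# servers.  Received: lines written "by" these hosts are the only trusted ones.
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]
OUR_HOSTS = {"mx.example.net", "smtp.example.net"}

# Constructed: a message that came in from outside and, in the lowest
# (forgeable) line, merely claims to have started on our network.
EXTERNAL_CASE = "\n".join([
    "Received: from mx.example.net (mx.example.net [192.0.2.10])",
    "    by mail.example.org with ESMTP id abc123; Mon, 1 Mar 2004 10:00:00 +0000",
    "Received: from dialup-77.other.example (unknown [203.0.113.77])",
    "    by mx.example.net with SMTP id def456; Mon, 1 Mar 2004 09:59:58 +0000",
    "Received: from [192.0.2.5] by dialup-77.other.example; Mon, 1 Mar 2004 09:59:00 +0000",
    "From: someone@example.net",
    "Subject: bounce test",
])

# Constructed: a message that really was injected by one of our customers.
INTERNAL_CASE = "\n".join([
    "Received: from smtp.example.net (smtp.example.net [192.0.2.11])",
    "    by mail.example.org with ESMTP id ghi789; Mon, 1 Mar 2004 11:00:00 +0000",
    "Received: from cust-44.example.net (cust-44.example.net [192.0.2.44])",
    "    by smtp.example.net with ESMTP id jkl012; Mon, 1 Mar 2004 10:59:58 +0000",
    "From: someone@example.net",
    "Subject: bounce test",
])

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def unfold(raw):
    """Join folded header continuation lines (leading space/tab) onto the
    line they belong to, so each header is one logical line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """Newest-first list of (from_ip, by_host) from the Received: lines."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        ip = IP_RE.search(line)
        by = BY_RE.search(line)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops


def handoff_to_us(raw):
    """IP that handed the message to the first of OUR hosts, walking from
    the newest line down.  Lines below that hop were written by somebody
    else and can say anything, so they are never consulted."""
    for from_ip, by_host in received_hops(raw):
        if by_host in OUR_HOSTS:
            return from_ip
    return None


def classify(raw):
    """'internal' if the message entered our servers from our own address
    space, 'external' if from outside, 'unknown' if no trusted hop exists."""
    ip = handoff_to_us(raw)
    if ip is None:
        return "unknown"
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in OUR_NETS) else "external"


if __name__ == "__main__":
    for name, raw in (("external", EXTERNAL_CASE), ("internal", INTERNAL_CASE)):
        print(name, classify(raw), handoff_to_us(raw))
```

Run over a day's worth of bounces, "external" verdicts are the forged ones you can only answer with relay controls and sender verification, while "internal" verdicts give you the customer address (and, with the mail log, the account) that actually injected the message.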