Automatically check php mail log and send daily mails

ehsanch (Verified User, joined Jun 2, 2008, 47 messages)
Hi
I wrote a simple bash script that will check users' php-mail.log and send an email if it exceeds a specific size.
It will help to find spammer scripts and delete them, or warn users, to stop bots from using server resources.

Please feel free to improve this script and share it here if you like :)

php_top_mailers.sh
Code:
#!/bin/bash
# Report users whose php-mail.log is larger than $MAXSIZE and mail the tail of each log.
EMAIL="[email protected]"
MAXSIZE="+100k"
# The glob may match nothing; hide find's error about the literal path in that case.
TOPS=$(find /home/*/.php/php-mail.log -type f -size "$MAXSIZE" 2>/dev/null)
# Only send when at least one log matched (an empty result still counts as one line for wc -l).
if [ -n "$TOPS" ]; then
 TEXT="$TOPS"$'\n\n\n'$(echo "$TOPS" | xargs tail -n 10)
 mail -s "Top php mail senders" "$EMAIL" <<< "$TEXT"
 echo "$TEXT"
fi
Change +100k in the script if you need different conditions.
I added it to crontab so I receive a daily email:
0 20 * * * bash php_top_mailers.sh
 
Same here, but that's probably because all my users have 0k PHP mail logs.
Maybe a check would be nice so it won't send mail if no users are found with more than 0k mail logs.
 
Yes, PHP mailer logs are also normal. I'm going crazy. I just cannot find the spammer. The rest of the stats seem normal. dovecot_lmtp_udp has a high volume. What is the logic with it? Webmail sends?
Code:
Grand total summary
-------------------
                                                                  At least one address
  TOTAL               Volume   Messages Addresses     Hosts      Delayed       Failed
  Received             413MB       1576                 608      14  0.9%     51  3.2%
  Delivered            457MB       1727      1813       112
  Rejects                         15747                1529
  Temp Rejects                        8                   8

Deliveries by transport
-----------------------
                      Volume    Messages
  :blackhole:           12MB          24
  address_file         842KB          22
  dovecot_lmtp_udp     247MB        1102
  remote_smtp          175MB         410
  spamcheck             23MB         169

My /etc/virtual/unknown is full of 6900 lines like the following:

Code:
8756=type=email&email=&method=outgoing&id=1akxMY-0008JD-9J&authenticated_id=&sender_host_address=&log_time=1459545421&message_size=8756&local_part=mendezearnestine52551&domain=beamtele.net&path=/
6749=type=email&email=&method=outgoing&id=1alBDT-0005hm-73&authenticated_id=&sender_host_address=&log_time=1459545421&message_size=6749&local_part=cooktia962&domain=vdc.vn&path=/
8166=type=email&email=&method=outgoing&id=1alBDS-0005ha-8J&authenticated_id=&sender_host_address=&log_time=1459545422&message_size=8166&local_part=cooktia962&domain=vdc.vn&path=/
7341=type=email&email=&method=outgoing&id=1akyHS-0006UY-A5&authenticated_id=&sender_host_address=&log_time=1459545422&message_size=7341&local_part=millsrosario09&domain=mail.yalemortgage.com&path=/
8520=type=email&email=&method=outgoing&id=1alImk-00025K-FG&authenticated_id=&sender_host_address=&log_time=1459545422&message_size=8520&local_part=alexandercelia51&domain=brasiltelecom.net.br&path=/
8920=type=email&email=&method=outgoing&id=1akyHR-0006UN-8A&authenticated_id=&sender_host_address=&log_time=1459545422&message_size=8920&local_part=millsrosario09&domain=mail.yalemortgage.com&path=/
8470=type=email&email=&method=outgoing&id=1alBAQ-0005Kl-Mx&authenticated_id=&sender_host_address=&log_time=1459545422&message_size=8470&local_part=porterkaty23390&domain=brasiltelecom.net.br&path=/
7279=type=email&email=&method=outgoing&id=1akwgQ-0003xe-No&authenticated_id=&sender_host_address=&log_time=1459545423&message_size=7279&local_part=ryanbenita66&domain=millacomputadores.com.br&path=/
6560=type=email&email=&method=outgoing&id=1alITz-00013p-Pw&authenticated_id=&sender_host_address=&log_time=1459545423&message_size=6560&local_part=transummer030&domain=vdc.vn&path=/
3017=type=email&email=&method=outgoing&id=1alG9a-0002U6-O0&authenticated_id=&sender_host_address=&log_time=1459545423&message_size=3017&local_part=transummer030&domain=vdc.vn&path=/
9859=type=email&email=&method=outgoing&id=1alIun-0002xb-4E&authenticated_id=&sender_host_address=&log_time=1459545423&message_size=9859&local_part=bounce&domain=postmup.com&path=/
12820=type=email&email=&method=outgoing&id=1alIvh-00033t-DZ&authenticated_id=&sender_host_address=&log_time=1459545424&message_size=12820&local_part=bounce&domain=postmup.com&path=/
4058=type=email&email=&method=outgoing&id=1alfHO-0007Nr-AM&authenticated_id=&sender_host_address=&log_time=1459545424&message_size=4058&local_part=noelflorencio999&domain=unzueta.com.bo&path=/
7686=type=email&email=&method=outgoing&id=1alIVG-0001FV-Ed&authenticated_id=&sender_host_address=&log_time=1459545424&message_size=7686&local_part=stanleyaudra1996&domain=airtelbroadband.in&path=/
8844=type=email&email=&method=outgoing&id=1akxaV-0001I3-9g&authenticated_id=&sender_host_address=&log_time=1459545424&message_size=8844&local_part=schultzpeggy208&domain=leased-lines-204-130.tricom.net&path=/

Does this mean the server is infected and sending by itself, and no DA user is sending?
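The records above are one per line: a leading size, then key=value pairs joined by `&`, and on every line the `email=`, `authenticated_id=` and `sender_host_address=` values are empty, so the message can be tied neither to an authenticated account nor to a remote host. The script below is an added example, not code from the post or from DirectAdmin; it sizes such a burst before you decide whether the bounce system is being abused: messages and bytes per recipient domain, how many records have no attributable account or host, and the epoch span they fall in. The sample records are copied from the post; the function names and the way the fields are aggregated are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example: summarise records in the /etc/virtual/unknown format shown above.
# Each line is "<size>=key=value&key=value&...". Function names and the
# aggregation are this example's own choices, not DirectAdmin's.

# Seven records copied from the post above.
SAMPLE_UNKNOWN='8756=type=email&email=&method=outgoing&id=1akxMY-0008JD-9J&authenticated_id=&sender_host_address=&log_time=1459545421&message_size=8756&local_part=mendezearnestine52551&domain=beamtele.net&path=/
6749=type=email&email=&method=outgoing&id=1alBDT-0005hm-73&authenticated_id=&sender_host_address=&log_time=1459545421&message_size=6749&local_part=cooktia962&domain=vdc.vn&path=/
8166=type=email&email=&method=outgoing&id=1alBDS-0005ha-8J&authenticated_id=&sender_host_address=&log_time=1459545422&message_size=8166&local_part=cooktia962&domain=vdc.vn&path=/
7341=type=email&email=&method=outgoing&id=1akyHS-0006UY-A5&authenticated_id=&sender_host_address=&log_time=1459545422&message_size=7341&local_part=millsrosario09&domain=mail.yalemortgage.com&path=/
9859=type=email&email=&method=outgoing&id=1alIun-0002xb-4E&authenticated_id=&sender_host_address=&log_time=1459545423&message_size=9859&local_part=bounce&domain=postmup.com&path=/
12820=type=email&email=&method=outgoing&id=1alIvh-00033t-DZ&authenticated_id=&sender_host_address=&log_time=1459545424&message_size=12820&local_part=bounce&domain=postmup.com&path=/
6560=type=email&email=&method=outgoing&id=1alITz-00013p-Pw&authenticated_id=&sender_host_address=&log_time=1459545423&message_size=6560&local_part=transummer030&domain=vdc.vn&path=/'

# Field parser shared by the two reports below. For each record it prints
# "domain size auth host time"; empty values are printed as "-".
unknown_fields() {
  awk '
    {
      dom = ""; size = 0; auth = ""; host = ""; t = 0
      n = split($0, kv, "&")
      for (i = 1; i <= n; i++) {
        split(kv[i], p, "=")      # kv[1] is "<size>=type=email"; its key "<size>" is ignored
        if (p[1] == "domain") dom = p[2]
        else if (p[1] == "message_size") size = p[2] + 0
        else if (p[1] == "authenticated_id") auth = p[2]
        else if (p[1] == "sender_host_address") host = p[2]
        else if (p[1] == "log_time") t = p[2] + 0
      }
      printf "%s %d %s %s %d\n", (dom == "" ? "-" : dom), size, (auth == "" ? "-" : auth), (host == "" ? "-" : host), t
    }'
}

# "domain count bytes", busiest recipient domain first.
unknown_top_domains() {
  unknown_fields | awk '{ cnt[$1]++; bytes[$1] += $2 }
    END { for (d in cnt) printf "%s %d %d\n", d, cnt[d], bytes[d] }' | LC_ALL=C sort -k2,2nr -k1,1
}

# One-line totals: record count, how many carry neither an authenticated
# account nor a remote sender address (unattributable local submission),
# total bytes, and the epoch span the records were logged in.
unknown_summary() {
  unknown_fields | awk '
    { total++; bytes += $2; if ($3 == "-" && $4 == "-") un++
      if (first == 0 || $5 < first) first = $5; if ($5 > last) last = $5 }
    END { printf "total=%d unattributed=%d bytes=%d first=%d last=%d\n", total, un, bytes, first, last }'
}

printf '%s\n' "$SAMPLE_UNKNOWN" | unknown_top_domains
printf '%s\n' "$SAMPLE_UNKNOWN" | unknown_summary
```

Against the live file, `unknown_top_domains < /etc/virtual/unknown` shows where the traffic goes; a single recipient domain or a `bounce` local part dominating many records within a few seconds is the shape of a bounce storm rather than of real users mailing.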
 
You might need to make another topic for this because it's not on-topic here.
However, to give some quick tips, I would just check that there is no resident mail server running under a user or something, maybe like this:
lsof -i tcp:25
If you see anything other than Exim, you've got a problem.
Also install Maldetect (see elsewhere on this forum) to check for malware.
 
I really spent days but never ended up with a certain/successful result. I do not have any hope, so I did not want to open a new topic. Why is it so difficult to trace a spammer on Linux? On a Windows server, I simply trace the mail server logs and everything is there. With a DA server, I have to trace Exim logs, PHP mailer logs, suspicious website scripts. And now I learn about a "resident mail server" under a user. But none of them give me any clue. In the following days I ended up in an RBL. My Exim logs also seem normal. I nearly looked at them line by line. I also use Maldetect.
 
You can also have hidden resident mail servers in Windows. It's just that Linux has a lot of apps.
Are you also using CSF/LFD? If yes, you can block PHP mail. You will get error notices about scripts which can't send out any mail anymore.
Change SMTP_ALLOWLOCAL = "1" to SMTP_ALLOWLOCAL = "0" temporarily.
I presume the lsof command did not let you see anything?
Or you might have somebody have a look at your system.

It could also be the bounce system is abused, check this:
http://help.directadmin.com/item.php?id=360
 
I completely disabled the PHP mail function and told users to use SMTP auth. I am using CSF. I set the bounce limit to 0. I want to fix the solution myself, to become a better system admin. But Linux has lots of possibilities. In general, is there any other possibility besides those listed at http://help.directadmin.com/item.php?id=455?
 
Not that I know of offhand.
If you use CSF/LFD and set it right, force PHP users to use SMTP authentication, use Maldetect and fix the bounce abuse, there is little more you can do as far as I know for outgoing traffic.
Except for using the SpamBlocker 4 exim.conf, which also prevents certain unwanted spam.
I also add some lines to the exim.conf; for a SpamBlocker 4 configuration file I add this to the log_selector line:
Code:
  +address_rewrite \
  +all_parents \
  +connection_reject \
You have a bit more info when somebody's password gets hacked and spam is going out through authenticated mail.
 
OK, right after I re-enabled the mail alert in CSF, I received a mail:
Code:
Time:  Sat Apr  2 23:08:53 2016 +0300
Type:  LOCALRELAY, Local Account - apache
Count: 101 emails relayed
Blocked: No

Sample of the first 10 emails:

2016-04-02 23:02:18 1amRkO-0005du-Nu <= [email protected] U=apache P=local S=700 T="Re:  Affordable E.D. Light Sets" from <[email protected]> for [email protected]
2016-04-02 23:02:19 1amRkP-0005eh-SA <= [email protected] U=apache P=local S=710 T="Fw:  Affordable Pharmacy solution" from <[email protected]> for [email protected]
2016-04-02 23:02:19 1amRkQ-0005f1-29 <= [email protected] U=apache P=local S=702 T="Re:  Affordable E.D. Light Sets" from <[email protected]> for [email protected]
2016-04-02 23:02:20 1amRkR-0005fq-AS <= [email protected] U=apache P=local S=718 T="Fw:  Affordable Pharmacy solution" from <[email protected]> for [email protected]
2016-04-02 23:02:22 1amRkR-0005fu-D5 <= [email protected] U=apache P=local S=698 T="Re:  Affordable E.D. Light Sets" from <[email protected]> for [email protected]
2016-04-02 23:02:23 1amRkS-0005gs-VD <= [email protected] U=apache P=local S=712 T="Fw:  Affordable Pharmacy solution" from <[email protected]> for [email protected]
2016-04-02 23:02:23 1amRkU-0005hZ-4T <= [email protected] U=apache P=local S=698 T="Re:  Affordable E.D. Light Sets" from <[email protected]> for [email protected]
2016-04-02 23:02:24 1amRkV-0005iP-3Y <= [email protected] U=apache P=local S=712 T="Fw:  Affordable Pharmacy solution" from <[email protected]> for [email protected]
2016-04-02 23:02:25 1amRkV-0005iZ-5K <= [email protected] U=apache P=local S=716 T="Re:  Affordable E.D. Light Sets" from <[email protected]> for [email protected]
2016-04-02 23:02:25 1amRkW-0005j8-9I <= [email protected] U=apache P=local S=708 T="Fw:  Affordable Pharmacy solution" from <[email protected]> for [email protected]

So the questions are now:
Why is this not being limited by the Exim limits?
Why is this not being blocked by SpamBlocker?
Why is this not being written by eximstats?
Why is this not being caught in the Exim logs?
I found that the user has lots of encoded PHP files sending spam, so why do Maldetect and ClamAV not detect them?
Again new questions come that I cannot figure out.

I added an Exim filter to discard such mail from this user. Not sure if it is a good idea, because I do not want to shut down the user account. I want to find a blocking system for such issues, to block at server level.
How do I disallow apache from sending mail like this?
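The lines quoted in the CSF alert are in Exim mainlog format: `<=` marks a message Exim accepted, `U=` is the Unix user that handed it over, `P=local` means it arrived from a local process rather than over SMTP, `S=` is the size and `T=` the subject. The script below is an added example, not code from the thread, from CSF or from Exim; it counts accepted local messages per Unix user, lists the subjects one user sent, and reports whether a user reached a limit, so it can be wrapped into the kind of daily cron job the first post describes. The log lines are constructed for this example with example.com addresses; the function names and the limit are assumptions.

```shell
#!/usr/bin/env bash
# Added example: per-user accounting of messages Exim accepted from local
# processes, parsed from mainlog "<=" lines. Function names, the limit and
# the sample log are this example's own; the sample uses example.com addresses.

# Constructed sample in the format of the CSF alert above (not a real log).
SAMPLE_MAINLOG='2016-04-02 23:02:18 1amRkO-0005du-Nu <= bob@example.com U=apache P=local S=700 T="Re:  Affordable E.D. Light Sets" from <bob@example.com> for victim1@example.net
2016-04-02 23:02:19 1amRkP-0005eh-SA <= bob@example.com U=apache P=local S=710 T="Fw:  Affordable Pharmacy solution" from <bob@example.com> for victim2@example.net
2016-04-02 23:02:19 1amRkQ-0005f1-29 <= bob@example.com U=apache P=local S=702 T="Re:  Affordable E.D. Light Sets" from <bob@example.com> for victim3@example.net
2016-04-02 23:05:01 1amRnD-0005zz-Ab <= alice@example.com U=alice P=local S=1200 T="Invoice 1042" from <alice@example.com> for customer@example.org
2016-04-02 23:06:00 1amRoC-00060a-Cd <= root@mail.example.com U=root P=local S=600 T="Cron <root@mail> /usr/bin/backup" for root@mail.example.com
2016-04-02 23:06:10 1amRoM-00061b-Ef <= ext@example.org H=(mx.example.org) [198.51.100.7] P=esmtp S=900 id=abc@example.org for alice@example.com
2016-04-02 23:08:30 1amRqa-00062c-Gh => alice@example.com R=localuser T=local_delivery'

# "user count bytes" for messages received with P=local, busiest user first.
# Remote SMTP arrivals (P=esmtp and friends) and delivery lines (=>) are skipped.
exim_local_senders() {
  awk '
    $4 == "<=" {
      user = ""; proto = ""; size = 0
      for (i = 5; i <= NF; i++) {
        if ($i ~ /^U=/)      user = substr($i, 3)
        else if ($i ~ /^P=/) proto = substr($i, 3)
        else if ($i ~ /^S=/) size = substr($i, 3) + 0
        else if ($i ~ /^T=/) break          # subject starts here and may contain spaces
      }
      if (proto == "local" && user != "") { cnt[user]++; bytes[user] += size }
    }
    END { for (u in cnt) printf "%s %d %d\n", u, cnt[u], bytes[u] }' | LC_ALL=C sort -k2,2nr -k1,1
}

# "count subject" for one Unix user, most repeated subject first. A web-server
# user sending a handful of subjects over and over is the spam signature.
exim_user_subjects() {
  awk -v u="$1" '
    $4 == "<=" && index($0, " U=" u " ") && index($0, " P=local ") {
      if (match($0, /T="[^"]*"/)) {      # subject is the quoted T= value
        subj = substr($0, RSTART + 3, RLENGTH - 4)
        cnt[subj]++
      }
    }
    END { for (s in cnt) printf "%d %s\n", cnt[s], s }' | LC_ALL=C sort -k1,1nr -k2
}

# Exit 0 when $1 (a Unix user) handed Exim at least $2 local messages; this is
# the condition a cron job would alert on.
exim_user_over_limit() {
  local n
  n=$(exim_local_senders | awk -v u="$1" '$1 == u { print $2 }')
  [ "${n:-0}" -ge "$2" ]
}

printf '%s\n' "$SAMPLE_MAINLOG" | exim_local_senders
printf '%s\n' "$SAMPLE_MAINLOG" | exim_user_subjects apache
if printf '%s\n' "$SAMPLE_MAINLOG" | exim_user_over_limit apache 3; then
  echo "ALERT: apache submitted 3 or more messages locally"
fi
```

Against a real box, feed the mainlog instead of the sample (its path depends on the install; on DirectAdmin it is usually /var/log/exim/mainlog). Anything attributed to the web-server user with `P=local` came through the sendmail path, which is exactly what a PHP mail() call produces, and the `<=` lines are in the log whether or not eximstats or CSF summarised them.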
 
I'm sorry, but I refuse to answer more here; it's become way off-topic, and I don't like topic stealing. Please open a separate thread for this.
 
Thank you, Ehsanch.
I did not receive an email now either. Next to that, at first it gave 4 empty lines in the console when I ran it manually, and now not anymore.
Looks improved! Thank you!
 