Script to monitor exim logs/etc

LawsHosting

As the limit file is used globally, that's not an option for me.

I just had a situation where a new client sent ~800 mails in less than 2 hours by email (not php/etc) to random emails. Disabled his account when I could - I check my queue regularly.

What I want is a script that monitors the maillog or whatever, pulls out a user-name if the user sends more than x mails per minute, and sends the info to my mailbox.

Has anybody seen anything like this? Or how do you admins monitor spam activity?
 
As the limit file is used globally

What I do for users I do not want to limit is create the user file in /etc/virtual/usage and then chattr +i the file. They will have unlimited emails. So while the setting is technically global you can make it not so global.

Another way to do it is to set the limit incredibly high and then run a script that checks the user files every minute to see how many emails have been sent.

I hate having to parse the exim log so I try to check other things where the work has already been done for me.
 
What I do for users I do not want to limit is create the user file in /etc/virtual/usage and then chattr +i the file. They will have unlimited emails. So while the setting is technically global you can make it not so global.
So you chattr the user.bytes file so it's set to unlimited (i.e. non-editable) for that user..... then the limit file won't affect that user?

I guess as that file lists incoming and outgoing mails, the limit file takes the incoming email into consideration too, yes?

Actually, that byte file is useful nevertheless.
 
So you chattr the user.bytes file

No. /etc/virtual/usage/username. This is the file that gets incremented when a user sends email. It's just a counter. If you chattr that file then it will not increment. But that file will not exist if you do not have the limit set.
 
Ok, I meant to put /etc/virtual/usage/username.bytes instead of user.bytes, my mistake.

Still wrong. Just username. No .bytes.

Contains a bunch of information:
/etc/virtual/usage/username.bytes

Just a counter:
/etc/virtual/usage/username
 
Ok, so we create the username file then chattr that,

Correct.

Peter Laws said:
as all I see there are the bytes files.

Correct.

floyd said:
But that file will not exist if you do not have the limit set.

You have never set the limit in the limit file so therefore the files of which I speak are not on your system yet. chattr the files of users you do not want to limit and then set the limit in the limit file and then the rest of the users will have a limit.

It's not a perfect solution but you asked what we do. This is what I actually do. In my mind I can see how one could set specific limits on individual users and time frames but that will get complicated and I have not put it to the test yet. For me it's good enough to have limited users and unlimited users, only those two groups.
 
Does exim check/create the username files automatically in the /etc/virtual/usage directory when users send mail? as I've just checked and there's no username files.
 
Does exim check/create the username files automatically in the /etc/virtual/usage directory when users send mail? as I've just checked and there's no username files.

It does for me. What is in /etc/virtual/limit?
 
Believe it or not, zero, but I added 260 :confused:

How confusing.......

was
-rwxr-xr-x 1 mail mail 2 2010-04-07 14:22 limit
now
-rwxr-xr-x 1 mail mail 4 2010-09-22 00:02 limit
I can't understand how it can have a timestamp of 5 months previous when I just added it within a week?!?
 
You have to put in /etc/virtual/limit the number you want to limit. Set at 0 is unlimited emails so no username file gets created. Set it at 200 and it will create the username files and add a 1 every time an email gets sent out by that user.

I had assumed you had read this but maybe not so I will post it:
http://help.directadmin.com/item.php?id=81
 
Actually, before the limit was set to 260, it was root owned, maybe that was the reason why it was changed to mail with zero.

It works now........

Who'd be a server admin, eh!
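
The "check the user files every minute" approach suggested earlier in the thread could look like the sketch below. It is an added example, not code from any poster or from DirectAdmin. It assumes each /etc/virtual/usage/username counter grows by one byte per message sent (one reading of "add a 1 every time an email gets sent"); the state directory, threshold and mail address are hypothetical.

```shell
#!/bin/sh
# Added example: per-user send-rate check over the counter files discussed above.
# Assumption: each counter (USAGE_DIR/<username>) grows by one byte per message
# sent, so its size is the running count. Verify this on your own server first.

# check_usage USAGE_DIR STATE_DIR MAX_PER_RUN
# Prints "user sent_since_last_run total" for each user over the threshold.
check_usage() {
    usage_dir=$1 state_dir=$2 max=$3
    mkdir -p "$state_dir" || return 1
    for f in "$usage_dir"/*; do
        [ -f "$f" ] || continue
        user=${f##*/}
        case $user in *.bytes) continue ;; esac    # detail files, not counters
        cur=$(wc -c < "$f" | tr -d ' ')
        # No snapshot yet: the counter appeared since the last run, so all of
        # it counts as new (the very first run therefore reports totals).
        prev=0
        [ -f "$state_dir/$user" ] && prev=$(cat "$state_dir/$user")
        case $prev in ''|*[!0-9]*) prev=0 ;; esac   # ignore a corrupt snapshot
        # A smaller count than last time means the counter was reset.
        if [ "$cur" -lt "$prev" ]; then delta=$cur; else delta=$((cur - prev)); fi
        printf '%s\n' "$cur" > "$state_dir/$user"
        [ "$delta" -gt "$max" ] && printf '%s %s %s\n' "$user" "$delta" "$cur"
    done
    return 0
}

# Cron usage (hypothetical paths and address), run once a minute:
#   out=$(check_usage /etc/virtual/usage /var/tmp/mailrate 20)
#   [ -n "$out" ] && printf '%s\n' "$out" | mail -s "mail rate alert" admin@example.com
```

Counters made immutable with chattr +i never grow, so users exempted that way never appear in this output.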
 