Relay Tracking CSF v.10.09

Post by index »

Hi everybody,

In the last couple of weeks to a month we have experienced mass e-mail sent from our users whose SMTP accounts had been hacked, but we didn't get any notifications about them sending a big amount of e-mail. We suspect this might be because the hackers are being smarter and not sending from one IP but rather from multiple IPs, so there is no reaction from the system to send a notification to us about it.
We do realize that this part works fine when e-mails are sent from one IP: when more than 50 (the limit we set) are sent, we get the notification, which is great. That is not the case when the hacker sends over multiple IPs but with a small amount of e-mail messages per IP. For example, e-mails are sent from 150 different IPs but he only sends around 10, maybe 15, e-mails per IP, and the system doesn't seem to respond to it. We see that the "user" has sent over 1500-2000 e-mails in 20 minutes but we never get the notification for it, unless we check it under Mail Delivery Reports in WHM.

Is there any possibility to set up something in the configuration for our problem, so the system sends us a notification whether it is from one IP (like now) or from multiple IPs, so that it monitors @domainname.com? Or maybe some custom rule would help here?

Thanks in advance
Re: Relay Tracking CSF v.10.09

Post by jcats »

I'd be interested in hearing on this as well, we are suffering from the same situation.
Re: Relay Tracking CSF v.10.09

Post by jcats »

Just had one email account send out 39,000 emails throughout the day without a single CSF alert =X

root@ollie [~]# grep dovecot_login:email@domain.com /var/log/exim_mainlog | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | wc -l
39437

From 1806 unique IPs.
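Added example (not CSF's own code, and not from either poster): a Python script that does what both posts above ask for, counting accepted messages per authenticated account across all source IPs inside a sliding time window, instead of per connecting IP as CSF's relay tracking does. The log lines are constructed in Exim mainlog format; the regex fields, the 50-message threshold and the 60-minute window are assumptions. Unlike a grep for every IP-looking token on a line, it takes only the client address from the H= field, so an I=[...] interface address (present when Exim's incoming_interface log selector is enabled) is not mistaken for another sender.

```python
#!/usr/bin/env python3
"""Per-account relay volume check across many source IPs.

Added example, not CSF code. Groups exim_mainlog '<=' (message accepted)
lines by the authenticated account (A=dovecot_login:...) and flags any
account whose message count inside a sliding window reaches a threshold,
no matter how many IPs were used. Field names, threshold and window are
assumptions; the sample log below is constructed, not a real log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# '<=' marks a message Exim accepted. H=(helo) [ip]:port is the connecting
# client; the IP is taken from there only, never from a later I=[ip] field.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ "
    r"H=(?:\S+ )?\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+ .*?"
    r"A=dovecot_(?:login|plain):(?P<user>\S+)"
)


def parse_line(line):
    """Return (timestamp, account, client_ip) for an authenticated
    submission line, or None for any other line (deliveries, bounces...)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def find_mass_senders(lines, threshold=50, window=timedelta(minutes=60)):
    """Return {account: (peak_count, unique_ip_count)} for every account
    that submitted at least `threshold` messages within any span of
    length `window`, regardless of how many source IPs were involved."""
    events = defaultdict(list)  # account -> [(timestamp, ip), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, user, ip = parsed
            events[user].append((ts, ip))

    flagged = {}
    for user, evs in events.items():
        evs.sort()
        times = [t for t, _ in evs]
        peak, j = 0, 0
        for i in range(len(times)):
            # advance j while times[i]..times[j] still fit in the window
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            flagged[user] = (peak, len({ip for _, ip in evs}))
    return flagged


# ---- constructed sample log (assumed format, not a real server's log) ----
def _mainlog_line(ts, ip, user, n):
    return (f"{ts:%Y-%m-%d %H:%M:%S} 1YVW3f-000{n:03d}-Lf <= {user} "
            f"H=(client.example) [{ip}]:51234 I=[192.0.2.10]:587 P=esmtpsa "
            f"X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 A=dovecot_login:{user} "
            f'S=1210 id=msg{n}@example.com T="hello" for rcpt@example.net')


SAMPLE_LOG = []
_base = datetime(2015, 3, 10, 14, 0, 0)
# "victim" sends 80 messages in 20 minutes spread over 8 IPs (10 each),
# so no single IP ever reaches a per-IP limit of 50.
_attacker_ips = [f"203.0.113.{i}" for i in range(1, 9)]
for k in range(80):
    SAMPLE_LOG.append(_mainlog_line(_base + timedelta(seconds=15 * k),
                                    _attacker_ips[k % 8],
                                    "victim@example.com", k + 1))
# "legit" sends 3 messages from one IP.
for k in range(3):
    SAMPLE_LOG.append(_mainlog_line(_base + timedelta(minutes=5 * k),
                                    "198.51.100.7", "legit@example.com", 81 + k))
# a delivery ('=>') line that carries an IP but is not a submission
SAMPLE_LOG.append("2015-03-10 14:00:03 1YVW3f-000001-Lf => rcpt@example.net "
                  "R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.25]")

if __name__ == "__main__":
    for user, (count, ips) in find_mass_senders(SAMPLE_LOG).items():
        print(f"ALERT {user}: {count} messages in window from {ips} unique IPs")
```

Run against a real file with `find_mass_senders(open("/var/log/exim_mainlog"))`; the per-account result for the 39,000-message case above would be one entry with the peak in-window count and 1806 unique IPs, which is exactly the signal a per-IP threshold cannot see.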