How to monitor and get notified which VPS within one node is sending mass emails?

anatol Member
edited August 2014 in Help

How to monitor and get notified which VPS within one node is sending mass emails (spam)?

Actually I just got one node with CentOS and a few KVM VPS clients; some of them are sending bulk emails and the datacenter keeps sending warnings that my server will be suspended if things continue like this.

I need somehow to automatically get warnings if one VPS has emails stuck in queue; this way I will immediately send a warning to the client and suspend/delete the VPS if he continues.

NodeVPS

Comments

  • linuxthefish Member
    edited August 2014

    Edit: nvm, just got up.

  • Ishaq Member, Provider
    edited August 2014

    Ask the datacenter to nullroute the IPs sending spam?

    [BudgetNode] DDoS Protected. 7 Locations (US/EU). Check out our latest offer!
  • @Ishaq said: Ask the datacenter to nullroute the IPs sending spam?

    Well I can do that but will be too late. I need to find out who is sending bulk emails before datacenter does.

    NodeVPS

  • anatol Member
    edited August 2014

    @perennate said: http://pastebin.com/3x2WksKx

    How can this script help me? I need to do something on the node in order to find out which VPS is sending bulk emails and suspend it or block outgoing emails.

    NodeVPS

  • perennate Member, Provider

    You can run tcpdump on the node to monitor outgoing SMTP connections, then block them with iptables if you have KVM configured to work with iptables. All VM network traffic should be visible to the host node.

    Thanked by 1 anatol
  • anatol Member
    edited August 2014

    @perennate said: You can run tcpdump on the node to monitor outgoing SMTP connections, then block them with iptables if you have KVM configured to work with iptables. All VM network traffic should be visible to the host node.

    That's the best answer I got! I just googled it a little and it looks awesome; if you're familiar with it, can you tell me how to automatically get notified, for example if someone is sending more than 100 emails/hour, or if there are emails stuck in queue, etc.

    NodeVPS

  • BrianHarrison Member, Provider

    How large are these e-mail spikes and do you own the switch that your server is connected to? We have our sFlow monitoring set up to automatically notify us in the event of large sustained SMTP traffic. It works very well to identify and halt the problem before our IPs become blacklisted. In my experience, large SMTP traffic with immediate stops and starts is almost always spam.

    Reprise Hosting (AS62838) Intel Xeon L5520, 1TB SATA, 4GB RAM, 10TB BW, $27/mo with DED10 promo! Cheap dedicated servers.
    VPSHostingDeal.com - Low-cost self-managed OpenVZ + Xen cheap VPS hosting. Plans starting at $12 PER YEAR! Cheap VPS.

  • nodewatch

  • wych Member

    Nodewatch/VPS anti-abuse?

    Taking a hiatus.

  • anatol Member
    edited August 2014

    @BrianHarrison said: How large are these e-mail spikes and do you own the switch that your server is connected to? We have our sFlow monitoring set up to automatically notify us in the event of large sustained SMTP traffic. It works very well to identify and halt the problem before our IPs become blacklisted. In my experience, large SMTP traffic with immediate stops and starts is almost always spam.

    Traffic spike for one of the VPSs: http://tinypic.com/view.php?pic=cnri9&s=8 . I don't own the switch. Well, all I know is that the datacenter sent me several warnings; these days 4 out of 5 customers use VPSs for bulk emails. Actually 100% of the clients asking for rDNS immediately after VPS deploy are using the VPS for bulk emails.

    NodeVPS

  • Nodewatch works on KVM?

    NodeVPS

  • perennate Member, Provider

    anatol said: That's the best answer I got! I just googled it a little and it looks awesome; if you're familiar with it, can you tell me how to automatically get notified, for example if someone is sending more than 100 emails/hour, or if there are emails stuck in queue, etc.

    I sent you an example script. Not sure what you mean by "emails stuck in queue".

    Thanked by 1 crossing
  • zed Member

    hire a sysadmin

    At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought.

    Thanked by 1 Profforg
  • anatol Member
    edited August 2014

    @perennate said: I sent you an example script. Not sure what you mean by "emails stuck in queue".

    Ok so I need to install tcpdump on my node (CentOS), and then what do I do with that script?

    NodeVPS

  • perennate Member, Provider

    @crossing said: I have one node with KVM VPS clients. Some of them (most these days..) are using the VPS for bulk email campaigns and the datacenter keeps emailing me. I need somehow to know before the datacenter does and block people who are sending bulk emails from a VPS. Will that script actually block the IPs with abuse?

    It is an example script only. If you look at it you'll see that you obviously need to modify it for your situation, since it makes a lot of SQL queries to tables that probably don't exist in your environment. What it does is execute tcpdump to get a list of all SMTP connections in a twelve second period, and then update counters to determine if any IP addresses had an excessive number of connections; then, those IP addresses are blocked via iptables and an email alert to the admin (you) is sent. It is meant to be set as a cron job to execute every few minutes; you probably don't want tcpdump constantly running.
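The tcpdump-and-counters approach perennate describes, as an added example that is not perennate's script or anything else posted in the thread: it reads `tcpdump -nn` output captured for a fixed window on the node and counts initial SYNs to port 25 per guest source IP, then reports the sources above a threshold, which is the piece a cron job would alert on. The bridge name br0, the 12 second window and the threshold are assumptions, and the sample tcpdump lines are constructed.

```shell
#!/bin/sh
# Added example, not the script from the thread. Counts new outbound SMTP
# connections per guest IP from tcpdump output and reports heavy senders.
#
# On the node, capture a fixed window (12 s here, an assumption) of initial
# SYNs to port 25 leaving the guests and feed it to the functions below:
#   timeout 12 tcpdump -nn -l -i br0 \
#     'tcp dst port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' \
#     | smtp_offenders 100
# Run it from cron every few minutes, as the post suggests, so tcpdump is
# not left running permanently.

# Count initial SYNs to port 25 per source IP. Reads tcpdump -nn lines on
# stdin; prints "<count> <src_ip>", highest count first.
smtp_syn_counts() {
    awk '
        # tcpdump -nn fields: $3 = "src.sport", $4 = ">", $5 = "dst.dport:"
        # Only pure SYNs ("Flags [S],"); SYN-ACK replies show up as "[S.]".
        /Flags \[S\],/ && $5 ~ /\.25:$/ {
            src = $3
            sub(/\.[0-9]+$/, "", src)   # strip the ephemeral source port
            n[src]++
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# Report sources with at least $1 new SMTP connections in the captured window.
smtp_offenders() {
    smtp_syn_counts | awk -v t="$1" '$1 >= t'
}

# Constructed sample of tcpdump -nn output (not real traffic): 192.0.2.10 opens
# three SMTP connections, 192.0.2.20 one; the SYN-ACK reply, the plain ACK and
# the HTTPS SYN must all be ignored.
SAMPLE_TCPDUMP='12:00:01.000001 IP 192.0.2.10.43122 > 198.51.100.7.25: Flags [S], seq 1, win 29200, length 0
12:00:01.000002 IP 192.0.2.10.43123 > 198.51.100.8.25: Flags [S], seq 2, win 29200, length 0
12:00:01.000003 IP 192.0.2.10.43124 > 198.51.100.9.25: Flags [S], seq 3, win 29200, length 0
12:00:01.000004 IP 192.0.2.20.51000 > 198.51.100.7.25: Flags [S], seq 4, win 29200, length 0
12:00:01.000005 IP 198.51.100.7.25 > 192.0.2.10.43122: Flags [S.], seq 9, ack 2, win 28960, length 0
12:00:01.000006 IP 192.0.2.10.43122 > 198.51.100.7.25: Flags [.], ack 10, win 29200, length 0
12:00:01.000007 IP 192.0.2.30.40000 > 198.51.100.7.443: Flags [S], seq 5, win 29200, length 0'

# Demo on the constructed sample: prints "3 192.0.2.10" with threshold 2.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_TCPDUMP" | smtp_offenders 2
fi
```

Counting only the initial SYN keeps retransmissions and the server's replies from inflating a guest's count; what the script prints is the input for an alert mail or a block rule, which the administrator adds after looking at the list.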

  • Rami Member
    edited August 2014

    You can easily block spam via iptables rules

    Thanked by 1 aglodek
  • @Rami said: You can easily block spam via iptables rules

    People are saying here that we need to install tcpdump and run special scripts. Can you please be more specific about what to do on the node in order to automatically check/block/get notified about any KVM VPSs abused for bulk email campaigns?

    NodeVPS

  • Nyr Member

    You need to hire a sysadmin or just stop doing the technical side of your business if you can't manage to rate limit outbound SMTP.

    Thanked by 2 ATHK dgprasetya
  • Rallias Member, Provider

    anatol said: Actually 100% of the clients asking for rDNS immediately after VPS deploy are using the VPS for bulk emails.

    Wut?

    Andrew Pietila
    Star As A Service, LLC - Coming Soon!

  • @Rami said: You can easily block spam via iptables rules

    @anatol: +1. I think a more proactive (above) not reactive (what you are asking about) approach is called for.

    Andrew Glodek | Special Projects Director | 香港國際商務中心 HONG KONG INTERNATIONAL BUSINESS CENTRE
  • Rallias said: Wut?

    Anything that isn't offered in the base package is inherently malicious to a lot of these hosts as you would have to expel some semblance of effort.

    My personal blog and website | Freelance web developer & programmer. HTML/CSS/PHP/JS (Clientside & Serverside)/C# and more

    Installing Observium on Debian

  • Rami Member
    edited August 2014

    @anatol said: People are saying here that we need to install tcpdump and run special scripts. Can you please be more specific about what to do on the node in order to automatically check/block/get notified about any KVM VPSs abused for bulk email campaigns?

    In this case you'll block it for the whole node.

    -Here is how (Btw: I never used it on node but I think it will work):

    iptables -A OUTPUT -p tcp --dport 25 -j REJECT
    iptables-save
    iptables-save > /etc/iptables.conf
    cat > /etc/network/if-pre-up.d/iptables <<END
    #!/bin/sh
    iptables-restore < /etc/iptables.conf
    END
    chmod +x /etc/network/if-pre-up.d/iptables

    -This will work too:

    iptables -A OUTPUT -p tcp --dport 143 -j DROP
    iptables -A OUTPUT -p tcp --dport 25 -j DROP
    iptables -A OUTPUT -p tcp --dport 110 -j DROP
    iptables -A OUTPUT -p tcp --dport 587 -j DROP
    iptables -A OUTPUT -p tcp --dport 465 -j DROP
    iptables-save
    iptables-save > /etc/iptables.conf
    cat > /etc/network/if-pre-up.d/iptables <<END
    #!/bin/sh
    iptables-restore < /etc/iptables.conf
    END
    chmod +x /etc/network/if-pre-up.d/iptables

    Thanked by 1 aglodek
  • @Rami said:

    What you propose should work, blocking ALL SMTP traffic. Isn't there any way to use iptables to keep the port open until a certain value per unit of time (say, 100 outgoing SMTP connections in 1 hour) has been reached? Then port 25 gets locked and user has to open a ticket to have it unlocked.

    Andrew Glodek | Special Projects Director | 香港國際商務中心 HONG KONG INTERNATIONAL BUSINESS CENTRE
  • @aglodek said:

    You can use xf_conntrack and RECENT on OUTPUT rules as well as INPUT rules, so theoretically you would only need to use the RECENT and a hitcounter to block it automatically.

    Acting Director of Albino Geek Services Ltd. My Keybase ID ( gh )
    GoodHosting.co | Enterprise KVM Virtual Private Servers | Twitter / Status : @ GoodHostingCo

    Thanked by 1 aglodek
  • @GoodHosting said:

    Nice and simple and should do the job. Problem is, I find iptables a bit overwhelming. I mean, no problem reading/tweaking rules, but setting something more interesting, like what you have just described, from scratch, is beyond me at present. Hence my question: is there any iptables admin panel, say, phpMyIPtablesAdmin or something like that? ;)

    Andrew Glodek | Special Projects Director | 香港國際商務中心 HONG KONG INTERNATIONAL BUSINESS CENTRE
  • @aglodek said: Nice and simple and should do the job. Problem is, I find iptables a bit overwhelming. I mean, no problem reading/tweaking rules, but setting something more interesting, like what you have just described, from scratch, is beyond me at present. Hence my question: is there any iptables admin panel, say, phpMyIPtablesAdmin or something like that? ;)

    The problem is, even if you had a web interface, it wouldn't support multiple adapters (nor automatic rule creation, as the above process notes). Generally with KVM, there are virtual adapters created on the host machine that forward traffic via a bridge device; each of these adapters needs to have rules applied to it individually in most cases.

    You wouldn't want SMTP traffic from one server using up the quota of all servers, so quotas would need to be modified and applied per adapter. This issue alone precludes most web interfaces.

    Acting Director of Albino Geek Services Ltd. My Keybase ID ( gh )
    GoodHosting.co | Enterprise KVM Virtual Private Servers | Twitter / Status : @ GoodHostingCo

    Thanked by 1 aglodek
  • sysadmin will do it

    "The quieter you become, the more you are able to listen" dgprasetya.com

    Thanked by 1 Profforg
  • @dgprasetya said: sysadmin will do it

    This is not helpful..

    This guy is asking for help and repeatedly some people are spamming here.. "Hire sysadmin" ...

    Thanked by 1 aglodek
  • dgprasetya Member
    edited August 2014

    @Saahib said:

    Oh yeah.. you can find the PID of port 25 and make sure those PIDs are fine.

    lsof -i tcp:25

    more tools you can use iptraf or trafshow :)

    "The quieter you become, the more you are able to listen" dgprasetya.com

  • @dgprasetya

    I am listening :P

  • zed Member

    @Saahib said: This is not helpful.. This guy is asking for help and repeatedly some people are spamming here.. "Hire sysadmin" ...

    If iptables is too hard you might ought not be providing vps (or hire a fucking sysadmin).

    :LET:

    At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought.

    Thanked by 2 Profforg dgprasetya
  • Kihi Member, Provider
    edited August 2014

    @anatol said: How to monitor and get notified which VPS within one node is sending mass emails (spam)?

    Actually I just got one node with CentOS and a few KVM VPS clients; some of them are sending bulk emails and the datacenter keeps sending warnings that my server will be suspended if things continue like this.

    I need somehow to automatically get warnings if one VPS has emails stuck in queue; this way I will immediately send a warning to the client and suspend/delete the VPS if he continues.

    I may be late to the party, but I found a simple and easy way for you to limit the amount of emails being sent. Although our system is proprietary and programmed by ourselves, here is something very similar that would help you in your situation.

    If you are using virsh to manage all your KVM instances, or some other form of deployment, edit each .xml and under the "interfaces" put in your target dev (e.g. using "test1").

    e.g. virsh edit vps01

    <interface type='bridge'>
      <source bridge='br0'/>
      <target dev='test1'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>

    Although this won't affect the iptables commands I am going to give you at all, what it will do is create a virtual interface so you may easily add more iptables commands or manipulate what's going through the connection (whether it be through TC - Linux Traffic Control, or ebtables), instead of all traffic going through the default interface of vnet0.

    Now the easy part.

    Simply throw this in iptables and fill in where it says $IP with whatever IP is set on the VPS. Adjust the limit however necessary.

    iptables -A FORWARD -o br0 -p tcp -s $IP --dport 25 -m limit --limit 10/min -m state --state NEW -j ACCEPT
    iptables -A FORWARD -o br0 -p tcp -s $IP --dport 25 -m state --state NEW -j LOG --log-prefix "SMTP-DROP:"
    iptables -A FORWARD -o br0 -p tcp -s $IP --dport 25 -m state --state NEW -j DROP

    What the above commands do is limit new connections through port 25 to 10 per minute. Anything above that will result in a dropped packet, and the e-mail will simply be deferred and put into the queue of whichever e-mail server they are using (Postfix, Zimbra, etc). You can adjust "--limit 10/min" to whatever you deem fit.

    You will have to use the commands on the node that the VPS is being hosted on.

    If you see a large amount of SMTP traffic, check /var/log/messages and you'll most likely see the SMTP-DROP entries piling up and what IP they are coming from.

    If you want to be transparent to your customers, I would recommend that you tell them that port 25 is being limited, however, port 587 is not. Usually spammers will neglect to use port 587 since it's harder for them to spoof or manipulate the domain it's being sent from.

    If you want to automate this, create a bash script or something in Python and hook it to your provisioning / deployment system.

    Hope this helps!

    ~Charlie. For Canadian VPS Hosting, Kihi ain't that bad of a company, it's got CoreOS and Atomic OS'.
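To go with Kihi's rules, an added example that is not from the thread or from Kihi's system: a small sh script that counts the SMTP-DROP hits per guest IP in /var/log/messages, which is the check the post describes, and prints the three FORWARD rules for a given VPS IP so they can be generated per guest from a provisioning hook rather than typed by hand. It assumes the --log-prefix "SMTP-DROP:" and the bridge br0 from the post; the log lines are constructed samples, and the PHYSIN= field in them is where the target dev name from the XML shows up in bridged-traffic log entries.

```shell
#!/bin/sh
# Added example, not from the thread or Kihi's system. Audits the SMTP-DROP
# kernel log entries produced by the rate-limit rules above and generates
# those rules for one VPS. Assumptions: --log-prefix "SMTP-DROP:" as in the
# post, kernel logs in /var/log/messages, bridge br0.

# Count SMTP-DROP hits per guest source IP from kernel log lines on stdin.
# Prints "<hits> <src_ip>", most hits first. On the node:
#   smtp_drop_counts < /var/log/messages
smtp_drop_counts() {
    awk '
        /SMTP-DROP:/ {
            # Fields are KEY=VALUE; SRC= is the guest address. For bridged
            # traffic PHYSIN= carries the guest target dev (e.g. test1).
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) n[substr($i, 5)]++
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# Print (do not apply) the three FORWARD rules from the post for one VPS:
#   smtp_limit_rules <vps_ip> [<limit>] [<bridge>]
# Review the output, then pipe it to sh on the node.
smtp_limit_rules() {
    vps_ip="$1"; limit="${2:-10/min}"; br="${3:-br0}"
    common="-A FORWARD -o $br -p tcp -s $vps_ip --dport 25 -m state --state NEW"
    printf 'iptables %s -m limit --limit %s -j ACCEPT\n' "$common" "$limit"
    printf 'iptables %s -j LOG --log-prefix "SMTP-DROP:"\n' "$common"
    printf 'iptables %s -j DROP\n' "$common"
}

# Constructed sample of /var/log/messages (not a real log); real entries also
# carry MAC=, TOS=, TTL= and other fields, which the parser ignores.
SAMPLE_MESSAGES='Aug 20 12:00:01 node1 kernel: SMTP-DROP:IN=br0 OUT=br0 PHYSIN=test1 PHYSOUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=43122 DPT=25 SYN URGP=0
Aug 20 12:00:01 node1 kernel: SMTP-DROP:IN=br0 OUT=br0 PHYSIN=test1 PHYSOUT=eth0 SRC=192.0.2.10 DST=198.51.100.8 LEN=60 PROTO=TCP SPT=43123 DPT=25 SYN URGP=0
Aug 20 12:00:02 node1 kernel: SMTP-DROP:IN=br0 OUT=br0 PHYSIN=test2 PHYSOUT=eth0 SRC=192.0.2.20 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51000 DPT=25 SYN URGP=0
Aug 20 12:00:02 node1 sshd[1234]: Accepted publickey for root from 203.0.113.5 port 50000 ssh2'

# Demo on the constructed sample: the counts, then the rules for 192.0.2.10.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MESSAGES" | smtp_drop_counts
    smtp_limit_rules 192.0.2.10 10/min br0
fi
```

A guest that exceeds the limit once or twice a day produces a handful of SMTP-DROP lines; one that keeps hammering the limit produces hundreds, so the hit count per IP is the number worth alerting on, and the default --limit-burst of 5 means a short legitimate burst passes before the limit applies.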

  • anatol Member
    edited August 2014

    @Kihi

    That's just awesome!

    I already have 'target dev' on each VPS, so all I'm left to do is the iptables rules :) Now I just hope it will work with no side effects on server load.

    NodeVPS
