How to monitor and get notified which VPS within one node is sending mass emails (spam)?
Actually I just got one node with CentOS and a few KVM VPS clients; some of them are sending bulk emails and the datacenter keeps sending warnings that my server will be suspended if things continue like this.
I need some way to automatically get warnings if one VPS has emails stuck in queue; this way I will immediately send a warning to the client and suspend/delete the VPS if he continues.
Comments
Edit: nvm, just got up.
Ask the datacenter to nullroute the IPs sending spam?
http://pastebin.com/3x2WksKx
Well I can do that, but it will be too late. I need to find out who is sending bulk emails before the datacenter does.
How can this script help me? I need to do something on the node in order to find out which VPS is sending bulk emails and suspend it or block outgoing emails.
You can run tcpdump on node to monitor outgoing SMTP connections, then block them with iptables if you have KVM configured to work with iptables. All VM network traffic should be visible to the host node.
That's the best answer I got! I just googled it a little and it looks awesome. If you're familiar with it, can you tell me how to automatically get notified, for example if someone is sending more than 100 emails/hour, or if there are emails stuck in queue, etc.?
How large are these e-mail spikes and do you own the switch that your server is connected to? We have our sFlow monitoring set up to automatically notify us in the event of large sustained SMTP traffic. It works very well to identify and halt the problem before our IPs become blacklisted. In my experience, large SMTP traffic with immediate stops and starts is almost always spam.
nodewatch
Nodewatch/VPS anti-abuse?
Traffic spike for one of the VPSs: http://tinypic.com/view.php?pic=cnri9&s=8 . I don't own the switch.
Well, all I know is that the datacenter sent me several warnings; these days 4 out of 5 customers use VPSs for bulk emails. Actually 100% of the clients asking for rDNS immediately after VPS deployment are using the VPS for bulk emails.
Does Nodewatch work on KVM?
I sent you an example script. Not sure what you mean by "emails stuck in queue".
hire a sysadmin
Ok so I need to install tcpdump on my node (CentOS), and then what do I do with that script?
It is an example script only. If you look at it you'll see that you obviously need to modify it for your situation, since it makes a lot of SQL queries to tables that probably don't exist in your environment. What it does is execute tcpdump to get a list of all SMTP connections in a twelve second period, and then update counters to determine if any IP addresses had an excessive number of connections; then, those IP addresses are blocked via iptables and an email alert to the admin (you) is sent. It is meant to be set as a cron job to execute every few minutes; you probably don't want tcpdump constantly running.
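The approach described above (short tcpdump window, per-IP connection counts, alert, then block), written out as an added example that is not the script posted in the thread. The bridge name br0, the alert address, the threshold and the assumption that bridged guest traffic passes through the FORWARD chain (bridge-nf-call-iptables=1) are all placeholders/assumptions.

```shell
#!/bin/sh
# Added example, not the script posted in the thread: capture outbound SMTP
# connection attempts on the host for a short window, count them per guest
# source IP, alert the admin and reject further SMTP from guests over a threshold.
# Assumptions (placeholders): guests sit on bridge br0, alerts go to $ADMIN_MAIL,
# and bridged guest traffic traverses FORWARD (bridge-nf-call-iptables=1).

WINDOW=${WINDOW:-12}            # seconds of capture, as in the thread
THRESHOLD=${THRESHOLD:-20}      # SYNs to port 25 per source IP per window
BRIDGE=${BRIDGE:-br0}
ADMIN_MAIL=${ADMIN_MAIL:-root}
IPT=${IPT:-iptables}

# Read 'tcpdump -nn' lines from stdin, count TCP SYNs per source IP and print
# "count ip" for every IP that exceeds the limit given as $1, highest first.
count_smtp_syns() {
    awk -v limit="$1" '
        # Line shape: "12:00:01.000 IP 203.0.113.5.40001 > 198.51.100.9.25: Flags [S], ..."
        $2 == "IP" {
            src = $3; sub(/\.[0-9]+$/, "", src)   # drop the source port
            n[src]++
        }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' | sort -rn
}

# Reject further outbound SMTP from one guest IP (FORWARD chain, bridged KVM).
block_smtp_from() {
    $IPT -I FORWARD -s "$1" -p tcp --dport 25 -j REJECT --reject-with tcp-reset
}

# One cron run: capture, count, alert and block. Only bare SYNs are captured,
# so tcpdump sees one packet per connection attempt rather than the mail itself.
capture_and_report() {
    offenders=$(timeout "$WINDOW" tcpdump -nn -i "$BRIDGE" -l \
        'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25' \
        2>/dev/null | count_smtp_syns "$THRESHOLD")
    [ -n "$offenders" ] || return 0
    printf 'Guests exceeding %s SMTP connections in %ss:\n%s\n' \
        "$THRESHOLD" "$WINDOW" "$offenders" | mail -s "SMTP abuse on $(hostname)" "$ADMIN_MAIL"
    echo "$offenders" | while read -r count ip; do block_smtp_from "$ip"; done
}

# Run from cron every few minutes as: /path/to/script --run
if [ "${1:-}" = "--run" ]; then capture_and_report; fi
```

Tune THRESHOLD to what legitimate guests actually do; a mail server doing a few dozen connections in twelve seconds is unusual for a small VPS but not impossible.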
You can easily block spam via iptables rules
People are saying here that we need to install tcpdump and run special scripts. Can you please be more specific about what to do on the node in order to automatically check/block/get notified about any KVM VPSs abused for bulk email campaigns?
You need to hire a sysadmin or just stop doing the technical side of your business if you can't manage to rate limit outbound SMTP.
Wut?
@anatol: +1. I think a more proactive (above) not reactive (what you are asking about) approach is called for.
Anything that isn't offered in the base package is inherently malicious to a lot of these hosts as you would have to expel some semblance of effort.
In this case you'll block it for the whole node
-Here is how (Btw: I never used it on node but I think it will work):
-This will work too:
What you propose should work, blocking ALL SMTP traffic. Isn't there any way to use iptables to keep the port open until a certain value per unit of time (say, 100 outgoing SMTP connections in 1 hour) has been reached? Then port 25 gets locked and user has to open a ticket to have it unlocked.
You can use xt_conntrack and RECENT on OUTPUT rules as well as INPUT rules, so theoretically you would only need to use the RECENT match and a hit counter to block it automatically.
Nice and simple and should do the job. Problem is, I find iptables a bit overwhelming. I mean, no problem reading/tweaking rules, but setting something more interesting, like what you have just described, from scratch, is beyond me at present. Hence my question: is there any iptables admin panel, say, phpMyIPtablesAdmin or something like that?
The problem is, even if you had a web interface, it wouldn't support multiple adapters (nor automatic rule creation, as the above process notes). Generally with KVM, there are virtual adapters created on the host machine that forward traffic via a bridge device, and each of these adapters needs to have rules applied to it individually in most cases.
You wouldn't want SMTP traffic from one server using up the quota of all servers, so quotas would need to be modified and applied per adapter. This issue alone precludes most web interfaces.
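A rule set along the lines discussed in the two comments above (a per-unit-of-time cap on new outbound SMTP connections, applied per guest adapter so one guest cannot consume a node-wide quota), as an added example that is not code from the thread. It uses the hashlimit match rather than recent; the vnetN adapter names, the FORWARD-chain path for bridged guests (bridge-nf-call-iptables=1) and the SMTP_LIMIT chain name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: per-guest outbound SMTP rate limit on a
# KVM host with iptables hashlimit, so one guest's connections never eat a
# node-wide quota. Assumptions: bridged guest traffic traverses FORWARD
# (bridge-nf-call-iptables=1) and guest tap devices are named vnetN (libvirt style).

IPT=${IPT:-iptables}   # IPT=echo prints the rules instead of applying them

# Chain hit by guests over the limit: rate-limited log line, then TCP reset.
setup_smtp_limit_chain() {
    $IPT -N SMTP_LIMIT 2>/dev/null || $IPT -F SMTP_LIMIT
    $IPT -A SMTP_LIMIT -m limit --limit 6/min -j LOG --log-prefix "SMTP-LIMIT: "
    $IPT -A SMTP_LIMIT -j REJECT --reject-with tcp-reset
}

# $1 = guest tap adapter, $2 = new SMTP connections allowed per hour,
# $3 = burst (defaults to $2). hashlimit-mode srcip keeps a separate bucket per
# guest IP, so the quota stays per guest even if one has several addresses.
limit_smtp_on_adapter() {
    adapter=$1; rate=$2; burst=${3:-$2}
    $IPT -I FORWARD -m physdev --physdev-in "$adapter" -p tcp --dport 25 \
        -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name "smtp_$adapter" --hashlimit-mode srcip \
        --hashlimit-above "$rate/hour" --hashlimit-burst "$burst" \
        -j SMTP_LIMIT
}

# Apply the same quota to every guest adapter present on the host.
limit_all_guests() {
    rate=$1
    setup_smtp_limit_chain
    for dev in /sys/class/net/vnet*; do
        [ -e "$dev" ] || continue
        limit_smtp_on_adapter "$(basename "$dev")" "$rate"
    done
}

# Example: 100 new SMTP connections per hour per guest IP, first 100 unthrottled.
# limit_all_guests 100
```

The log lines tagged SMTP-LIMIT: in the kernel log tell you which guest hit the cap, which is the notification the thread asks for; the guest keeps port 25 until that point and the rule can be removed once the ticket is resolved.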
sysadmin will do it
This is not helpful..
This guy is asking for help and repeatedly some people are spamming here.. "Hire sysadmin" ...
Oh yeah... you can find the PIDs listening on port 25 and make sure those PIDs are fine.
lsof -i tcp:25
More tools you can use: iptraf or trafshow.