

How to monitor and get notified which VPS within one node is sending mass emails?

anatolanatol Member
edited August 2014 in Help

How to monitor and get notified which VPS within one node is sending mass emails (spam)?

Actually I just got one node with CentOS and a few KVM VPS clients; some of them are sending bulk emails and the datacenter keeps sending warnings that my server will be suspended if things continue like this.

I need to somehow automatically get warnings if one VPS has emails stuck in the queue; this way I will immediately send a warning to the client and suspend/delete the VPS if he continues.


Comments

  • linuxthefishlinuxthefish Member
    edited August 2014

    Edit: nvm, just got up.

  • IshaqIshaq Member
    edited August 2014

    Ask the datacenter to nullroute the IPs sending spam?

  • @Ishaq said:
    Ask the datacenter to nullroute the IPs sending spam?

    Well I can do that but will be too late. I need to find out who is sending bulk emails before datacenter does.

  • anatolanatol Member
    edited August 2014

    How can this script help me? I need to do something on the node in order to find out which VPS is sending bulk emails and suspend it or block outgoing emails.

  • perennateperennate Member, Host Rep

    You can run tcpdump on node to monitor outgoing SMTP connections, then block them with iptables if you have KVM configured to work with iptables. All VM network traffic should be visible to the host node.

  • anatolanatol Member
    edited August 2014

    @perennate said:
    You can run tcpdump on node to monitor outgoing SMTP connections, then block them with iptables if you have KVM configured to work with iptables. All VM network traffic should be visible to the host node.

    That's the best answer I got! I just googled it a little and it looks awesome. If you're familiar with it, can you tell me how to automatically get notified, for example if someone is sending more than 100 emails/hour, or if there are emails stuck in the queue, etc.?

  • BrianHarrisonBrianHarrison Member, Patron Provider

    How large are these e-mail spikes and do you own the switch that your server is connected to? We have our sFlow monitoring setup to automatically notify us in the event of large sustained SMTP traffic. It works very well to identify and halt the problem before our IPs become blacklisted. In my experience, large SMTP traffic with immediate stops and starts is almost always spam.

  • nodewatch

  • wychwych Member

    Nodewatch/VPS anti-abuse?

  • anatolanatol Member
    edited August 2014

    @BrianHarrison said:
    How large are these e-mail spikes and do you own the switch that your server is connected to? We have our sFlow monitoring setup to automatically notify us in the event of large sustained SMTP traffic. It works very well to identify and halt the problem before our IPs become blacklisted. In my experience, large SMTP traffic with immediate stops and starts is almost always spam.

    Traffic spike for one of the VPSs: http://tinypic.com/view.php?pic=cnri9&s=8 . I don't own the switch.
    Well, all I know is that the datacenter sent me several warnings; these days 4 out of 5 customers use VPSs for bulk emails. Actually 100% of the clients asking for rDNS immediately after VPS deploy are using the VPS for bulk emails.

  • Does Nodewatch work on KVM?

  • perennateperennate Member, Host Rep

    anatol said: That's the best answer I got! I just googled it a little and it looks awesome. If you're familiar with it, can you tell me how to automatically get notified, for example if someone is sending more than 100 emails/hour, or if there are emails stuck in the queue, etc.?

    I sent you an example script. Not sure what you mean "emails stuck in queue".

  • zedzed Member

    hire a sysadmin

  • anatolanatol Member
    edited August 2014

    @perennate said:
    I sent you an example script. Not sure what you mean "emails stuck in queue".

    Ok, so I need to install tcpdump on my node (CentOS), and then what do I do with that script?

  • perennateperennate Member, Host Rep

    @crossing said: I have one node with KVM VPS clients. Some of them (most, these days..) are using the VPS for bulk email campaigns and the datacenter keeps emailing me. I need to somehow know before the datacenter does and block people who are sending bulk emails from a VPS. Will that script actually block the IPs with abuse?

    It is an example script only. If you look at it you'll see that you obviously need to modify it for your situation, since it makes a lot of SQL queries to tables that probably don't exist in your environment. What it does is execute tcpdump to get a list of all SMTP connections in a twelve second period, and then update counters to determine if any IP addresses had an excessive number of connections; then, those IP addresses are blocked via iptables and an email alert to the admin (you) is sent. It is meant to be set as a cron job to execute every few minutes; you probably don't want tcpdump constantly running.
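
The script perennate sent is not on this page. The following is an added example written for this rewrite, not perennate's script and not part of the original thread, implementing the approach he describes in sh: capture a short window with tcpdump, count new SMTP connections per source IP, reject further SMTP from the offenders with iptables and mail the admin. The bridge name br0, the threshold, the capture window, the alert address and the sample capture lines are all assumptions (the capture is constructed, not real traffic).

```shell
#!/bin/sh
# Added example, not perennate's script: sample outbound SMTP for a few
# seconds with tcpdump, count new connections per source IP, and block and
# report the sources that exceed a threshold. Interface, threshold, window
# and alert address below are assumptions; adjust them to your node.

IFACE="${IFACE:-br0}"             # bridge (or uplink) the guests send through
CAPTURE_SECS="${CAPTURE_SECS:-12}"
THRESHOLD="${THRESHOLD:-30}"      # new SMTP connections per window before blocking
ALERT_TO="${ALERT_TO:-root}"

# Read `tcpdump -nn` text output on stdin and print "count ip" for each source
# that opened more than $1 connections to port 25, 465 or 587, busiest first.
# Only SYN segments without ACK are counted, so data and retransmissions of a
# single connection do not inflate the number.
count_smtp_offenders() {
    awk -v thr="$1" '
        # Field layout: time IP src.sport > dst.dport: Flags [S], ...
        $2 == "IP" && $6 == "Flags" && $7 ~ /^\[S\]/ && $5 ~ /\.(25|465|587):$/ {
            src = $3
            sub(/\.[0-9]+$/, "", src)      # strip the source port
            n[src]++
        }
        END { for (ip in n) if (n[ip] > thr) print n[ip], ip }
    ' | sort -rn
}

# Capture for $CAPTURE_SECS seconds, then reject further SMTP from each
# offender and mail the admin. Bridged guest traffic only traverses FORWARD
# when net.bridge.bridge-nf-call-iptables=1; `iptables -C` needs >= 1.4.11.
capture_and_act() {
    timeout "$CAPTURE_SECS" tcpdump -nn -l -i "$IFACE" \
        'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and (dst port 25 or dst port 465 or dst port 587)' \
        2>/dev/null \
    | count_smtp_offenders "$THRESHOLD" \
    | while read -r count ip; do
        # insert the block once: -C returns non-zero while the rule is absent
        iptables -C FORWARD -s "$ip" -p tcp -m multiport --dports 25,465,587 -j REJECT 2>/dev/null \
            || iptables -I FORWARD -s "$ip" -p tcp -m multiport --dports 25,465,587 -j REJECT
        printf 'Rejected outbound SMTP from %s: %s new connections in %s seconds\n' \
            "$ip" "$count" "$CAPTURE_SECS" \
            | mail -s "SMTP flood from $ip on $(hostname)" "$ALERT_TO"
    done
}

# Constructed tcpdump output standing in for a real capture: 192.0.2.10 opens
# five SMTP connections, 192.0.2.20 three (plus one data segment), 192.0.2.30
# one (plus one connection to port 80 that must be ignored).
sample_capture() {
    cat <<'EOF'
12:00:00.000001 IP 192.0.2.10.51000 > 198.51.100.5.25: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 192.0.2.10.51001 > 198.51.100.6.25: Flags [S], seq 1, win 64240, length 0
12:00:00.000003 IP 192.0.2.10.51002 > 198.51.100.7.25: Flags [S], seq 1, win 64240, length 0
12:00:00.000004 IP 192.0.2.10.51003 > 198.51.100.8.587: Flags [S], seq 1, win 64240, length 0
12:00:00.000005 IP 192.0.2.10.51004 > 198.51.100.9.465: Flags [S], seq 1, win 64240, length 0
12:00:00.000006 IP 192.0.2.20.40000 > 203.0.113.10.25: Flags [S], seq 1, win 64240, length 0
12:00:00.000007 IP 192.0.2.20.40001 > 203.0.113.11.25: Flags [S], seq 1, win 64240, length 0
12:00:00.000008 IP 192.0.2.20.40002 > 203.0.113.12.25: Flags [S], seq 1, win 64240, length 0
12:00:00.000009 IP 192.0.2.20.40002 > 203.0.113.12.25: Flags [P.], seq 1:20, ack 1, win 64240, length 19
12:00:00.000010 IP 192.0.2.30.33000 > 203.0.113.20.25: Flags [S], seq 1, win 64240, length 0
12:00:00.000011 IP 192.0.2.30.33001 > 203.0.113.21.80: Flags [S], seq 1, win 64240, length 0
EOF
}

case "${1:-}" in
    demo) sample_capture | count_smtp_offenders 2 ;;   # prints: 5 192.0.2.10 / 3 192.0.2.20
    run)  capture_and_act ;;                            # what the cron job should call
esac
```

Run it as `sh smtp-watch.sh run` from cron every few minutes, as perennate suggests, rather than leaving tcpdump running; `sh smtp-watch.sh demo` exercises the counting logic on the constructed lines. The threshold is per capture window, so 30 new connections in 12 seconds is a far higher rate than the "100 emails/hour" asked for in the thread; lower it or lengthen the window to taste. Blocking by source IP rather than by guest interface means a guest that changes IP is not covered; the per-interface rate limit further down addresses that.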

  • RamiRami Member
    edited August 2014

    You can easily block spam via iptables rules

  • @Rami said:
    You can easily block spam via iptables rules

    People are saying here that we need to install tcpdump and run special scripts. Can you please be more specific about what to do on the node in order to automatically check/block/get notified about any KVM VPSs running abusive bulk email campaigns?

  • NyrNyr Community Contributor, Veteran

    You need to hire a sysadmin or just stop doing the technical side of your business if you can't manage to rate limit outbound SMTP.

  • anatol said: Actually 100% of the clients asking for rDNS immediately after VPS deploy are using the VPS for bulk emails.

    Wut?

  • @Rami said: You can easily block spam via iptables rules

    @anatol: +1. I think a more proactive (above), not reactive (what you are asking about), approach is called for.

  • Rallias said: Wut?

    Anything that isn't offered in the base package is inherently malicious to a lot of these hosts as you would have to expel some semblance of effort.

  • RamiRami Member
    edited August 2014

    @anatol said:
    People are saying here that we need to install tcpdump and run special scripts. Can you please be more specific about what to do on the node in order to automatically check/block/get notified about any KVM VPSs running abusive bulk email campaigns?

    In this case you'll block it for the whole node.

    -Here is how (Btw: I never used it on node but I think it will work):

    # Reject outbound SMTP. The OUTPUT chain only matches traffic the host
    # itself originates; bridged KVM guest traffic traverses FORWARD instead
    # (requires net.bridge.bridge-nf-call-iptables=1), so cover both.
    iptables -A OUTPUT -p tcp --dport 25 -j REJECT
    iptables -A FORWARD -p tcp --dport 25 -j REJECT

    # Persist the ruleset and restore it before the network comes up.
    # This is the Debian/Ubuntu layout; on CentOS use `service iptables save`
    # (writes /etc/sysconfig/iptables) instead of the if-pre-up.d hook.
    iptables-save > /etc/iptables.conf
    cat > /etc/network/if-pre-up.d/iptables <<'END'
    #!/bin/sh
    iptables-restore < /etc/iptables.conf
    END
    chmod +x /etc/network/if-pre-up.d/iptables

    -This will work too:

    # DROP instead of REJECT (the sender times out instead of getting an error).
    # 25/465/587 are SMTP/submission ports; 110 and 143 are POP3/IMAP, which
    # only fetch mail, so they are not needed to stop outbound spam.
    iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587,110,143 -j DROP
    iptables -A FORWARD -p tcp -m multiport --dports 25,465,587,110,143 -j DROP

    # then persist and restore exactly as above
    iptables-save > /etc/iptables.conf

  • @Rami said:

    What you propose should work, blocking ALL SMTP traffic. Isn't there any way to use iptables to keep the port open until a certain value per unit of time (say, 100 outgoing SMTP connections in 1 hour) has been reached? Then port 25 gets locked and the user has to open a ticket to have it unlocked.

  • @aglodek said:

    You can use xt_conntrack and RECENT on OUTPUT rules as well as INPUT rules, so theoretically you would only need to use the RECENT and a hitcounter to block it automatically.

  • @GoodHosting said:

    Nice and simple and should do the job. Problem is, I find iptables a bit overwhelming. I mean, no problem reading/tweaking rules, but setting something more interesting, like what you have just described, from scratch, is beyond me at present. Hence my question: is there any iptables admin panel, say, phpMyIPtablesAdmin or something like that? ;)

  • @aglodek said:
    Nice and simple and should do the job. Problem is, I find iptables a bit overwhelming. I mean, no problem reading/tweaking rules, but setting something more interesting, like what you have just described, from scratch, is beyond me at present. Hence my question: is there any iptables admin panel, say, phpMyIPtablesAdmin or something like that? ;)

    The problem is, even if you had a web interface, it wouldn't support multiple adapters (nor automatic rule creation, as the above process notes.) Generally with KVM, there are virtual adapters created on the host machine that forward traffic via a bridge device, and each of these adapters needs to have rules applied to it individually in most cases.

    You wouldn't want SMTP traffic from one server using up the quota of all servers, so quotas would need to be modified and applied per adapter. This issue alone precludes most web interfaces.

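
GoodHosting's two posts above (RECENT plus a hit counter, applied per virtual adapter so one guest cannot use up another's quota) describe a rule set without showing one. The following is an added example written for this rewrite, not code from anyone in the thread, building those rules for a KVM host with the xt_recent match. The vnet* interface names, the limit of 100 connections per 3600 seconds and the choice of FORWARD with -m physdev are assumptions about a typical bridged libvirt setup; adjust them to your node.

```shell
#!/bin/sh
# Added example, not from the thread: rate-limit outbound SMTP per KVM guest
# on the host with iptables and the xt_recent ("RECENT") match, keeping one
# recent list per guest tap device so guests do not share a quota. Interface
# names (vnet*), limit and window are assumptions; adjust them to your node.

LIMIT="${LIMIT:-100}"        # new SMTP connections a guest may open ...
WINDOW="${WINDOW:-3600}"     # ... within this many seconds before being cut off

# Print (without running) the FORWARD rules for one guest interface.
# Bridged guest traffic is identified with -m physdev; for routed taps use
# "-i $dev" instead. Rule order matters: the limit checks (--rcheck/--update)
# come first and the recording rule (--set) last, so the first $limit SYNs
# pass and are remembered, and the next one inside $window is logged and
# reset. Because --update refreshes the list on every rejected attempt, a
# guest that keeps retrying stays blocked until it goes quiet for $window.
smtp_limit_rules() {
    dev="$1"; limit="$2"; window="$3"
    list="smtp_$dev"
    match="-m physdev --physdev-in $dev -p tcp --syn -m multiport --dports 25,465,587"
    printf 'iptables -A FORWARD %s -m recent --name %s --rcheck --seconds %s --hitcount %s -m limit --limit 1/min -j LOG --log-prefix "smtp-limit %s "\n' \
        "$match" "$list" "$window" "$limit" "$dev"
    printf 'iptables -A FORWARD %s -m recent --name %s --update --seconds %s --hitcount %s -j REJECT --reject-with tcp-reset\n' \
        "$match" "$list" "$window" "$limit"
    printf 'iptables -A FORWARD %s -m recent --name %s --set -j ACCEPT\n' \
        "$match" "$list"
}

# Apply the rules for every vnet* device present on the host.
apply_smtp_limits() {
    # xt_recent remembers ip_pkt_list_tot timestamps per address (default 20)
    # and iptables refuses a --hitcount above it, so load the module with a
    # larger table before the first rule (or set it in /etc/modprobe.d/).
    modprobe xt_recent ip_pkt_list_tot="$LIMIT"
    # bridged frames only traverse iptables FORWARD with this sysctl enabled
    sysctl -q -w net.bridge.bridge-nf-call-iptables=1
    for path in /sys/class/net/vnet*; do
        [ -e "$path" ] || continue
        smtp_limit_rules "$(basename "$path")" "$LIMIT" "$WINDOW" | sh -e
    done
}

case "${1:-}" in
    show)  smtp_limit_rules "${2:-vnet0}" "$LIMIT" "$WINDOW" ;;   # preview one guest's rules
    apply) apply_smtp_limits ;;                                    # install for all guests
esac
```

`sh smtp-limit.sh show vnet3` prints the three rules for one guest so they can be reviewed before `apply` installs them. The LOG line (rate-limited to one entry per minute) is what gives the notification the original poster asked for: a syslog watcher or a simple grep for "smtp-limit" tells you which vnet, and therefore which VPS, hit the ceiling, and a ticket can be opened before the datacenter notices. Interfaces created after the script runs need the rules added too, for example from a libvirt hook; without that a newly deployed guest is unlimited.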
  • sysadmin will do it

  • SaahibSaahib Host Rep, Veteran

    @dgprasetya said:
    sysadmin will do it

    This is not helpful..

    This guy is asking for help and some people keep spamming here with "hire a sysadmin"...

  • dgprasetyadgprasetya Member
    edited August 2014

    @Saahib said:

    Oh yeah.. you can find the PIDs of whatever is on port 25 and make sure those PIDs are fine.

    lsof -i tcp:25

    More tools you can use: iptraf or trafshow :)

