How to monitor and get notified which VPS within one node is sending mass emails? - Page 2

Comments

  • SaahibSaahib Host Rep, Veteran

    @dgprasetya

    I am listening :P

  • zedzed Member

    @Saahib said:
    This is not helpful..
    This guy is asking for help and repeatedly some people are spamming here.. "Hire sysadmin" ...

    If iptables is too hard you might ought not be providing vps (or hire a fucking sysadmin).

    :LET:

    Thanked by 2: Profforg, dgprasetya
  • KihiKihi Member
    edited August 2014

    @anatol said:
    How to monitor and get notified which VPS within one node is sending mass emails (spam)?

    Actually I just got one node with CentOS OS and a few KVM VPS clients, some of them are sending bulk emails and the datacenter keeps sending warnings that my server will be suspended if things continue like this.

    I need somehow to automatically get warnings if one VPS has emails stuck in queue, this way I will immediately send a warning to the client and suspend/delete the VPS if he continues.

    I may be late to the party, but I found a simple and easy way for you to limit the amount of emails being sent. Although our system is proprietary and programmed by ourselves, here is something very similar that would help you in your situation.

    If you are using virsh to manage all your KVM instances, or some other form of deployment, edit each .xml and under the "interfaces" put in your target dev (ex. using "test1").

    ex. virsh edit vps01

    <interface type='bridge'>
      <source bridge='br0'/>
      <target dev='test1'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    

    This won't affect the iptables commands I am going to give you at all, but what it will do is create a virtual interface so you may easily add more iptables commands or manipulate what's going through the connection (whether it be through TC - Linux Traffic Control, or ebtables), instead of all traffic going through the default interface of vnet0.

    Now the easy part.

    Simply throw this in iptables and fill in where it says $IP to whatever IP is set to the VPS. Adjust the limit however necessary.

    iptables -A FORWARD -o br0 -p tcp -s $IP --dport 25 -m limit --limit 10/min -m state --state NEW -j ACCEPT

    iptables -A FORWARD -o br0 -p tcp -s $IP --dport 25 -m state --state NEW -j LOG --log-prefix SMTP-DROP:

    iptables -A FORWARD -o br0 -p tcp -s $IP --dport 25 -m state --state NEW -j DROP

    What the above commands do is limit any new connections through port 25 to 10 per minute. Anything above will result in a dropped packet and the e-mail will simply be deferred and put into queue in whichever e-mail server they are using (postfix, Zimbra, etc). You can adjust the "--limit 10/min" to whatever you deem fit.

    You will have to use the commands on the node that the VPS is being hosted on.

    If you see a large amount of SMTP traffic, check /var/log/messages and you'll most likely see the SMTP-Drop commands being piled up and what IP it is coming from.

    If you want to be transparent to your customers, I would recommend that you tell them that port 25 is being limited, however, port 587 is not. Usually spammers will neglect to use port 587 since it's harder for them to spoof or manipulate the domain it's being sent from.

    If you want to automate this, create a bash script or something in Python and hook it to your provisioning / deployment system.

    Hope this helps!
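
One way to turn the SMTP-DROP log entries from the rules above into a per-VPS alert list, as an added example that is not part of Kihi's post or of any system described in the thread. The function names, the threshold of 20 and the sample log lines are assumptions; the sample lines are constructed and assume the usual netfilter LOG field layout for bridged traffic.

```python
"""Count SMTP-DROP kernel log entries per VPS (source IP + tap device)."""
import sys
from collections import Counter

PREFIX = "SMTP-DROP:"  # must match --log-prefix in the LOG rule

# Constructed sample lines (documentation IPs); field layout assumed to follow
# the usual netfilter LOG format for bridged traffic.
_TEMPLATE = ("Aug 12 10:15:{sec:02d} node1 kernel: " + PREFIX +
             "IN=br0 OUT=br0 PHYSIN={dev} PHYSOUT=eth0 SRC={src} "
             "DST=198.51.100.25 LEN=60 PROTO=TCP SPT={spt} DPT=25 SYN")


def _sample(src, dev, n):
    return [_TEMPLATE.format(sec=i, dev=dev, src=src, spt=40000 + i)
            for i in range(n)]


SAMPLE_LOG = (_sample("192.0.2.10", "test1", 25)
              + ["Aug 12 10:15:30 node1 kernel: device test1 entered promiscuous mode"]
              + _sample("192.0.2.11", "test2", 3))


def parse_drop(line):
    """Return (src_ip, tap_dev) for an SMTP-DROP line, else None."""
    _, found, rest = line.partition(PREFIX)
    if not found:
        return None
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    if "SRC" not in fields or fields.get("DPT") != "25":
        return None  # truncated or unrelated entry
    return fields["SRC"], fields.get("PHYSIN", fields.get("IN", "?"))


def offenders(lines, threshold):
    """List (src_ip, tap_dev, drops) with drops >= threshold, worst first."""
    counts = Counter(hit for hit in map(parse_drop, lines) if hit)
    return [(src, dev, n) for (src, dev), n in counts.most_common()
            if n >= threshold]


if __name__ == "__main__":
    # Log path is the one named in the post; pass another file as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/messages"
    with open(path, errors="replace") as fh:
        for src, dev, n in offenders(fh, threshold=20):
            print(f"{src} via {dev}: {n} SMTP connections over the limit")
```

Run from cron on the node, the printed lines can be piped to whatever mail or ticketing command the host already uses; the tap device name maps back to the `<target dev=.../>` set in each domain's XML.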

  • anatolanatol Member
    edited August 2014

    That's just awesome !

    I already have 'target dev' on each VPS, so all I'm left to do is iptables rules :) Now I just hope it will work and have no side effects on server load.
