Old 01-19-2007, 10:44 AM   #1
Jefficus
Member
 
Registered: May 2003
Location: Saskatoon
Distribution: Ubuntu 5.04
Posts: 31

Rep: Reputation: 15
Detect outgoing spam


Hi folks. A server I manage recently got hacked. Sadly, they converted my machine into a spam broadcaster. I'm in the process of rebuilding that machine, and researching various security strategies to help me defend against such rape in the future, but that's not what I want help with, yet.

What I want to know is if anybody has a suggestion for some kind of monitoring I can run that will inform me when outbound email exceeds some threshold level. This server sends out a few (maybe 10) notifications of various types to a few addresses each day, so I don't want to shut down email or anything that excessive. But I DEFINITELY want to know when it's suddenly sending out 10000 messages per day. And I want to know FAST. (The fact that my hacked box was spamming for almost a week before I got wind of it is more than a little embarrassing.)

I'm still learning the ropes for tools like tiger and tripwire and I'm sure there are other tools I'll discover as I begin to build my "fortress on the prairie." But I'd really like to have some peace of mind that, if/when the new system fails, I won't commit spamicide for a week again before I shut it down.

Any suggestions?

Jefficus
 
Old 01-19-2007, 11:52 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
While I realise you do have a legitimate question, and with all due respect, but IMHO you got your priorities reversed. You should deal with resolving your compromise before doing anything else. Especially finding the *cause* of your box getting turned into a spam fountain. Spammers by default don't go for root account compromises but go the way of least effort; often this indicates you running stale or deprecated software, or misconfigurations like overly broad permissions or even a crackable ssh. Hardening a box from the ground up takes away much of the chances for abuse, giving you plenty of time to get a grip on the relatively less important measures to take.
 
Old 01-19-2007, 01:32 PM   #3
Jefficus
Member
 
Registered: May 2003
Location: Saskatoon
Distribution: Ubuntu 5.04
Posts: 31

Original Poster
Rep: Reputation: 15
I agree that hardening the box is the first concern. As I said in my original posting, I am working on that and feel reasonably confident that I can find what I need to make some major improvements.

BUT

I am also not naive enough to think that I will do a perfect job of this, nor that any job, however perfect at one time, will remain perfectly secure.

Consequently, I want a system in place that might give me a hint if/when those failures re-occur.

As I said above, I'm confident I can build a much more secure system this time. The tips and "how tos" for such stuff is a yard deep and a mile wide on the net. What I am NOT finding is a tool that will monitor my success for me in this particular way. I didn't see the point of asking this community to help me with stuff I can already find solutions for.

So my question still stands. Does anybody have any suggestions for how to monitor the mail output of my machine and send a warning if/when that output exceeds a particular threshold?

Jefficus
 
Old 01-19-2007, 06:04 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
0. You can search Freshmeat.net or Sourceforge for a complete system monitoring solution with all bells and whistles and install that.

1. I can generate a script for per hour and daily stats which can be picked up by a Nagios plugin or Monit as, say, HTTPS via CGI, accessed through SNMP, output to syslog to have something else pick it up, or cronjobbed and made to alert all by itself.
Code:
#!/bin/sh --
# Report hours in which sendmail logged hrmax or more delivered messages, plus the queue size.
hrmax=100; log="/var/log/maillog"
today=`date '+%b %e'`   # syslog pads single-digit days with a space ("Jan  9"), so %e, not %d
count() { wc -l | awk '{print $1}'; }
hrchk() { [ ${#hr} -eq 1 ] && hr="0${hr}"; }   # zero-pad the hour to match the log's HH
# sendmail writes "stat=Sent (remote reply)", so do not anchor the pattern at end of line
hrsent_for() { grep "^${today} ${1}.*stat=Sent" "$log" 2>/dev/null | count; }
hrlog() { [ "$hrsent" -ge "$hrmax" ] && echo "${today} ${hr}: ${hrsent}"; }
queue() { echo -n "Mailqueue: "; mailq 2>/dev/null | grep req | awk '{print $3}'; }
case "$1" in
  --today) for hr in $(seq 0 23); do hrchk; hrsent=`hrsent_for "$hr"`; hrlog; done; queue;;  # all 24 hours
  *) hr=`date '+%H'`; hrsent=`hrsent_for "$hr"`; hrlog; queue;;   # default: the current hour only
esac
exit 0
2. I can also take output from an intermediary like SMA, the "SendMail Analyser", grep for "Messages/hour" and script an alert for when it exceeds the threshold:
Code:
i=`links -dump proto://site/sma.html 2>/dev/null | grep "Messages/h" | awk '{print $4}'`
# strip the decimal part before the integer comparison; skip the test if nothing was scraped
[ -n "$i" ] && [ "${i%%.*}" -gt 100 ] && echo 'Alert!'
3. You can pick up outgoing SYNs to remote MTAs with iptables and choke it with temp rules and alert.

And then I prolly forgot some. Oh well.
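The hourly-count idea in point 1, written out as an added example (not unSpawn's script and not code from LQ): a POSIX sh function that tallies delivered messages per hour from a mail log and flags any hour at or above a threshold, returning a non-zero exit status so a cron job or monitoring wrapper can act on it. It goes a little beyond the post by recognising both sendmail ("stat=Sent") and Postfix ("status=sent") delivery lines and by skipping deferred or bounced attempts, which are not outbound spam that left the box. The log excerpt in SAMPLE_LOG is constructed for the example, and the names sent_per_hour, over_threshold and check_day are chosen here.

```shell
#!/bin/sh
# Added example: per-hour delivered-message counts from an MTA log, with a threshold alert.
# SAMPLE_LOG is a constructed excerpt (hostnames, IDs and addresses are made up).
SAMPLE_LOG='Jan 19 09:12:01 mail sendmail[2201]: l0JFC1xx002201: to=<ops@example.net>, delay=00:00:01, stat=Sent (250 2.0.0 accepted)
Jan 19 09:40:22 mail sendmail[2230]: l0JFeMxx002230: to=<ops@example.net>, delay=00:00:00, stat=Sent (250 2.0.0 accepted)
Jan 19 10:01:05 mail sendmail[2301]: l0JG15xx002301: to=<a@example.org>, delay=00:00:02, stat=Sent (250 ok)
Jan 19 10:01:06 mail sendmail[2302]: l0JG16xx002302: to=<b@example.org>, delay=00:00:02, stat=Sent (250 ok)
Jan 19 10:01:07 mail sendmail[2303]: l0JG17xx002303: to=<c@example.org>, delay=00:00:03, stat=Deferred: Connection refused
Jan 19 10:01:08 mail postfix/smtp[2310]: 4F2A1B: to=<d@example.org>, relay=mx.example.org[192.0.2.10]:25, status=sent (250 ok)
Jan 19 10:01:09 mail postfix/smtp[2311]: 4F2A1C: to=<e@example.org>, relay=mx.example.org[192.0.2.10]:25, status=bounced (550 no such user)'

# Log source: the constructed excerpt here; in production replace with: cat /var/log/maillog
log_lines() { printf '%s\n' "$SAMPLE_LOG"; }

# sent_per_hour DAY: print "HH count" (sorted) for each hour of DAY that delivered at least
# one message. DAY uses syslog spacing, e.g. "Jan 19" or "Jan  9" (always six characters).
sent_per_hour() {
    log_lines | awk -v day="$1" '
        substr($0, 1, 6) == day && ($0 ~ /stat=Sent/ || $0 ~ /status=sent/) {
            hour = substr($3, 1, 2)   # $3 is the HH:MM:SS timestamp field
            n[hour]++
        }
        END { for (h in n) print h, n[h] }' | sort
}

# over_threshold DAY MAX: print "HH: count" for hours of DAY with count >= MAX.
over_threshold() {
    sent_per_hour "$1" | awk -v max="$2" '$2 >= max { print $1 ": " $2 }'
}

# check_day DAY MAX: human-readable verdict; exit status 1 means at least one hour crossed MAX,
# so `check_day "$(date '+%b %e')" 100 || mail -s "mail burst" root` works from cron.
check_day() {
    hits=$(over_threshold "$1" "$2")
    if [ -n "$hits" ]; then
        echo "ALERT: hours on $1 with >= $2 delivered messages:"
        echo "$hits"
        return 1
    fi
    echo "OK: no hour on $1 reached $2 delivered messages"
    return 0
}
```

On the constructed excerpt, hour 09 delivered 2 messages and hour 10 delivered 3 (two sendmail, one Postfix; the deferred and bounced lines are ignored), so `check_day "Jan 19" 3` alerts on hour 10 and exits 1, while a threshold of 4 reports OK. For the thread's case (about ten legitimate notifications a day), a threshold well below a spam run but above the daily normal, run hourly from cron, gives the fast warning the original poster asked for.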
 
Old 04-28-2009, 05:39 AM   #5
r.bhange
LQ Newbie
 
Registered: Mar 2009
Posts: 18

Rep: Reputation: 0
Quote:
Originally Posted by unSpawn (post #4, quoted in full)

Dear Sir,


I am facing the same kind of problem: my firewall IP gets blacklisted each day; I don't know the cause, but outgoing emails are spreading spam. I searched a lot but have not yet got a perfect solution to this problem.

If you or any one got solution kindly reply me.

At least give me hint.

thanks

byeeeee
 
Old 04-28-2009, 06:57 AM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
r.bhange, please start your own thread instead of resurrecting someone else's.

You can always provide a reference to another thread if you need to.
 