Log audit script

This section contains user-submitted tutorials.
LeftyF
New user
Posts: 2
Joined: 2020-11-24 19:52

Log audit script

Post by LeftyF » 2020-11-24 20:02

I've had some issues with accounts on my server being abused for spam (I have about 1,500 accounts on the server, and some are quite old). I found myself on 4 blacklists and needed a way to identify the spam traffic. To this end I wrote a script to analyze the logs and report on how many instances of each IP are identified in the log, and the username associated with the IP. An example output:

1893 "104.47.2.36" lajospkfkcze@iranshiko.com
1814 "104.47.0.36" oodybdauo@envirojet.com.au
1455 "104.47.1.36" susannefbmryet@combocomp.com
759 "216.18.201.195" apache@216-18-201-195.static.webnx.com
752 "173.194.175.26" krystynapjrpheg@fotonteam.com

This is a Linux bash script meant to be run in the same directory as the logs, but you can hack it up to do whatever you need.

Hope this helps some other poor email admin!

## begin script

#!/bin/bash
# Fred Clark 2020
# this script counts the number of instances of each IP in the hmail log
# to check for spam abuse

# cleanup (plain files, so -f is enough; hmail-log.txt is the name used below)
rm -f hmail-ip-report.txt hmail-log.txt

echo "please enter the name of the hmail log file"
echo "and press enter"

read -e input

# extract the IP addresses from the log file
# (hmail logs are tab separated; field 5 is the quoted client IP)

cut -f5 "$input" | sed '/^$/d' | sort -u > hmail-log.txt


function buildlist {

while read -r list; do

# -F matches the IP as a fixed string, so its dots are not treated as wildcards
count=$(grep -cF -- "$list" "$input")
# first MAIL FROM address seen from this IP, without the angle brackets
account=$(grep -F -- "$list" "$input" | grep "FROM:" | grep @ | head -n1 | cut -d"<" -f2 | cut -d">" -f1)

echo "$count $list $account" | tee -a hmail-ip-report.txt

done
}
INPUT_FILE=hmail-log.txt

buildlist < "$INPUT_FILE"

# sort the report so the busiest IP comes first
sort -n -r hmail-ip-report.txt > hmail-ip-sort.txt
mv hmail-ip-sort.txt hmail-ip-report.txt

echo "IP address report hmail-ip-report.txt created"
echo "press enter to view"

read

less hmail-ip-report.txt
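A single-pass variant of the same audit, added here as an example and not LeftyF's script: one awk pass counts every client IP and records the first MAIL FROM address seen from it, instead of re-grepping the whole log once per IP. It assumes hMailServer's tab-separated log layout with the quoted client IP in field 5 (as the cut -f5 above implies), prints the IP without its quotes, and the sample log lines it runs on are constructed.

```shell
#!/bin/sh
# Added example, not the original poster's script: one awk pass over an
# hMailServer log counts lines per client IP and keeps the first MAIL FROM
# address seen for that IP. Assumed (as cut -f5 above implies) log layout:
# "SMTPD"<TAB>thread<TAB>session<TAB>"timestamp"<TAB>"client-ip"<TAB>"message"

# audit_log LOGFILE -> lines of "count ip first-sender", busiest IP first
audit_log() {
    awk -F'\t' '
        $5 == "" { next }                       # no IP field on this line
        {
            ip = $5
            gsub(/"/, "", ip)                   # drop the quotes around the IP
            count[ip]++
            # remember the first FROM:<addr> seen from this IP
            if (!(ip in sender) && match($0, /FROM:<[^>]*@[^>]*>/))
                sender[ip] = substr($0, RSTART + 6, RLENGTH - 7)
        }
        END {
            for (ip in count)
                printf "%d %s %s\n", count[ip], ip, (ip in sender ? sender[ip] : "-")
        }
    ' "$1" | sort -n -r
}

# log_line IP MESSAGE -> one constructed hMailServer-style log line
log_line() {
    printf '"SMTPD"\t3104\t5\t"2020-11-24 20:02:32.100"\t"%s"\t"%s"\n' "$1" "$2"
}

# Constructed sample log (not real traffic) so the example runs stand-alone
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
{
    log_line 104.47.2.36 "RECEIVED: EHLO mail.example.com"
    log_line 104.47.2.36 "RECEIVED: MAIL FROM:<user1@example.com>"
    log_line 104.47.2.36 "RECEIVED: RCPT TO:<victim@example.net>"
    log_line 10.0.0.5    "RECEIVED: MAIL FROM:<bob@example.org>"
    log_line 104.47.2.36 "SENT: 250 OK"
} > "$SAMPLE_LOG"

audit_log "$SAMPLE_LOG"
```

On the sample log this prints "4 104.47.2.36 user1@example.com" followed by "1 10.0.0.5 bob@example.org"; an IP that never sent a MAIL FROM is reported with "-" in the sender column.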

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: Log audit script

Post by SorenR » 2020-11-24 20:25

Why not do that in the EventHandlers?

You can use hMailServer API to update the database. (Write only interface)

All you need then is to run a SQL query and write the report. :mrgreen:
SørenR.


LeftyF
New user
Posts: 2
Joined: 2020-11-24 19:52

Re: Log audit script

Post by LeftyF » 2020-11-24 21:02

Another way to go, but this also works :-)
