
pflogsumm reports

  • Rocco Scappatura
    Message 1 of 12, Feb 1, 2007
      Hello,

      I'm using pflogsumm and I find it very worthwhile..

      But I would like to refine the information that it gives me.

      For example, I would like to get a report of the IPs which try to relay
      messages through my SMTP relay server.

      I know that such a report cannot tell the truth as the IP can be
      spoofed, but I want to have a view of the clients that (try to)
      establish an SMTP connection with my SMTP server.

      In fact, every night between 00:00 and 01:00 I see a huge number
      received by Postfix, and I can figure out why this happens and who is
      guilty..

      Can I get such a report from pflogsumm, or what tool can I use to get
      such information?

      TIA,

      rocsca
    • Jorey Bump
      Message 2 of 12, Feb 1, 2007
        Rocco Scappatura wrote:

        > For example, I would like to get a report of the IPs which try to relay
        > messages through my SMTP relay server.
        >
        > I know that such a report cannot tell the truth as the IP can be
        > spoofed, but I want to have a view of the clients that (try to)
        > establish an SMTP connection with my SMTP server.
        >
        > In fact, every night between 00:00 and 01:00 I see a huge number
        > received by Postfix, and I can figure out why this happens and who is
        > guilty..
        >
        > Can I get such a report from pflogsumm, or what tool can I use to get
        > such information?

        I heartily recommend Mike Cappella's Postfix filter for logwatch:

        http://www.mikecappella.com/logwatch/

        It has configurable levels of reporting, and very readable output.
      • Rocco Scappatura
        Message 3 of 12, Feb 1, 2007
          > I heartily recommend Mike Cappella's Postfix filter for logwatch:
          >
          > http://www.mikecappella.com/logwatch/
          >
          > It has configurable levels of reporting, and very readable output.

          Thanks,

          I will try it and let you know..

          rocsca
        • MrC
          Message 4 of 12, Feb 1, 2007
            > Rocco Scappatura wrote:
            >
            > > For example, I would like to get a report of the IPs which try to
            > > relay messages through my SMTP relay server.
            > >
            > > I know that such a report cannot tell the truth as the IP can be
            > > spoofed, but I want to have a view of the clients that (try to)
            > > establish an SMTP connection with my SMTP server.
            > >
            > > In fact, every night between 00:00 and 01:00 I see a huge
            > > number received by Postfix, and I can figure out why this
            > > happens and who is guilty..
            > >
            > > Can I get such a report from pflogsumm, or what tool can I
            > > use to get such information?
            >
            > I heartily recommend Mike Cappella's Postfix filter for logwatch:
            >
            > http://www.mikecappella.com/logwatch/
            >
            > It has configurable levels of reporting, and very readable output.
            >

            Thanks for the plug Jorey.

            Rocco - if you don't see what you need, feel free to reply on/off list and
            I'll see what I can do to accommodate your request.

            If you don't already have logwatch installed, you can use the script almost
            standalone. See the README for details.

            MrC
          • Rocco Scappatura
            Message 5 of 12, Feb 1, 2007
              > Rocco - if you don't see what you need, feel free to reply
              > on/off list and I'll see what I can do to accommodate your request.
              >
              > If you don't already have logwatch installed, you can use the
              > script almost standalone. See the README for details.

              Thanks Mike to you too.. I will do..

              rocsca
            • Matt Hayes
              Message 6 of 12, Feb 1, 2007
                MrC wrote:
                >> Rocco Scappatura wrote:
                >>
                >>> For example, I would like to get a report of the IPs which try to
                >>> relay messages through my SMTP relay server.
                >>>
                >>> I know that such a report cannot tell the truth as the IP can be
                >>> spoofed, but I want to have a view of the clients that (try to)
                >>> establish an SMTP connection with my SMTP server.
                >>>
                >>> In fact, every night between 00:00 and 01:00 I see a huge
                >>> number received by Postfix, and I can figure out why this
                >>> happens and who is guilty..
                >>>
                >>> Can I get such a report from pflogsumm, or what tool can I
                >>> use to get such information?
                >> I heartily recommend Mike Cappella's Postfix filter for logwatch:
                >>
                >> http://www.mikecappella.com/logwatch/
                >>
                >> It has configurable levels of reporting, and very readable output.
                >>
                >
                > Thanks for the plug Jorey.
                >
                > Rocco - if you don't see what you need, feel free to reply on/off list and
                > I'll see what I can do to accommodate your request.
                >
                > If you don't already have logwatch installed, you can use the script almost
                > standalone. See the README for details.
                >
                > MrC


                Hmm.. I may have to give this a shot as well.

                -Matt
              • John Beaver
                Message 7 of 12, Feb 1, 2007
                  MrC wrote:
                  >> Rocco Scappatura wrote:
                  >>
                  >>> For example, I would like to get a report of the IPs which try to
                  >>> relay messages through my SMTP relay server.
                  >>>
                  >>> I know that such a report cannot tell the truth as the IP can be
                  >>> spoofed, but I want to have a view of the clients that (try to)
                  >>> establish an SMTP connection with my SMTP server.
                  >>>
                  >>> In fact, every night between 00:00 and 01:00 I see a huge
                  >>> number received by Postfix, and I can figure out why this
                  >>> happens and who is guilty..
                  >>>
                  >>> Can I get such a report from pflogsumm, or what tool can I
                  >>> use to get such information?
                  >> I heartily recommend Mike Cappella's Postfix filter for logwatch:
                  >>
                  >> http://www.mikecappella.com/logwatch/
                  >>
                  >> It has configurable levels of reporting, and very readable output.
                  >>
                  >
                  > Thanks for the plug Jorey.
                  >
                  > Rocco - if you don't see what you need, feel free to reply on/off list and
                  > I'll see what I can do to accommodate your request.
                  >
                  > If you don't already have logwatch installed, you can use the script almost
                  > standalone. See the README for details.


                  Have there been any updates on getting logwatch on FreeBSD? I looked for
                  this a couple of weeks ago and didn't find anything. I like the outputs,
                  but can't run it on FreeBSD.

                  john
                • Rocco Scappatura
                  Message 8 of 12, Feb 2, 2007
                    > > > For example, I would like to get a report of the IPs which try to
                    > > > relay messages through my SMTP relay server.
                    > > >
                    > > > I know that such a report cannot tell the truth as the IP can be
                    > > > spoofed, but I want to have a view of the clients that (try to)
                    > > > establish an SMTP connection with my SMTP server.
                    > > >
                    > > > In fact, every night between 00:00 and 01:00 I see a huge
                    > > > number received by Postfix, and I can figure out why this
                    > > > happens and who is guilty..
                    > > >
                    > > > Can I get such a report from pflogsumm, or what tool can I
                    > > > use to get such information?
                    > >
                    > > I heartily recommend Mike Cappella's Postfix filter for logwatch:
                    > >
                    > > http://www.mikecappella.com/logwatch/
                    > >
                    > > It has configurable levels of reporting, and very readable output.
                    > >
                    >
                    > Thanks for the plug Jorey.
                    >
                    > Rocco - if you don't see what you need, feel free to reply
                    > on/off list and I'll see what I can do to accommodate your request.

                    I have tried it.. Very nice and detailed.. but I would like to have a
                    report of all the IPs that have successfully established an SMTP
                    connection.. Is it possible to have such a report with this logwatch?

                    rocsca

                    > If you don't already have logwatch installed, you can use the
                    > script almost standalone. See the README for details.
                  • mouss
                    Message 9 of 12, Feb 2, 2007
                      Rocco Scappatura wrote:
                      >
                      > I have tried it.. Very nice and detailed.. but I would like to have a
                      > report of all the IPs that have successfully established an SMTP
                      > connection.. Is it possible to have such a report with this logwatch?
                      >
                      >

                      grep "postfix/smtpd.*: connect from" /var/log/maillog | sed 's/.*connect from//' | sort|uniq
                    • Devdas Bhagat
                      Message 10 of 12, Feb 3, 2007
                        On 01/02/07 10:46 +0100, Rocco Scappatura wrote:
                        <snip>
                        > I know that such a report cannot tell the truth as the IP can be
                        > spoofed, but I want to have a view of the clients that (try to)
                        > establish an SMTP connection with my SMTP server.
                        >
                        IP spoofing is much easier with UDP and ICMP, but quite difficult with
                        TCP (if Postfix sees the connection, there has been a successful
                        three-way handshake, and that implies the IP was not spoofed or the
                        attacker had enough control over your end network that you are screwed
                        anyway).

                        Devdas Bhagat
                      • Sheldon T. Hall
                        Message 11 of 12, Feb 3, 2007
                          Devdas Bhagat wrote ...
                          > On 01/02/07 10:46 +0100, Rocco Scappatura wrote:
                          > <snip>
                          > > I know that such a report cannot tell the truth as the IP can be
                          > > spoofed, but I want to have a view of the clients that (try to)
                          > > establish an SMTP connection with my SMTP server.
                          > >
                          > IP spoofing is much easier with UDP and ICMP, but quite difficult with
                          > TCP (if Postfix sees the connection, there has been a successful
                          > three-way handshake, and that implies the IP was not spoofed or the
                          > attacker had enough control over your end network that you are screwed
                          > anyway).

                          ... or maybe that the sender is using the old spammer's trick of sending
                          stuff from machine A, forging the IP address of machine B, which has a back
                          channel to machine A to complete the circle. Machine A would be on a
                          high-speed line, and machine B would be on a disposable dial-up account.
                          Machine B would eventually get busted for the spam, but the spammer would
                          just get a new dial-up account. Meanwhile, the real source of the spam,
                          machine A, would be hard to trace....

                          However, I don't think anyone bothers with that sort of stuff now, given the
                          number of botnets and "bulletproof hosting" outfits.

                          -Shel
                        • Rob Chanter
                          Message 12 of 12, Feb 4, 2007
                            On Fri, Feb 02, 2007 at 09:50:39PM +0100, mouss wrote:
                            >
                            > grep "postfix/smtpd.*: connect from" /var/log/maillog | sed 's/.*connect from//' | sort|uniq

                            A slight variation: ... | sort | uniq -c | sort -n

                            and here, at least 75% of distinct connecting hosts only connect once in any
                            given day.

                            cheers
                            rob
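The pipelines from mouss and Rob, carried a little further as an added example that is not part of the thread (nor code from pflogsumm or logwatch): it adds an hour filter for the 00:00-01:00 window Rocco mentions and a per-client count of connections that Postfix refused to relay, run over constructed maillog lines. The hostnames, addresses and function names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, pflogsumm or logwatch): extends mouss's
# grep|sed|sort|uniq pipeline and Rob's "uniq -c | sort -n" variant with an
# hour filter (e.g. 00 for the 00:00-01:00 window) and a per-client count of
# refused relay attempts. The log lines below are constructed for the demo.

sample_log_file() {            # writes the constructed maillog, prints its path
    f=$(mktemp)
    cat >"$f" <<'EOF'
Feb  1 00:12:03 relay postfix/smtpd[2345]: connect from unknown[192.0.2.10]
Feb  1 00:12:05 relay postfix/smtpd[2345]: disconnect from unknown[192.0.2.10]
Feb  1 00:31:44 relay postfix/smtpd[2351]: connect from unknown[192.0.2.10]
Feb  1 00:47:19 relay postfix/smtpd[2360]: connect from mail.example.net[198.51.100.7]
Feb  1 09:02:00 relay postfix/smtpd[2402]: connect from unknown[192.0.2.10]
Feb  1 09:02:01 relay postfix/smtpd[2402]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <user@example.com>: Relay access denied; from=<a@example.org> to=<user@example.com> proto=ESMTP helo=<x>
Feb  1 09:05:12 relay postfix/smtpd[2410]: connect from client.example.org[203.0.113.9]
EOF
    echo "$f"
}

# connections_by_client LOGFILE [HH]: "COUNT host[ip]" per client, rarest first.
# ": connect from" (with the colon) skips "disconnect from" lines. Postfix logs
# it after accept(), so the address completed a TCP handshake (Devdas's point).
connections_by_client() {
    if [ -n "${2:-}" ]; then            # syslog stamp is "Mon dd HH:MM:SS"
        pat="^... .. $2:.*postfix/smtpd.*: connect from "
    else
        pat="postfix/smtpd.*: connect from "
    fi
    grep "$pat" "$1" | sed 's/.*connect from //' | sort | uniq -c | sort -n |
        sed 's/^ *//'
}

# relay_denied_by_client LOGFILE: clients refused by Postfix's relay check, i.e.
# the "try to relay" hosts Rocco asked about. Cutting at the first space rather
# than the first colon keeps IPv6 literals like host[IPv6:2001:db8::1] intact.
relay_denied_by_client() {
    grep 'postfix/smtpd.*: NOQUEUE: reject: RCPT from .*Relay access denied' "$1" |
        sed 's/.*RCPT from \([^ ]*\): .*/\1/' | sort | uniq -c | sort -n |
        sed 's/^ *//'
}

# count_for LOGFILE HH|"" CLIENT: connection count for one client (empty if none)
count_for() {
    connections_by_client "$1" "$2" | awk -v c="$3" '$2 == c { print $1 }'
}

log=$(sample_log_file)                  # stand-alone run: print both reports
echo "connections 00:00-00:59:"; connections_by_client "$log" 00
echo "relay attempts refused:";  relay_denied_by_client "$log"
rm -f "$log"
```

On a real server replace the constructed file with /var/log/maillog; the 00 filter reproduces the night-time window from the first message, and the relay-denied count is the list of hosts that tried to use the server as an open relay.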