
Mail Abuse

See also email-deliverability-status.

Mail sent to abuse -@- mayfirst -.- org is delivered to the abuse-collector user on octavia.

You can explore what is happening via su - abuse-collector on octavia.

From there:

./abuse-stats

A cron job runs regularly to parse incoming email using the bash script parse-incoming-mail. This script first deletes all archived email older than a year. Then it extracts the IP address that sent each message in the inbox using parse-ip and moves the message into the email-archive folder, filed under a sub-directory named after the sending IP address.

The mf-monitor-abuse-email script monitors the email archive directory to see whether any IP address has recorded more than 100 reports in the last 2 days (warning) or more than 1,000 (critical), and alerts Nagios.

The IP check is the baseline check.

In addition, further parsing is done with the analyze-message script to gain a better understanding of who is responsible for the email. This script attempts to identify who sent the spam message. If it can make an accurate assessment, it creates a symlink to the original message in the analyzed-messages directory (with a sub-directory for each sender).

Lastly, the abuse-stats script offers a summary of the results and can be run any time to get a sense of where the abuse emails are coming from. By default it prints the stats for all email received in the last 365 days. You can pass an integer as the first argument to limit the stats to the last N days (e.g. ./abuse-stats 30 to see stats for the last 30 days).
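The threshold check that mf-monitor-abuse-email performs, written out as an added example (not May First's own script): it walks an email-archive/<ip>/ tree, counts the messages filed under each IP in the last 2 days and returns Nagios exit codes. The archive layout, the 100/1,000 thresholds and the 2-day window are the page's; the function names, the Nagios exit-code convention and the constructed sample directories with documentation-range IPs are assumptions.

```shell
#!/bin/sh
# Added example, not May First's mf-monitor-abuse-email: a Nagios-style check
# over the email-archive/<ip>/ layout. Thresholds follow the wiki page:
# more than 100 reports in 2 days -> WARNING (exit 1), more than 1,000 ->
# CRITICAL (exit 2), otherwise OK (exit 0).

# check_abuse_archive <archive_dir> [days] [warn] [crit]
# Prints one status line and returns the matching Nagios exit code.
check_abuse_archive() {
    archive=$1; days=${2:-2}; warn=${3:-100}; crit=${4:-1000}
    worst_ip="none"; worst_count=0
    for dir in "$archive"/*/; do
        [ -d "$dir" ] || continue
        ip=$(basename "$dir")
        # Count messages filed under this IP within the last N days; since
        # parse-incoming-mail moves each message, its mtime is its arrival time.
        count=$(find "$dir" -type f -mtime "-$days" | wc -l | tr -d ' ')
        if [ "$count" -gt "$worst_count" ]; then
            worst_count=$count; worst_ip=$ip
        fi
    done
    if [ "$worst_count" -gt "$crit" ]; then
        echo "CRITICAL: $worst_ip filed $worst_count reports in $days days"; return 2
    elif [ "$worst_count" -gt "$warn" ]; then
        echo "WARNING: $worst_ip filed $worst_count reports in $days days"; return 1
    fi
    echo "OK: busiest sender $worst_ip filed $worst_count reports in $days days"
    return 0
}

# Constructed sample archive (hypothetical data, documentation-range IPs) so
# the check can run offline; prints the temporary directory it created.
make_sample_archive() {
    root=$(mktemp -d)
    mkdir -p "$root/192.0.2.10" "$root/198.51.100.7"
    i=1
    while [ "$i" -le 150 ]; do      # 150 recent reports: above warn, below crit
        : > "$root/192.0.2.10/msg$i"; i=$((i + 1))
    done
    : > "$root/198.51.100.7/msg1"   # a single report: stays OK on its own
    echo "$root"
}

# Stand-alone run: prints the status line and the Nagios exit code it produced.
archive=$(make_sample_archive)
check_abuse_archive "$archive" || echo "exit code $?"
rm -rf "$archive"
```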

To Do

Set up automatic email forwarding to the email addresses associated with the IP addresses or senders.

Last modified on Aug 29, 2017, 8:20:42 AM