Mail Abuse
See also email-deliverability-status.
Mail sent to abuse -@- mayfirst -.- org is delivered to the abuse-collector user on octavia.
A cron job runs regularly to parse incoming email using the bash script parse-incoming-mail. This script first deletes all archived email older than a year. Then it extracts the IP address that sent each message in the inbox using parse-ip and moves the email message into the email-archive folder, filed under a sub-directory named for the IP address that sent it.
mf-monitor-abuse-email monitors the email archive directory to see whether any IP address has recorded more than 100 reports in the last 2 days (warning) or more than 1,000 (critical), and alerts nagios.
The IP check is the baseline check.
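The threshold logic described above, sketched as a Nagios-style check in bash. This is an added example, not the mf-monitor-abuse-email script itself; the function name, the archive layout (one sub-directory per IP, one file per report) and the use of file modification time as the report time are assumptions.

```shell
#!/bin/bash
# Added example, not May First's mf-monitor-abuse-email script.
# Assumed layout: <archive>/<sender-ip>/<one file per abuse report>, with each
# file's mtime approximating when the report arrived.

# check_abuse_archive DIR [WARN] [CRIT] [DAYS]
# Defaults are the page's thresholds: more than 100 reports from one IP in the
# last 2 days is a warning, more than 1,000 is critical.
# Prints a one-line status and returns the Nagios plugin code:
# 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
check_abuse_archive() {
    local archive="$1" warn="${2:-100}" crit="${3:-1000}" days="${4:-2}"
    local dir count worst_ip="none" worst_count=0

    if [ ! -d "$archive" ]; then
        echo "ABUSE UNKNOWN - no such directory: $archive"
        return 3
    fi

    for dir in "$archive"/*/; do
        [ -d "$dir" ] || continue   # unmatched glob when the archive is empty
        # NUL-delimited count, so unusual file names cannot inflate the total.
        count=$(find "$dir" -type f -mtime "-$days" -print0 | tr -cd '\0' | wc -c)
        if [ "$count" -gt "$worst_count" ]; then
            worst_count=$count
            worst_ip=$(basename "$dir")
        fi
    done

    local detail="busiest IP $worst_ip: $worst_count reports in last $days days"
    if [ "$worst_count" -gt "$crit" ]; then
        echo "ABUSE CRITICAL - $detail"; return 2
    elif [ "$worst_count" -gt "$warn" ]; then
        echo "ABUSE WARNING - $detail"; return 1
    fi
    echo "ABUSE OK - $detail"; return 0
}
```

A wrapper run by nagios would call check_abuse_archive on the archive directory and exit with its return code.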
In addition, further parsing is done to gain a better understanding of who is responsible for the email. That parsing is done by the analyze-message script, which attempts to identify who sent the spam message. If it can make an accurate assessment, it creates a symlink to the original message in the analyzed-messages directory (with a sub-directory for each sender).
Lastly, the abuse-stats script offers a summary of the results and can be run at any time to get a sense of where the abuse emails are coming from.
To Do
Set up automatic email forwarding to email addresses associated with IP addresses or senders.