wiki:mail-abuse

Version 1 (modified by Jamie McClelland, 7 years ago)

Mail Abuse

See also email-deliverability-status.

Mail sent to abuse -@- mayfirst -.- org is delivered to the abuse-collector user on octavia.

A cron job runs regularly to parse incoming email using the bash script parse-incoming-mail. The script first deletes all archived email older than a year. It then uses parse-ip to extract the IP address that sent each message in the inbox and moves the message into the email-archive folder, filed under a sub-directory named for that IP address.

The mf-monitor-abuse-email script watches the email-archive directory to see whether any IP address has accumulated more than 100 reports in the last 2 days (warning) or more than 1,000 (critical), and alerts Nagios.

This per-IP check is the baseline check.
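The pipeline above (extract the sending IP, file the report under email-archive/<ip>/, prune entries older than a year, count per-IP reports in the last two days, and map the counts to Nagios warning/critical levels) as an added Python example. This is not the May First parse-incoming-mail, parse-ip or mf-monitor-abuse-email code, which are bash scripts; the sample message, the hostnames, the file naming and the "unknown" fallback directory are assumptions made for the example. The security-relevant choice it makes explicit: only the topmost Received header, written by our own MX, is trusted for the IP, because every lower Received header arrived inside the message and can be forged by the sender to steer the report into another IP's directory.

```python
"""Added example of an abuse-mailbox pipeline (not the project's own scripts)."""
import email
import os
import re
import tempfile
import time
import uuid
from email import policy
from pathlib import Path

WARN_THRESHOLD = 100   # reports per IP in the window -> WARNING
CRIT_THRESHOLD = 1000  # reports per IP in the window -> CRITICAL
WINDOW_DAYS = 2
MAX_AGE_DAYS = 365

# IPv4 or IPv6 literal in square brackets, the form MTAs write into Received:
# "[203.0.113.7]" or "[IPv6:2001:db8::1]".
_IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def extract_sender_ip(raw: bytes):
    """Return the IP that connected to our MX, or None if it cannot be found.

    Only the first (topmost) Received header is consulted: it was added by our
    own MTA. The headers below it travelled inside the message and are
    attacker-controlled, so filing on them would let a sender choose which
    directory, and therefore which IP's report count, the message lands in.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = _IP_IN_BRACKETS.search(str(received[0]))
    return m.group(1) if m else None


def file_message(archive_dir: Path, raw: bytes, received_at: float) -> Path:
    """Store one report as <archive_dir>/<ip>/<time>-<uuid>.eml; its mtime is
    set to the receipt time so later counting and pruning can rely on it."""
    ip = extract_sender_ip(raw) or "unknown"
    # The IP text came off the network: allow only address characters as a
    # path component (defence in depth against "../" style names).
    if not re.fullmatch(r"[0-9a-fA-F.:]+", ip):
        ip = "unknown"
    dest_dir = archive_dir / ip
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / f"{received_at:.0f}-{uuid.uuid4().hex}.eml"
    dest.write_bytes(raw)
    os.utime(dest, (received_at, received_at))
    return dest


def prune_archive(archive_dir: Path, now: float, max_age_days: int = MAX_AGE_DAYS) -> int:
    """Delete archived reports older than max_age_days; return how many went."""
    cutoff = now - max_age_days * 86400
    removed = 0
    for f in archive_dir.glob("*/*.eml"):
        if f.stat().st_mtime < cutoff:
            f.unlink()
            removed += 1
    return removed


def count_recent_reports(archive_dir: Path, now: float, window_days: int = WINDOW_DAYS) -> dict:
    """Per-IP count of archived reports whose mtime falls inside the window."""
    cutoff = now - window_days * 86400
    counts = {}
    for ip_dir in archive_dir.iterdir():
        if ip_dir.is_dir():
            n = sum(1 for f in ip_dir.iterdir()
                    if f.is_file() and f.stat().st_mtime >= cutoff)
            if n:
                counts[ip_dir.name] = n
    return counts


def nagios_status(counts: dict, warn: int = WARN_THRESHOLD, crit: int = CRIT_THRESHOLD):
    """Map per-IP counts to a Nagios exit code (0 OK, 1 WARNING, 2 CRITICAL)
    plus a one-line summary naming every IP over the warning threshold."""
    worst = max(counts.values(), default=0)
    code, label = (2, "CRITICAL") if worst > crit else (1, "WARNING") if worst > warn else (0, "OK")
    offenders = ", ".join(f"{ip}={n}" for ip, n in
                          sorted(counts.items(), key=lambda kv: -kv[1]) if n > warn)
    return code, f"ABUSE {label}: {offenders or 'no IP over threshold'}"


# Constructed sample report (not a real message). The second Received header
# is the kind a sender can forge; the pipeline deliberately ignores it.
SAMPLE_REPORT = b"""Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby octavia.example.org with ESMTPS id abc123
\tfor <abuse@example.org>; Mon, 1 Jan 2018 12:00:00 +0000
Received: from attacker (unknown [192.0.2.1]) by mail.example.net
From: reporter@example.net
To: abuse@example.org
Subject: Abuse report

Spam originated from your network.
"""


def demo() -> dict:
    """Run the pipeline in a scratch directory: 150 reports from one IP in the
    last few hours (over the warning line) plus one stale report to prune."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "email-archive"
        archive.mkdir()
        for i in range(150):
            file_message(archive, SAMPLE_REPORT, now - i * 60)
        file_message(archive, SAMPLE_REPORT, now - 400 * 86400)
        removed = prune_archive(archive, now)
        counts = count_recent_reports(archive, now)
        code, summary = nagios_status(counts)
    return {"removed": removed, "counts": counts, "code": code, "summary": summary}


if __name__ == "__main__":
    print(demo())
```

With the thresholds from the page, the demo ends in WARNING for 203.0.113.7 with 150 reports, and the 400-day-old report is pruned before counting. A production check would also want a sanity test that the archive directory exists and is readable, since an empty count is indistinguishable from a broken archive path.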

In addition, the analyze-message script does further parsing to gain a better understanding of who is responsible for the email: it attempts to identify who sent the spam message. If it can make an accurate assessment, it creates a symlink to the original message in the analyzed-messages directory (with a sub-directory for each sender).

Lastly, the abuse-stats script summarizes the results and can be run at any time to get a sense of where the abuse emails are coming from.

To Do

Set up automatic email forwarding to the email addresses associated with IP addresses or senders.