1 (edited by reno31 2021-06-21 22:11:54)

Topic: Botnet detection & Action

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.2
- Deployed with iRedMail Easy or the downloadable installer? Downloaded
- Linux/BSD distribution name and version: Debian 10
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): NGINX
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello,

I would like to submit a little script I will run to avoid getting too much heat in case one or more users have had their password leaked.
The script would scan mail.info and count how many different IP addresses were used to connect to a specific account.
My users don't move often, and each time a password has leaked I could see the same connection pattern: 1 or 2 mails each from different IP addresses.

#!/bin/bash
set -x

# Find SASL usernames that authenticated from more than 100 distinct client IPs
# (the pipeline is broken down step by step below).
troubleMaker=$(grep sasl_username= /var/log/mail.info | awk '{print $7,$9}' | sed -r 's/.*\[([[:digit:].]+)[^=]+=(.*)/ \1,\2 /' | sort | uniq -c | sort | awk '{print $2}' | awk -F , '{print $2}' | sort | uniq -c | awk '{if($1>100)print $2}')
while IFS= read -r line; do
        # troubleMaker is empty when nobody is over the threshold: skip the empty line
        [ -z "$line" ] && continue
        # generate a random replacement password and hash it the way iRedMail stores it
        pass=$(openssl rand -base64 8)
        password=$(doveadm pw -s 'ssha512' -p "$pass")
        # replace the leaked password in the vmail database (PASS is the MySQL root password)
        echo "UPDATE mailbox SET password='$password' WHERE username='$line';" | mysql -u root -pPASS vmail
        # notify the postmaster (DOMAIN.com is a placeholder for the local domain)
        echo "Password for user : $line
had to be changed due to too many connections.
New password is : $pass" | mail -s "Automated action : $line " postmaster@DOMAIN.com
done <<< "$troubleMaker"
exit 0
  • grep sasl_username= /var/log/mail.info
  • | awk '{print $7,$9}' (client IP and username)
  • | sed -r 's/.*\[([[:digit:].]+)[^=]+=(.*)/ \1,\2 /' (keep only IPv4 and username, in that order)
  • | sort
  • | uniq -c (remove and count duplicates)
  • | sort
  • | awk '{print $2}' (keep only the non-counted part, could be optimised)
  • | awk -F , '{print $2}' (keep only username)
  • | sort
  • | uniq -c (how many connections from different IPs)
  • | awk '{if($1>100)print $2}' (show only if >100, print username only)

The script should be run once a day just before logrotate.

Tell me what you have done, or would do?
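As an added example (not reno31's script and not iRedMail's own code), the same detection step as reusable shell functions run over constructed Postfix log lines: count distinct client IPs per sasl_username and flag accounts above a threshold. Unlike the sed expression in the post it also keeps IPv6 client addresses; the log format is the standard Postfix smtpd "client=...[ip]... sasl_username=..." line.

```shell
#!/bin/bash
# Added example: per-account distinct-client-IP counting over Postfix smtpd log lines.
# Reads log lines on stdin so it can be pointed at /var/log/mail.info or a test sample.

# Constructed sample log lines (not from a real server).
SAMPLE_LOG='Jun 21 10:00:01 mail postfix/submission/smtpd[1001]: 1A2B3C: client=host1[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jun 21 10:00:02 mail postfix/submission/smtpd[1002]: 1A2B3D: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Jun 21 10:00:03 mail postfix/submission/smtpd[1003]: 1A2B3E: client=unknown[2001:db8::1], sasl_method=PLAIN, sasl_username=alice@example.com
Jun 21 10:00:04 mail postfix/submission/smtpd[1004]: 1A2B3F: client=host2[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jun 21 10:00:05 mail postfix/submission/smtpd[1005]: 1A2B40: client=home[203.0.113.5], sasl_method=PLAIN, sasl_username=bob@example.com
Jun 21 10:00:06 mail postfix/submission/smtpd[1006]: 1A2B41: client=home[203.0.113.5], sasl_method=PLAIN, sasl_username=bob@example.com'

# distinct_ips_per_user: stdin = log lines, stdout = "<distinct-ip-count> <username>",
# highest count first. Only lines carrying sasl_username= are considered, and the
# IP capture accepts hex digits, dots and colons so IPv6 clients are not dropped.
distinct_ips_per_user() {
    grep 'sasl_username=' \
    | sed -nE 's/.*client=[^[]*\[([0-9a-fA-F.:]+)\].*sasl_username=([^,[:space:]]+).*/\1 \2/p' \
    | sort -u \
    | awk '{print $2}' \
    | sort | uniq -c \
    | sort -rn \
    | awk '{print $1, $2}'
}

# flag_users THRESHOLD: print usernames seen from more than THRESHOLD distinct IPs.
# The post uses 100 against a full day of mail.info; pick a value that fits your users.
flag_users() {
    local threshold="$1"
    distinct_ips_per_user | awk -v t="$threshold" '$1 > t {print $2}'
}

# Usage on a live server (not run here): flag_users 100 < /var/log/mail.info
```

Running `printf '%s\n' "$SAMPLE_LOG" | flag_users 2` prints only alice@example.com, since 192.0.2.10 is counted once despite two logins from it.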


2

Re: Botnet detection & Action

iRedMail ships a script named "find_top_sasl_usernames.sh" to find the top smtp authentication usernames:
https://github.com/iredmail/iRedMail/bl … ernames.sh

Usually spammers just want to send spam with the hacked account, so this should be more useful to figure out which account's password was leaked.