How do I monitor the rate of email sent on a Postfix email Ubuntu server?


Joseph Odell

Aug 14, 2015, 7:06:13 PM
to ossec-list
Hi,
I'm new to using OSSEC. We have it deployed monitoring some websites. These websites have the ability to let users subscribe to email updates, and so have a postfix relay on them. One of these sites was compromised and started spamming out emails to people. We'd like to monitor the rate of emails leaving the server and trigger postfix to shut down in the event of too many emails being sent in a given period of time (probably about 400 emails in 2 minutes would suffice). Any help you could provide on this issue would be much appreciated!

theresa mic-snare

Aug 15, 2015, 1:41:03 AM
to ossec-list
Hi Joseph,

You're probably looking for something like this:

email_maxperhour
Specifies the maximum number of e-mails to be sent per hour. All emails in excess of this setting will be queued for later distribution.
Default: 12
Allowed: Any number from 1 to 9999

Note
At the end of the hour any queued emails will be sent together in one email. This is true whether the mail grouping is enabled or disabled.

Regards,
theresa

dan (ddp)

Aug 17, 2015, 11:29:58 AM
to ossec...@googlegroups.com
If there isn't a rule for an email being sent already, you could
create one. Then create a frequency rule to look for "excessive"
emails.

For example, here's a basic decoder (based on an OLD log message I
found online[0]):
<decoder name="postfix-info">
  <parent>postfix</parent>
  <!-- \p matches punctuation (the angle brackets), \.+ skips the relay/delay fields -->
  <regex offset="after_parent">to=\p(\S+)\p, \.+ status=(\S+) </regex>
  <order>dstuser, status</order>
</decoder>

And a rule would be something like:
<rule id="XXXXX" level="1">
  <decoded_as>postfix</decoded_as>
  <status>sent</status>
  <description>email sent</description>
</rule>

<rule id="XXXXX+1" level="10" frequency="8" timeframe="120">
  <if_matched_sid>XXXXX</if_matched_sid>
  <description>10+ emails sent in 120s</description>
</rule>

These rules are untested, and not the best. I didn't see a srcip I
could grab from the log message, so setting same_source_ip isn't
possible. Perhaps using the following log would be the better way to
go:

postfix/smtpd[1434]: 4F9D116F7F7: client=localhost[127.0.0.1]

You could decode the client IP (127.0.0.1) as the srcip and then set
the same_source_ip option in the frequency rule.

Also, the log message was from 2004, and I have no idea how the logs
have changed since then. Newer log samples would be awesome (for
pretty much all sources)!

[0]: http://www.onlamp.com/pub/a/onlamp/2004/01/22/postfix.html


Michael Starks

Aug 17, 2015, 12:40:31 PM
to ossec...@googlegroups.com
I sense the potential for an infinite loop and/or a DoS. If OSSEC sends
emails for sending a lot of emails, it could contribute to the problem.
I would approach this another way. Is FIM set up on the web site? Were
there lots of invalid login attempts? What other indicators of
compromise were there?
