#!/bin/bash
#
# find_spammer.sh — daily abuse report built from the exim main log.
#
# Counts local sendmail submissions and dovecot logins per account, lists
# messages submitted from cron, mail-related processes, script files in the
# world-writable temp dirs and the exim queue summary.  The report is written
# to OUTPUT_FILE on every run and e-mailed only when an account exceeds its
# threshold.  Reads /var/log/exim_mainlog and writes under /root, so it is
# presumably meant to run as root (e.g. from cron).
#
# Optional config (CONFIG_FILE), one directive per line:
#   EXCLUDE=<account>      never alert on this account
#   LIMIT=<account>:<n>    per-account threshold overriding DEFAULT_LIMIT

# ---- Settings ---------------------------------------------------------------
DEFAULT_LIMIT=1000                              # threshold when no LIMIT= line exists for an account
LOG_FILE="/var/log/exim_mainlog"                # exim main log that every section parses
CONFIG_FILE="/etc/find-spammers.conf"           # optional EXCLUDE=/LIMIT= directives
OUTPUT_FILE="/root/report-spam.txt"             # plain-text report, rewritten each run
EMAIL_RECIPIENT="sysadmin@sitioshispanos.com"   # gets the report when an alert fires
TMP_DIRS=("/tmp" "/dev/shm")                    # world-writable dirs scanned for script files

# ---- Per-account overrides (filled from CONFIG_FILE) ------------------------
declare -A CUSTOM_THRESHOLDS                    # account -> numeric limit
declare -a EXCLUDED_ACCOUNTS=()                 # accounts that never raise an alert

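# Load per-account overrides from a config file, if it exists.
# Recognised lines (blank lines, '#' comments and anything else are ignored):
#   EXCLUDE=<account>        never alert on this account
#   LIMIT=<account>:<n>      alert threshold for this account (non-negative integer)
# Globals written: EXCLUDED_ACCOUNTS (appended), CUSTOM_THRESHOLDS (keys added)
# Arguments:       $1 - path of the config file
# Outputs:         a warning on stderr for each malformed LIMIT= line
# Returns:         0 always (a missing file is not an error)
load_config() {
    local cfg=$1
    local line rest account limit
    [[ -f "$cfg" ]] || return 0
    # '|| [[ -n "$line" ]]' keeps a last line that has no trailing newline
    while IFS= read -r line || [[ -n "$line" ]]; do
        [[ "$line" =~ ^# || -z "$line" ]] && continue
        case "$line" in
            EXCLUDE=*)
                EXCLUDED_ACCOUNTS+=("${line#EXCLUDE=}")
                ;;
            LIMIT=*)
                # "account:limit" split with parameter expansion instead of echo|cut subshells;
                # with no ':' both halves are the whole value, which then fails the numeric check
                rest=${line#LIMIT=}
                account=${rest%%:*}
                limit=${rest#*:}
                limit=${limit%%:*}
                if [[ -z "$account" || ! "$limit" =~ ^[0-9]+$ ]]; then
                    # An empty key is a bad array subscript and a non-numeric limit would
                    # abort the later -gt comparisons, so the line is dropped here instead.
                    printf 'find_spammer: ignoring malformed config line: %s\n' "$line" >&2
                    continue
                fi
                CUSTOM_THRESHOLDS["$account"]=$limit
                ;;
        esac
    done < "$cfg"
    return 0
}

load_config "$CONFIG_FILE"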

# Both yesterday's and today's log entries are examined so a run shortly after
# midnight still covers the previous day (date -d is GNU coreutils syntax).
YESTERDAY=$(date -d "yesterday" +"%Y-%m-%d")
TODAY=$(date +"%Y-%m-%d")

# Start the plain-text report from scratch (OUTPUT_FILE is truncated each run).
printf '%s\n' "===================================" > "$OUTPUT_FILE"
printf '%s\n' "📌 DAILY SPAM REPORT - $(date)" \
              "===================================" \
              "" >> "$OUTPUT_FILE"

# Becomes 1 as soon as any account exceeds its threshold; decides at the end
# whether the report is e-mailed.
ALERT_FLAG=0

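# ==============================
# 1️⃣ LOCAL SENDMAIL SUBMISSIONS
# ==============================
# Walks a "<count> <user>" file (output of sort | uniq -c | sort -nr) and appends an
# ALERT line to OUTPUT_FILE for every user whose count exceeds their threshold.
# Globals read:    EXCLUDED_ACCOUNTS, CUSTOM_THRESHOLDS, DEFAULT_LIMIT, OUTPUT_FILE
# Globals written: ALERT_FLAG (set to 1 when at least one alert fired; never reset)
# Arguments:       $1 - path of the per-user usage file
# Returns:         0
check_sendmail_thresholds() {
    local usage_file=$1
    local count user threshold
    while read -r count user; do
        [[ -z "$user" ]] && continue   # blank or malformed line
        # Excluded accounts never alert; the match is literal, so a user name containing
        # pattern metacharacters cannot widen it.
        if [[ " ${EXCLUDED_ACCOUNTS[*]} " == *" $user "* ]]; then
            continue
        fi
        # Per-account limit from the config file, else DEFAULT_LIMIT.  A non-numeric
        # value would make the -gt test error out, so it falls back to the default too.
        threshold=${CUSTOM_THRESHOLDS["$user"]:-$DEFAULT_LIMIT}
        [[ "$threshold" =~ ^[0-9]+$ ]] || threshold=$DEFAULT_LIMIT
        if [[ "$count" -gt "$threshold" ]]; then
            echo "🚨 ALERT: User $user exceeded the limit ($count emails, Threshold: $threshold)!" >> "$OUTPUT_FILE"
            ALERT_FLAG=1
        fi
    done < "$usage_file"
    return 0
}

echo "🔹 1. Top sendmail users:" >> "$OUTPUT_FILE"

# Per-run scratch file instead of a fixed name in /tmp: a predictable path in a
# world-writable directory can be pre-created or symlinked by another local user,
# and this script writes there with whatever privileges it was started with.
SENDMAIL_USAGE_TMP=$(mktemp) || { echo "find_spammer: mktemp failed" >&2; exit 1; }

# Locally submitted messages (P=local) from yesterday/today; the sixth
# whitespace-separated field of the log line is taken as the submitting user.
# NOTE: 'grep -v "root"' drops any line mentioning "root" anywhere, not only root's submissions.
grep "<=.*P=local" "$LOG_FILE" | grep -v "root" | grep -E "$YESTERDAY|$TODAY" \
    | awk '{print $6}' | sort | uniq -c | sort -nr > "$SENDMAIL_USAGE_TMP"

head -n 10 "$SENDMAIL_USAGE_TMP" >> "$OUTPUT_FILE"
echo "" >> "$OUTPUT_FILE"

check_sendmail_thresholds "$SENDMAIL_USAGE_TMP"
rm -f -- "$SENDMAIL_USAGE_TMP"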

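# ==============================
# 2️⃣ MAILBOX LOGINS
# ==============================
# Walks a "<count> <email>" file (output of sort | uniq -c | sort -nr) and appends an
# ALERT line to OUTPUT_FILE for every account whose login count exceeds its threshold.
# Globals read:    EXCLUDED_ACCOUNTS, CUSTOM_THRESHOLDS, DEFAULT_LIMIT, OUTPUT_FILE
# Globals written: ALERT_FLAG (set to 1 when at least one alert fired; never reset)
# Arguments:       $1 - path of the per-account login file
# Returns:         0
check_login_thresholds() {
    local logins_file=$1
    local count email threshold
    while read -r count email; do
        [[ -z "$email" ]] && continue   # blank or malformed line
        # Excluded accounts never alert; literal match, see check on user names above.
        if [[ " ${EXCLUDED_ACCOUNTS[*]} " == *" $email "* ]]; then
            continue
        fi
        # Per-account limit from the config file, else DEFAULT_LIMIT; a non-numeric
        # value would break the -gt test, so it is replaced by the default as well.
        threshold=${CUSTOM_THRESHOLDS["$email"]:-$DEFAULT_LIMIT}
        [[ "$threshold" =~ ^[0-9]+$ ]] || threshold=$DEFAULT_LIMIT
        if [[ "$count" -gt "$threshold" ]]; then
            echo "🚨 ALERT: Email account $email exceeded the limit ($count logins, Threshold: $threshold)!" >> "$OUTPUT_FILE"
            ALERT_FLAG=1
        fi
    done < "$logins_file"
    return 0
}

echo "🔹 2. Top email logins:" >> "$OUTPUT_FILE"

# Per-run scratch file rather than a fixed, predictable name in /tmp (see section 1).
EMAIL_LOGINS_TMP=$(mktemp) || { echo "find_spammer: mktemp failed" >&2; exit 1; }

# Authenticated submissions from yesterday/today: pick the A=dovecot_login:/A=dovecot_plain:
# field, strip that prefix and count what remains (the authenticated account).
grep "<=.*A=dovecot_" "$LOG_FILE" | grep -E "$YESTERDAY|$TODAY" \
    | awk '{for(i=1;i<=NF;i++) if ($i ~ /A=dovecot_(login|plain):/) print $i}' \
    | sed -E 's/A=dovecot_(login|plain)://g' \
    | sort | uniq -c | sort -nr > "$EMAIL_LOGINS_TMP"

head -n 10 "$EMAIL_LOGINS_TMP" >> "$OUTPUT_FILE"
echo "" >> "$OUTPUT_FILE"

check_login_thresholds "$EMAIL_LOGINS_TMP"
rm -f -- "$EMAIL_LOGINS_TMP"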

# ==============================
# 3️⃣ MESSAGES SUBMITTED FROM CRON JOBS
# ==============================
# Log lines that carry both "cwd=" and "/var/spool/cron" and fall on yesterday/today;
# the third whitespace-separated field is counted and the ten most frequent values
# are appended to the report.
echo "🔹 3. Emails sent from cron jobs:" >> "$OUTPUT_FILE"
awk 'index($0, "cwd=") && index($0, "/var/spool/cron")' "$LOG_FILE" \
    | grep -E -e "$YESTERDAY|$TODAY" \
    | awk '{ print $3 }' \
    | sort \
    | uniq -c \
    | sort -nr \
    | head -n 10 >> "$OUTPUT_FILE"
echo "" >> "$OUTPUT_FILE"

# ==============================
# 4️⃣ RUNNING MAIL-RELATED PROCESSES
# ==============================
# Snapshot of processes whose ps line mentions exim, sendmail or postfix.  Lines
# containing "grep" are dropped so the pipeline itself does not show up; the awk
# stage carries the same pattern text on its command line, so that exclusion also
# hides it.  Full command lines end up in the e-mailed report.
echo "🔹 4. Active email-related processes:" >> "$OUTPUT_FILE"
ps aux | awk '/exim|sendmail|postfix/ && !/grep/' >> "$OUTPUT_FILE"
echo "" >> "$OUTPUT_FILE"

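# ==============================
# 5️⃣ SUSPICIOUS FILES IN /tmp AND /dev/shm
# ==============================
# Lists (ls -lah) every regular file under the given directories whose name ends
# in .php, .sh, .pl, .py or .cgi — script files dropped into world-writable
# directories are a common trace of an abused account.
# Arguments: $@ - directories to scan
# Outputs:   ls -lah lines on stdout; find's own errors on stderr
# Returns:   0 (find's status is deliberately not propagated so one unreadable
#            directory does not cut the report short)
list_suspicious_files() {
    local dir
    for dir in "$@"; do
        # The -name tests must be grouped: without \( \) the -o chain binds so that
        # -type f applies only to *.php and -exec only to *.cgi, i.e. .php/.sh/.pl/.py
        # matches were never printed at all.
        find "$dir" -type f \( -name '*.php' -o -name '*.sh' -o -name '*.pl' -o -name '*.py' -o -name '*.cgi' \) -exec ls -lah -- {} +
    done
    return 0
}

echo "🔹 5. Suspicious files in /tmp and /dev/shm:" >> "$OUTPUT_FILE"
list_suspicious_files "${TMP_DIRS[@]}" >> "$OUTPUT_FILE"
echo "" >> "$OUTPUT_FILE"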

# ==============================
# 6️⃣ EXIM QUEUE
# ==============================
# Queue summary as printed by exiqgrep -c, fed with the exim -bp listing.
# NOTE(review): exiqgrep is believed to invoke exim -bp itself — confirm whether the pipe is needed.
printf '%s\n' "🔹 6. Exim mail queue status:" >> "$OUTPUT_FILE"
exim -bp | exiqgrep -c >> "$OUTPUT_FILE"
printf '\n' >> "$OUTPUT_FILE"

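# ==============================
# 📧 SEND THE REPORT ONLY WHEN THERE ARE ALERTS
# ==============================
# Mails OUTPUT_FILE to EMAIL_RECIPIENT when ALERT_FLAG is 1; otherwise says on
# stdout that nothing was sent.
# Globals read: ALERT_FLAG, OUTPUT_FILE, EMAIL_RECIPIENT, HOSTNAME
# Outputs:      one status line on stdout; a failure message on stderr if mail fails
# Returns:      0 when no mail was needed or it was handed over; mail's status otherwise
send_report_if_alerted() {
    local rv
    if [[ "$ALERT_FLAG" -eq 1 ]]; then
        mail -s "🚨 SPAM ALERT on $HOSTNAME" "$EMAIL_RECIPIENT" < "$OUTPUT_FILE"
        rv=$?
        if (( rv == 0 )); then
            echo "✅ Alert email sent!"
        else
            # A failed handoff to the MTA must be visible; printing the success line
            # regardless would let an alert silently reach nobody.
            printf 'find_spammer: mail exited with status %d; report left in %s\n' "$rv" "$OUTPUT_FILE" >&2
        fi
        return "$rv"
    fi
    echo "✅ No alerts detected. No email sent."
    return 0
}

send_report_if_alerted

# Clean up scratch files
rm -f -- /tmp/sendmail_usage.txt /tmp/email_logins.txt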
