%PDF- %PDF-
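#!/bin/bash
#
# find_spammer.sh - daily outbound-spam report for an Exim host.
#
# Scans LOG_FILE for yesterday's and today's entries, counts local
# sendmail submissions per system user and authenticated (dovecot) logins
# per mailbox, and appends the top-10 of each plus cron senders, running
# mail processes, script files under TMP_DIRS and the queue size to
# OUTPUT_FILE. Any non-excluded account whose count exceeds its threshold
# (DEFAULT_LIMIT, or a per-account LIMIT= override) writes an alert line;
# the report is mailed to EMAIL_RECIPIENT only when at least one alert fired.
#
# Config file (CONFIG_FILE), one directive per line, '#' lines ignored:
#   EXCLUDE=<account>           never alert on this user / mailbox
#   LIMIT=<account>:<number>    threshold for <account> instead of DEFAULT_LIMIT
#
# Intended to run as root from cron (reads the Exim log, writes under /root).
# Uses GNU 'date -d'.

# ---------------------------------------------------------------------------
# Configuration
# ---------------------------------------------------------------------------
DEFAULT_LIMIT=1000                                  # alert threshold unless LIMIT= overrides it
LOG_FILE="/var/log/exim_mainlog"
CONFIG_FILE="/etc/find-spammers.conf"
OUTPUT_FILE="/root/report-spam.txt"
EMAIL_RECIPIENT="sysadmin@sitioshispanos.com"
TMP_DIRS=("/tmp" "/dev/shm")

declare -A CUSTOM_THRESHOLDS                        # account -> numeric threshold (from LIMIT=)
EXCLUDED_ACCOUNTS=()                                # accounts that never raise an alert (from EXCLUDE=)
ALERT_FLAG=0                                        # set to 1 by check_thresholds when an alert is written

# Scratch files live in a private mktemp directory instead of fixed names in
# /tmp: this script runs as root, and a fixed /tmp path can be pre-created as a
# symlink by any local user. The trap removes them on every exit path.
WORK_DIR=$(mktemp -d) || { printf 'find_spammer: mktemp -d failed\n' >&2; exit 1; }
trap 'rm -rf -- "$WORK_DIR"' EXIT
SENDMAIL_USAGE="$WORK_DIR/sendmail_usage.txt"
EMAIL_LOGINS="$WORK_DIR/email_logins.txt"

# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------

#######################################
# Append one line to the report.
# printf rather than echo: account names come straight from the log and may
# begin with '-' or contain backslashes.
# Globals:   OUTPUT_FILE (appended)
# Arguments: $* - text of the line
#######################################
report() {
  printf '%s\n' "$*" >> "$OUTPUT_FILE"
}

#######################################
# Load EXCLUDE= and LIMIT= directives from CONFIG_FILE.
# A LIMIT whose value is not a non-negative integer is reported on stderr
# and ignored, since it would otherwise break the numeric comparison later.
# Globals:   CONFIG_FILE (read), EXCLUDED_ACCOUNTS, CUSTOM_THRESHOLDS (written)
# Returns:   0 always (a missing config file is not an error)
#######################################
load_config() {
  [[ -f "$CONFIG_FILE" ]] || return 0
  local line rest account limit
  # '|| [[ -n "$line" ]]' also processes a last line without trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ "$line" =~ ^# || -z "$line" ]] && continue    # comments and blank lines
    case "$line" in
      EXCLUDE=*)
        EXCLUDED_ACCOUNTS+=("${line#EXCLUDE=}")
        ;;
      LIMIT=*)
        rest=${line#LIMIT=}
        account=${rest%%:*}                          # text before the first ':'
        limit=${rest#*:}
        limit=${limit%%:*}                           # second ':'-separated field (like cut -f2)
        if [[ "$limit" =~ ^[0-9]+$ ]]; then
          CUSTOM_THRESHOLDS["$account"]=$limit
        else
          printf 'find_spammer: ignoring non-numeric LIMIT for %s: %q\n' "$account" "$limit" >&2
        fi
        ;;
    esac
  done < "$CONFIG_FILE"
}

#######################################
# Test whether an account is on the exclusion list (exact match).
# Globals:   EXCLUDED_ACCOUNTS (read)
# Arguments: $1 - account name
# Returns:   0 if excluded, 1 otherwise
#######################################
is_excluded() {
  local candidate=$1 excluded
  for excluded in "${EXCLUDED_ACCOUNTS[@]}"; do
    [[ "$excluded" == "$candidate" ]] && return 0
  done
  return 1
}

#######################################
# Print the alert threshold for an account: its LIMIT= override, else
# DEFAULT_LIMIT.
# Globals:   CUSTOM_THRESHOLDS, DEFAULT_LIMIT (read)
# Arguments: $1 - account name
# Outputs:   threshold on stdout
#######################################
threshold_for() {
  printf '%s\n' "${CUSTOM_THRESHOLDS["$1"]:-$DEFAULT_LIMIT}"
}

#######################################
# Check "<count> <account>" lines (uniq -c output) against the thresholds and
# append an alert line for every non-excluded account above its limit.
# Globals:   ALERT_FLAG (set to 1 when an alert is written)
# Arguments: $1 - file with uniq -c output
#            $2 - unit word for the alert text ("emails" / "logins")
#            $3 - account kind for the alert text ("User" / "Email account")
#######################################
check_thresholds() {
  local counts_file=$1 unit=$2 label=$3
  local count account threshold
  while read -r count account; do
    [[ -n "$account" ]] || continue
    is_excluded "$account" && continue
    threshold=$(threshold_for "$account")
    # count comes from uniq -c and threshold is validated numeric, so the
    # arithmetic comparison only ever sees integers.
    if (( count > threshold )); then
      report "🚨 ALERT: $label $account exceeded the limit ($count $unit, Threshold: $threshold)!"
      ALERT_FLAG=1
    fi
  done < "$counts_file"
}

# ---------------------------------------------------------------------------
# Main
# ---------------------------------------------------------------------------
load_config

YESTERDAY=$(date -d "yesterday" +"%Y-%m-%d")
TODAY=$(date +"%Y-%m-%d")
DATE_RE="$YESTERDAY|$TODAY"                         # ERE matching either day's log lines

# Start a fresh report.
{
  printf '===================================\n'
  printf '📌 DAILY SPAM REPORT - %s\n' "$(date)"
  printf '===================================\n'
  printf '\n'
} > "$OUTPUT_FILE"

# ==============================
# 1. Local submissions via sendmail (P=local), counted by log field 6
# ==============================
report "🔹 1. Top sendmail users:"
# NOTE(review): 'grep -v "root"' drops any line containing "root" anywhere,
# not only root's own submissions - kept as in the original, confirm intent.
grep "<=.*P=local" "$LOG_FILE" | grep -v "root" | grep -E "$DATE_RE" \
  | awk '{print $6}' | sort | uniq -c | sort -nr > "$SENDMAIL_USAGE"
head -10 "$SENDMAIL_USAGE" >> "$OUTPUT_FILE"
report ""
check_thresholds "$SENDMAIL_USAGE" "emails" "User"

# ==============================
# 2. Authenticated logins, counted by mailbox
# ==============================
report "🔹 2. Top email logins:"
# Keep only the A=dovecot_login:/A=dovecot_plain: token and strip the prefix so
# the count is per mailbox.
grep "<=.*A=dovecot_" "$LOG_FILE" | grep -E "$DATE_RE" \
  | awk '{for (i = 1; i <= NF; i++) if ($i ~ /A=dovecot_(login|plain):/) print $i}' \
  | sed -E 's/A=dovecot_(login|plain)://g' \
  | sort | uniq -c | sort -nr > "$EMAIL_LOGINS"
head -10 "$EMAIL_LOGINS" >> "$OUTPUT_FILE"
report ""
check_thresholds "$EMAIL_LOGINS" "logins" "Email account"

# ==============================
# 3. Mail sent from cron jobs (cwd under /var/spool/cron)
# ==============================
report "🔹 3. Emails sent from cron jobs:"
grep "cwd=" "$LOG_FILE" | grep "/var/spool/cron" | grep -E "$DATE_RE" \
  | awk '{print $3}' | sort | uniq -c | sort -nr | head -10 >> "$OUTPUT_FILE"
report ""

# ==============================
# 4. Running mail-related processes
# ==============================
report "🔹 4. Active email-related processes:"
# Bracketing the first letter keeps grep from matching its own command line,
# replacing the usual '| grep -v grep'.
ps aux | grep -E "[e]xim|[s]endmail|[p]ostfix" >> "$OUTPUT_FILE"
report ""

# ==============================
# 5. Script files in world-writable temp directories
# ==============================
report "🔹 5. Suspicious files in /tmp and /dev/shm:"
# The -name alternatives must be grouped: without \( \) the -exec binds only
# to the last -name, so .php/.sh/.pl/.py matches were silently never listed.
for dir in "${TMP_DIRS[@]}"; do
  [[ -d "$dir" ]] || continue
  find "$dir" -type f \( -name "*.php" -o -name "*.sh" -o -name "*.pl" \
    -o -name "*.py" -o -name "*.cgi" \) -exec ls -lah -- {} + >> "$OUTPUT_FILE"
done
report ""

# ==============================
# 6. Exim queue size
# ==============================
report "🔹 6. Exim mail queue status:"
exim -bp | exiqgrep -c >> "$OUTPUT_FILE"
report ""

# ==============================
# Mail the report only when something was flagged
# ==============================
if (( ALERT_FLAG == 1 )); then
  mail -s "🚨 SPAM ALERT on $HOSTNAME" "$EMAIL_RECIPIENT" < "$OUTPUT_FILE"
  printf '%s\n' "✅ Alert email sent!"
else
  printf '%s\n' "✅ No alerts detected. No email sent."
fi
# Scratch files are removed by the EXIT trap.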