Created
December 9, 2017 14:20
-
-
Save troeger/3cbff06f2a3e66c0d4b3eee2ea222fb0 to your computer and use it in GitHub Desktop.
Find hacked mail account used for spam sending (Postfix)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| This script checks the current Postfix mail queue for mails that | |
| where delivered through SMTP authentication. It then shows both | |
| the authentication user name and the sender mail adress. | |
| Since spammers normally don't use a valid sender adress in your | |
| administrative domain, you quickly see the problem. | |
| Run with "python3 checkqueue.py" | |
| ''' | |
| from subprocess import check_output | |
| import json | |
| print("Reading queue data ...") | |
| checked = 0 | |
| matches = 0 | |
| invalid = 0 | |
| for line in check_output(['postqueue','-j'], universal_newlines=True).split('\n'): | |
| checked += 1 | |
| try: | |
| j=json.loads(line) | |
| except Exception as e: | |
| invalid += 1 | |
| pass | |
| queue_id = j['queue_id'] | |
| sender = j['sender'] | |
| try: | |
| for line in check_output(['postcat','-q',queue_id], universal_newlines=True).split('\n'): | |
| if "Authenticated sender:" in line: | |
| matches += 1 | |
| print "{0} should be {1}".format(line, sender) | |
| except: | |
| invalid += 1 | |
| pass | |
| print("{0} checked, {1} invalid, {2} with authenticated sender".format(checked, invalid, matches)) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment