What domain is sending most emails

Can't find any information in panel about who is sending most e-mails.
Also no option to limit domain hourly mails in panel…

Really no option to look what domain is sending most emails??

Hi vmk

Yes I believe that is correct

There are some ssh commands which can be run to give an answer which another forum member posted but nothing which would show in control panel

Also, I thought IW were changing mail but I believe this has been halted at the moment as most reasons for change have been resolved

Many thanks

John

Any exact information about this command?

There is almost no information about this if you search interworx and qmail… like nobody is not using it

Hi vmk

I did not write this and think it may have been Justec but apologies if it was another forum member. It was a few years ago

Please see below, which would show emails received per domain and I do not think it would take a lot to change it to show emails sent per domain

Many thanks

John

cat /var/log/smtp/*.s /var/log/smtp/current |
grep 'CHKUSER accepted rcpt' |
cut -d ' ' -f 10 | cut -d '@' -f 2 | sed 's/>$//g' |
sort | uniq -c | sort -rn

Ok this is not what is needed this time.

Hi vmk,

I took a crack at modifying the above script to look for sent emails in /var/log/send/. The issue is that the send logs track both incoming and outgoing mail, so there would be a bunch of domains in there that weren’t on the server. So, I simply tried to remove all of those domains by comparing it to the list of domains found on the server. It’s probably not perfect, but it should get you a decent idea of what is being sent out:

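#!/bin/bash

# Count sender domains from the "info msg ... bytes ... from <addr>" lines in the send logs.
OUTPUT=$(cat /var/log/send/*.s /var/log/send/current | grep "bytes" | cut -d' ' -f 8 | cut -d '@' -f 2 | sed 's/>$//g' | grep -v '\[' | grep -v '<' | sort | uniq -c | sort -rn)

# Domains hosted on this server, one per line.
DOMAINS=$(nodeworx -u --controller Siteworx --action listDomainAccounts -n -o yaml | grep '  domain: ' | cut -d ':' -f 2 | sed 's/^ //g')

# Keep only the counts for hosted domains (fixed-string match, so "." is not a regex wildcard).
for domain in $DOMAINS; do
   echo "$OUTPUT" | grep -F -- "$domain"
done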

Let me know if you have any questions and if the script works for you. To be honest, I don’t have access to a server with a ton of email on which to try this, so it’s been through minimal testing.

Hope that helps.

Brandon

1 Like

This is something…thanks a lot :slight_smile:
They should put something like that into panel.

Hi

@Brandon - kudos to you

@vmk I am not sure why people want to view top senders, top incoming etc… We have always had this facility with our dedicated enterprise mail platforms and I never look at them (see picture for a small sample of the details from overview - there are more but I do not have the time to screenshot all)

I think it is more important that a rate limit be possible on outgoing emails per user/domain

The enterprise mail platforms can rate limit per user, or domain and it is calculated by time, so a user or domain cannot say send 1000 emails per hour over 24 hours if say the rate limit was set to 10000 in a 24 hour period.

The rate limit would not stop emails being sent, it takes the actions we decide, which is normally to send 1 email per hour and notifies us by email of the abuse.

So rate limit to me is more important than who or which domain is sending the most emails on a shared platform

Many thanks

John

@d2d4j The ability to rate limit/monitor outgoing mail is a common request that is difficult with our current qmail implementation. Postfix is still on the radar for that very reason. I know that the IW6 -> IW7 upgrade path has taxed our development resources to an extent, but I believe it will be returned to later.

@vmk I’ll see what I can do to make some movement on that front. As I mentioned above, our dev resources at the moment are stretched pretty thin, but I’ll make sure the request is heard.

2 Likes

This is my real problem, unknown users…

On cpanel server got no problem to detect problem source but on interworx it’s like mission impossible…
Any ideas?

If an address is sending messages to unknown users, it should be possible to detect that within the logs at /var/log/send. The response is usually something to the effect of “no_mailbox_here” and the lines around that should let you know who sent the email. For example:

@40000000605902840924bc84 info msg 37998671: bytes 1037 from <brandon@primary.com> qp 10800 uid 108
@40000000605902840977f91c starting delivery 64: msg 37998671 to remote forumtest@forumtest.com
@40000000605902840977fd04 status: local 0/10 remote 1/255
@40000000605902861dfcfaa4 delivery 64: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@40000000605902861dfd0274 bounce msg 37998671 qp 9961
@40000000605902861dfd065c end msg 37998671

So in the above example, you’ll notice on line four that delivery 64 failed with a ‘no_mailbox_here’ message. Working our way backwards, we want to find out who sent delivery 64. On line two, we can see that delivery 64 is being sent to forumtest@forumtest.com and the message id is 37998671. On line one, we see that the user brandon@primary.com sent msg 37998671. brandon@primary.com is the culprit.

Please note, the output from /var/log/send/current can be a bit more “busy” than the above example. It’s fairly rare that the logging will be all completely together in one chunk (except on a not busy email server). Having said that, the information should be in close proximity to itself. Also note, /var/log/send does reuse msg and delivery ids, so you’ll want to ensure that your search puts you near the original no_mailbox_here message.

This type of searching might be able to be scripted, though I do not have access to a server with enough mail logging to actually attempt to build something like that.

Hope that helps!
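The back-tracing described in the post above (failure line, then delivery id, then msg id, then sender), scripted as an added example; it is not code from the thread or from InterWorx. It assumes the /var/log/send line layout shown in the post's excerpt, and the embedded sample log is constructed. It goes slightly beyond the post by handling interleaved lines and reused msg/delivery ids.

```bash
# Added example. Reads send-log lines on stdin and prints "count sender"
# for every delivery that failed with no_mailbox_here, highest count first.
unknown_rcpt_senders() {
  awk '
    # info msg N: bytes B from <sender> ...  -> (re)bind msg id N to its sender
    $2 == "info" && $3 == "msg" {
      id = $4; sub(/:$/, "", id)
      s = tolower($8); gsub(/[<>]/, "", s)
      sender[id] = (s == "" ? "(bounce)" : s)
    }
    # starting delivery D: msg N to ...      -> (re)bind delivery id D to msg N
    $2 == "starting" && $3 == "delivery" { d = $4; sub(/:$/, "", d); dmsg[d] = $6 }
    # delivery D: failure/success/deferral   -> count the failure, then free D
    $2 == "delivery" {
      d = $3; sub(/:$/, "", d)
      if ($4 == "failure:" && /no_mailbox_here/ && (d in dmsg) && (dmsg[d] in sender))
        hits[sender[dmsg[d]]]++
      delete dmsg[d]
    }
    # end msg N                              -> free N so a reused id cannot match
    $2 == "end" && $3 == "msg" { delete sender[$4] }
    END { for (s in hits) print hits[s], s }
  ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample: interleaved deliveries, with msg 101 / delivery 1 reused.
sample_log() {
  cat <<'EOF'
@400000006059000000000001 info msg 101: bytes 900 from <alice@site-a.example> qp 1 uid 108
@400000006059000000000002 starting delivery 1: msg 101 to remote nobody@far.example
@400000006059000000000003 info msg 102: bytes 800 from <bob@site-b.example> qp 2 uid 108
@400000006059000000000004 starting delivery 2: msg 102 to remote ghost@far.example
@400000006059000000000005 delivery 1: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@400000006059000000000006 end msg 101
@400000006059000000000007 delivery 2: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@400000006059000000000008 info msg 101: bytes 700 from <bob@site-b.example> qp 3 uid 108
@400000006059000000000009 starting delivery 1: msg 101 to remote gone@far.example
@40000000605900000000000a delivery 1: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@40000000605900000000000b end msg 101
@40000000605900000000000c info msg 103: bytes 600 from <alice@site-a.example> qp 4 uid 108
@40000000605900000000000d starting delivery 3: msg 103 to remote ok@far.example
@40000000605900000000000e delivery 3: success: 192.0.2.1_accepted_message./
EOF
}

# On a server: cat /var/log/send/*.s /var/log/send/current | unknown_rcpt_senders
sample_log | unknown_rcpt_senders
```

Failures whose "info msg" line has already rotated out of the logs are skipped rather than attributed to a later message that reused the same id.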

Hi brandon,

Forgot to write that I have now found the domain that caused the issue by searching for no_mailbox_here.
Not best solution because it’s not clear information but still helped out this time.

Thanks.