$ grep -F "tcpserver: pid" /var/log/qmail/smtp/current | awk '{print $6}' | sort | uniq -c | sort -rn | less
The output will be similar to:
59 72.15.222.65
42 63.251.135.109
38 66.211.168.231
33 63.251.135.115
29 63.251.135.74
25 213.63.26.144
25 194.65.138.99
23 63.251.135.75
16 194.65.5.228
15 93.102.93.77
15 195.23.124.22
13 212.55.154.23
12 213.91.163.191
12 212.55.154.24
11 212.55.154.21
11 198.31.62.64
10 208.65.131.106
9 98.244.216.176
9 85.243.160.139
...
The first column shows the number of TCP connections that have been established and the second column shows the source IP. If the number of messages from those sources is high and suspicious, then you need to block those sources.
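The same count can be turned into a repeatable check. The script below is an added example, not part of the original post: it goes one step beyond the one-liner by reporting only sources at or above a connection threshold and skipping an allowlist of known relays. The function name `busy_sources`, the threshold, the allowlist file and the sample log lines are all assumptions constructed for illustration.

```shell
#!/bin/sh
# busy_sources LOGFILE THRESHOLD [ALLOWLIST]   (hypothetical helper name)
# Prints "count ip", busiest first, for every source IP with at least
# THRESHOLD "tcpserver: pid N from IP" lines in a multilog-format log.
# ALLOWLIST (optional, one IP per line) names sources never to report.
busy_sources() {
    # Match on field position instead of a substring, so only the
    # connection lines are counted and $6 is always the source IP.
    awk '$2 == "tcpserver:" && $3 == "pid" && $5 == "from" { print $6 }' "$1" |
        sort | uniq -c | sort -rn |
        awk -v min="$2" -v allow="${3:-/dev/null}" '
            BEGIN { while ((getline ip < allow) > 0) skip[ip] = 1 }
            $1 >= min && !($2 in skip) { print $1, $2 }'
}

# Constructed sample log: documentation-range addresses, made-up pids.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
@400000004a1b2c3d00000001 tcpserver: status: 1/40
@400000004a1b2c3d00000002 tcpserver: pid 2101 from 192.0.2.10
@400000004a1b2c3d00000003 tcpserver: ok 2101 mail.example.org:203.0.113.5:25 :192.0.2.10::40112
@400000004a1b2c3d00000004 tcpserver: end 2101 status 0
@400000004a1b2c3d00000005 tcpserver: pid 2102 from 192.0.2.10
@400000004a1b2c3d00000006 tcpserver: pid 2103 from 198.51.100.7
@400000004a1b2c3d00000007 tcpserver: pid 2104 from 192.0.2.10
@400000004a1b2c3d00000008 tcpserver: pid 2105 from 203.0.113.50
@400000004a1b2c3d00000009 tcpserver: pid 2106 from 203.0.113.50
@400000004a1b2c3d0000000a tcpserver: pid 2107 from 192.0.2.10
EOF

# Constructed allowlist: a relay that is expected to connect often.
allowlist=$(mktemp)
echo 203.0.113.50 > "$allowlist"

# Report sources with 2 or more connections, ignoring the allowlisted relay.
busy_sources "$sample_log" 2 "$allowlist"
```

Reviewing the reported addresses against known relays and monitoring hosts before blocking avoids cutting off legitimate mail.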