Watching your Kerio Connect Mail Log

You probably have a pretty good idea of how many messages go in and out of your mail server every day. If there were a sudden burst in activity, you'd want to know about it, right? An unusual number of outgoing messages could indicate that a user account has been compromised and is now being used to send spam. Messages being relayed for domains that shouldn't be allowed to relay through you would certainly indicate that something was very wrong. Finally, an excessive number of DSNs (Delivery Status Notifications) could indicate spam or network problems.

This script is designed to read the Kerio mail log and report on these types of problems. I use a CPAN module (Date::Manip) that you may need to install, but other than that the Perl is simple and straightforward.

I'd suggest running this once per day. Modify the variables at the beginning to meet your specific environment and give it a whirl.


#!/usr/bin/perl
use strict;
use warnings;
use Date::Manip;

my @VALID_DOMAINS=("localhost","yourdomain.com","yourotherdomain.com");
#
# You might consider leaving out localhost so that
# you always get a list of those emails
# Definitely leave it out if nothing on the server SHOULD send email!
#
my $PERIOD=60 * 60 * 24;
#
# One day expressed as seconds - you can change this if desired
# You might need to make it per hour (60 * 60) if your log rotation is daily
#
my $WARN_TOTAL=3000;
my $WARN_OUT=400;
my $WARN_IN=2000;
my $WARN_DSN=20;
#
# set above variables to 0 if you always want a count
#
my $LOGDIR="/opt/kerio/mailserver/store/logs";
#
# change for your server
#

# Nothing else you need to modify..
#
open(my $LOG, '<', "$LOGDIR/mail.log") or die "Cannot open $LOGDIR/mail.log: $!\n";
my @log=<$LOG>; close $LOG;
my $first="";
my $last="";
my ($total,$IN,$OUT)=(0,0,0);
my (@dsn,@bad_message,@bad_relay);

foreach my $message (@log) {
  # only the "Recv:" lines that carry the Service/From/To summary
  next if $message !~ /Service: [A-Z]*, From:/;
  $total++;
  push @dsn,$message if $message =~ /Service: DSN/;
  $first=$message if not $first;
  $last=$message;
  my $ourdomains=0;
  my $valid=0;
  # a DSN has an empty From: <>, so it counts as valid on its own
  $valid++ if $message =~ /Service: DSN/;
  foreach my $domain (@VALID_DOMAINS) {
    # \Q..\E keeps the dots in the domain name literal
    $ourdomains=1 if $message =~ /\Q$domain\E/i;
    if ($message =~ /From: <[^ ]*\@\Q$domain\E>,/i) { $OUT++; $valid++; }
    if ($message =~ /To: <[^ ]*\@\Q$domain\E>,/i)   { $IN++;  $valid++; }
  }
  push @bad_message,$message if not $valid;
  push @bad_relay,$message if not $ourdomains;
}
die "No message lines found in $LOGDIR/mail.log\n" unless $total;

# keep only the "dd/Mon/yyyy hh:mm:ss" timestamp at the start of each line
for ($first,$last) {
  s/\]\s+Recv.*//s;
  s/^\[//;
}
my $f=UnixDate(ParseDate($first),"%s");
my $l=UnixDate(ParseDate($last),"%s");
my $periods=($l - $f)/$PERIOD;
# avoid dividing by zero when the log holds one message or all share a timestamp
$periods=1 if $periods <= 0;
my $total_per_period=$total/$periods;

printf "Email flood %d total messages per period.\n", $total_per_period if ($total_per_period > $WARN_TOTAL);
printf "Outgoing messages %d per period.\n",$OUT/$periods if $OUT/$periods > $WARN_OUT;
printf "Incoming  messages %d per period.\n",$IN/$periods if $IN/$periods > $WARN_IN;

print "Bad stuff:\n" if scalar @bad_message;
print foreach @bad_message;
print "Bad relay:\n" if scalar @bad_relay;
print foreach @bad_relay;
if (scalar @dsn > $WARN_DSN) {
  print "DSN's:\n";
  print foreach @dsn;
}
 

That's it. A further modification might be to have this send the information to you by email, perhaps with the full log attached if certain criteria are met. You might also want to attach or dig into other logs if the exceptions reported here indicate that need, but as it stands this could be very useful in warning you of unexpected conditions.

As usual, use at your own risk, though there is nothing here that actually changes anything.

Sample output:

Email flood 323 total messages per period.
Outgoing messages 17 per period.
Incoming  messages 314 per period.
DSN's:
[05/Sep/2012 06:35:16] Recv: Queue-ID: 50472ae4-000001e4,
Service: DSN, From: <>, To: <[email protected]>,
Size: 2336, Report: failed, 
Subject: Returned email: Comment at /Unixart/recursivegrep.html, 
Msg-Id: <[email protected]> 

[05/Sep/2012 21:27:22] Recv: Queue-ID: 5047fbfa-0000036e, Service: DSN,
From: <>, To: <[email protected]>, 
Size: 1873, Report: failed, 
Subject: Returned email: Foo, 
Msg-Id: <[email protected]> 

[13/Sep/2012 04:17:15] Recv: Queue-ID: 5051968b-00001144, Service: DSN, 
From: <>, To: <[email protected]>, 
Size: 2597, Report: failed, 
Subject: Returned email: Automated message: Subscription verification request, 
Msg-Id: <[email protected]>
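To show the same checks on concrete input, here is an added Python example (not the author's Perl script) that runs the counting, DSN collection and relay classification over a few constructed log lines. It goes slightly beyond the script by taking the domain from the address itself rather than matching the domain as a substring anywhere in the line, and by guarding the per-period division when the log spans no time at all; the sample lines, timestamps and addresses are made up.

```python
import re
from datetime import datetime

# Constructed sample lines in the one-line form Kerio writes to mail.log
# (timestamps, queue IDs and addresses are made up for this example).
SAMPLE_LOG = """\
[05/Sep/2012 06:00:00] Recv: Queue-ID: 0001, Service: SMTP, From: <alice@yourdomain.com>, To: <bob@example.net>, Size: 100
[05/Sep/2012 09:00:00] Recv: Queue-ID: 0002, Service: SMTP, From: <carol@example.org>, To: <dave@yourdomain.com>, Size: 200
[05/Sep/2012 12:00:00] Recv: Queue-ID: 0003, Service: DSN, From: <>, To: <alice@yourdomain.com>, Size: 300, Report: failed
[05/Sep/2012 18:00:00] Recv: Queue-ID: 0004, Service: SMTP, From: <x@other.example>, To: <y@elsewhere.example>, Size: 400
[06/Sep/2012 06:00:00] Recv: Queue-ID: 0005, Service: SMTP, From: <alice@yourdomain.com>, To: <bob@example.net>, Size: 100
"""

# Same line shape the Perl script keys on: a Recv line carrying Service/From/To.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] Recv: .*Service: (?P<svc>[A-Z]+), "
                     r"From: <(?P<from>[^>]*)>, To: <(?P<to>[^>]*)>,")

def domain_of(addr):
    """Domain part of an address; '' for the empty DSN sender <>."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def analyse(text, valid_domains, period=60 * 60 * 24):
    valid = {d.lower() for d in valid_domains}
    counts = {"total": 0, "in": 0, "out": 0}
    dsn, bad_relay = [], []
    first = last = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        counts["total"] += 1
        last = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
        first = first or last
        src, dst = domain_of(m["from"]), domain_of(m["to"])
        counts["out"] += src in valid
        counts["in"] += dst in valid
        if m["svc"] == "DSN":
            dsn.append(line)
        elif src not in valid and dst not in valid:
            bad_relay.append(line)  # neither end is one of our domains
    # Extrapolate to "per period" as the Perl does, but never divide by zero
    # when the log holds a single message or all lines share one timestamp.
    span = (last - first).total_seconds() if first else 0
    periods = span / period if span > 0 else 1.0
    rates = {k: v / periods for k, v in counts.items()}
    return {"rates": rates, "periods": periods, "dsn": dsn, "bad_relay": bad_relay}
```

Comparing each rate in the returned dictionary against your WARN_ thresholds is all that remains to reproduce the script's report.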
 


© Anthony Lawrence