Sunday, May 26, 2013

Are any email accounts compromised?

The "maillog" file on your server records a lot of what happens on your mail server.

In most cases, logins are recorded there too.  If your log follows the usual format (the account name in field 12 and the client IP address in field 13 of each LOGIN line), the following will give you a list of email accounts, sorted by how many different IP addresses have logged into each account, along with the list of those IP addresses.

:-) ...how 'bout THEM beans?

awk '/LOGIN,/ {if (index(i[$12], $13) == 0) i[$12]=i[$12] " " $13} END {for(p in i) {print split(i[p], a, " ") " " p " " i[p]}}' maillog|sort -n

Now... please realize that some people check their email from their mobile phones.  Carriers route those phones through banks of proxy servers, and the proxy's IP address changes from one connection to the next.  So you may get 'false positives' in the output for users who check their email from their phones.

They're pretty obvious when you see them - all of the IP addresses will be in the same range.

BUT... just because a range of IPs hits the mailbox doesn't necessarily mean it's a mobile phone proxy array.

Use "whois" on the range to find out whether it belongs to a cellphone carrier or looks like a botnet.
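A longer version of the same idea, added here as an example and not part of the original post: it pulls the account and IP out of each LOGIN line by pattern rather than by field position, keys on the exact (account, IP) pair instead of a substring test, and also counts how many distinct /24 ranges each account was reached from, so a phone proxy bank (many IPs, one range) stands out from logins scattered across unrelated networks. The Courier-style "LOGIN, user=..., ip=[...]" lines are constructed sample data, and the /24 grouping is an assumption used only as a rough "same range" heuristic.

```shell
#!/bin/sh
# Constructed sample maillog lines (syslog prefix + Courier-IMAP style
# message). Replace with: login_report < /var/log/maillog
sample_maillog() {
cat <<'EOF'
May 26 08:01:02 mx1 imapd: LOGIN, user=alice@example.com, ip=[::ffff:203.0.113.10], port=[40111], protocol=IMAP
May 26 08:05:44 mx1 imapd: LOGIN, user=alice@example.com, ip=[::ffff:203.0.113.10], port=[40120], protocol=IMAP
May 26 08:07:00 mx1 imapd: LOGIN, user=bob@example.com, ip=[::ffff:198.51.100.21], port=[50001], protocol=IMAP
May 26 08:09:31 mx1 imapd: LOGIN, user=bob@example.com, ip=[::ffff:198.51.100.37], port=[50002], protocol=IMAP
May 26 08:11:12 mx1 imapd: LOGIN, user=bob@example.com, ip=[::ffff:198.51.100.5], port=[50003], protocol=IMAP
May 26 08:15:58 mx1 imapd: LOGIN, user=carol@example.com, ip=[::ffff:192.0.2.44], port=[60001], protocol=IMAP
May 26 08:16:20 mx1 imapd: LOGIN, user=carol@example.com, ip=[::ffff:203.0.113.77], port=[60002], protocol=IMAP
May 26 08:17:05 mx1 imapd: LOGIN, user=carol@example.com, ip=[::ffff:198.51.100.9], port=[60003], protocol=IMAP
EOF
}

# Reads log lines on stdin and prints, per account:
#   <distinct IPs> <distinct /24 ranges> <account> <ip list>
# sorted by the number of distinct IPs. Many IPs in one /24 looks like a
# carrier proxy bank; many IPs across many /24s is worth a whois check.
login_report() {
awk '
/LOGIN,/ {
    if (!match($0, /user=[^,]+/)) next
    user = substr($0, RSTART + 5, RLENGTH - 5)      # drop "user="
    if (!match($0, /ip=\[[^]]+\]/)) next
    ip = substr($0, RSTART + 4, RLENGTH - 5)        # drop "ip=[" and "]"
    sub(/^::ffff:/, "", ip)                         # IPv4-mapped IPv6 form
    if ((user, ip) in seen) next                    # exact pair, not substring
    seen[user, ip] = 1
    nip[user]++
    ips[user] = ips[user] " " ip
    split(ip, o, ".")
    net = o[1] "." o[2] "." o[3]                    # assumed /24 "range"
    if (!((user, net) in seennet)) { seennet[user, net] = 1; nnet[user]++ }
}
END { for (u in nip) print nip[u], nnet[u], u ips[u] }
' | sort -n
}

sample_maillog | login_report
```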
