Easy use of Sendmail Premium Reporting

The other day, while visiting a customer, I needed some statistics on how many accounts might have compromised passwords. The first question is how to decide whether an account has been compromised. Our best practice is to treat an account that is used from many different IP addresses for authenticated SMTP connections as likely compromised and driven by spamming bots, so the exercise is simple: for each account, count how many different IP addresses are used to authenticate.

Surprisingly, getting this is also very simple. Thanks to the Sendmail Premium Reporting application powered by Splunk, what I thought would be a 20-line Perl script parsing historical log files ended up being a simple one-liner (split onto 3 lines on the blog for ease of reading):

# splunk search 'AUTH=server earliest=-2d |
    stats distinct_count(relay) as relays by authid |
    sort 3 relays desc'

authid                     relays
-------------------------- ------
user1@domain.nothere       20
user4@an.other.domain      17
user8@i.was.here           15

This search extracts all “AUTH=server” lines logged by the MTA (one such line is written each time an incoming SMTP connection is authenticated) and simply displays a table showing the authenticated user name (“authid”) and the number of different IP addresses (“relays”) it was used from.
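For readers without the reporting application, here is the log-file equivalent of that search as an added example (my own Python, not code from Sendmail Premium Reporting or Splunk). It parses "AUTH=server" lines, counts distinct relays per authid and ranks them; the log lines, the SUSPICIOUS_RELAYS threshold and the 2-day window (left to whichever log files you feed it) are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of sendmail log lines (not real customer data).
SAMPLE_LOG = """\
Mar  1 08:00:01 mx1 sendmail[2001]: r21800ab002001: AUTH=server, relay=[192.0.2.10], authid=user1@domain.nothere, mech=PLAIN, bits=0
Mar  1 08:01:12 mx1 sendmail[2002]: r21801cd002002: AUTH=server, relay=[198.51.100.7], authid=user1@domain.nothere, mech=LOGIN, bits=0
Mar  1 08:02:30 mx1 sendmail[2003]: r21802ef002003: AUTH=server, relay=host.example [203.0.113.44], authid=user1@domain.nothere, mech=PLAIN, bits=0
Mar  1 08:03:45 mx1 sendmail[2004]: r21803gh002004: AUTH=server, relay=[192.0.2.10], authid=user1@domain.nothere, mech=PLAIN, bits=0
Mar  1 08:04:00 mx1 sendmail[2005]: r21804ij002005: AUTH=server, relay=[192.0.2.55], authid=user4@an.other.domain, mech=LOGIN, bits=0
Mar  1 08:05:10 mx1 sendmail[2006]: r21805kl002006: from=<x@y.example>, size=1024, class=0, nrcpts=1, relay=[192.0.2.99]
"""

# Only the authentication lines carry "AUTH=server"; relay may be "[ip]" or "host [ip]".
AUTH_RE = re.compile(r"AUTH=server, relay=(?P<relay>[^,]+), authid=(?P<authid>[^,]+)")

# Assumed threshold: more distinct relays than this in the window is worth a look.
SUSPICIOUS_RELAYS = 3


def distinct_relays_by_authid(log_text):
    """Map each authid to the set of distinct relays it authenticated from."""
    relays = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:  # skip non-auth lines (from=, to=, etc.)
            relays[m.group("authid")].add(m.group("relay"))
    return relays


def top_relays(log_text, n=3):
    """Equivalent of: stats distinct_count(relay) as relays by authid | sort n relays desc."""
    counts = {a: len(r) for a, r in distinct_relays_by_authid(log_text).items()}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def suspicious_accounts(log_text, threshold=SUSPICIOUS_RELAYS):
    """authids whose distinct-relay count reaches the threshold."""
    return [a for a, c in top_relays(log_text, n=None) if c >= threshold]


if __name__ == "__main__":
    for authid, relays in top_relays(SAMPLE_LOG):
        print(f"{authid:<28} {relays}")
```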

Another amusing and again very simple statistic I decided to compute with similar rules: I wanted an idea of how long it took to deliver messages to the local mail store over roughly the last 7 days. As you can see, this is another very simple search:

splunk search 'relay="store.my.domain. *" dsn=2.0.0
    earliest=-7d | top 20 delay'

 delay   count   percent
-------- ------ ---------
00:00:01 140318 63.515300
00:00:02  30515 13.812692
00:00:00  22909 10.369817
00:00:03   7359  3.331070
00:00:04   3519  1.592884
00:00:05   2148  0.972298
00:00:06   1808  0.818396
00:00:07   1162  0.525982
00:00:08    780  0.353069
00:00:11    698  0.315951
00:00:09    684  0.309614
00:00:10    564  0.255296
00:00:12    500  0.226326
00:00:13    395  0.178798
00:00:14    355  0.160692
00:00:15    338  0.152997
00:00:17    303  0.137154
00:00:18    266  0.120406
00:00:23    259  0.117237
00:00:22    247  0.111805

Now it’s up to you to share your simple tricks with Sendmail Premium Reporting!

About Christophe Wolfhugel

Christophe Wolfhugel, who is an integral part of the EMEA team and based in London, has been involved with mail systems, particularly Sendmail, since 1990. He has designed and deployed complex messaging infrastructures for major customers in the industry and banking sectors across Europe and the U.S. Prior work experience gained Christophe expertise not only on applications, but also with large enterprise IP networks. During the 1990s, Christophe co-founded the first French professional ISP, Oléane, which was subsequently acquired by France Télécom. There, he designed his first large email platform with opensource sendmail. He has also worked as a Network and Systems Engineer at Institut Pasteur, and as a security consultant for HSC, where he implemented Sendmail-based email filtering. Follow me on Twitter: @cwolfhugel.