[thelist] Qmail Log Analyzer Recommendation

Norman Bunn norman.bunn at craftedsolutions.com
Wed Sep 10 09:53:11 CDT 2008

David Kaufman wrote:
> Hi Norman,
> "Norman Bunn" <norman.bunn at craftedsolutions.com> wrote:
>> I am fruitlessly trying to determine the source of some spam that is
>> coming from or through my server.  The hosting company has suggested I
>> get a qmail log analyzer.  Does anyone have a recommendation on one that
>> works well for them?
> I don't analyze my email logs, myself, but:
>   here are #1 thru 10 of about 914 that Google knows of...
>   <http://www.google.com/search?hl=en&q="qmail+log+analyzer">
> I mean to say that there are lots of them, but I highly doubt that *any* 
> amount of email server log analysis will help you to "determine the source 
> of some spam".  It is (as you've noted) a fruitless endeavor.  Spammers are 
> very good at preventing you from determining the sources of their messages. 
> And these days, when you do track some spam to the IP address which sent 
> it, and identify who owns that computer, you learn that they don't really 
> control it.  Most spam is sent by bots, usually broadband-connected and 
> virus-infected computers that are controlled by a "bot-net".  The computers 
> themselves are owned and operated by unsuspecting users who have (among 
> millions of others) unwittingly become the tools of the owner of the 
> bot-net.
> So while you *may* find the innocent and unwitting pawn of some spammers 
> bot-net, what's the point?  Isn't it a far better use of your time and 
> effort to install, configure and maintain very good spam-filters and 
> block-lists to protect your servers and workstations from spam in the first 
> place, so that you don't have to care?
> Working the other direction, if you want to track down the *advertiser* of 
> a spam you've received (rather than the bot-net of the professional spammer 
> he paid to *send* his offer) simply follow the money.  Respond to the ad. 
> Offer to buy the product or service.  See who you have to pay.  Your credit 
> card company (and/or the police) should be able to help you identify who's 
> cashing the checks, especially if the goods are stolen, the service 
> illegal, etc.  Even then, the trail often leads all over the planet, making 
> any meaningful investigation, lawsuit or prosecution all but impossible.  I 
> prefer to route as much spam as possible to the bit bucket, rather than 
> obsessing over who sent it, and pondering all the medieval punishments that 
> all spammers so dearly deserve.
> -dave

Thanks for your detailed response and I agree in principle.  My problem 
is my server is home to 70+ domains which are using its SMTP service to 
deliver email from their hundreds, if not thousands, of email accounts.  
I can patch all my scripts with the latest versions, update filters, and 
more, but all I end up with is the server's shared IP address being 
flagged by Spamhaus and such as being a source of spam, when it may very 
well be a client's PC(s) causing the problem.  I need a way to isolate 
the cause or I need a way to filter outgoing email.  Can you (or anyone 
else) suggest a product that I can install on my server that can help 
filter the spam coming via SMTP or ID the culprits?  It is Redhat Linux 
running a Plesk 8.0.1 control panel.
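One way to get the per-sender isolation asked for above without a third-party analyzer is to aggregate qmail-send's own log. The script below is an added example written for this thread, not a tool recommended by anyone on the list or shipped with Plesk. It assumes the standard qmail-send log format as written by multilog (a TAI64N stamp, then `info msg N: bytes B from <sender> qp Q uid U`, `starting delivery D: msg N to remote|local rcpt`, and `end msg N`); the log lines embedded in it are constructed for illustration.

```python
"""Aggregate qmail-send log lines so outbound volume can be attributed to an
envelope sender and the uid that injected the message.  Example code for this
thread, not a list member's or Plesk's tool; SAMPLE_LOG is constructed."""
import re
from collections import defaultdict

# multilog prefixes each line with a TAI64N stamp: '@' plus 24 hex digits.
STAMP = r"^@[0-9a-f]{24} "
INFO_RE = re.compile(STAMP + r"info msg (?P<msg>\d+): bytes (?P<bytes>\d+) "
                     r"from <(?P<sender>[^>]*)> qp \d+ uid (?P<uid>\d+)$")
DELIVERY_RE = re.compile(STAMP + r"starting delivery \d+: msg (?P<msg>\d+) "
                         r"to (?P<kind>local|remote) (?P<rcpt>\S+)$")
END_RE = re.compile(STAMP + r"end msg (?P<msg>\d+)$")

# Constructed sample: one ordinary message, one local script (uid 10017)
# fanning out to several remote recipients, and one bounce (empty sender).
SAMPLE_LOG = """\
@400000004861c1a00b9f5c74 new msg 4102
@400000004861c1a00b9f7c4c info msg 4102: bytes 2048 from <alice@example.com> qp 22331 uid 2020
@400000004861c1a00ba0a0c4 starting delivery 1: msg 4102 to remote bob@example.net
@400000004861c1a10c1c9e4c delivery 1: success: 203.0.113.7_accepted_message./Remote_host_said:_250_ok/
@400000004861c1a10c1ca8e4 end msg 4102
@400000004861c1a20d00aa24 new msg 4103
@400000004861c1a20d00b1dc info msg 4103: bytes 3011 from <webform@example.org> qp 22340 uid 10017
@400000004861c1a20d01c4b4 starting delivery 2: msg 4103 to remote one@example.net
@400000004861c1a20d01c4b5 starting delivery 3: msg 4103 to remote two@example.net
@400000004861c1a20d01c4b6 starting delivery 4: msg 4103 to remote three@example.net
@400000004861c1a20d01c4b7 starting delivery 5: msg 4103 to local postmaster@example.org
@400000004861c1a30e00aa24 new msg 4104
@400000004861c1a30e00b1dc info msg 4104: bytes 2990 from <webform@example.org> qp 22351 uid 10017
@400000004861c1a30e01c4b4 starting delivery 6: msg 4104 to remote four@example.net
@400000004861c1a30e01c4b5 starting delivery 7: msg 4104 to remote five@example.net
@400000004861c1a40f00aa24 new msg 4105
@400000004861c1a40f00b1dc info msg 4105: bytes 1200 from <> qp 22360 uid 2020
@400000004861c1a40f01c4b4 starting delivery 8: msg 4105 to remote someone@example.net
"""


def summarize(log_text):
    """Return {(sender, uid): {"messages", "remote_rcpts", "bytes"}}.

    Remote deliveries are counted per message and charged to whoever injected
    that message; local deliveries are ignored because they never leave the box.
    """
    owner = {}  # in-flight msg id -> (sender, uid)
    stats = defaultdict(lambda: {"messages": 0, "remote_rcpts": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = INFO_RE.match(line)
        if m:
            key = (m["sender"] or "<>", int(m["uid"]))
            owner[m["msg"]] = key
            stats[key]["messages"] += 1
            stats[key]["bytes"] += int(m["bytes"])
            continue
        m = DELIVERY_RE.match(line)
        if m and m["kind"] == "remote" and m["msg"] in owner:
            stats[owner[m["msg"]]]["remote_rcpts"] += 1
            continue
        m = END_RE.match(line)
        if m:
            # qmail message ids are queue inode numbers and get reused once
            # a message is finished, so forget the mapping at "end msg".
            owner.pop(m["msg"], None)
    return dict(stats)


def top_senders(stats, by="remote_rcpts", n=5):
    """Rank (sender, uid) keys by one counter, highest first."""
    return sorted(stats.items(), key=lambda kv: kv[1][by], reverse=True)[:n]


def over_threshold(stats, max_rcpts):
    """Keys whose remote recipient count in this log window exceeds max_rcpts."""
    return sorted(k for k, v in stats.items() if v["remote_rcpts"] > max_rcpts)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (sender, uid), v in top_senders(s):
        print(f"{sender:<28} uid={uid:<6} msgs={v['messages']:<4} "
              f"remote_rcpts={v['remote_rcpts']:<4} bytes={v['bytes']}")
    print("over threshold:", over_threshold(s, max_rcpts=2))
```

Run it against a real file with `summarize(open("/var/log/qmail/current").read())` (path assumed; adjust to where multilog writes on the host) and pick a threshold that fits the site's normal daily volume. The uid column is the useful part on a shared host: mail handed to qmail-queue by a script running under a vhost's user carries that user's uid, so a single compromised web form stands out immediately, whereas everything that arrived over SMTP carries the uid qmail-smtpd runs as and can only be grouped by envelope sender, which a bot will forge. If the SMTP group dominates, the next step is to log the authenticated user and client IP at qmail-smtpd rather than in qmail-send.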
