Setting Log Watch Options

Denial of service (DoS) floods and directory harvesting attacks (in which an attacker probes large numbers of recipient addresses to discover which ones are valid) both produce a sharp spike in traffic to the mail server. When the activity recorded in the mail server's message log exceeds the configured thresholds, PureMessage generates a report and mails it to the "pmx6" user.

The pmx-mlog-watch utility runs as a scheduled job that monitors the message_log for anomalous activity. The thresholds at which actions are triggered are set on the Local Services: Perimeter Protection Options page. If anomalies are detected, a report is generated that describes the activity and identifies the envelope sender or relay that caused it. This report is emailed to an administrator (by default, the "pmx6" user). Alternatively, it can be piped into another program such as pmx-mlog-react, which adds the offending relay or sender to the Blacklisted Hosts and Blacklisted Senders lists.

To set the log watch options:

  1. Change the Log Watch Options text boxes as required.

    The text boxes are:

    • Scan Window (min): The time frame (in minutes) during which PureMessage scans the log for anomalies. For example, if you accept the default of 30 minutes, PureMessage goes back through the log and checks whether any of the conditions in the Log Watch Options have been exceeded within the preceding half hour.
    • Max Lines: The maximum number of log lines to be scanned in one run (each line corresponds to one message). This prevents the job from running too long when a large number of messages was received and the Scan Window is large. If this number of lines is met or exceeded, a warning is written to the log specified by the log_to setting in the pmx.conf configuration file (by default, pmx_log). The default is 10,000 lines.
    • Max Recipients: The maximum number of recipients a sending relay may specify in one SMTP transaction. If this number is met or exceeded, the "Recipients" counter is incremented for that relay. The default is 50 recipients.
    • Max Message Size (MB): If a sender sends a message whose size meets or exceeds this value, the "Message Size" counter is incremented for that sender. The default is 10 MB.
    • Relays: The maximum number of messages that can be received from one relay during the period specified in the Scan Window text box. If a relay sends more than this number of messages, a report is generated. The default is 5,000 messages.
    • Senders: The maximum number of messages that can be received from one sender during the period specified in the Scan Window text box. If a sender sends more than this number of messages, a report is generated. The default is 5,000 messages.
    • Recipients: The maximum number of times the "Recipients" counter may be triggered for one relay during the period specified in the Scan Window text box (that is, the number of transactions from that relay that met or exceeded Max Recipients). If the counter is triggered more than this number of times, a report is generated. The default is 5,000 triggers.
    • Message Size: The maximum number of times the "Message Size" counter may be triggered for one sender during the period specified in the Scan Window text box (that is, the number of messages from that sender that met or exceeded Max Message Size). If the counter is triggered more than this number of times, a report is generated. The default is 5,000 triggers.
  2. Once you have finished making changes, click Save.
    The settings are saved in /opt/pmx6/etc/logwatch.conf
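The following script is an added example of the detection logic the Log Watch Options describe; it is not pmx-mlog-watch and does not parse PureMessage's real message_log format. It reads a constructed, simplified log line format (`<epoch-seconds> relay=<ip> sender=<addr> rcpts=<n> size=<bytes>`), scans newest-first back to the start of the Scan Window, stops with a warning when Max Lines is reached, keeps the per-relay "Recipients" counter and the per-sender "Message Size" counter, and reports any relay or sender whose count is more than the per-window limit. The scanning order, the line format and the sample log are assumptions made for the example; the thresholds and their defaults come from the page.

```python
"""Log-watch style anomaly detection over a constructed mail log.

Added example, not PureMessage's pmx-mlog-watch. The log line format below
is an assumption for the example, not the real message_log format:
    <epoch-seconds> relay=<ip> sender=<addr> rcpts=<n> size=<bytes>
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class LogWatchOptions:
    """Thresholds named as on the Perimeter Protection Options page, with the
    page's defaults. Max_* values increment a counter when met or exceeded;
    the per-window limits raise a report when a counter is strictly greater."""
    scan_window_min: int = 30
    max_lines: int = 10_000
    max_recipients: int = 50
    max_message_size_mb: int = 10
    relays: int = 5_000
    senders: int = 5_000
    recipients: int = 5_000
    message_size: int = 5_000


def parse_line(line: str) -> dict:
    """Parse one line of the assumed key=value log format into a record."""
    ts, rest = line.split(" ", 1)
    kv = dict(part.split("=", 1) for part in rest.split())
    return {"ts": int(ts), "relay": kv["relay"], "sender": kv["sender"],
            "rcpts": int(kv["rcpts"]), "size": int(kv["size"])}


def watch(lines: list[str], opts: LogWatchOptions, now: int) -> dict:
    """Scan the log newest-first back to the start of the Scan Window.

    Returns {"reports": [...], "warnings": [...], "scanned": n}; each report
    names the counter, the offending relay or sender, its count and the limit.
    Newest-first scanning bounded by max_lines is an assumption of this
    example about how a bounded scan behaves, not a description of the tool.
    """
    window_start = now - opts.scan_window_min * 60
    size_limit = opts.max_message_size_mb * 1024 * 1024
    relay_msgs, sender_msgs = Counter(), Counter()
    relay_rcpt_hits, sender_size_hits = Counter(), Counter()
    warnings, scanned = [], 0

    for line in reversed(lines):
        if scanned >= opts.max_lines:
            warnings.append(f"Max Lines ({opts.max_lines}) reached; older lines not scanned")
            break
        rec = parse_line(line)
        if rec["ts"] < window_start:
            break  # everything older is outside the Scan Window
        scanned += 1
        relay_msgs[rec["relay"]] += 1
        sender_msgs[rec["sender"]] += 1
        if rec["rcpts"] >= opts.max_recipients:   # Max Recipients met or exceeded
            relay_rcpt_hits[rec["relay"]] += 1
        if rec["size"] >= size_limit:              # Max Message Size met or exceeded
            sender_size_hits[rec["sender"]] += 1

    reports = []
    checks = [("Relays", relay_msgs, opts.relays),
              ("Senders", sender_msgs, opts.senders),
              ("Recipients", relay_rcpt_hits, opts.recipients),
              ("Message Size", sender_size_hits, opts.message_size)]
    for name, counter, limit in checks:
        for key, count in sorted(counter.items()):
            if count > limit:                      # "more than" the per-window limit
                reports.append({"counter": name, "key": key, "count": count, "limit": limit})
    return {"reports": reports, "warnings": warnings, "scanned": scanned}


# Constructed sample log (not real PureMessage output), relative to a fixed "now".
NOW = 1_700_000_000
SAMPLE_LOG = [
    # two hours old: outside a 30-minute window, must be ignored
    f"{NOW - 7200} relay=198.51.100.7 sender=old@example.org rcpts=1 size=2048",
] + [
    # one relay blasting oversized, many-recipient messages ten minutes ago
    f"{NOW - 600 + i} relay=203.0.113.5 sender=blast@example.net rcpts=80 size={12 * 1024 * 1024}"
    for i in range(4)
] + [
    f"{NOW - 60} relay=192.0.2.10 sender=alice@example.com rcpts=2 size=4096",
]

# Tight per-window limits so the tiny sample trips every counter; the
# production defaults are the ones in LogWatchOptions.
DEMO_OPTS = LogWatchOptions(max_lines=100, relays=3, senders=3, recipients=3, message_size=3)

if __name__ == "__main__":
    result = watch(SAMPLE_LOG, DEMO_OPTS, NOW)
    for r in result["reports"]:
        print(f'{r["counter"]}: {r["key"]} hit {r["count"]} times (limit {r["limit"]})')
    for w in result["warnings"]:
        print("WARNING:", w)
```

Run as-is, the script reports relay 203.0.113.5 under both "Relays" and "Recipients" and blast@example.net under both "Senders" and "Message Size", while the two-hour-old line is skipped because it falls outside the window. Lowering `max_lines` to 2 shows the other failure mode the page describes: the scan is cut short with a warning and, because only two lines were counted, no report is raised even though the burst is still in the log, which is why Max Lines should be sized so a full Scan Window of normal traffic fits under it.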