#!/usr/bin/perl
use strict;
use warnings;
use Sys::Syslog;
use Sys::Hostname;

my $LOG = '/var/log/messages';
my $limit = $ARGV[0] ? $ARGV[0] : 1000;
unless ($limit =~ m/[0-9]+/) {
	print "help:
This is a simple script that just looks for users sending outbound emails
not using exim (they should be using exim or an MSA on port 587!). This 
script work with some iptables rules that are currently on webservers only!

Usage:
$0 [count] [skip_notify]
	count: this should be an interger defaults to 1000
	skip_notify: set this if you are running this manually

UTSL (read the code for more info)! \n";
# UTSL = use the source luke
}
my $notified_check = not ( exists $ARGV[1] ? $ARGV[1] : 0 );

open(LOG, '<', $LOG) or exit 0;
my %counts;
my %notified;
while (<LOG>) {
	chomp;
	if (m/SMTP: .*UID=(\d+)/) {
		$counts{$1} += 1;
	} elsif ($notified_check and m/SMTP_NOTIFIED: UID=(\d+)/) {
		$notified{$1} += 1;
	}
}
close(LOG);

my @lines;
for my $uid (keys %counts) {
	next unless $counts{$uid} > $limit;
	next if exists $notified{$uid};
	my $user;
	for(my $i=0; $i<100 and ! $user; $i++) {
		my $user_test=getpwuid($uid+(65536*$i));
		$user = $user_test if defined $user_test and (-f "/etc/httpd/conf/virtual/9_$user_test.conf" or -f "/etc/httpd/conf/virtual/$user_test.conf");
	}
	next unless $user;
	push(@lines, sprintf ("%-40s (%s) = %s", $user, $uid, $counts{$uid}));
	syslog('info', "SMTP_NOTIFIED: UID=$uid") if $notified_check;
}
exit 0 unless scalar(@lines); # like this will ever happen?!

print "Hi Abuse,

It's $0 again! Here are some users I think are spamming:

".join("\n", @lines)."

Ta!\n";