Re: [Declude.JunkMail] Is this unique?
Scott - We are getting a lot of spam with this text in the email: x-mac-type=4A504547; x-mac-creator=4A565752 Question - can I filter on this or is this a common MAC string? Thanks -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Is this unique?
Nick Hayer wrote: Scott - We are getting a lot of spam with this text in the email: x-mac-type=4A504547; x-mac-creator=4A565752 Question - can I filter on this or is this a common MAC string? These are file attachments that have come from a Mac email client, probably Outlook Express. The mac doesn't use file extensions to determine the type of a file (for example a JPEG), instead it uses a type ID and a creator ID which are part of the files info (including the created date, modified date, etc). The ID's a are 32 bit longs and are normally ASCII coded for readability. In your case all the creator ID's are 4A565752, which is 'JVWR' and if memory serves that is the code for JPEG Viewer a shareware image viewer, and the file types are 47494666 ('GIFf') and 4A504547 ('JPEG'), which makes sense as all the file names say .gif and .jpg Erminio --- [This E-mail has been scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Is this unique?
On 25 Aug 2004 at 15:18, E. Ballerini wrote: Hi Erminio - I saw this explanation on a google search - my question is are the id's unique to this mac client eg ok to filter on? Thanks -Nick Hayer These are file attachments that have come from a Mac email client, probably Outlook Express. The mac doesn't use file extensions to determine the type of a file (for example a JPEG), instead it uses a type ID and a creator ID which are part of the files info (including the created date, modified date, etc). The ID's a are 32 bit longs and are normally ASCII coded for readability. In your case all the creator ID's are 4A565752, which is 'JVWR' and if memory serves that is the code for JPEG Viewer a shareware image viewer, and the file types are 47494666 ('GIFf') and 4A504547 ('JPEG'), which makes sense as all the file names say .gif and .jpg Erminio --- [This E-mail has been scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Is this unique?
Nick Hayer wrote: On 25 Aug 2004 at 15:18, E. Ballerini wrote: Hi Erminio - I saw this explanation on a google search - my question is are the id's unique to this mac client eg ok to filter on? Thanks -Nick Hayer As I understand it, the combination x-mac-type=4A504547; x-mac-creator=4A565752 means nothing more than that a Mac e-mail client has send an email with a .jpg picture to you. Maybe you can make a filter for it and give it just enough points to tip the balance? (Assuming it has other spam behaviour) Erminio --- [This E-mail has been scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Chinese vs NONEnglish
While the NONENGLISH test is pretty effective (99%+) it does trip up occasionally. Our company does some business internationally so it's a tough area. Unfortunately for me the NONENGLISH test has false positives on the company that owns me (Australian company) and some of my own test mail as well as occasional others. Especially UTF-8 encoded stuff. So I can only assign a low-moderate weight to it. Discussion on NONENGLISH: http://www.mail-archive.com/[EMAIL PROTECTED]/msg18854.html I went round and round on this Chinese language mail (and Korean too), Message Sniffer wasn't effective, text filters weren't effective (no English text). Spamdomains occasionally hurt some legit Chinese English language mail and couldn't be assigned a punishment weight. I then tried to check for GB2312 encoding in the header to try to punish the Chinese mail. This is not a great indicator either. The English ASCII characters are a subset of GB2312. So a computer with a character set of GB2312 can and does send me a message in English yet has a header code of GB2312. Looking at GB2312 character set, it uses two bytes to store the character information. So someone else on this list created filters to check for Chinese. Since that person is the author, I don't feel comfortable sharing his work on these filters. Maybe he'll step out and volunteer it. Basically it looks for certain high bit characters that are likely to occur in Chinese and certain character sets. It's compounded with some END statements to minimize false positives. It's as near to 100% effective as a filter can be, and I am able to assign it a high punishment weight. Lastly it's a filter not a external test. In my original e-mail I said I have an external program that looks for a subject line that is all caps. I consider this to be a potential indicator of Nigerian/419 e-mails and use it in a filter I am working on. Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 08/24/04 05:23PM I would be curious to hear on this as well. It's my understanding that the non-english test in declude should catch this (chinese in the subject)? Why the need for an external test? Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log Parsers. Keith Johnson writes: Scott Fisher, I heard you mention once that you made a filter to catch Chinese characters in the subject, we have a few customers that get nailed by these often. Was wondering if you could share your thoughts. Thanks, Keith -Original Message- From: [EMAIL PROTECTED] on behalf of Scott Fisher Sent: Tue 8/24/2004 12:12 AM To: [EMAIL PROTECTED] Cc: Subject: [Declude.JunkMail] External Test for Subject is Upper Case I've made an external test to test if the Subject is all upper case (or punctuation). If anyone is interested, let me know and I'll e-mail you a copy. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Bypassing mime segments revisit
I know this has been discussed before several times but is there any plan to allow body filters to bypass mime segments except if it is text/html? The majority of my false positives are words (mainly porn related) found in the encoding of jpegs and gifs, especially on commonly misspelled variations. I was able to work around the problem with PDFs and MS Office documents by ending the tests based on those content types but obviously that is not an option with images. Aside from helping to limit false positives it would be a good way to reclaim some cpu cycles as well. Anyone have a way to counter this problem? Rick Davidson National Systems Manager North American Title Group - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Bypassing mime segments revisit
I know this has been discussed before several times but is there any plan to allow body filters to bypass mime segments except if it is text/html? Yes; this is something that we would like to do. However, accurate MIME decoding is very complex (and therefore becomes a large project). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Sending attachments to the list
Jeff and all, do not attempt to send attachments other than text files to the list. John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Comments in ipfile filter?
Can the ipfile filter list contain comments between lines. Will this cause the filter to stop at the first comment? Are comments ignored? Example: Xxx.xxx.xxx.xxx #comment Xxx.xxx.xxx.xxx Eddie Cornejo --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Comments in ipfile filter?
Can the ipfile filter list contain comments between lines. Will this cause the filter to stop at the first comment? Are comments ignored? Example: Xxx.xxx.xxx.xxx #comment Xxx.xxx.xxx.xxx The comments are allowed, and processing will continue -- so in this case, 2 lines would be processed, and the comment line in the middle would be ignored. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Incoming message
Title: Message Ok, so who's the list member which is infected by the NetSky virus??? From: stmary-1-306.atm-cip.trvnet.net [64.71.64.38] AS: 64.71.64.0/19 AS14814 Twin Rivers Valley Internet Serv Livermore/Iowa The virus is being sent to the list and to the list members. Andrew. -Original Message-From: Jkratka [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 25, 2004 11:58 AMTo: Declude.JunkMailSubject: [Declude.JunkMail] Incoming message
RE: [Declude.JunkMail] Incoming message
Since this virus has been around since May 2004 (and there have been virus definitions that detect it since then as well), a better question, might be why didn't Declude catch this before it was sent to everyone on the list? --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Incoming message
Since this virus has been around since May 2004 (and there have been virus definitions that detect it since then as well), a better question, might be why didn't Declude catch this before it was sent to everyone on the list? Because no virus was sent to the list. :) The E-mail was a 0-byte attachment -- most likely, a mail client or mailserver that it went through has an on-access scanner that deleted the atfachment, but not the E-mail. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Log Information
Hi, Is there a log file analyzer that will report on messages received by hour. I am interested in knowing how many e-mails came in between 3 and 4 and then between 4 and 5 etc. Thanx Goran Jovanovic The LAN Shoppe --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] User vs Domain .junkmail files
Hi, I have a client who wants me to process their mail (store and forward) for Anti-Virus but only want a few users in the domain to have their mail processed for SPAM. So I was thinking that I would put IGNORE actions in the $default$.junkmail files and create the individual user.junkmail with the appropriate HOLD/DELETE etc actions in it. My big question is which .junkmail file has precedence the user or domain? Also I know that in this configuration all the mail for the domain in question has to be processed for SPAM and then most of it ignored because of the IGNORE actions in the domain .junkmail file. Is there anyway to prevent the mail going to users who do not have a user.junkmail file from being processed at all? I think I am out of luck here. Thanx Goran Jovanovic The LAN Shoppe --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] User vs Domain .junkmail files
My big question is which .junkmail file has precedence the user or domain? The per-user config files have precedence. Also I know that in this configuration all the mail for the domain in question has to be processed for SPAM and then most of it ignored because of the IGNORE actions in the domain .junkmail file. Is there anyway to prevent the mail going to users who do not have a user.junkmail file from being processed at all? I think I am out of luck here. They will probably still be scanned, but there should be only a minimal performance hit as a result. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] User vs Domain .junkmail files
Scott, They will probably still be scanned, but there should be only a minimal performance hit as a result. Wouldn't the performance hit be the same as any mail being scanned? Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, August 25, 2004 7:47 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] User vs Domain .junkmail files My big question is which .junkmail file has precedence the user or domain? The per-user config files have precedence. Also I know that in this configuration all the mail for the domain in question has to be processed for SPAM and then most of it ignored because of the IGNORE actions in the domain .junkmail file. Is there anyway to prevent the mail going to users who do not have a user.junkmail file from being processed at all? I think I am out of luck here. They will probably still be scanned, but there should be only a minimal performance hit as a result. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] User vs Domain .junkmail files
They will probably still be scanned, but there should be only a minimal performance hit as a result. Wouldn't the performance hit be the same as any mail being scanned? Correct. However, it is very rare for a server to have enough resources to accept/process/deliver E-mail without having enough resources to add spam scanning. With Declude Virus, there is high CPU usage involved in scanning. But for most Declude JunkMail implementations, this is not an issue. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] User vs Domain .junkmail files
OK got it. Thanx Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, August 25, 2004 7:59 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] User vs Domain .junkmail files They will probably still be scanned, but there should be only a minimal performance hit as a result. Wouldn't the performance hit be the same as any mail being scanned? Correct. However, it is very rare for a server to have enough resources to accept/process/deliver E-mail without having enough resources to add spam scanning. With Declude Virus, there is high CPU usage involved in scanning. But for most Declude JunkMail implementations, this is not an issue. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Incoming message
That makes perfect sense! Thanks, Scott. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wolf Tombe Sent: Wednesday, August 25, 2004 4:44 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Incoming message Since this virus has been around since May 2004 (and there have been virus definitions that detect it since then as well), a better question, might be why didn't Declude catch this before it was sent to everyone on the list? --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Log Information
Goran, You can grep your logs out and use DLAnalyzer for this. For example: grep -i 8/13/2004 14: dec0813.log newlogfile.txt Than rename the log file to dec0813.log and than process.. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log Parsers. - Original Message - From: Goran Jovanovic [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, August 25, 2004 6:52 PM Subject: [Declude.JunkMail] Log Information Hi, Is there a log file analyzer that will report on messages received by hour. I am interested in knowing how many e-mails came in between 3 and 4 and then between 4 and 5 etc. Thanx Goran Jovanovic The LAN Shoppe --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Log Information
Darrell I was hoping for more of a histogram of the number of messages processed by hour or half hour. My first thought would be to just get info on simply messages by hour and then maybe if I see a spike I could rerun it to see who was sending/receiving during that time. Thanx Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Wednesday, August 25, 2004 10:22 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Log Information Goran, You can grep your logs out and use DLAnalyzer for this. For example: grep -i 8/13/2004 14: dec0813.log newlogfile.txt Than rename the log file to dec0813.log and than process.. Darrell -- -- Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log Parsers. - Original Message - From: Goran Jovanovic [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, August 25, 2004 6:52 PM Subject: [Declude.JunkMail] Log Information Hi, Is there a log file analyzer that will report on messages received by hour. I am interested in knowing how many e-mails came in between 3 and 4 and then between 4 and 5 etc. Thanx Goran Jovanovic The LAN Shoppe --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Log Information
If your looking for more of a histogram of the number of messgaes processed we have MRTG scripts that interface with Imail/Declude to provide you this information. This may or may not be what your looking for... Darrell Goran Jovanovic writes: Darrell I was hoping for more of a histogram of the number of messages processed by hour or half hour. My first thought would be to just get info on simply messages by hour and then maybe if I see a spike I could rerun it to see who was sending/receiving during that time. Thanx Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Wednesday, August 25, 2004 10:22 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Log Information Goran, You can grep your logs out and use DLAnalyzer for this. For example: grep -i 8/13/2004 14: dec0813.log newlogfile.txt Than rename the log file to dec0813.log and than process.. Darrell -- -- Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log Parsers. - Original Message - From: Goran Jovanovic [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, August 25, 2004 6:52 PM Subject: [Declude.JunkMail] Log Information Hi, Is there a log file analyzer that will report on messages received by hour. I am interested in knowing how many e-mails came in between 3 and 4 and then between 4 and 5 etc. Thanx Goran Jovanovic The LAN Shoppe --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log Parsers. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Log Information
- Original Message - From: Goran Jovanovic [EMAIL PROTECTED] I was hoping for more of a histogram of the number of messages processed by hour or half hour. My first thought would be to just get info on simply messages by hour and then maybe if I see a spike I could rerun it to see who was sending/receiving during that time. This little script can give you a no frills, hourly, unique message count (does not account for a single message that is sent to multiple recipients): = gawk {print $3,$2} spam\dec0824.log | usort | uniq -w 18 | gawk {print $2} | cut -d : -f1 | grep -v [[:alpha:]] | egrep [[:digit:]]{2} | usort | uniq -c = Watch for word-wrapping - the script should be executed as one long line. These two entries: grep -v [[:alpha:]] | egrep [[:digit:]]{2} are simply there to help filter out garbage from log corruption. The output will look like: 1212 00 1251 01 1218 02 1244 03 1244 04 1317 05 1400 06 1514 07 1757 08 1880 09 1777 10 1837 11 1785 12 1743 13 1830 14 1657 15 1530 16 1378 17 1367 18 1272 19 1312 20 1325 21 1289 22 1297 23 Bill --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.