On Mon, 2012-11-19 at 19:16 -0500, Sam Varshavchik wrote:
> cour...@devloop.de writes:
>
> > Hi,
> > I guess I have some understanding problems of the -block option. I want to
> > use a standard DNSBL to drop spam. But I also want to count the hits by the
> > DNSBL.
> > My idea was to use maildroprc to run an external program and then block the
> > mail.
>
> Why all that work?
>
> Just block the email, and run a script that greps your /var/log/maillog, and
> adds everything up. The error messages should be trivial to identify, by
> DNSBL.

I was going to say that, Sam, but this answer is so simple I thought I must be
missing something :P

What I do here is as follows: in esmtpd, I have:

BLACKLISTS="-block=cbl.abuseat.org,BLOCK2 -block=dnsbl.njabl.org,BLOCK3 -block etc.."

The .mailfilters/rcptfilter file for every virtual mail account contains an
include for a per-domain file, domainspampolicy, which in turn contains an
include for /etc/courier/globalspampolicy. globalspampolicy contains a series
of stanzas such as:

import BLOCK2
if ( "$BLOCK2" ne "" )
{
    echo "$BLOCK2 (BL-2)"
    EXITCODE=1
    exit
}

import BLOCK3
if ( "$BLOCK3" ne "" )
{
    echo "$BLOCK3 (BL-3)"
    EXITCODE=1
    exit
}

etc...

So every log entry for blocked emails has a (BL-?) tag in it identifying the
BL in which the originating address was found. This helps identify the
advisory blacklist for each entry in the final report.

Every day, for every user who wants a report on blocked email, root runs a
cron job as follows:

zcat /var/log/mail.log.1.gz | cat - /var/log/mail.log |
    grep 'error,relay' | grep ' 511 ' | grep domain.org |
    /usr/local/sbin/prettylog.pl |
    mailx -s"Blocked Email Summary from FMP" ad...@domain.org

"domain.org" and "ad...@domain.org" are creative redactions from a real
example :)

prettylog.pl is a perl script, as follows:

#!/usr/bin/perl
# Default to yesterday's date in the "Mon DD" form used by syslog.
($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime(time - (60 * 60 * 24));
$month = (qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec))[$mon];
$day = sprintf("%s %2.2s", $month, $mday);
# An optional first argument overrides the day to report on.
$day = $ARGV[0] if $ARGV[0];
$year += 1900;
$format = "%-16s %-5s %-16s %-57.55s %-30s %s\n";
print <<EOF;
The following emails were refused blah, blah, (something semi-intelligent
about the following report).

BLOCKED EMAIL SUMMARY - $day, $year

EOF
printf($format, "DATE", "LIST", "SERVER IP", "FROM", "TO", "REASON");
printf($format, "----", "----", "---------", "----", "--", "------");
$count = 0;
while (<STDIN>) {
    # Only lines for the requested day.
    next if (!($_ =~ /$day/));
    # Skip lines that do not parse, so stale captures are never printed.
    next unless $_ =~ /(... .. ..:..:..) .*? courieresmtpd: error,relay=(.*?),.*?from=<(.*?)>.*?,to=<(.*?)>: 511 (.*?)(?: \(BL-(.)\)){0,1}$/;
    $mdate = $1;
    $ip = $2;
    $from = $3;
    $to = $4;
    $reason = $5;
    $bl = $6;    # empty when the rejection carries no (BL-?) tag
    printf($format, $mdate, $bl, $ip, $from, $to, $reason);
    $count++;
}
printf("\nA total of %s probable spam emails were blocked during the last 24 hours.\n", $count);

So each user who wants one gets a report of their blocked emails, identifying
which BL service tagged it followed by a total of blocked emails. You can
morph the script to do pretty much anything you want to, such as listing and
summarizing only DNSBL hits, or just sending the system admin a DNSBL hit
count.

Ain't Unix wonderful? ;)

-- 
Lindsay Haisley       | "We have met the enemy and he is us."
FMP Computer Services |
512-259-1190          |          -- Pogo
http://www.fmp.com    |

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
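
Added example, not part of the original message or of Courier: a per-blacklist hit count over the (BL-?) tagged log lines described above, filtering on the recipient field instead of grepping the whole line. The log layout is assumed from the prettylog.pl pattern, the sample lines are constructed, and the name count_hits is hypothetical.

```python
import re
from collections import Counter

# Same fields as the prettylog.pl pattern; this layout is an assumption
# taken from that pattern, not from Courier documentation.
LINE_RE = re.compile(
    r"^(?P<date>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ courieresmtpd: "
    r"error,relay=(?P<ip>[^,]*),.*?from=<(?P<sender>.*?)>.*?,to=<(?P<rcpt>.*?)>: "
    r"511 (?P<reason>.*?)(?: \(BL-(?P<bl>.)\))?$"
)

# Constructed sample lines (documentation addresses, made-up reasons).
SAMPLE_LOG = """\
Nov 19 10:01:02 mx courieresmtpd: error,relay=::ffff:192.0.2.10,from=<a@example.net>,to=<user@domain.org>: 511 Blocked - listed (BL-2)
Nov 19 10:05:40 mx courieresmtpd: error,relay=::ffff:198.51.100.7,from=<b@example.net>,to=<user@domain.org>: 511 Blocked - listed (BL-3)
Nov 19 11:17:09 mx courieresmtpd: error,relay=::ffff:192.0.2.55,from=<c@example.com>,to=<other@domain.org>: 511 Blocked - listed (BL-2)
Nov 19 12:30:00 mx courieresmtpd: error,relay=::ffff:203.0.113.4,from=<d@example.com>,to=<user@domain.org>: 511 Refused by local policy
Nov 19 13:02:11 mx courieresmtpd: error,relay=::ffff:203.0.113.9,from=<spoof@domain.org>,to=<user@example.com>: 511 Blocked - listed (BL-3)
Nov 19 13:02:12 mx courieresmtpd: started,ip=[::ffff:203.0.113.9]
"""


def count_hits(lines, rcpt_domain=None):
    """Tally 511 rejections per BL tag, optionally for one recipient domain."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a rejection record
        # Compare the recipient field only: from=<...> is sender-controlled.
        if rcpt_domain and not m["rcpt"].lower().endswith("@" + rcpt_domain.lower()):
            continue
        hits["BL-" + m["bl"] if m["bl"] else "untagged"] += 1
    return hits


if __name__ == "__main__":
    for tag, n in sorted(count_hits(SAMPLE_LOG.splitlines(), "domain.org").items()):
        print(f"{tag:10s} {n}")
```

Rejections that carry no (BL-?) tag are counted as "untagged", so 511 errors from other causes stay visible in the totals.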