I couldn't get the find "12:10 14:" sys1210.txt | find "deliver" /c to work

That will work if you use the sys*.txt log file format. If you use the log*.txt log file format, it will be different (perhaps "12/10/2003 14:" instead of "12:10 14:"?).


so I ran
find "deliver" log1210.txt /c and find "deliver" log1209.txt /c

12-09-03  32,094
12-10-03  19,276 @ 4:15PM

OK, that will show the number of E-mails per day. That will do, although it won't be as precise.


Now remember that this is happening once or twice a week.  Is this low? high?

That all depends on what is causing it. :) If it is a dictionary attack, that might be considered about average. If it is a user sending out 100,000 E-mails, that may be low or high depending on your user base.


Do I need to up the Processor size?

That, too, will depend on the underlying cause. For example, if it turns out your DNS server is hanging every few days (as all but the most recent versions of BIND 9 on NT would do), simply upgrading BIND or resetting it once a day may be all you need to do.



-Scott
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
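
The one-hour count from the thread (`find "12:10 14:" sys1210.txt | find "deliver" /c`), generalized to every hour in a log so that a spike stands out; this is an added example, not part of the original messages. Only the leading "MM:DD HH:" prefix of the sys*.txt format comes from the thread; the sample lines, the function names and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample. Only the "MM:DD HH:" prefix is taken from the thread;
# the remainder of each line is made up for illustration.
SAMPLE_LOG = """\
12:10 13:58 SMTPD(0001) connect from host-a
12:10 13:59 SMTP-(0002) deliver to user1
12:10 14:01 SMTP-(0003) deliver to user2
12:10 14:02 SMTP-(0004) Deliver to user3
12:10 14:03 SMTPD(0005) connect from host-b
12:10 14:30 SMTP-(0006) deliver to user4
12:10 15:10 SMTP-(0007) deliver to user5
line without a timestamp that mentions deliver
"""

# Month:day, space, hour, colon, anchored at the start of the line.
PREFIX = re.compile(r"^(\d{2}:\d{2} \d{2}):")


def deliveries_per_hour(lines, needle="deliver"):
    """Count lines containing `needle`, keyed by their 'MM:DD HH' prefix."""
    counts = Counter()
    for line in lines:
        match = PREFIX.match(line)
        if match is None:
            continue  # no recognizable timestamp, so no hour to assign it to
        if needle in line:  # case-sensitive, like find without /i
            counts[match.group(1)] += 1
    return counts


def hours_at_or_above(counts, threshold):
    """Return (hour, count) pairs meeting the threshold, in time order."""
    return sorted((h, c) for h, c in counts.items() if c >= threshold)


if __name__ == "__main__":
    per_hour = deliveries_per_hour(SAMPLE_LOG.splitlines())
    for hour, count in sorted(per_hour.items()):
        print(f"{hour}:00  {count}")
    # The threshold is a hypothetical value; pick one from your normal volume.
    print("busy hours:", hours_at_or_above(per_hour, 2))
```

To run it against a real file, pass an open file object to `deliveries_per_hour` in place of the sample lines.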
