While SAV is a superb way to stop spam, you do have to watch for false
positives.
And you can also promote MTAs that send SAV failures to mta_clients_bw.map.
Here are 2 pairs of scripts, kinda crude, to help you look at the SAV
rejects for false positives and for candidates to promote to the blacklist.
The basic idea is "Which MTAs sent me which sender addresses that
weren't SAVerifiable?"
One pair is for SAV-rejected MTAs without PTR, and the other pair is for
MTAs with PTR. I guess one of these days I'll write them into one
script with "case" :))
I was going fast, so if anybody knows the match syntax for
sed's s/'string1|string2|string3'/""/g, we could collapse those multiple
seds into one sed, or maybe even something other than sed.
One of each pair reverse-sorts by total rejects per MTA, and the other sorts
by MTA.
My first use of awk "printf"; it needs some work. :))
=========================================
/usr/local/bin/SAV_unk.sh (SAV rejects for unknown PTR, sorted by qty of
rejects)
#!/bin/sh
# SAV rejects from clients without PTR ("unknown[ip]"), most rejects first.
# Fields: $10 = client (unknown[1.2.3.4]:), $12 = sender (<user@dom>:)
awk '/unknown\[.*undeliverable sender address:/ { print $10, $12 }' /var/log/maillog |
sed -e 's/unknown//g' -e 's/[][<>:]//g' |
sort -f | uniq -ic | sort -rf |
awk '{ printf("%6s\t%-14s\t%-40s\n", $1, $2, $3) }'
exit 0
=========================================
/usr/local/bin/SAV_unk_ptr.sh (SAV rejects for unknown PTR, sorted by MTA)
#!/bin/sh
# SAV rejects from clients without PTR ("unknown[ip]"), sorted by client IP
# so neighbouring addresses of one subnet end up next to each other.
awk '/unknown\[.*undeliverable sender address:/ { print $10, $12 }' /var/log/maillog |
sed -e 's/unknown//g' -e 's/[][<>:]//g' |
sort -f | uniq -ic | sort -k2 |
awk '{ printf("%6s\t%-14s\t%-40s\n", $1, $2, $3) }'
exit 0
==================================
/usr/local/bin/SAV_kno.sh (SAV rejects for known PTR, sorted by qty of
rejects)
#!/bin/sh
# SAV rejects from clients that do have a PTR, most rejects first.
# $10 = client (host.example.com[1.2.3.4]:), $12 = sender (<user@dom>:)
awk '/undeliverable sender address:/ { print $10, $12 }' /var/log/maillog |
grep -v 'unknown\[' |
sed -e 's/\[.*\]//g' -e 's/[<>:]//g' |
sort -f | uniq -ic | sort -rf |
awk '{ printf("%6s\t%-35s\t%-40s\n", $1, $2, $3) }'
exit 0
==================================
/usr/local/bin/SAV_kno_ptr.sh (SAV rejects for known PTR, sorted by MTA )
#!/bin/sh
# SAV rejects from clients that do have a PTR, sorted by PTR hostname.
# $10 = client (host.example.com[1.2.3.4]:), $12 = sender (<user@dom>:)
awk '/undeliverable sender address:/ { print $10, $12 }' /var/log/maillog |
grep -v 'unknown\[' |
sed -e 's/\[.*\]//g' -e 's/[<>:]//g' |
sort -f | uniq -ic | sort -k2 |
awk '{ printf("%6s\t%-35s\t%-40s\n", $1, $2, $3) }'
exit 0
=================================
Output goes to standard output, so use scriptname | less or scriptname > filename.
The "sort by MTA" version lets you see IPs of the same subnet grouped together, so
you can block an entire Class C even when any one IP is low volume.
I guess the best way to recognize false positives is when the PTR domain
and the sender domain are the same. There aren't many.
Likewise, the best way to recognize false positives is when the PTR domain
is .be or .jp or .tw or .sg or .ar, and the sender domain is hotmail or
yahoo or msn or aol. :))
Of course, if the SAV-rejected MTA doesn't even have a PTR domain to
compare with the sender domain, then that weighs heavily against it.
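An added example, not code from Len's post: one awk pass that does what the four scripts and the PTR-versus-sender check above do together, tallying SAV rejects per client MTA and sender, sorting by count or by IP, and tagging each row no-ptr / ptr=sender / mismatch. It assumes the Postfix smtpd reject line shape the posted scripts parse ("RCPT from host[ip]: 450 <sender>: ... undeliverable sender address") and, as a simplification, compares only the last two DNS labels of the PTR and sender domains; the sample log lines are constructed.

```sh
#!/bin/sh
# Added example, not one of Len's scripts: one awk pass over a Postfix maillog
# counts SAV rejects per client MTA and sender, then flags each row with the
# post's false-positive heuristic (PTR domain == sender domain).
# Assumed log shape, as parsed by the posted scripts (Postfix smtpd reject line):
#   ... reject: RCPT from host[1.2.3.4]: 450 <user@dom>: ... undeliverable sender address ...

# sav_report MODE [FILE...]: MODE "qty" sorts by count, "mta" by client IP.
sav_report() {
    mode=$1; shift
    awk '
    # last two DNS labels, lower-cased (assumption: fine for .com/.org;
    # .co.uk-style ccTLDs would need three)
    function tail2(h,  a, n) {
        n = split(tolower(h), a, ".")
        return (n >= 2 ? a[n-1] "." a[n] : tolower(h))
    }
    /undeliverable sender address/ &&
    match($0, /RCPT from [^ ]+\[[^]]+\]: [0-9]+ <[^>]*>:/) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        client = f[3]; sub(/:$/, "", client)      # host[1.2.3.4] or unknown[1.2.3.4]
        sender = f[5]; gsub(/[<>:]/, "", sender)  # user@dom
        host = client; sub(/\[.*$/, "", host)
        ip = client;   sub(/^.*\[/, "", ip); sub(/\]$/, "", ip)
        count[ip "\t" host "\t" sender]++
    }
    END {
        for (k in count) {
            split(k, p, "\t"); sdom = p[3]; sub(/^.*@/, "", sdom)
            if (p[2] == "unknown")               flag = "no-ptr"      # weighs against the MTA
            else if (tail2(p[2]) == tail2(sdom)) flag = "ptr=sender"  # likely false positive
            else                                 flag = "mismatch"    # blacklist candidate
            printf("%6d\t%-15s\t%-28s\t%-32s\t%s\n", count[k], p[1], p[2], p[3], flag)
        }
    }' "$@" | if [ "$mode" = mta ]; then sort -k2,2; else sort -rn; fi
}

# Constructed sample maillog (not real traffic); line 2 is a non-SAV reject
# and must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
Dec  9 10:01:02 gw postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 <joe@hotmail.com>: Sender address rejected: undeliverable sender address: host mx1.hotmail.com[198.51.100.5] said: 550 no such user; from=<joe@hotmail.com> to=<len@gw.example.net> proto=ESMTP helo=<x>
Dec  9 10:02:30 gw postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 <spam@example.com>: Client host rejected: Access denied; from=<spam@example.com> to=<len@gw.example.net> proto=ESMTP helo=<y>
Dec  9 10:03:11 gw postfix/smtpd[1236]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 450 <alice@example.org>: Sender address rejected: undeliverable sender address: connect to example.org[198.51.100.7]: Connection timed out; from=<alice@example.org> to=<len@gw.example.net> proto=ESMTP helo=<mail.example.org>
Dec  9 10:04:45 gw postfix/smtpd[1237]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 <joe@hotmail.com>: Sender address rejected: undeliverable sender address: host mx1.hotmail.com[198.51.100.5] said: 550 no such user; from=<joe@hotmail.com> to=<len@gw.example.net> proto=ESMTP helo=<x>
Dec  9 10:05:59 gw postfix/smtpd[1238]: NOQUEUE: reject: RCPT from smtp3.isp.jp[203.0.113.9]: 450 <bob@yahoo.com>: Sender address rejected: undeliverable sender address: host mx.yahoo.com[198.51.100.9] said: 550 unknown user; from=<bob@yahoo.com> to=<len@gw.example.net> proto=ESMTP helo=<z>
EOF
)

printf '%s\n' "$SAMPLE_LOG" | sav_report qty
```

Against a real log, run sav_report qty /var/log/maillog or sav_report mta /var/log/maillog; the tags only suggest which rows to eyeball, they don't touch any Postfix map.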
That said, I can say I've seen damn few .kr in recent weeks, vs. earlier
this year. Way to go .kr!!!
Unfortunately, Postfix 2.0 doesn't have SAV yet. I guess Wietse will slip it
into a 2.x snapshot in the coming weeks. Right now, I think I get more
benefits from 1.x + SAV than I would with 2.0 - SAV.
Also, I worked with Jim over the weekend, as did others, and he's got on
his site a pflogsumm.pl version 1.05 that doesn't need any more Perl mods
to run. The 1.03 patched and 1.04 patched by others were pretty sucky.
1.05 is clean again for the new maillog formats and for SAV.
My SAV experience was quite humbling. :)) You think your IMGate is
blocking most of it, and then you add SAV to the end of your restrictions,
and find SAV blocking tons of new stuff that got through all your other filters.
Len