Oohhhhh. This really illustrates a lot. At first glance I thought the /@b\./ from_senders ACL wasn't working, but realizing a lot of sources START their from address with a b. as well

Ex:

unknown[69.6.27.26]: from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> helo=<03.pn01.com>
unknown[69.6.27.26]: from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> helo=<03.pn01.com>
unknown[69.6.27.26]: from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> helo=<03.pn01.com>
unknown[69.6.27.26]: from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> helo=<03.pn01.com>
unknown[69.6.27.26]: from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> helo=<03.pn01.com>

I'm digging through looking for any possible legit bounce-from address from opt-in lists like this.. But I'm thinking we need another regexp to catch for this. Maybe something forcing at least 3 decimals before the @? I'm scratchy on my regexps... But something like

/^b\..+\..+\..+/

Maybe? What do you think Len? Want to make sure it wouldn't catch first [EMAIL PROTECTED] [EMAIL PROTECTED] or something

-----Original Message-----
From: Len Conrad [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 28, 2003 7:14 PM
To: [EMAIL PROTECTED]
Subject: [IMGate] Re: want to see how good, or bad, it really is? meet me at the bottom

1. egrep -i "4tuple" /var/log/maillog | awk '{print $10" "$17" "$18" "$20}' | sort -t[ -k2 | less

... sort by the from= field, but on the sender.domain.

You can also change the order of the $10, $17, $18, $20 so the 2nd, 3rd, or 4th fields are printed in first column, nice and straight, easier to analyze.

etc, etc. Play with it, it will really pay off. I've already located a bunch of .br, .cl, .py, .ar subscriber nets with PTR hostnames spamming like hell to add to my mta_clients_subscriber.regexp.

Len
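
The false-positive question raised in the reply above, worked through as an added example that is not part of the original thread: it runs the proposed /^b\..+\..+\..+/ pattern and a tighter variant against sender addresses. The tighter pattern and every address are assumptions constructed for illustration, since the real addresses are redacted in the logs.

```shell
#!/bin/sh
# Added example: compare the sender regexp proposed in the thread with an
# assumed tighter variant. All addresses below are constructed samples.

# Pattern as proposed in the thread (the ".+" runs may also match "@").
PROPOSED='^b\..+\..+\..+'
# Assumed alternative, not from the thread: the three dot-separated tokens
# after "b." must all appear in the local part, before the "@".
TIGHT='^b\.[^@.]+\.[^@.]+\.[^@]+@'

# matches PATTERN ADDRESS: exit status 0 when the address matches
# (-i makes the comparison case-insensitive).
matches() {
    printf '%s\n' "$2" | grep -Eiq -- "$1"
}

# classify ADDRESS: prints "proposed=<hit|miss> tight=<hit|miss>".
classify() {
    if matches "$PROPOSED" "$1"; then p=hit; else p=miss; fi
    if matches "$TIGHT" "$1"; then t=hit; else t=miss; fi
    printf 'proposed=%s tight=%s\n' "$p" "$t"
}

# Constructed samples: one bounce-style sender, then ordinary-looking ones.
for addr in \
    'b.1234.5678.abc@lists.example.com' \
    'b.smith@mail.example.com' \
    'b.j.smith@example.com' \
    'b.smith@example.com' \
    'bob@example.com'
do
    printf '%-36s %s\n' "$addr" "$(classify "$addr")"
done
```

Because `.+` also matches `@`, dots in the domain count toward the proposed pattern, so a short local part such as `b.smith` at a three-label domain is caught; keeping the tokens on the left of the `@` avoids that.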
