The log line from avmavis already has the sender a single time, regardless of
the number of recipients.
Also, if you grep on from, keep in mind that the email first goes from outside
to postfix (1st from), the from postfix to amavis (second from), then from
amavis back to postfix (third from).
Yassine.
On Wednesday, April 4, 2018, 8:49:43 AM GMT+1, Poliman - Serwis
<ser...@poliman.pl> wrote:
Or maybe I could base on this value but divided by 3.
2018-04-04 9:43 GMT+02:00 Poliman - Serwis <ser...@poliman.pl>:
Hmm, probably I can't base on this, because when I send one email I have in log
three lines with "from=" and value <t...@example.com>.
1st line --> Apr 4 09:32:41 s1 postfix/submission/smtpd[5622] : NOQUEUE:
filter: RCPT from host-X.Y.Z.W.static.com[X.Y.Z. W]: <t...@example.com>: Sender
address triggers FILTER amavis:[127.0.0.1]:10026; from=<t...@example.com>
to=<m...@email.com> proto=ESMTP helo=<[192.168.101.112]>
2nd line --> Apr 4 09:32:41 s1 postfix/qmgr[4801]: 74F9980483:
from=<t...@example.com>, size=4359, nrcpt=1 (queue active)
3rd line --> Apr 4 09:32:41 s1 postfix/qmgr[4801]: E180480484:
from=<t...@example.com>, size=4931, nrcpt=1 (queue active)
2018-04-04 7:53 GMT+02:00 Poliman - Serwis <ser...@poliman.pl>:
Could you tell me I could add e-mails together from mail.log which are in line
with "from=" part? Hmm I hope I say clear. I need count emails from particular
mailbox. Can I base on "from="? For example:
Apr 3 11:49:48 s1 postfix/qmgr[722]: 3B8C313BE2D: from=<t...@example.com>,
size=4000, nrcpt=1 (queue active)
2018-03-30 17:52 GMT+02:00 chaouche yacine <yacinechaou...@yahoo.com>:
Absolutely. Amavis comes with a default score of 5.0. Any e-mail which has a
5.0 score or higher is considered spam. You might have false positives though,
for example if the user's ISP addresses are blacklisted, which might be the
case dependning on the country and ISP.
Yassine.
On Friday, March 30, 2018, 10:44:27 AM GMT+2, Poliman - Serwis
<ser...@poliman.pl> wrote:
Yassine, appreciate your answer. I will check further in it but do you think
that spam score could help with estimate which mail from which account is or
not spam?
2018-03-30 9:27 GMT+02:00 chaouche yacine <yacinechaou...@yahoo.com>:
Here are some ideas :
1/ Create a directory somewhere in /var/, for example mailstats2/ The directory
will contain one file per sender3/ Your bash script will parse the mail log
file in real time (tail -f) then tee each matching line to the corresponding
mailstats/user file, for example if the line is matching b...@yourdomain.com it
will go to mailstats/bob. That way you will have, for each user, the number of
outgoing emails.
Another script will simply wc -l each mailstats user file, that will give you
the number of sent mails. You can use fail2ban for this task instead of writing
you own script. Fail2ban can be configured to scan logfiles looking for a
particular line. It will count the matching lines and if it reaches the
(configurable) maximum count in a certain (configurable) amount of time, it
will do whatever action you have configured, for example sending you an e-mail.
The mailstats file will need some maintenance, otherwise they will grow
infinitely and possibly slow down you scripts. You can use logrotate to archive
your mailstats files and create new ones automatically for you after either a
specific amount of time or after a specific mail size.
It's not trivial, but it should work.
Yassine.
On Friday, March 30, 2018, 7:16:33 AM GMT+2, Poliman - Serwis
<ser...@poliman.pl> wrote:
Some emails has "Hits" value even, for example 2,5. What is (if it's possible
to say) good value? I am going to create script in bash which send me an email
when from particular email account will outbound for example 300 emails per
day. Kind of warning. But I am not sure I could use spam score to it. What do
you think guys about it?
2018-03-29 17:58 GMT+02:00 chaouche yacine <yacinechaou...@yahoo.com>:
It is, that's the spam score. It helps to visualise if a particular mailbox is
bombarded with spam (can happen with lots and lots of e-mails from qq.com, I
have that domain banned in postfix itself).
Yassine.
On Thursday, March 29, 2018, 3:21:16 PM GMT+1, Alex JOST
<jost+postfix...@dimejo.at> wrote:
Am 29.03.2018 um 15:30 schrieb Poliman - Serwis:
> This one works well. One question based on one from generated lines:
> Mar 26 11:47:41 ORIGINATING LOCAL [127.0.0.1]:38920 <i...@klub-biosfera.pl>
> -> <i...@klub-biosfera.pl>,<p. krzewi...@poliman.pl>, Hits: 0.742
>
> Mar 26 11:47:41 --> this is date and hour when mail from
> i...@klub-biosfera.pl was sent to i...@klub-biosfera.pl and
> p.krzewi...@poliman.pl, am I right?
> What are "Hits: 0.742" ?
Looks like amavisd scoring.
--
Alex JOST
--
Pozdrawiam / Best Regards
Piotr Bracha
--
Pozdrawiam / Best Regards
Piotr Bracha
--
Pozdrawiam / Best Regards
Piotr Bracha
--
Pozdrawiam / Best Regards
Piotr Bracha
--
Pozdrawiam / Best Regards
Piotr Bracha
