I am not sure I understood well. There are three "from=", and you said which one repond to which behavior, so I think I could base on "from=" from log file but I should divide by three number of emails send by specific user. Am I right?
2018-04-04 11:11 GMT+02:00 chaouche yacine <yacinechaou...@yahoo.com>: > The log line from avmavis already has the sender a single time, regardless > of the number of recipients. > > Also, if you grep on from, keep in mind that the email first goes from > outside to postfix (1st from), the from postfix to amavis (second from), > then from amavis back to postfix (third from). > > > > Yassine. > > > On Wednesday, April 4, 2018, 8:49:43 AM GMT+1, Poliman - Serwis < > ser...@poliman.pl> wrote: > > > Or maybe I could base on this value but divided by 3. > > 2018-04-04 9:43 GMT+02:00 Poliman - Serwis <ser...@poliman.pl>: > > Hmm, probably I can't base on this, because when I send one email I have > in log three lines with "from=" and value <t...@example.com>. > 1st line --> Apr 4 09:32:41 s1 postfix/submission/smtpd[5622] : NOQUEUE: > filter: RCPT from host-X.Y.Z.W.static.com[X.Y.Z. W]: < t...@example.com > >: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=< > t...@example.com > to=<m...@email.com> proto=ESMTP helo=<[192.168.101.112]> > 2nd line --> Apr 4 09:32:41 s1 postfix/qmgr[4801]: 74F9980483: from=< > t...@example.com>, size=4359, nrcpt=1 (queue active) > 3rd line --> Apr 4 09:32:41 s1 postfix/qmgr[4801]: E180480484: from=< > t...@example.com>, size=4931, nrcpt=1 (queue active) > > > 2018-04-04 7:53 GMT+02:00 Poliman - Serwis <ser...@poliman.pl>: > > Could you tell me I could add e-mails together from mail.log which are in > line with "from=" part? Hmm I hope I say clear. I need count emails from > particular mailbox. Can I base on "from="? For example: > Apr 3 11:49:48 s1 postfix/qmgr[722]: 3B8C313BE2D: from=<t...@example.com>, > size=4000, nrcpt=1 (queue active) > > 2018-03-30 17:52 GMT+02:00 chaouche yacine <yacinechaou...@yahoo.com>: > > Absolutely. Amavis comes with a default score of 5.0. Any e-mail which has > a 5.0 score or higher is considered spam. You might have false positives > though, for example if the user's ISP addresses are blacklisted, which > might be the case dependning on the country and ISP. > > Yassine. > > On Friday, March 30, 2018, 10:44:27 AM GMT+2, Poliman - Serwis < > ser...@poliman.pl> wrote: > > > Yassine, appreciate your answer. I will check further in it but do you > think that spam score could help with estimate which mail from which > account is or not spam? > > 2018-03-30 9:27 GMT+02:00 chaouche yacine <yacinechaou...@yahoo.com>: > > Here are some ideas : > > 1/ Create a directory somewhere in /var/, for example mailstats > 2/ The directory will contain one file per sender > 3/ Your bash script will parse the mail log file in real time (tail -f) > then tee each matching line to the corresponding mailstats/user file, for > example if the line is matching b...@yourdomain.com it will go to > mailstats/bob. That way you will have, for each user, the number of > outgoing emails. > > > Another script will simply wc -l each mailstats user file, that will give > you the number of sent mails. You can use fail2ban for this task instead of > writing you own script. Fail2ban can be configured to scan logfiles looking > for a particular line. It will count the matching lines and if it reaches > the (configurable) maximum count in a certain (configurable) amount of > time, it will do whatever action you have configured, for example sending > you an e-mail. > > The mailstats file will need some maintenance, otherwise they will grow > infinitely and possibly slow down you scripts. You can use logrotate to > archive your mailstats files and create new ones automatically for you > after either a specific amount of time or after a specific mail size. > > It's not trivial, but it should work. > > > Yassine. > > > On Friday, March 30, 2018, 7:16:33 AM GMT+2, Poliman - Serwis < > ser...@poliman.pl> wrote: > > > Some emails has "Hits" value even, for example 2,5. What is (if it's > possible to say) good value? I am going to create script in bash which > send me an email when from particular email account will outbound for > example 300 emails per day. Kind of warning. But I am not sure I could use > spam score to it. What do you think guys about it? > > 2018-03-29 17:58 GMT+02:00 chaouche yacine <yacinechaou...@yahoo.com>: > > > It is, that's the spam score. It helps to visualise if a particular > mailbox is bombarded with spam (can happen with lots and lots of e-mails > from qq.com, I have that domain banned in postfix itself). > > Yassine. > On Thursday, March 29, 2018, 3:21:16 PM GMT+1, Alex JOST < > jost+postfix...@dimejo.at> wrote: > > > Am 29.03.2018 um 15:30 schrieb Poliman - Serwis: > > > This one works well. One question based on one from generated lines: > > Mar 26 11:47:41 ORIGINATING LOCAL [127.0.0.1]:38920 < > i...@klub-biosfera.pl> > > -> <i...@klub-biosfera.pl>,<p. krzewi...@poliman.pl > <p.krzewi...@poliman.pl>>, Hits: 0.742 > > > > Mar 26 11:47:41 --> this is date and hour when mail from > > i...@klub-biosfera.pl was sent to i...@klub-biosfera.pl and > > p.krzewi...@poliman.pl, am I right? > > What are "Hits: 0.742" ? > > > Looks like amavisd scoring. > > -- > Alex JOST > > > > > -- > > *Pozdrawiam / Best Regards* > *Piotr Bracha* > > > > > -- > > *Pozdrawiam / Best Regards* > *Piotr Bracha* > > > > > -- > > *Pozdrawiam / Best Regards* > *Piotr Bracha* > > > > > -- > > *Pozdrawiam / Best Regards* > *Piotr Bracha* > > > > > -- > > *Pozdrawiam / Best Regards* > *Piotr Bracha* > -- *Pozdrawiam / Best Regards* *Piotr Bracha*
