The difference between "FILTER_" and "DENIED_" is a little more complicated than you've described. The "FILTER_" message appears whenever a filter is triggered, whether that filter will eventually block the message or not. Those messages were originally added to show when whitelists were being matched, so administrators could understand why a "bad" connection wasn't being blocked (that's why you have to increase the log-level to see them). The "DENIED_" message appears whenever a recipient is actually rejected.
So you are correct that one "FILTER_RBL_MATCH" message could match multiple "DENIED_RBL_MATCH" messages. In that scenario, the remote server was found on an RBL, which is only checked once, but gave several recipients, which caused a number of rejections. However, if the remote server is found on an RBL but the sender authenticates, you could see a "FILTER_RBL_MATCH" message with an "ALLOWED" message. A similar situation could happen with a whitelisted sender -- you could see a "FILTER_RBL_MATCH" message, followed by a "FILTER_SENDER_WHITELIST" message, followed by an "ALLOWED" message. Worse yet, if the "FILTER_" messages are specific to the recipient (e.g. recipient blacklists), you could see multiple "FILTER_" messages /and/ multiple "DENIED_" messages.

For the purposes of generating statistics, I think the "DENIED_" messages are much more useful because they show what actually happened instead of what spamdyke was thinking. On my server, I just graph the "DENIED_" messages and I don't worry about multiple messages coming from a single connection. In my mind, a single connection that generates multiple messages is the same as multiple connections that each generate one message -- the same number of spam emails were blocked either way.

If you really want to track how many connections your mail server has gotten, I suppose you could parse the log entries to find spamdyke's PID and count the unique lines. Beware, however, that PIDs can roll over rapidly on a busy server.

I hope that helps.

-- Sam Clippinger

Sebastian Grewe wrote:
> Hey list,
>
> I just looked at those stats and compared the output to what I am having
> on our boxes and I started wondering:
>
> When I check the log files, Spamdyke logs the following
>
> FILTER_RBL_MATCH : When listed in the RDNS
> DENIED_RBL_MATCH : For each recipient address in the mail
>
> So basically it will result in 1 FILTER match but 1 DENIED match for
> each mail address.
>
> Doesn't that mean that using the DENIED match will not result in the
> actual denied mails but rather in a much higher number? I am currently
> looking for both FILTER_ and DENIED_ flags and sum those up to find out
> how many mails I rejected - but I am guessing here that looking for
> FILTER_ alone would make more sense.
>
> Here my output, wrote the script today - Mirkos' output inspired me :)
> It's tailored to work for our environment though.
>
> Total : 1571 (100.0000%)
> Legitimate : 123 (7.8200%)
> |
> |- FILTER_WHITELIST : 61 (49.5900%)
>    |
>    |- _RECIPIENT_WHITELIST : 61 (100.0000%)
>
> Rejected : 1448 (92.1700%)
> |
> |- FILTER : 539 (37.2200%)
> |  |
> |  |- _RDNS_MISSING : 192 (35.6200%)
> |  |- _OTHER : 12 (2.2200%)
> |  |- _RBL_MATCH : 297 (55.1000%)
> |     |
> |     |- _RBL_MATCH_SPAMHAUS : 171 (57.5700%)
> |     |- _RBL_MATCH_SPAMCOP : 126 (42.4200%)
> |
> |- DENIED : 905 (62.5000%)
> |  |
> |  |- _RDNS_MISSING : 415 (45.8500%)
> |  |- _RBL_MATCH : 446 (49.2800%)
> |  |- _EARLYTALKER : 0 (0%)
> |  |- _SENDER_NO_MX : 14 (1.5400%)
> |  |- _TOO_MANY_RECIPIENTS : 0 (0%)
> |  |- _UNQUALIFIED_RECIPIENT : 0 (0%)
> |
> |- Clamav : 4 (.2700%)
>    |
>    |- Phishing : 4 (100.0000%)
>    |- Trojan : 0 (0%)
>
>
> On Tue, 2009-09-01 at 15:52 -0500, Sam Clippinger wrote:
> >>>>> -----Original Message-----
>>>>> From: [email protected]
>>>>> [mailto:[email protected]] On Behalf Of Mirko Buffoni
>>>>> Sent: 01 September 2009 14:27
>>>>> To: spamdyke users
>>>>> Subject: Re: [spamdyke-users] Spam Stats
>>>>>
>>>>> Goods average between 500 and 2000 daily. Figures are however
>>>>> pretty standard. Spamdyke filters out about 60k attempts daily.
>>>>> Here are yesterday stats:
>>>>>
>>>>> Good : 1025 = 0.68 %
>>>>> Unsure : 183 = 0.12 %
>>>>> Virus : 62 = 0.04 %
>>>>> BAD Sender: 5114 = 3.40 %
>>>>> BAD Rcpt : 212 = 0.14 %
>>>>> Pure SPAM : 45997 = 30.56 %
>>>>> SPAMMER : 97940 = 65.06 %
>>>>> |
>>>>> \.............BLACKLISTED_KEYWORD : 29608 = 30.23 %
>>>>> \..............DENIED_EARLYTALKER : 3 = 0.00 %
>>>>> \...............DENIED_IP_IN_RDNS : 30447 = 31.09 %
>>>>> \................DENIED_RBL_MATCH : 23268 = 23.76 %
>>>>> \.............DENIED_SENDER_NO_MX : 13070 = 13.34 %
>>>>> \......DENIED_TOO_MANY_RECIPIENTS : 1 = 0.00 %
>>>>> \....DENIED_UNQUALIFIED_RECIPIENT : 1 = 0.00 %
>>>>> \.........................TIMEOUT : 1542 = 1.57 %
>>>>>
>>>>> ------------------------------
>>>>> Total : 150533 = 100.00 %
>>>>> _______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
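
Added example, not part of the original thread and not spamdyke's own code: a log summarizer that keeps "FILTER_", "DENIED_" and "ALLOWED" counts separate and estimates connections from the PID, as discussed in the reply above. The syslog line layout, the constructed sample lines, the year 2009 and the 300-second PID-reuse gap are all assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines; the layout (timestamp, host, "spamdyke[PID]:",
# message) is an assumed syslog format, not taken from the thread.
SAMPLE = """\
Sep  1 10:00:01 mx spamdyke[4100]: FILTER_RBL_MATCH ip: 192.0.2.10 rbl: rbl.example
Sep  1 10:00:02 mx spamdyke[4100]: DENIED_RBL_MATCH from: a@spam.example to: u1@example.org
Sep  1 10:00:02 mx spamdyke[4100]: DENIED_RBL_MATCH from: a@spam.example to: u2@example.org
Sep  1 10:00:05 mx spamdyke[4101]: FILTER_RBL_MATCH ip: 192.0.2.20 rbl: rbl.example
Sep  1 10:00:06 mx spamdyke[4101]: ALLOWED from: bob@example.org to: x@example.net
Sep  1 10:30:00 mx spamdyke[4100]: DENIED_RDNS_MISSING from: c@spam.example to: u1@example.org
""".splitlines()

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ spamdyke\[(\d+)\]: ([A-Z_]+)")

def summarize(lines, pid_reuse_gap=300, year=2009):
    """Return (denied, filters, allowed, connections) for spamdyke log lines.

    A PID seen again after more than pid_reuse_gap seconds is counted as a
    new connection. This is a heuristic: a PID reused within the gap is
    still merged, so the connection count is a lower bound on a busy server.
    """
    denied, filters = Counter(), Counter()
    allowed = connections = 0
    last_seen = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a spamdyke line
        # syslog omits the year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid, tag = m.group(2), m.group(3)
        prev = last_seen.get(pid)
        if prev is None or (ts - prev).total_seconds() > pid_reuse_gap:
            connections += 1
        last_seen[pid] = ts
        if tag.startswith("DENIED_"):
            denied[tag] += 1      # one per rejected recipient
        elif tag.startswith("FILTER_"):
            filters[tag] += 1     # filter triggered; may still end in ALLOWED
        elif tag == "ALLOWED":
            allowed += 1
    return denied, filters, allowed, connections

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample, PID 4101 produces a FILTER_RBL_MATCH followed by ALLOWED, so adding the "FILTER_" and "DENIED_" totals together would report five rejections where only three recipients were rejected.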
