Thanks Sam, that did help. Yeah, PIDs would roll over fast on our machines so that's not an option.
I will keep counting all of it and use whatever I need :)

Thanks for the clarification!

Cheers,
Sebastian

On Thu, 2009-09-03 at 14:55 -0500, Sam Clippinger wrote:
> The difference between "FILTER_" and "DENIED_" is a little more
> complicated than you've described. The "FILTER_" message appears
> whenever a filter is triggered, whether that filter will eventually
> block the message or not. Those messages were originally added to show
> when whitelists were being matched, so administrators could understand
> why a "bad" connection wasn't being blocked (that's why you have to
> increase the log-level to see them). The "DENIED_" message appears
> whenever a recipient is actually rejected.
>
> So you are correct that one "FILTER_RBL_MATCH" message could match
> multiple "DENIED_RBL_MATCH" messages. In that scenario, the remote
> server was found on an RBL, which is only checked once, but gave several
> recipients, which caused a number of rejections. However, if the remote
> server is found on an RBL but the sender authenticates, you could see a
> "FILTER_RBL_MATCH" message with an "ALLOWED" message. A similar
> situation could happen with a whitelisted sender -- you could see a
> "FILTER_RBL_MATCH" message, followed by a "FILTER_SENDER_WHITELIST"
> message, followed by an "ALLOWED" message. Worse yet, if the "FILTER_"
> messages are specific to the recipient (e.g. recipient blacklists), you
> could see multiple "FILTER_" messages /and/ multiple "DENIED_" messages.
>
> For the purposes of generating statistics, I think the "DENIED_"
> messages are much more useful because they show what actually happened
> instead of what spamdyke was thinking. On my server, I just graph the
> "DENIED_" messages and I don't worry about multiple messages coming from
> a single connection. In my mind, a single connection that generates
> multiple messages is the same as multiple connections that each generate
> one message -- the same number of spam emails were blocked either way.
> If you really want to track how many connections your mail server has
> gotten, I suppose you could parse the log entries to find spamdyke's PID
> and count the unique lines. Beware, however, that PIDs can roll over
> rapidly on a busy server.
>
> I hope that helps.
>
> -- Sam Clippinger
>
> Sebastian Grewe wrote:
> > Hey list,
> >
> > I just looked at those stats and compared the output to what I am having
> > on our boxes and I started wondering:
> >
> > When I check the log files, Spamdyke logs the following
> >
> > FILTER_RBL_MATCH : When listed in the RDNS
> > DENIED_RBL_MATCH : For each recipient address in the mail
> >
> > So basically it will result in 1 FILTER match but 1 DENIED match for
> > each mail address.
> >
> > Doesn't that mean that using the DENIED match will not result in the
> > actual denied mails but rather in a much higher number? I am currently
> > looking for both FILTER_ and DENIED_ flags and sum those up to find out
> > how many mails I rejected - but I am guessing here that looking for
> > FILTER_ alone would make more sense.
> >
> > Here my output, wrote the script today - Mirkos' output inspired me :)
> > It's tailored to work for our environment though.
> >
> > Total : 1571 (100.0000%)
> > Legitimate : 123 (7.8200%)
> >  |
> >  |- FILTER_WHITELIST : 61 (49.5900%)
> >       |
> >       |- _RECIPIENT_WHITELIST : 61 (100.0000%)
> >
> > Rejected : 1448 (92.1700%)
> >  |
> >  |- FILTER : 539 (37.2200%)
> >  |    |
> >  |    |- _RDNS_MISSING : 192 (35.6200%)
> >  |    |- _OTHER : 12 (2.2200%)
> >  |    |- _RBL_MATCH : 297 (55.1000%)
> >  |         |
> >  |         |- _RBL_MATCH_SPAMHAUS : 171 (57.5700%)
> >  |         |- _RBL_MATCH_SPAMCOP : 126 (42.4200%)
> >  |
> >  |- DENIED : 905 (62.5000%)
> >  |    |
> >  |    |- _RDNS_MISSING : 415 (45.8500%)
> >  |    |- _RBL_MATCH : 446 (49.2800%)
> >  |    |- _EARLYTALKER : 0 (0%)
> >  |    |- _SENDER_NO_MX : 14 (1.5400%)
> >  |    |- _TOO_MANY_RECIPIENTS : 0 (0%)
> >  |    |- _UNQUALIFIED_RECIPIENT : 0 (0%)
> >  |
> >  |- Clamav : 4 (.2700%)
> >       |
> >       |- Phishing : 4 (100.0000%)
> >       |- Trojan : 0 (0%)
> >
> >
> > On Tue, 2009-09-01 at 15:52 -0500, Sam Clippinger wrote:
> >
> >>>>> -----Original Message-----
> >>>>> From: [email protected]
> >>>>> [mailto:[email protected]] On Behalf Of Mirko Buffoni
> >>>>> Sent: 01 September 2009 14:27
> >>>>> To: spamdyke users
> >>>>> Subject: Re: [spamdyke-users] Spam Stats
> >>>>>
> >>>>> Goods average between 500 and 2000 daily. Figures are however
> >>>>> pretty standard. Spamdyke filters out about 60k attempts daily.
> >>>>> Here are yesterday stats:
> >>>>>
> >>>>> Good      :   1025 =  0.68 %
> >>>>> Unsure    :    183 =  0.12 %
> >>>>> Virus     :     62 =  0.04 %
> >>>>> BAD Sender:   5114 =  3.40 %
> >>>>> BAD Rcpt  :    212 =  0.14 %
> >>>>> Pure SPAM :  45997 = 30.56 %
> >>>>> SPAMMER   :  97940 = 65.06 %
> >>>>>    |
> >>>>>    \.............BLACKLISTED_KEYWORD :  29608 = 30.23 %
> >>>>>    \..............DENIED_EARLYTALKER :      3 =  0.00 %
> >>>>>    \...............DENIED_IP_IN_RDNS :  30447 = 31.09 %
> >>>>>    \................DENIED_RBL_MATCH :  23268 = 23.76 %
> >>>>>    \.............DENIED_SENDER_NO_MX :  13070 = 13.34 %
> >>>>>    \......DENIED_TOO_MANY_RECIPIENTS :      1 =  0.00 %
> >>>>>    \....DENIED_UNQUALIFIED_RECIPIENT :      1 =  0.00 %
> >>>>>    \.........................TIMEOUT :   1542 =  1.57 %
> >>>>>
> >>>>> ------------------------------
> >>>>> Total     : 150533 = 100.00 %
> >>>>>
> _______________________________________________
> spamdyke-users mailing list
> [email protected]
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users

--
Sebastian Grewe
Jammicron | Experts in Powering Online Sales
Phone 604.331.0586 x 104
Fax 604.331.0587
www.jammicron.com | www.qwik.ca
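
The counting distinction discussed in this thread, as an added example that is not part of the original messages and not spamdyke's own code: it tallies "DENIED_" lines per rejected recipient, keeps "FILTER_" lines separate, and groups lines by PID to approximate connections. The log lines are constructed, and the "spamdyke[PID]: EVENT ..." syslog layout, host name, addresses and RBL name are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines. The "spamdyke[PID]: EVENT ..." layout is an
# assumption about the syslog format; adjust LINE_RE to match your logs.
SAMPLE_LOG = """\
Sep  3 14:50:01 mx1 spamdyke[4101]: FILTER_RBL_MATCH ip: 192.0.2.10 rbl: rbl.example.net
Sep  3 14:50:02 mx1 spamdyke[4101]: DENIED_RBL_MATCH from: a@example.org to: u1@example.com
Sep  3 14:50:02 mx1 spamdyke[4101]: DENIED_RBL_MATCH from: a@example.org to: u2@example.com
Sep  3 14:50:02 mx1 spamdyke[4101]: DENIED_RBL_MATCH from: a@example.org to: u3@example.com
Sep  3 14:51:10 mx1 spamdyke[4102]: FILTER_RBL_MATCH ip: 192.0.2.20 rbl: rbl.example.net
Sep  3 14:51:10 mx1 spamdyke[4102]: FILTER_SENDER_WHITELIST sender: b@example.org
Sep  3 14:51:11 mx1 spamdyke[4102]: ALLOWED from: b@example.org to: u1@example.com
Sep  3 14:52:30 mx1 spamdyke[4103]: DENIED_RDNS_MISSING from: c@example.org to: u1@example.com
Sep  3 14:53:00 mx1 qmail: 1251985980.1 status: local 0/10 remote 0/20
Sep  3 14:53:05 mx1 spamdyke[4104]: ALLOWED from: d@example.org to: u2@example.com
"""

LINE_RE = re.compile(r"spamdyke\[(?P<pid>\d+)\]:\s+(?P<event>[A-Z_]+)")

def summarize(log_text):
    denied, filters = Counter(), Counter()
    seen = defaultdict(set)  # PID -> kinds of message logged under that PID
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a spamdyke line
        pid, event = m.group("pid"), m.group("event")
        if event.startswith("DENIED_"):
            denied[event] += 1       # one line per rejected recipient
            seen[pid].add("denied")
        elif event.startswith("FILTER_"):
            filters[event] += 1      # a filter fired; the outcome is not decided here
            seen[pid].add("filter")
        elif event == "ALLOWED":
            seen[pid].add("allowed")
    return {
        "denied": dict(denied),
        "filters": dict(filters),
        "rejected_recipients": sum(denied.values()),
        "filter_plus_denied": sum(filters.values()) + sum(denied.values()),
        # Unique PIDs approximate connections only until PIDs roll over.
        "connections": len(seen),
        "connections_denied": sum("denied" in k for k in seen.values()),
        "filter_but_allowed": sum(
            "filter" in k and "allowed" in k and "denied" not in k
            for k in seen.values()),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, summing "FILTER_" and "DENIED_" lines gives 7, while 4 recipients were actually rejected across 2 connections and one RBL-listed connection was allowed through a whitelist.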
