Vernon Schryver
vjs@calcite.rhyolite.com
Tue, 15 Nov 2005 09:05:25 -0700 (MST)
> From: Sven Willenberger

> In searching the logfiles for those messages that have hits on rep, I
> would like to be able to get an idea of what servers (IPs) are sending
> these. Since the dcc checking mailservers are internal (i.e. MX IP
> entries in whiteclnt) I cannot use the relay information in the maillog
> files.
>
> As such, what would be involved with [optionally] adding IP to the
> Metrics header that is added so that it would resemble
>
> X-DCC-brand-Metrics: chost server-ID; bulk chknm1=count ... IP=[relay IP
> that is checked by rep]
>
> Just trying to get some useful statistics gathering in one grep/awk pass
> of the maillog :-)

I'm afraid to change the X-DCC header lest I break filters that depend
on it to detect bulk mail. Adding "bulk rep" may have been too much.
I suppose another X- header could be added.

What about looking in the DCC log files? The third line contains the
IP address that gets the blame.

I tend to use

    /var/dcc/libexec/dblist -C 'rep 12345678 12345678 12345678 12345678'

or

    /var/dcc/libexec/dblist -C 'rep-total 12345678 12345678 12345678 12345678'

to see if a given IP address has a reputation. If the reports containing
the reputation checksums don't include the body checksums, I use
`dblist -T` with timestamps in the same second to look for the reports
of spam sent by the IP address. (The next version of dblist lets the
microseconds be omitted. The current version takes -1 to mean 'ignore
microseconds'.)

(For various constraints on flooding and database compression, the
body checksums are sometimes put into reports separate from the
reputation checksums in the database.)

Vernon Schryver
vjs@rhyolite.com
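The log-file approach suggested in the reply, sketched as a single find/awk pass; this is an added example, not part of the original post and not DCC's own tooling. It assumes one log file per message, that the X-DCC-brand-Metrics header is recorded in that file with "bulk" and "rep" as separate words, and that the address on the third line is IPv4; the function names and the sample log contents are constructed for illustration.

```sh
#!/bin/sh
# Count blamed IPs (third line of each log file) for messages whose
# X-DCC-*-Metrics header marks them "bulk" with a "rep" hit.
# $1 = directory of per-message DCC log files (assumed layout, see lead-in).
rep_senders() {
    find "$1" -type f -exec awk '
        # Print the IP of the previous file if its header showed a rep hit.
        function emit() { if (hit && ip != "") print ip; ip = ""; hit = 0 }
        FNR == 1 { emit() }
        # Line 3 carries the blamed address; take the first dotted quad on it.
        FNR == 3 && match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
            ip = substr($0, RSTART, RLENGTH)
        }
        /^X-DCC-[^:]*-Metrics:/ {
            bulk = 0; rep = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "bulk") bulk = 1
                if ($i == "rep") rep = 1
            }
            if (bulk && rep) hit = 1
        }
        END { emit() }
    ' {} + | sort | uniq -c | awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# Constructed sample log: only line 3 and the header line matter here.
# $1 = IP, $2 = text after the server-ID, $3 = output file
write_log() {
    printf 'constructed line 1\nconstructed line 2\nrelay.example %s\n' "$1" > "$3"
    printf 'X-DCC-brand-Metrics: chost 1234; %s\n' "$2" >> "$3"
}

demo() {
    d=$(mktemp -d) || return 1
    write_log 192.0.2.10   'bulk rep'          "$d/msg1"
    write_log 192.0.2.10   'bulk rep chknm1=7' "$d/msg2"
    write_log 198.51.100.5 'bulk rep'          "$d/msg3"
    write_log 203.0.113.9  'bulk chknm1=7'     "$d/msg4"   # bulk, but no rep hit
    rep_senders "$d"
    rm -rf "$d"
}

demo
```

Each output line is a count followed by the IP, highest count first; on a real server, point `rep_senders` at the DCC log directory instead of calling `demo`.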