Sven Willenberger
sven@dmv.com
Tue, 15 Nov 2005 11:38:14 -0500
On Tue, 2005-11-15 at 09:05 -0700, Vernon Schryver wrote:
> > From: Sven Willenberger
>
> > In searching the logfiles for those messages that have hits on rep, I
> > would like to be able to get an idea of what servers (IPs) are sending
> > these. Since the dcc checking mailservers are internal (i.e. MX IP
> > entries in whiteclnt) I cannot use the relay information in the maillog
> > files.
> >
> > As such, what would be involved with [optionally] adding IP to the
> > Metrics header that is added so that it would resemble
> >
> > X-DCC-brand-Metrics: chost server-ID; bulk chknm1=count ... IP=[relay IP
> > that is checked by rep]
> >
> > Just trying to get some useful statistics gathering in one grep/awk pass
> > of the maillog :-)
>
> I'm afraid to change the X-DCC header lest I break filters that depend on
> it to detect bulk mail. Adding "bulk rep" may have been too much.
>
> I suppose another X- header could be added.

That may be an idea. Reading the manpage for DCC I saw IP listed in the
subsection on Metrics on the types of checksums which raised my hopes a
little that this information could be included in the Metrics. Perhaps
simply a new Rep header: X-DCC-Reps-Metrics that would include bulk rep
reps-total=count, rep=%, IP=[relay] which would then not break clients
depending on the pre-Reps X-DCC header.

> What about looking in the DCC log files? The third line contains the
> IP address that gets the blame. I tend to use
>     /var/dcc/libexec/dblist -C 'rep 12345678 12345678 12345678 12345678'
> or
>     /var/dcc/libexec/dblist -C 'rep-total 12345678 12345678 12345678 12345678'
> to see a given IP address has a reputation. If the reports containing
> the reputation checksums don't include the body checksums,
> I use `dblist -T` with timestamps in the same second to look for
> the reports of spam sent by the IP address. (The next version of
> dblist lets the microseconds be omitted. The current version takes -1
> to mean 'ignore microseconds'.) (For various constraints on flooding
> and database compression, the body checksums are sometimes put into
> reports separate from the reputation checksums in the database.)

Alas, I stopped keeping the logged messages a long time ago. I enabled
logging briefly to check out the messages. I found the IP hash line and
tried running:

    /var/dcc/libexec/dblist -C 'rep 67708712 3cef1eb2 218ec748 11c283ae'

but got an error (both on the client as well as the reporting dcc
server) of:

    unrecognized checksum values "rep 67708712 3cef1eb2 218ec748 11c283ae"; fatal error

Sven