Logging of destination domain
Dale Lovelace
dlovelace at HOTELS.COM
Sun Dec 8 15:45:49 GMT 2002
The maillog converter I am working on does this correctly now. I expect to release this later this week. I am converting the maillog to a common log format like the maillog2commonlog.pl script on the analog page www.analog.cx, except this one works :-) and it turns the spam mail into 404 errors. Then you can run the converted log through analog, and get all of the sort of statistics you are talking about.
I am using this on my machine now, but it just needs a little cleaning up and packaging.
Dale
-----Original Message-----
From: ISP List [mailto:isp-list at TULSACONNECT.COM]
Sent: Sunday, December 08, 2002 9:35 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Logging of destination domain
MailScanner currently produces log entries like:
Dec 8 09:30:22 mx20 mailscanner[33546]: Message 18L3Nr-00096Q-00 from
66.227.40.58.3294 (dbzmail.com) is Yes (score=13.6, required 8, BIG_FONT,
CALL_FREE, FROM_ENDS_IN_NUMS, GAPPY_TEXT, HIDDEN_ASSETS, HTML_50_70,
HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_GRAY, HTML_FONT_COLOR_RED,
HTML_FONT_COLOR_YELLOW, HTML_FONT_INVISIBLE, MISSING_HEADERS,
NORMAL_HTTP_TO_IP, NO_REAL_NAME, OPT_IN, SOCIAL_SEC_NUMBER,
SPAM_PHRASE_13_21, TABLE_THICK_BORDER, USER_AGENT_OE)
What would be nifty is if you could add in the recipient domain, e.g.
Dec 8 09:30:22 mx20 mailscanner[33546]: Message 18L3Nr-00096Q-00 from
66.227.40.58.3294 (dbzmail.com) to (thisdomain.com) is Yes (score=13.6,
required 8, BIG_FONT, CALL_FREE, FROM_ENDS_IN_NUMS, GAPPY_TEXT,
HIDDEN_ASSETS, HTML_50_70, HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_GRAY,
HTML_FONT_COLOR_RED, HTML_FONT_COLOR_YELLOW, HTML_FONT_INVISIBLE,
MISSING_HEADERS, NORMAL_HTTP_TO_IP, NO_REAL_NAME, OPT_IN,
SOCIAL_SEC_NUMBER, SPAM_PHRASE_13_21, TABLE_THICK_BORDER, USER_AGENT_OE)
That way, log file parsers could grep out the sender and the recipient
domain and graph the values accordingly, giving you the ability to graph
spam sources per destination domain name.
--Mike
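
The log parsing Mike describes, as an added example that is not part of the original thread or of MailScanner. It assumes each entry sits on a single line in the shape quoted above, with the "to (domain)" field optional; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Shape taken from the thread's two entries; "to (domain)" is the proposed, optional part.
# Domains come from the message and are untrusted: only hostname characters are accepted.
LINE_RE = re.compile(
    r"mailscanner\[\d+\]: Message (?P<msgid>\S+) "
    r"from (?P<src>\S+) \((?P<sender>[A-Za-z0-9.-]*)\)"
    r"(?: to \((?P<rcpt>[A-Za-z0-9.-]*)\))?"
    r" is (?P<verdict>\w+) "
    r"\(score=(?P<score>-?\d+(?:\.\d+)?), required (?P<required>-?\d+(?:\.\d+)?)"
    r"(?:, (?P<rules>[^)]*))?\)"
)

def parse_line(line):
    """Return the fields of a MailScanner verdict line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sender"] = rec["sender"].lower()
    rec["rcpt"] = rec["rcpt"].lower() if rec["rcpt"] is not None else None
    rec["score"], rec["required"] = float(rec["score"]), float(rec["required"])
    rec["rules"] = [r.strip() for r in (rec["rules"] or "").split(",") if r.strip()]
    return rec

def spam_by_destination(lines):
    """Count 'Yes' verdicts per (recipient domain, sender domain); also count unmatched lines."""
    counts, skipped = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        elif rec["verdict"] == "Yes":
            counts[(rec["rcpt"] or "-", rec["sender"])] += 1
    return counts, skipped

# Constructed sample: the thread's entries (rule list shortened), one made-up entry, one unrelated line.
PREFIX = "Dec 8 09:30:22 mx20 mailscanner[33546]: Message "
SAMPLE = [
    PREFIX + "18L3Nr-00096Q-00 from 66.227.40.58.3294 (dbzmail.com) is Yes (score=13.6, required 8, BIG_FONT, OPT_IN)",
    PREFIX + "18L3Nr-00096Q-00 from 66.227.40.58.3294 (dbzmail.com) to (thisdomain.com) is Yes (score=13.6, required 8, BIG_FONT, OPT_IN)",
    PREFIX + "18L3Oa-00096R-00 from 192.0.2.10.4021 (DBZMAIL.com) to (thisdomain.com) is Yes (score=9.1, required 8, OPT_IN)",
    "Dec 8 09:31:06 mx20 syslogd: restart",
]

if __name__ == "__main__":
    counts, skipped = spam_by_destination(SAMPLE)
    print(dict(counts), "unmatched lines:", skipped)
```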