Mailscanner statistics

Michael Janssen Janssen at RZ.UNI-FRANKFURT.DE
Thu Jul 18 14:27:13 IST 2002


Dear list,

I've found that it isn't enough just to count the numbers from the "found
XX viruses" lines, because these lines frequently (not always) occur
twice (at least on our system):

....
Scanning 1 messages, 135716 bytes
>>> Virus 'W32/Klez-H' found in file ./17FkWw-0004hX-00/class.bat
Found 1 viruses in messages 17FkWw-0004hX-00
Scanned 1 messages, 135716 bytes in 1 seconds
Notified senders about 1 infections
Notified exim-scanl at rz.uni-frankfurt.de about 1 infections
Commercial disinfector sophos returned 768
>>> Virus 'W32/Klez-H' found in file ./17FkWw-0004hX-00/class.bat
Found 1 viruses in messages 17FkWw-0004hX-00
Scanning 2 messages, 7233 bytes
....


instead of:
    $TotalViruses += $1 if /found (\d+) viruses in/i;

you need to remember the mail-id plus filename and ignore the next
occurrence of it (this might give you slightly lower numbers when your MTA
often produces the same ids).

you might compare it to my script:
http://www.rz.uni-frankfurt.de/~mjanssen/logstats/logstats.py  (15kb)

(written in Python, therefore usage is: "python logstats.py
<MailScanner-log> [-help]". A bit tricky, because it does some more jobs
than just counting. No spam detection yet)

cheers
Michael
University of Frankfurt

On Thu, 18 Jul 2002, Joris Trooster / Interstroom wrote:

> Hello,
>
> I changed the script from Peter Peters (thanks!), to include virus
> statistics. Example output:
>
> mailscannerstats.pl /var/log/mail.log
> ------------------------------------------------
> Virus / spam statistics
> Period Jul 14 06:48:23  -> Jul 18 13:50:03
>
> Total e-mails scanned        : 1132
> Total bytes scanned          : 12230878
> Total seconds                : 96
> Total virusses detected      : 82
> Total spams tagged           : 91
> Timespan (seconds)           : 370900
>
> Total SpamAssassin           : 79
> Total SpamAssassin score     : 1003
> Total Infinite-Monkeys       : 3
> Total Osirusoft              : 13
> Total ORDB-RBL               : 7
> Total WIREHUB-DNSBL          : 2
>
> Viruses found (top 10):
>
>           Exploit-MIME.gen.b.: 23
>                 W32/Klez.h@MM: 21
>                 W32/Yaha.g@MM: 10
>              goldfish.mp3.scr: 5
>                     VALUE.pif: 2
>                      TYPE.pif: 2
>                      Ilvd.scr: 1
>                      NAME.bat: 1
>                       new.bat: 1
>                     align.scr: 1
> ------------------------------------------------
>
> To have the virus information included you need to add a few lines to
> sweep.pl as explained in the file (attachment). The script only extracts
> information from the mailscanner log, so the script should work with
> both exim and sendmail.
>
> Regards,
> Joris
>
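The de-duplication Michael describes, written out as an added example (this is neither his logstats.py nor Joris's mailscannerstats.pl): it keys each virus report on the message id plus the file name taken from the ">>> Virus ... found in file" line and counts that pair once, next to the naive sum of the "Found N viruses" lines for comparison. The sample log is constructed from the excerpt in the post, with a second message id (17FkXa-0004iB-00, Yaha) assumed for illustration.

```python
import re
from collections import Counter

# Constructed sample log: the duplicated report pattern from the post
# (the disinfector pass re-logs the same Virus/Found pair), plus one
# assumed second message so the two counting methods differ visibly.
SAMPLE_LOG = """\
Scanning 1 messages, 135716 bytes
>>> Virus 'W32/Klez-H' found in file ./17FkWw-0004hX-00/class.bat
Found 1 viruses in messages 17FkWw-0004hX-00
Scanned 1 messages, 135716 bytes in 1 seconds
Notified senders about 1 infections
Commercial disinfector sophos returned 768
>>> Virus 'W32/Klez-H' found in file ./17FkWw-0004hX-00/class.bat
Found 1 viruses in messages 17FkWw-0004hX-00
Scanning 2 messages, 7233 bytes
>>> Virus 'W32/Yaha-E' found in file ./17FkXa-0004iB-00/party.scr
Found 1 viruses in messages 17FkXa-0004iB-00
"""

# Scanner hit line: virus name, then "./<message-id>/<file path inside the message>".
VIRUS_RE = re.compile(r">>> Virus '([^']+)' found in file \./([^/]+)/(.+)$")
# Summary line the naive counter sums up.
FOUND_RE = re.compile(r"Found (\d+) viruses in messages", re.I)


def naive_count(lines):
    """Sum every 'Found N viruses' line, duplicates included (the $TotalViruses approach)."""
    total = 0
    for line in lines:
        m = FOUND_RE.search(line)
        if m:
            total += int(m.group(1))
    return total


def dedup_count(lines):
    """Count each (message id, file name) pair once; returns (total, per-virus Counter).

    Caveat from the post: if the MTA reuses message ids, distinct hits that
    share an id and file name collapse into one, so the total can be slightly low.
    """
    seen = set()
    per_virus = Counter()
    for line in lines:
        m = VIRUS_RE.search(line)
        if not m:
            continue
        name, msgid, path = m.groups()
        if (msgid, path) in seen:
            continue
        seen.add((msgid, path))
        per_virus[name] += 1
    return sum(per_virus.values()), per_virus
```

Run over the sample, the naive sum reports 3 viruses while the de-duplicated count reports 2 (one Klez, one Yaha).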
