GREPing Maillog

Eduardo Casarero ecasarero at gmail.com
Wed Oct 1 17:09:56 IST 2008 

2008/10/1 Josh Kidd <jkidd at afflink.com>

>  May not be the best place to submit this question but wondered if anyone
> had any suggestions on how I could find an entry in my maillog and then copy
> that line and the next 4 lines into a text file.
>
>
>
> I know I can grep on the string I'm looking for, "grep Message delivery
> request rate limit exceeded /var/log/maillog", but I also want to record the
> statistics after that then somehow copy all of it into a file that I can
> access to show me what IPs may be abusing our server (don't mind the limit
> below it's low for testing).  I'm using the Postfix anvil daemon to record
> these statistics, that seems to be working fine but we want to know if there
> is a computer that is sending out more than our pre-determined limit in case
> that computer has been infected.
>
>
>
> The server is FreeBSD 7, with Postfix, MailScanner (ClamAV and SA), and
> MailWatch. The log entries I'm looking for are these.
>
>
>
> Sep 28 17:41:24 fred postfix/smtpd[38086]: warning: Message delivery
> request rate limit exceeded: 6 from unknown[10.30.0.11] for service smtp
>
> Sep 28 17:41:24 fred postfix/smtpd[38086]: disconnect from unknown[
> 10.30.0.11]
>
> Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max connection rate
> 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24
>
> Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max connection count
> 1 for (smtp:10.30.0.11) at Sep 28 17:41:24
>
> Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max message rate
> 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24
>
> * *
>
Try with awk

grep "statistics: max rate" /var/log/maillog | awk -F "smtp:" '{print $2}' |
awk -F ")" '{print $1}' | tr "[:upper:]" "[:lower:]" | awk '{freq[$1]++} END
{ for (ip in freq)  printf "%s\t%d\n", ip, freq[ip] }'

this doesn't work, you have to tune the awk's but, i use something similar
to collect greylisting rejects.

> **
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081001/31585561/attachment.html

More information about the MailScanner mailing list