Check which rules hit

Denis Beauchemin Denis.Beauchemin at usherbrooke.ca
Tue Jun 30 12:18:49 UTC 2015


Peter, post some log lines and I will make it work for you.

Denis


From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On behalf of Peter Nitschke
Sent: 24 June 2015 08:55
To: mailscanner at lists.mailscanner.info
Subject: RE: Check which rules hit

Scrap that, I deleted the line with "cached" as my logs don't have that and now I am getting screen output.

However it looks as though deleting the "cached" line is causing errors.  Is there a better way to deal with that?

Peter

*********** REPLY SEPARATOR ***********

On 24/06/2015 at 10:13 PM Peter Nitschke wrote:
Is the output to screen or to a file?

Thanks.

*********** REPLY SEPARATOR ***********

On 22/06/2015 at 5:51 PM Denis Beauchemin wrote:

My log lines look like this:

Jun 22 13:26:16 10.32.103.21 smtps2 MailScanner[47071]: Message t5MHQFDv033375 from 10.32.106.21 (someone at usherbrooke.ca) to usherbrooke.ca is n'est pas un polluriel, SpamAssassin (not cached, score=-6.206, requis 6.5, autolearn=not spam, BAYES_00 -1.90, HTML_MESSAGE 0.00, RDNS_NONE 0.79, UDES_FROM01 -3.00, UDES_FROM02 -0.10, UDES_FROMTO01 -2.00)

Jun 22 13:27:23 10.32.103.28 smtpe1 MailScanner[61090]: Message t5MHR8mw063252 from 64.5.96.10 (someone at alliinclusive.space) to usherbrooke.ca is est un polluriel, SpamAssassin (not cached, score=7.776, requis 6.5, autolearn=spam, BAYES_50 0.80, HTML_EXTRA_CLOSE 0.00, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 1.16, MIME_HTML_ONLY 0.72, MIME_HTML_ONLY_MULTI 0.00, MPART_ALT_DIFF 0.79, RDNS_NONE 0.79, STYLE_GIBBERISH 3.50, T_REMOTE_IMAGE 0.01)



The script does a first grep for the strings in yellow (the spam/ham strings: "est un polluriel, SpamAssassin" and "est pas un polluriel, SpamAssassin"). There's a third string that matches all ham/spam: " un polluriel, SpamAssassin".



Then Perl is used to search for lines that match:

1-      The yellow string followed by " ("

2-      Then the green string "not cached, " (could also be "cached, ")

3-      Then the blue strings, including the digits, decimal point and minus sign ("score=-6.206, ")

4-      Then the dark grey strings, including the digits, decimal point and minus sign ("requis 6.5, ")

5-      Then the light gray string that could be omitted ("autolearn=spam, ")

6-      Then all the rule names and their respective scores (could be negative)



At the end the matching rules are printed sorted as requested.



Denis
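The same two-pass idea in Python, as an added example that is neither Denis's script nor MailScanner's own code. It keeps the spam/ham string, "score=" and "required" string configurable per language as the Perl script does, makes the "cached, " / "not cached, " token optional (the case where logs do not carry it), and can also list defined rules that never fired, which is what the original question was after. The French strings are those in the log lines above; the English strings ("spam", "not spam", "required") are assumed MailScanner defaults and must be checked against your languages.conf. The sample input is constructed: the two French lines are the ones quoted above, the English line is made up and deliberately lacks the cached token.

```python
"""Tally which SpamAssassin rules fire in MailScanner maillog lines.

Added example, not the Perl script from the thread. Assumptions (adjust to
your %report-dir%/languages.conf): the French strings are taken from the log
lines quoted in the thread; the English ones ("spam", "not spam", "required")
are assumed MailScanner defaults. The "cached, " / "not cached, " token is
treated as optional, since logs without the SpamAssassin cache lack it.
"""
import gzip
import re
from collections import Counter

STRINGS = {
    "fr": {"spam": "est un polluriel", "ham": "n'est pas un polluriel", "required": "requis"},
    "en": {"spam": "spam", "ham": "not spam", "required": "required"},  # assumed defaults
}

# Constructed sample input: the two French lines are those quoted in the
# thread; the English line is made up and deliberately lacks "not cached, ".
SAMPLE_LINES = [
    "Jun 22 13:26:16 10.32.103.21 smtps2 MailScanner[47071]: Message t5MHQFDv033375 from 10.32.106.21 (someone at usherbrooke.ca) to usherbrooke.ca is n'est pas un polluriel, SpamAssassin (not cached, score=-6.206, requis 6.5, autolearn=not spam, BAYES_00 -1.90, HTML_MESSAGE 0.00, RDNS_NONE 0.79, UDES_FROM01 -3.00, UDES_FROM02 -0.10, UDES_FROMTO01 -2.00)",
    "Jun 22 13:27:23 10.32.103.28 smtpe1 MailScanner[61090]: Message t5MHR8mw063252 from 64.5.96.10 (someone at alliinclusive.space) to usherbrooke.ca is est un polluriel, SpamAssassin (not cached, score=7.776, requis 6.5, autolearn=spam, BAYES_50 0.80, HTML_EXTRA_CLOSE 0.00, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 1.16, MIME_HTML_ONLY 0.72, MIME_HTML_ONLY_MULTI 0.00, MPART_ALT_DIFF 0.79, RDNS_NONE 0.79, STYLE_GIBBERISH 3.50, T_REMOTE_IMAGE 0.01)",
    "Jun 24 09:01:02 mx1 MailScanner[1234]: Message t5O91abc012345 from 198.51.100.7 (someone at example.com) to example.org is spam, SpamAssassin (score=8.1, required 6.5, autolearn=spam, BAYES_99 3.50, RDNS_NONE 0.79, HTML_MESSAGE 0.00, URIBL_BLACK 1.70)",
]

# One rule entry in the trailing list: "NAME score", score may be negative.
RULE_RE = re.compile(r"^(\S+) (-?\d+(?:\.\d+)?)$")


def build_pattern(strings):
    """Regex for one language: verdict, optional cache token, score, required,
    optional autolearn, then the rule list up to the closing parenthesis."""
    spam, ham, req = (re.escape(strings[k]) for k in ("spam", "ham", "required"))
    return re.compile(
        r" is (?:(?P<spam>" + spam + r")|(?P<ham>" + ham + r")), SpamAssassin \("
        r"(?:(?P<cached>(?:not )?cached), )?"        # absent when the SA cache is off
        r"score=(?P<score>-?[\d.]+), "
        + req + r" (?P<required>-?[\d.]+),"
        r"(?: autolearn=(?P<autolearn>[^,]+),)?"      # spam, ham, not spam, ...
        r"(?P<rules>.*)\)\s*$"
    )


def parse_line(line, pattern):
    """Return a dict for a MailScanner SpamAssassin result line, else None."""
    m = pattern.search(line)
    if not m:
        return None
    rules = {}
    for part in m.group("rules").split(","):
        rm = RULE_RE.match(part.strip())
        if rm:                          # skip anything that is not "NAME score"
            rules[rm.group(1)] = float(rm.group(2))
    return {
        "verdict": "spam" if m.group("spam") else "ham",
        "cached": m.group("cached"),    # None when the token is missing
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "autolearn": m.group("autolearn"),
        "rules": rules,
    }


def tally(lines, strings, want="spam"):
    """Count, per rule, how many matching messages it fired on.
    want is 'spam', 'ham' or 'all'. Returns (Counter, matched_messages)."""
    pattern = build_pattern(strings)
    counts, matched = Counter(), 0
    for line in lines:
        rec = parse_line(line, pattern)
        if rec is None or (want != "all" and rec["verdict"] != want):
            continue
        matched += 1
        counts.update(rec["rules"].keys())   # keys: one hit per rule per message
    return counts, matched


def read_log(path):
    """Yield lines from a plain or gzipped maillog."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        yield from fh


def report(counts, by="name"):
    """Sorted (rule, hits) pairs, by name or by hits descending (name breaks ties)."""
    key = (lambda kv: kv[0]) if by == "name" else (lambda kv: (-kv[1], kv[0]))
    return sorted(counts.items(), key=key)


def unused_rules(defined, counts):
    """Rules you defined that never fired: candidates for retirement."""
    return sorted(set(defined) - set(counts))


if __name__ == "__main__":
    import sys
    lines = list(read_log(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LINES
    counts, n = tally(lines, STRINGS["fr"], want="all")
    print(f"{n} messages matched")
    for name, hits in report(counts, by="hits"):
        print(f"{name:>27} {hits:5d}")
    # "UDES_FROM99" is a made-up local rule name to show the never-fired check.
    print("never fired:", unused_rules(["UDES_FROM01", "UDES_FROM99"], counts))
```

Run it with a maillog path (a .gz file is fine) or with no argument to see it work on the embedded sample; pick the STRINGS entry that matches your languages.conf, since a single log is in one language. To find obsolete local rules, feed the names of the rules you maintain to unused_rules over a long enough log window that a rarely hit rule still gets a chance to fire.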



-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On behalf of Peter Nitschke
Sent: 22 June 2015 13:21
To: mailscanner at lists.mailscanner.info
Subject: RE: Check which rules hit



This looks interesting.

I edited to English for spam, not spam etc, but when I run it, it just says "processing /var/log/maillog" and is very fast, but I get nothing, no output to screen or file that I can find.

Any suggestions how I can understand it better?

Thanks,

Peter





*********** REPLY SEPARATOR  ***********



On 19/06/2015 at 12:26 PM Denis Beauchemin wrote:



>I created this script a while back just to do that:

>#!/usr/bin/perl -w
>#
># Script that looks through maillog to find all messages tagged as spam
># by MailScanner.  It then tallies the different SpamAssassin rules
># that fired.
># Denis Beauchemin, 20050516
>
>use Getopt::Long;
>
># Where some commands reside:
>my $GREP   = "/bin/grep";
>my $GUNZIP = "/bin/gunzip";
>
># Value of "Spam =" in %report-dir%/languages.conf
>my $isSpamString  = "est un polluriel, SpamAssassin";
>my $isHamString   = "est pas un polluriel, SpamAssassin";
>my $allString     = " un polluriel, SpamAssassin";
># Value of "score =" in %report-dir%/languages.conf
>my $scoreString   = "score=";
># Value of "required =" in %report-dir%/languages.conf
>my $reqdString    = "requis ";
>my $autoString    = "autolearn=spam";
>my $cachedString  = "cached, ";
>my $nCachedString = "not cached, ";
>
>my $maillog = "/var/log/maillog";
>my @maillogs = ();
>my %hit;          # rule name => number of messages it fired on
>
>my $sortByName = 0;
>my $sortByHits = 0;
>my $getHam = 0;
>my $getAll = 0;
>my $help = 0;
>
>GetOptions(
>    'sortbyname|byname' => \$sortByName,
>    'sortbyhits|byhits' => \$sortByHits,
>    'log=s' => \@maillogs,
>    'ham'   => \$getHam,
>    'all'   => \$getAll,
>    'help'  => \$help,
>);
>
>if ( $help ) {
>    print '
>This program tallies SpamAssassin\'s rules that were triggered when an
>email was detected as spam by MailScanner.
>
>You can search for ham with the --ham option.
>
>You can search for all SpamAssassin results with the --all option.
>
>By default it sorts the results by rule name. It can also sort them by
>number of hits if called with --sortbyhits (or --byhits).
>
>The option --sortbyname (or --byname) is the default one.
>
>If you don\'t want to use the current maillog, specify a different one
>with --log new-maillog.
>
>All unknown command line parameters will be treated as additional file
>names to process.
>
>It is OK for a log file to be gzipped.
>';
>    exit;
>}
>
>push @maillogs, @ARGV;
>@maillogs = ( $maillog ) if ( @maillogs == 0 );
>#print "Maillogs: @maillogs\n";
>#my $searchString = $getHam ? $isHamString : $isSpamString;
>my $searchString;
>if ( $getAll ) {
>    $searchString = "$allString";
>} elsif ( $getHam ) {
>    $searchString = "$isHamString";
>} else {
>    $searchString = "$isSpamString";
>}
>
>foreach my $maillog ( @maillogs ) {
>    print "Processing $maillog...\n";
>
>    $sortByName++ if ( ( $sortByName == 0 ) && ( $sortByHits == 0 ) );
>
>    # First pass: let grep pull out only the candidate lines.
>    my $openCmd = "LANG=C $GREP \"$searchString\" $maillog |";
>    if ( $maillog =~ /\.gz$/ ) {
>        $openCmd = "$GUNZIP -c $maillog | LANG=C $GREP \"$searchString\" |";
>    }
>    # "or", not "||": "||" binds to the string, which is always true,
>    # so the die would never fire.
>    open LOG, $openCmd or die "Cannot open $maillog";
>
>    while ( <LOG> ) {
>        # Second pass: spam/ham string, " (", cached|not cached,
>        # score=N, requis N, optional autolearn=spam, then the rule list.
>        # ${var} keeps Perl from reading "$var[" as an array element.
>        next unless /$searchString \((?:$cachedString|$nCachedString)${scoreString}[-\d.]+, ${reqdString}[-\d.]+,(?: $autoString,)?(.*)$/;
>        my $hits = $1;
>        # Every rule appears as " NAME score" ended by "," or ")".
>        foreach my $hit ( $hits =~ / ([^\s]+) -?[\d.]+(?:,|\))/g ) {
>            $hit{$hit}++;
>        }
>    }
>
>    close LOG;
>}
>
>if ( $sortByName ) {
>    foreach my $hit ( sort keys %hit ) {
>        printf "%27s %5d\n", $hit, $hit{$hit};
>    }
>} elsif ( $sortByHits ) {
>    foreach my $hit ( sort {$hit{$b}<=>$hit{$a}} keys %hit ) {
>        printf "%27s %5d\n", $hit, $hit{$hit};
>    }
>}

>
>-----Original Message-----
>From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On behalf of Peter Nitschke
>Sent: 19 June 2015 02:21
>To: mailscanner at lists.mailscanner.info
>Subject: Check which rules hit
>
>I have built up a large number of rules for SA to use with MS and many
>are probably now obsolete.
>
>How can I monitor which rules are getting hits?
>
>Thanks.
>
>Peter
>
>--
>MailScanner mailing list
>mailscanner at lists.mailscanner.info
>http://lists.mailscanner.info/listinfo/mailscanner


