Ion-Mihai Tetcu wrote:
> On Thu, 13 Mar 2008 16:53:06 -0700
> Will McCullough <will@highend3d.com> wrote:
>
>
>> Hello,
>>
>> Does anyone know how I can display IP address of the sender on the
>> quarantine template? I suspect that some IPs are consistently spamming
>> my server and I'd like to ban them on the firewall. So for that reason
>> I'd like to display by IP and also sort by IP for quick viewing. Any
>> assistance appreciated.
>>
>
> Why not use
> TrackSources spam
> in dspam.conf ?
> Then
> bzgrep 'spam detected from ' /var/log/maillog | sed 's/.*spam detected from //' | sort -u
> will give you a nice list of IPs.
>
> Or, if you need more context, you can use the system.log
> I use the following in multitail.conf to make it easier to keep an eye
> on what happens with my dspam:
> # dspam log
> colorscheme:dspam:dspam.nuclearelephant.com
> cs_re_s:magenta:[A-Z][a-z]{2}[ ][0-9]{2}[ ][0-9]{2}[:][0-9]{2}[:][0-9]{2}[ ][0-9]+[[:blank:]](S)
> cs_re_s:red:[A-Z][a-z]{2}[ ][0-9]{2}[ ][0-9]{2}[:][0-9]{2}[:][0-9]{2}[ ][0-9]+[[:blank:]](N)
> cs_re_s:blue:[A-Z][a-z]{2}[ ][0-9]{2}[ ][0-9]{2}[:][0-9]{2}[:][0-9]{2}[ ][0-9]+[[:blank:]]([I|W])
> cs_re_s:blue:[A-Z][a-z]{2}[ ][0-9]{2}[ ][0-9]{2}[:][0-9]{2}[:][0-9]{2}[ ][0-9]+[[:blank:]]([M])
> cs_re_s:magenta:(Quarantined)
> cs_re_s:red:.*(Blacklisted).*\((.*)\)
> cs_re_s:yellow:.*(Retrained).*
> cs_re_s:blue:(Delivered|Auto-Whitelisted)
> cs_re_s:green:([a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+)
> # dspam
> scheme:dspam:/var/db/dspam/
> #dspam
> convert:dspam:epochtodate:^([0-9]+)
>
> And run multitail like:
> multitail -M 500 -cv dspam -ke '10[[:digit:]][[:digit:]],[[:alnum:]]+[[:blank:]]' \
> -ke '[[:blank:]]0[.][[:alnum:]]+' \
> -ke '<[a-zA-Z$.@0-9]+>$' \
> -cS dspam -f /var/db/dspam/system.log
>
>
>
>
I found this to be an interesting question, and I really liked your answer too. But it raised more questions about my installation. First of all, what is the difference between the configure option logfile=*** and system.log? I set my logfile=somepath/dspam.log on my configure command line. Funny thing is, nothing has gone into that file yet, nor has the file been created yet. However, I do have a system.log in my dspam-home directory, in which it does seem a lot of stuff is getting logged. Which brings me to my second question: I enabled the "TrackSources spam" in my dspam.conf, but I still don't see any IP addresses going in there, so that must not be the way it was meant to be.
Received on Mon Mar 17 23:05:01 2008
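
Added example (not part of the original messages and not DSPAM's own code): a shell function that goes one step beyond the bzgrep pipeline quoted above by counting hits per source and keeping only well-formed IPv4 addresses, so the result can be reviewed before anything goes on the firewall. It assumes only that each relevant log line contains "spam detected from " followed by the address, as that grep implies; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Assumption: the source address directly follows the phrase
# "spam detected from " on each relevant log line.

# Constructed sample lines (not real log output; other fields are made up).
sample_log() {
cat <<'EOF'
Mar 13 16:01:02 mx dspam[411]: spam detected from 192.0.2.10
Mar 13 16:01:09 mx dspam[412]: spam detected from 198.51.100.7
Mar 13 16:02:30 mx dspam[413]: spam detected from 192.0.2.10
Mar 13 16:03:11 mx sendmail[500]: unrelated line, no match
Mar 13 16:04:45 mx dspam[414]: spam detected from 203.0.113.5
Mar 13 16:05:00 mx dspam[415]: spam detected from 999.1.1.1
Mar 13 16:06:17 mx dspam[416]: spam detected from 198.51.100.7
Mar 13 16:07:59 mx dspam[417]: spam detected from 192.0.2.10
EOF
}

# spam_sources MIN: read log lines on stdin and print "count address" for
# every IPv4 source seen at least MIN times, busiest first.
spam_sources() {
    min=${1:-1}
    sed -n 's/.*spam detected from \([0-9.]*\).*/\1/p' |
    awk -v min="$min" '
        # Accept only dotted quads with octets 0-255, so malformed
        # log content never ends up in a firewall rule.
        function valid(a,   n, p, i) {
            n = split(a, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || length(p[i]) > 3 || p[i] + 0 > 255)
                    return 0
            return 1
        }
        valid($0) { seen[$0]++ }
        END { for (ip in seen) if (seen[ip] >= min) print seen[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Stand-alone run on the constructed sample: sources seen at least twice.
sample_log | spam_sources 2
```

On a live system, pipe the decompressed mail log into spam_sources in place of sample_log.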