Hi Sander,
On Fri, Apr 09, 2004 at 10:09:27AM +0200, Sander Smeenk wrote:
>
> Each day, FreeBSD mails me the daily checkup mails, which unfortunately
> contains the complete Exim reject-log. And there's my problem. I'd like
> to filter out the tons of rejects on that specific domain. But I can't
> find the place to do just that.
Not precisely what you're after, but I run this script on a daily basis to
have rejection details mailed daily. It's a _very_ rough hack but it
suffices for me.
I seem to remember though that the now exim FreeBSD port maintainer
Oliver Eikemeier produced a daily periodic script for exim - exactly
what it did or where you can find it I don't remember now, perhaps he
will contribute to the thread. This search turns a few results up:
http://marc.theaimsgroup.com/?l=exim-users&w=2&r=1&s=freebsd+periodic&q=b
Anyway my script is below, as I say it's very personalized and very
rough, just food for thought really. I've added some comments as
well... If you come up with anything else I'd be interested to know
about it.
-snip-
#!/bin/sh
LOG_DIR=/var/log/exim
DATE=`date "+%Y%m%d"`
paniclog="$LOG_DIR/panic.$DATE.log"
mainlog="$LOG_DIR/main.$DATE.log"
rejectlog="$LOG_DIR/reject.$DATE.log"
tmpfile=/tmp/$$.mailreport
# I don't use this any more, this was a very dodgy hack!
virus_senders=/usr/local/etc/exim/virus_senders.$DATE
# I don't use this any more, this was a very dodgy hack!
searchlist="
sender verify
rbl
rejected after DATA
rejected HELO
This message contains an unwanted file extension
Bad EHLO/HELO detected
"
# Gives a list of rejected hosts and num times the host was rejected,
# woefully slow and inefficient!
uniq_rejects(){
echo "Rejected messages by host:"
grep "rejected after" $rejectlog | sed -e 's,.*H=\([^ ]*\).*,\1,' | sort | uniq -c | sort -n
}
# just to check if anything hit the panic log for the day in question:
check_paniclog(){
# check if a paniclog exists:
if [ -f $paniclog ]; then
echo "Found panic log $paniclog:"
cat $paniclog
echo ""
fi
}
# I don't use this any more, this was a very dodgy hack!
check_searchlist(){
old_ifs=$IFS
IFS="
"
for search in $searchlist
do
grep "$search" $mainlog > $tmpfile
if [ -s "$tmpfile" ]; then
echo "$search:"
cat $tmpfile
echo
fi
done
rm $tmpfile
}
# I don't use this any more, this was a very dodgy hack!
check_viriisenders(){
if [ -f $virus_senders ]; then
echo "Virus senders:"
cat $virus_senders
fi
}
# this is the mainstay of the script now, gives a quick overview of what
# number of messages were rejected on what basis - modify the /patterns/
# to suit your ACL rejection messages:
eximstats(){
/usr/local/sbin/eximstats \
-ne -nr -nt -nvr -tnl -t0 -h0 -q0 \
-pattern Malware /malware/ \
-pattern Unrouteable /:.*Unrouteable.*address/ \
-pattern HELO /HELO.*MISMATCH.*Forged.*HELO.*for/ \
-pattern RBL /rbl:/ \
-pattern Spamassassin /Spam.*score/ \
-pattern BadAttachment \
/This.*message.*contains.*an.*unwanted.*file.*extension/ \
$mainlog
}
# this gives a short summary of what kind of malware we're rejecting:
virus_sort(){
echo "Malware:"
grep malware $mainlog | awk '{print $NF}' | sort | uniq -c
}
check_paniclog
check_viriisenders
uniq_rejects
eximstats
virus_sort
-snip-
--
Jez Hancock
- System Administrator / PHP Developer
http://munk.nu/
http://jez.hancock-family.com/ - Another FreeBSD Diary
http://ipfwstats.sf.net/ - ipfw peruser traffic logging