At 09:35 -0700 Scott Call wrote:
>basically what I'd like is a cronable script to run every 5-10 minutes and
>give a report of suspicious stuff.
Better perhaps to just hack the stripcharts for eximon.
eg, I have:
LOG_STRIPCHARTS='/ (unexpected disconnection while reading|SMTP command timeout on connection|SMTP protocol violation|SMTP call from .+? dropped:)/dropped/
/ rejected (after DATA: (This message contains|.+? files are not accepted here)|by local_scan)/virus/
/ (Warning: p(roba|ossi)ble spam|rejected after DATA: SpamAssassin:)/spam/
/ <= /in/
/ => /out/
/ [\-=]> .+ T=lmtpsock/lmtp/
/ [\-=]> .+ T=remote_smtp/smtp/'
Most of the log messages are written by my ACLs. Be as creative as you
dare!
An example of what my eximon looks like is at:
http://www.dcs.qmul.ac.uk/~mb/stripcharts.png
It's not perfect, but it's quite useful to me (in this case it shows how
effective the delay tactics are against spam attacks on an otherwise quiet
evening). YMWV.
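As an added example (not from the original post, and not eximon's own code), here is a small Python script of the kind Scott asked for: it parses the LOG_STRIPCHARTS definitions above in their /regex/name/ form, runs each pattern independently over the main log (as the stripcharts do, so one line can count under several charts), and prints a per-chart tally. The sample log lines and the parse_stripcharts, tally and report names are constructed for the example; only the patterns are taken from the post.

```python
import re
from collections import Counter

# Stripchart definitions copied from the post, one /regex/name/ entry per line.
LOG_STRIPCHARTS = r"""
/ (unexpected disconnection while reading|SMTP command timeout on connection|SMTP protocol violation|SMTP call from .+? dropped:)/dropped/
/ rejected (after DATA: (This message contains|.+? files are not accepted here)|by local_scan)/virus/
/ (Warning: p(roba|ossi)ble spam|rejected after DATA: SpamAssassin:)/spam/
/ <= /in/
/ => /out/
/ [\-=]> .+ T=lmtpsock/lmtp/
/ [\-=]> .+ T=remote_smtp/smtp/
"""

# Constructed sample of Exim main-log lines (addresses and hosts are documentation ranges).
SAMPLE_LOG = [
    "2004-03-03 21:12:01 1AyJmE-0003Ap-00 <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=2048",
    "2004-03-03 21:12:02 1AyJmE-0003Ap-00 => bob <bob@example.net> R=localuser T=lmtpsock",
    "2004-03-03 21:12:05 1AyJmF-0003Aq-00 => carol@example.com R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.20]",
    "2004-03-03 21:12:09 SMTP command timeout on connection from (foo) [198.51.100.5]",
    "2004-03-03 21:12:12 H=(bar) [198.51.100.7] F=<x@example.com> rejected after DATA: SpamAssassin: score 12.3",
    "2004-03-03 21:12:15 H=(baz) [198.51.100.9] F=<v@example.com> rejected after DATA: This message contains a virus (Eicar-Test-Signature).",
    "2004-03-03 21:12:20 unexpected disconnection while reading SMTP command from (qux) [198.51.100.11]",
]


def parse_stripcharts(text):
    """Turn /regex/name/ entries into an ordered list of (name, compiled regex).

    The regex part is everything before the last '/', so the pattern itself
    may not contain a slash (none of the patterns above do).
    """
    charts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not (line.startswith("/") and line.endswith("/")):
            raise ValueError("bad stripchart entry: %r" % line)
        pattern, _, name = line[1:-1].rpartition("/")
        charts.append((name, re.compile(pattern)))
    return charts


def tally(log_lines, charts):
    """Count, per chart, how many log lines match its pattern.

    Charts are matched independently: a delivery line matches both 'out' and
    one of the transport charts, exactly as it would feed two stripcharts.
    """
    counts = Counter({name: 0 for name, _ in charts})
    for line in log_lines:
        for name, rx in charts:
            if rx.search(line):
                counts[name] += 1
    return dict(counts)


def report(log_lines, charts):
    """One line per chart, suitable for mailing from cron."""
    counts = tally(log_lines, charts)
    return "\n".join("%-8s %d" % (name, counts[name]) for name, _ in charts)


if __name__ == "__main__":
    # In a cron job you would read the lines written since the last run
    # (e.g. the tail of /var/log/exim/mainlog) instead of SAMPLE_LOG.
    print(report(SAMPLE_LOG, parse_stripcharts(LOG_STRIPCHARTS)))
```

The script only tallies what the patterns already classify; the ACL messages the patterns look for are whatever your own ACLs write, so the definitions need to be kept in step with them.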