2009/7/9 Chris Turan <li...@christuran.com>: > The idea is to count the number of envelope recipients to determine who's > sending to lots of people. If someone goes over 500 per day, flag them as > suspicious and alert me. > > Postfix already logs part of this in syslog but the recipient list is > truncated or split up between multiple syslog messages. Its not easily > usable directly from syslog in its current form. > > Anyone do anything like this yet? Have any suggestions or alternative ways > of doing this?
I haven't done this myself, but I hear policy servers are quite popular for this sort of thing (the usual question is how to setup sending quotas for users, so this would be a slight modification).
