On Wed, 08 Jul 2009, Chris Turan wrote:

> The idea is to count the number of envelope recipients to determine
> who's sending to lots of people. If someone goes over 500 per day, flag
> them as suspicious and alert me.

It might be better to define a "someone" as an IP rather than an envelope sender, which is easily spoofed. But your implementation requirements may not allow this.

> Postfix already logs part of this in syslog but the recipient list is
> truncated or split up between multiple syslog messages. It's not easily
> usable directly from syslog in its current form.

You might be able to use the fact that qmgr(8) logs the original recipient count. Example:

  postfix/qmgr[54662]: 98EF25C51: from=<f...@bar.org>, size=717, nrcpt=5

Take care to avoid double counting in situations where mail to some recipients is temporarily deferred. In that case, Postfix periodically retries and similar qmgr(8) log entries will contain that same recipient count with that same queue ID. That is probably one of many caveats when parsing the logs to aggregate recipients per sender over any time period.

> Anyone do anything like this yet? Have any suggestions or alternative
> ways of doing this?

You could parse the logs and implement your own solution or maybe use an existing policy service that already has this functionality.

-- 
Sahil Tandon <sa...@tandon.net>
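The log-parsing approach sketched in the reply (read the qmgr(8) `nrcpt=` field, count each queue ID once so retries of deferred mail are not double counted, then flag senders over a daily threshold), as an added example that is not part of the thread; the log lines, sender addresses and the 500-recipient threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the qmgr(8) line format quoted in the reply, e.g.
#   postfix/qmgr[54662]: 98EF25C51: from=<f...@bar.org>, size=717, nrcpt=5
# Queue IDs are short hex or long alphanumeric, so accept both.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>, "
    r"size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def count_recipients(lines):
    """Return {envelope sender: total recipients}, counting each queue ID once."""
    seen_qids = set()
    totals = defaultdict(int)
    for line in lines:
        m = QMGR_RE.search(line)
        if not m:
            continue  # smtp(8)/smtpd(8)/other lines carry no recipient count
        qid = m.group("qid")
        if qid in seen_qids:
            continue  # retry of deferred mail: same queue ID logged again
        seen_qids.add(qid)
        totals[m.group("sender")] += int(m.group("nrcpt"))
    return dict(totals)


def flag_senders(totals, threshold=500):
    """Senders whose aggregated recipient count exceeds the threshold."""
    return sorted(s for s, n in totals.items() if n > threshold)


# Constructed sample log (not real data): one deferred message is retried,
# so its qmgr line appears twice with the same queue ID and nrcpt.
SAMPLE_LOG = """\
Jul  8 10:00:01 mx postfix/qmgr[54662]: 98EF25C51: from=<alice@example.org>, size=717, nrcpt=5 (queue active)
Jul  8 10:00:02 mx postfix/qmgr[54662]: A1B2C3D4E5: from=<bulk@example.org>, size=2048, nrcpt=400 (queue active)
Jul  8 10:05:00 mx postfix/smtp[54700]: A1B2C3D4E5: to=<x@example.net>, status=deferred (connection timed out)
Jul  8 10:15:02 mx postfix/qmgr[54662]: A1B2C3D4E5: from=<bulk@example.org>, size=2048, nrcpt=400 (queue active)
Jul  8 11:00:00 mx postfix/qmgr[54662]: F00DBEEF01: from=<bulk@example.org>, size=1024, nrcpt=150 (queue active)
Jul  8 11:30:00 mx postfix/qmgr[54662]: 0BADF00D02: from=<>, size=500, nrcpt=1 (queue active)
""".splitlines()

if __name__ == "__main__":
    totals = count_recipients(SAMPLE_LOG)
    print(totals)                  # bulk@example.org totals 550, not 950
    print(flag_senders(totals))    # ['bulk@example.org']
```

To key on the client IP instead, as the reply suggests, join on the queue ID with the smtpd(8) line of the form `QUEUEID: client=host[addr]`, which qmgr(8) itself does not log.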