Noel Jones:
> Probably more useful to help identify abuse would be a counter of
> valid/total RCPT commands within a session that drops. nrcpt=N/T
> where N is valid recipients, T is total RCPT commands. I think
> valid/total is easier to explain than valid/rejected, and makes a
> pretty fraction display.
>
> proposed log:
> postfix/smtpd[nnn]: lost connection after RCPT from
> test.example.com[192.0.2.100], nrcpt=N/T

[I am making an exception to respond on-list to known people.]

Interesting idea, but why not log these numbers with the "disconnect"
event? This is logged for all SMTP sessions, whether or not the client
terminates a session with the QUIT command.

And more counters might be of interest: the distribution of
accepted/total number of {helo/mail/rcpt/data/dot/other} commands
would give the demographics of an SMTP session. If a client hangs
up after sending MAIL FROM and that command was or was not accepted,
then that is a clue that would otherwise only be available with
verbose logging.

	Wietse
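
How a log reader could use the proposed counter to spot abuse, as an added example that is not part of the original thread or of Postfix itself: it parses the `nrcpt=N/T` format proposed above and sums valid/total RCPT counts per client. The sample log lines, function names and thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the log format proposed in the thread
# (nrcpt=N/T: N valid recipients out of T RCPT commands). Not real logs.
SAMPLE_LOG = """\
Jan 10 03:12:01 mx postfix/smtpd[2101]: lost connection after RCPT from unknown[198.51.100.7], nrcpt=0/25
Jan 10 03:12:09 mx postfix/smtpd[2104]: lost connection after RCPT from unknown[198.51.100.7], nrcpt=1/40
Jan 10 03:13:30 mx postfix/smtpd[2110]: lost connection after RCPT from test.example.com[192.0.2.100], nrcpt=2/2
Jan 10 03:14:02 mx postfix/smtpd[2115]: lost connection after DATA from mail.example.net[203.0.113.5]
Jan 10 03:15:44 mx postfix/smtpd[2120]: lost connection after RCPT from test.example.com[192.0.2.100], nrcpt=1/3
"""

LINE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: lost connection after (?P<stage>\w+) "
    r"from (?P<host>\S+)\[(?P<ip>[0-9A-Fa-f:.]+)\], nrcpt=(?P<valid>\d+)/(?P<total>\d+)\s*$"
)

def tally(lines):
    """Sum valid/total RCPT counts per client IP over dropped sessions."""
    stats = defaultdict(lambda: {"sessions": 0, "valid": 0, "total": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # no counter on this line (other event, or older format)
        valid, total = int(m["valid"]), int(m["total"])
        if valid > total:
            continue  # malformed: N can never exceed T
        s = stats[m["ip"]]
        s["sessions"] += 1
        s["valid"] += valid
        s["total"] += total
    return dict(stats)

def suspects(stats, min_total=20, max_valid_ratio=0.1):
    """Clients that sent many RCPTs of which few were valid (thresholds are assumptions)."""
    return sorted(
        ip for ip, s in stats.items()
        if s["total"] >= min_total and s["valid"] / s["total"] <= max_valid_ratio
    )

if __name__ == "__main__":
    for ip in suspects(tally(SAMPLE_LOG.splitlines())):
        print(ip)
```

Aggregating per client rather than per session matters here because a client that drops after a handful of rejected recipients in each of many sessions only stands out once the fractions are summed.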