On 7/12/2014 7:09 PM, Wietse Venema wrote:
> Noel Jones:
>> Probably more useful to help identify abuse would be a counter of
>> valid/total RCPT commands within a session that drops. nrcpt=N/T
>> where N is valid recipients, T is total RCPT commands. I think
>> valid/total is easier to explain than valid/rejected, and makes a
>> pretty fraction display.
>>
>> proposed log:
>> postfix/smtpd[nnn]: lost connection after RCPT from
>> test.example.com[192.0.2.100], nrcpt=N/T
>
> [I am making an exception to respond on-list to known people.]
>
> Interesting idea, but why not log these numbers with the "disconnect"
> event? This is logged for all SMTP sessions, whether or not the client
> terminates a session with the QUIT command.

Yes, that had occurred to me, but then you would still have to correlate the stats on the disconnect line with a premature lost connection earlier in the log. At least for now, the lost connection is a nice flag for possible abuse, and normal disconnects are less interesting. My goal is something a simple grep command can identify for further investigation.

> And more counters might be of interest: the distribution of
> accepted/total number of {helo/mail/rcpt/data/dot/other} commands
> would give the demographics of an SMTP session. If a client hangs
> up after sending MAIL FROM and that command was or was not accepted,
> then that is a clue that would otherwise only be available with
> verbose logging.

I was trying to start with something easily implemented. Moving past that...

A new "connection stats" line logged separately after the disconnect could include all that and more, would surely be used for things I haven't thought of, while still being fairly easy to explain.

Sample log expanding on the earlier ideas, n=valid T=total S=seconds:

postfix/smtpd[nnn]: stats: test.example.com[192.0.2.100]:port, helo=n/T, auth=n/T, mail=n/T, rcpt=n/T, data=n/T, dot=n/T, quit=n/T, other=n/T, bytes=transmitted/received, duration=SSS.ss, TLS={none|anonymous|trusted|...}

I'm not sure how to indicate a lost connection in the sample above. Would including a "quit=n/T" be sufficient, 0/0 indicating a lost connection, 1/1 normal? Or would there need to be a separate end={normal|lost} indicator? Or maybe better for documenting, "quit={yes|none}"

Admittedly, I have no idea what it would take to add all that info. Not my intention to propose a 3-month project. But you asked, so I'll shoot for the moon.

-- 
Noel Jones
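To show what the proposed "stats:" line would buy a defender once it exists, here is an added example (not code from the thread, and not anything Postfix ships) that parses lines in the format proposed above and flags the signal the message is after: a session whose quit counter is 0/0 (the suggested "client hung up" marker) combined with mostly-rejected RCPT commands or failed AUTH attempts, together with the stage at which the client gave up. The log lines are constructed samples in the proposed format; the thresholds, field handling for bytes/duration/TLS, and the quit=0/0 convention are assumptions taken from the message, not established Postfix behaviour.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the "stats:" line format proposed in the message
# above. Assumption: Postfix does not emit such a line; the format exists only
# as a proposal in the thread.
SAMPLE_LOG = """\
Jul 12 19:30:01 mx postfix/smtpd[1234]: stats: mail.example.org[192.0.2.10]:43210, helo=1/1, auth=0/0, mail=1/1, rcpt=2/2, data=1/1, dot=1/1, quit=1/1, other=0/0, bytes=1200/850, duration=1.42, TLS=trusted
Jul 12 19:30:07 mx postfix/smtpd[1235]: stats: unknown[192.0.2.55]:51000, helo=1/1, auth=0/0, mail=1/1, rcpt=1/25, data=0/0, dot=0/0, quit=0/0, other=0/0, bytes=0/2100, duration=8.03, TLS=none
Jul 12 19:30:09 mx postfix/smtpd[1236]: stats: unknown[192.0.2.77]:51001, helo=1/1, auth=0/3, mail=0/0, rcpt=0/0, data=0/0, dot=0/0, quit=0/0, other=0/0, bytes=0/300, duration=2.10, TLS=none
Jul 12 19:30:11 mx postfix/smtpd[1237]: disconnect from mail.example.org[192.0.2.10]
"""

# Matches the proposed line; everything after the client address is a
# comma-separated list of key=value fields.
STATS_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: stats: "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+), (?P<fields>.*)$"
)
# name=valid/total counters (helo, auth, mail, rcpt, data, dot, quit, other)
COUNTER_RE = re.compile(r"(?P<name>[a-z]+)=(?P<valid>\d+)/(?P<total>\d+)")

# SMTP command order, used to find the stage at which a client gave up.
STAGES = ("helo", "auth", "mail", "rcpt", "data", "dot")


@dataclass
class Session:
    pid: int
    host: str
    ip: str
    port: int
    counters: dict          # command name -> (valid, total)
    bytes_sent: int
    bytes_received: int
    duration: float
    tls: str

    @property
    def lost(self) -> bool:
        """quit=0/0 is the message's suggestion for 'client hung up without QUIT'."""
        return self.counters.get("quit", (0, 0)) == (0, 0)

    @property
    def last_stage(self) -> str:
        """Last command the client actually issued (total > 0), or 'connect'."""
        stage = "connect"
        for name in STAGES:
            if self.counters.get(name, (0, 0))[1] > 0:
                stage = name
        return stage


def parse_stats_line(line: str):
    """Parse one proposed 'stats:' line; return a Session, or None for other lines."""
    m = STATS_RE.search(line)
    if not m:
        return None
    counters, sent, received, duration, tls = {}, 0, 0, 0.0, "none"
    for field in m.group("fields").split(", "):
        if field.startswith("bytes="):          # bytes=transmitted/received is not a counter
            sent, received = (int(x) for x in field[len("bytes="):].split("/"))
        elif field.startswith("duration="):
            duration = float(field[len("duration="):])
        elif field.startswith("TLS="):
            tls = field[len("TLS="):]
        else:
            cm = COUNTER_RE.fullmatch(field)
            if cm:
                counters[cm["name"]] = (int(cm["valid"]), int(cm["total"]))
    return Session(int(m["pid"]), m["host"], m["ip"], int(m["port"]),
                   counters, sent, received, duration, tls)


def parse_log(text: str):
    """All stats sessions in a log excerpt; non-matching lines are skipped."""
    return [s for s in (parse_stats_line(l) for l in text.splitlines()) if s]


def flag_sessions(sessions, min_rcpt=5, max_rcpt_ratio=0.5):
    """Return (ip, last_stage, reasons) for sessions that were lost AND show
    rejected recipients or failed AUTH attempts. Thresholds are assumptions."""
    flagged = []
    for s in sessions:
        reasons = []
        ok, total = s.counters.get("rcpt", (0, 0))
        if total >= min_rcpt and ok / total <= max_rcpt_ratio:
            reasons.append(f"rcpt={ok}/{total}")
        a_ok, a_total = s.counters.get("auth", (0, 0))
        if a_total > 0 and a_ok == 0:
            reasons.append(f"auth={a_ok}/{a_total}")
        if s.lost and reasons:
            flagged.append((s.ip, s.last_stage, reasons))
    return flagged


if __name__ == "__main__":
    for ip, stage, reasons in flag_sessions(parse_log(SAMPLE_LOG)):
        print(f"{ip}: lost connection after {stage.upper()}, {', '.join(reasons)}")
```

Run as a script it reports the two lost sessions in the sample and stays silent on the clean one that ended with QUIT. Because the counters, the hang-up marker and the stage all live on one line, this is exactly the kind of correlation the message wants to avoid doing across a "lost connection" line and a later "disconnect" line.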