The log line from avmavis already has the sender a single time, regardless of
the number of recipients.
Also, if you grep on from, keep in mind that the email first goes from outside
to postfix (1st from), the from postfix to amavis (second from), then from
amavis back to postfix (third from).
Yassine.
On Wednesday, April 4, 2018, 8:49:43 AM GMT+1, Poliman - Serwis
<[email protected]> wrote:
Or maybe I could base on this value but divided by 3.
2018-04-04 9:43 GMT+02:00 Poliman - Serwis <[email protected]>:
Hmm, probably I can't base on this, because when I send one email I have in log
three lines with "from=" and value <[email protected]>.
1st line --> Apr 4 09:32:41 s1 postfix/submission/smtpd[5622] : NOQUEUE:
filter: RCPT from host-X.Y.Z.W.static.com[X.Y.Z. W]: <[email protected]>: Sender
address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]>
to=<[email protected]> proto=ESMTP helo=<[192.168.101.112]>
2nd line --> Apr 4 09:32:41 s1 postfix/qmgr[4801]: 74F9980483:
from=<[email protected]>, size=4359, nrcpt=1 (queue active)
3rd line --> Apr 4 09:32:41 s1 postfix/qmgr[4801]: E180480484:
from=<[email protected]>, size=4931, nrcpt=1 (queue active)
2018-04-04 7:53 GMT+02:00 Poliman - Serwis <[email protected]>:
Could you tell me I could add e-mails together from mail.log which are in line
with "from=" part? Hmm I hope I say clear. I need count emails from particular
mailbox. Can I base on "from="? For example:
Apr 3 11:49:48 s1 postfix/qmgr[722]: 3B8C313BE2D: from=<[email protected]>,
size=4000, nrcpt=1 (queue active)
2018-03-30 17:52 GMT+02:00 chaouche yacine <[email protected]>:
Absolutely. Amavis comes with a default score of 5.0. Any e-mail which has a
5.0 score or higher is considered spam. You might have false positives though,
for example if the user's ISP addresses are blacklisted, which might be the
case dependning on the country and ISP.
Yassine.
On Friday, March 30, 2018, 10:44:27 AM GMT+2, Poliman - Serwis
<[email protected]> wrote:
Yassine, appreciate your answer. I will check further in it but do you think
that spam score could help with estimate which mail from which account is or
not spam?
2018-03-30 9:27 GMT+02:00 chaouche yacine <[email protected]>:
Here are some ideas :
1/ Create a directory somewhere in /var/, for example mailstats2/ The directory
will contain one file per sender3/ Your bash script will parse the mail log
file in real time (tail -f) then tee each matching line to the corresponding
mailstats/user file, for example if the line is matching [email protected] it
will go to mailstats/bob. That way you will have, for each user, the number of
outgoing emails.
Another script will simply wc -l each mailstats user file, that will give you
the number of sent mails. You can use fail2ban for this task instead of writing
you own script. Fail2ban can be configured to scan logfiles looking for a
particular line. It will count the matching lines and if it reaches the
(configurable) maximum count in a certain (configurable) amount of time, it
will do whatever action you have configured, for example sending you an e-mail.
The mailstats file will need some maintenance, otherwise they will grow
infinitely and possibly slow down you scripts. You can use logrotate to archive
your mailstats files and create new ones automatically for you after either a
specific amount of time or after a specific mail size.
It's not trivial, but it should work.
Yassine.
On Friday, March 30, 2018, 7:16:33 AM GMT+2, Poliman - Serwis
<[email protected]> wrote:
Some emails has "Hits" value even, for example 2,5. What is (if it's possible
to say) good value? I am going to create script in bash which send me an email
when from particular email account will outbound for example 300 emails per
day. Kind of warning. But I am not sure I could use spam score to it. What do
you think guys about it?
2018-03-29 17:58 GMT+02:00 chaouche yacine <[email protected]>:
It is, that's the spam score. It helps to visualise if a particular mailbox is
bombarded with spam (can happen with lots and lots of e-mails from qq.com, I
have that domain banned in postfix itself).
Yassine.
On Thursday, March 29, 2018, 3:21:16 PM GMT+1, Alex JOST
<[email protected]> wrote:
Am 29.03.2018 um 15:30 schrieb Poliman - Serwis:
> This one works well. One question based on one from generated lines:
> Mar 26 11:47:41 ORIGINATING LOCAL [127.0.0.1]:38920 <[email protected]>
> -> <[email protected]>,<p. [email protected]>, Hits: 0.742
>
> Mar 26 11:47:41 --> this is date and hour when mail from
> [email protected] was sent to [email protected] and
> [email protected], am I right?
> What are "Hits: 0.742" ?
Looks like amavisd scoring.
--
Alex JOST
--
Pozdrawiam / Best Regards
Piotr Bracha
--
Pozdrawiam / Best Regards
Piotr Bracha
--
Pozdrawiam / Best Regards
Piotr Bracha
--
Pozdrawiam / Best Regards
Piotr Bracha
--
Pozdrawiam / Best Regards
Piotr Bracha
