>My next step would be to write something that would analyse my logs to
>see exactly what the rules are doing - and to try razor.

Here ya go! Ninja D is da man! :)

>I just whipped up a quick maillog parser to display top rules firing in
>3.0. It reads all maillog* files and generates top firing rules for
>ham and spam, as well as some general info. A copy of it can be found
>here http://www.rulesemporium.com/programs/sa-stats.txt
>
>[EMAIL PROTECTED] tmp]# perl sa-stats.pl 5
>Email:  31808  Autolearn:  2245  AvgScore:   1.68  AvgScanTime:  2.13 sec
>Spam:    4381  Autolearn:  2219  AvgScore:  12.43  AvgScanTime:  4.41 sec
>Ham:    27427  Autolearn:    26  AvgScore:  -0.04  AvgScanTime:  1.76 sec
>
>Time Spent Running SA:        18.80 hours
>Time Spent Processing Spam:    5.37 hours
>Time Spent Processing Ham:    13.43 hours
>
>TOP SPAM RULES FIRED
>------------------------------------------------
>COUNT  RULE NAME                        PERCENT
>------------------------------------------------
> 3616  HTML_MESSAGE                       5.55%
> 2249  URIBL_SBL                          3.45%
> 2069  MIME_HTML_ONLY                     3.18%
> 1885  URIBL_WS_SURBL                     2.89%
> 1630  URIBL_SC_SURBL                     2.50%
>------------------------------------------------
>
>TOP HAM RULES FIRED
>------------------------------------------------
>COUNT  RULE NAME                        PERCENT
>------------------------------------------------
> 6996  AWL                               17.56%
> 2969  HTML_MESSAGE                       7.45%
> 2546  NO_REAL_NAME                       6.39%
> 2465  FORGED_RCVD_HELO                   6.19%
> 2019  LONGWORD_TEST_1                    5.07%
>------------------------------------------------
>
>You can override the number of top rules shown by passing a number to
>the script..
>  ./sa-stats 10   # shows top 10
>
>  ./sa-stats      # shows default of 20
>
>You can change the default number of rules shown by changing
>  $TOPRULES=20;
>in the script.
>
>That's about all it does right now, but that's all I wanted it to do :)
>
>
>It's pretty CPU intensive on large maillogs, so be warned. It's less
>than 1 second (2.4P4,512MB) for around 30k records, at least on my
>maillogs...
>
>[EMAIL PROTECTED] tmp]# time perl sa-stats.pl | tail -0
>real 0m0.896s
>user 0m0.880s
>sys 0m0.010s
>
>Using it like this works well...
>
>[EMAIL PROTECTED] tmp]# perl sa-stats.pl | mail <youremail>
>
>Have Fun!
>
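
An added example, not part of the original post and not the sa-stats.pl script: a small Python tally of top-firing rules for spam and ham, in the spirit of the report quoted above. The spamd `result:` line layout, the sample log lines and the function names are assumptions; PERCENT is computed here as a rule's share of all rule hits in its class.

```python
import re
from collections import Counter

# Assumed SpamAssassin 3.0 spamd "result:" layout; the post does not show it.
RESULT_RE = re.compile(
    r"spamd\[\d+\]: result: (?P<verdict>[Y.])\s+(?P<score>-?[\d.]+) - "
    r"(?P<rules>\S*) scantime=(?P<scantime>[\d.]+)"
)

# Constructed sample lines, not taken from a real maillog.
SAMPLE_LOG = """\
Oct 10 04:02:11 mx1 spamd[2101]: result: Y 14 - HTML_MESSAGE,MIME_HTML_ONLY scantime=4.2,size=3120,mid=<a1@example.test>,autolearn=spam
Oct 10 04:02:19 mx1 spamd[2101]: result: Y 9 - HTML_MESSAGE,URIBL_SBL scantime=3.8,size=1804,mid=<a2@example.test>,autolearn=no
Oct 10 04:03:02 mx1 spamd[2101]: result: . -1 - AWL,HTML_MESSAGE scantime=1.5,size=5210,mid=<a3@example.test>,autolearn=no
Oct 10 04:03:40 mx1 spamd[2101]: result: . 0 -  scantime=1.1,size=912,mid=<a4@example.test>,autolearn=ham
Oct 10 04:04:05 mx1 spamd[2101]: result: . 1 - AWL,NO_REAL_NAME scantime=2.0,size=2733,mid=<a5@example.test>,autolearn=no
Oct 10 04:04:06 mx1 sendmail[2200]: constructed non-spamd line that must be skipped
"""


def tally(lines):
    """Accumulate message count, score, scan time and rule hits per class."""
    stats = {c: {"msgs": 0, "score": 0.0, "time": 0.0, "rules": Counter()}
             for c in ("spam", "ham")}
    for line in lines:
        m = RESULT_RE.search(line)
        if not m:
            continue  # not a spamd result line
        s = stats["spam" if m["verdict"] == "Y" else "ham"]
        s["msgs"] += 1
        s["score"] += float(m["score"])
        s["time"] += float(m["scantime"])
        # A message that hit no rules logs an empty rule list.
        s["rules"].update(r for r in m["rules"].split(",") if r)
    return stats


def top_rules(rules, n=20):
    """Return (rule, hits, percent of all rule hits in this class)."""
    total = sum(rules.values())
    return [(name, hits, round(100.0 * hits / total, 2))
            for name, hits in rules.most_common(n)]


if __name__ == "__main__":
    for cls, s in tally(SAMPLE_LOG.splitlines()).items():
        print(cls.upper(), s["msgs"], "msgs, avg score",
              round(s["score"] / max(s["msgs"], 1), 2))
        for name, hits, pct in top_rules(s["rules"], 5):
            print(f"{hits:5d}  {name:<30}{pct:6.2f}%")
```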