Re: some weight for 12-letter 2nd level labels

Len Conrad Tue, 31 Aug 2010 13:01:59 -0700

no wrap on my 20" screen, sorry for the wrap here.

high-rate 12-letter sender domains:



hold:'s for excessive sender per unknown client IP

egrep -i "postfix.*hold: .*CLIENT_" /var/log/maillog | egrep -i unknown | awk 
'{print $10,$(NF-3), $NF}' | sort -f | uniq -ic | sort -t[ -k2 | sed -e 's/\[/ 
\[/' | tr -d "[]:" | awk '{ printf "%5s\t%50s%18s\t%5s\n",$1,$2,$3,$4,$5}' | 
egrep -i "@[a-z]{12,12}\."
    5                                              unknown     173.244.42.83    
from=<i...@soleilejusds.com>
    5                                              unknown     174.122.67.52    
from=<ju...@rottlemandat.net>
    5                                              unknown     174.122.67.58    
from=<ju...@pulishtropal.net>
   39                                              unknown   174.139.141.186    
from=<medicalad...@vasconisuret.net>
    5                                              unknown   174.139.141.186    
from=<shopp...@vasconisuret.net>
   39                                              unknown    174.139.141.68    
from=<medicalad...@venomynitent.net>
    5                                              unknown    174.139.141.68    
from=<shopp...@venomynitent.net>
    5                                              unknown       209.62.7.89    
from=<i...@cantuttaurid.com>
    6                                              unknown      64.247.42.11    
from=<i...@rateenbassed.org>
    5                                              unknown    66.197.153.119    
from=<i...@khatriorthal.com>
    6                                              unknown    69.167.186.173    
from=<p...@parnelpashto.net>
   45                                              unknown      69.61.28.104    
from=<buylowaucti...@trigasplumet.net>
    5                                              unknown      69.61.28.104    
from=<val...@trigasplumet.net>
    5                                              unknown     72.55.146.236    
from=<i...@lohochdreynt.com>
    5                                              unknown      76.73.69.252    
from=<i...@miscaleughen.com>

hold: for excessive sends per sender:

egrep -i "postfix.*hold: .*sndr_" /var/log/maillog | egrep -i unknown | awk 
'{print $10,$(NF-3), $NF}' | sort -f | uniq -ic | sort -t[ -k2 | sed -e 's/\[/ 
\[/' | tr -d "[]:" | awk '{ printf "%5s\t%50s%18s\t%5s\n",$1,$2,$3,$4,$5}' | 
egrep -i "@[a-z]{12,12}\."

  140                                              unknown     173.244.42.83    
from=<i...@soleilejusds.com>
   91                                              unknown     174.122.67.52    
from=<ju...@rottlemandat.net>
  279                                              unknown     174.122.67.58    
from=<ju...@pulishtropal.net>
   36                                              unknown   174.139.141.186    
from=<shopp...@vasconisuret.net>
   34                                              unknown    174.139.141.68    
from=<shopp...@venomynitent.net>
    4                                              unknown       209.62.7.89    
from=<i...@cantuttaurid.com>
    7                                              unknown      64.247.42.11    
from=<i...@rateenbassed.org>
   66                                              unknown    66.197.153.119    
from=<i...@khatriorthal.com>
  100                                              unknown    69.167.186.173    
from=<p...@parnelpashto.net>
   27                                              unknown      69.61.28.104    
from=<buylowaucti...@trigasplumet.net>
   45                                              unknown      69.61.28.104    
from=<val...@trigasplumet.net>
  152                                              unknown     72.55.146.236    
from=<i...@lohochdreynt.com>
   84                                              unknown      76.73.69.252    
from=<i...@miscaleughen.com>

Just a suggested "signature" for scoring.

Len

Re: some weight for 12-letter 2nd level labels

Reply via email to