Hosting Provided By

Re: Auto-RBL was: Why did this not hit more? (SPF, DKIM, Ironport, X-originating-ip)

From: <bgodette(at)idcomm.com>
Date: Tue Oct 09 2007 - 18:30:28 EDT

Dan Mahoney, System Admin wrote:
> On Tue, 9 Oct 2007, Steven Kurylo wrote:
>

>>> Parsing the SA logs would be easy, but the connecting IP isn't listed 
>>> there. 
>> As I mentioned, I'm parsing exim's logs.  It contains the spam score and the 
>> IP address.

>
> Oh, that's true enough. I was musing on parsing my own logfiles as
> opposed to plugins. Not enough info since I'm rejecting at the procmail
> level, not the MTA (sendmail) level.
>
> -Dan

message-id from spam(d/assassin) log line, message-id -> queue-id, queue-id -> connecting IP.

Shouldn't be too hard to write in perl, just have to keep track of active (hasn't finished local delivery) IP/QID/MID triples.

Also depending on your MTA you may be able to pass the connecting IP to procmail. Received on Tue Oct 9 18:33:58 2007

This message: [ Message body ]
Next message: Jo Rhett: "Re: Advice on MTA blacklist"
Previous message: Dan Mahoney, System Admin: "Re: Auto-RBL was: Why did this not hit more? (SPF, DKIM, Ironport, X-originating-ip)"
In reply to: Dan Mahoney, System Admin: "Re: Auto-RBL was: Why did this not hit more? (SPF, DKIM, Ironport, X-originating-ip)"
Next in thread: Jonas Eckerman: "Re: Auto-RBL was: Why did this not hit more? (SPF, DKIM, Ironport, X-originating-ip)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Fri Jul 04 2008 - 12:04:57 EDT