
Re: Spam Prevention

  • Clunk Werclick
    Message 1 of 14 , Aug 2, 2009
      On Sun, 2009-08-02 at 11:56 +0200, Willy De la Court wrote:
      > Hi all,
      >
      > Just a question about spam prevention and resource optimalisation.
      >
      > What is the best way to go. I have this as spam prevention at the moment.
      >
      > smtpd_helo_restrictions =
      > permit_mynetworks,
      > permit_sasl_authenticated,
      > reject_non_fqdn_hostname,
      > reject_invalid_hostname,
      > permit
      >
      > smtpd_sender_restrictions =
      > permit_mynetworks,
      > permit_sasl_authenticated,
      > reject_non_fqdn_sender,
      > reject_unknown_sender_domain,
      > permit
      >
      > smtpd_recipient_restrictions =
      > permit_mynetworks,
      > permit_sasl_authenticated,
      > reject_unauth_pipelining,
      > reject_non_fqdn_recipient,
      > reject_unknown_recipient_domain,
      > reject_unauth_destination,
      > reject_invalid_hostname,
      > reject_rbl_client bl.spamcop.net,
      > reject_rbl_client zen.spamhaus.org,
      > reject_unlisted_recipient,
      > check_policy_service inet:127.0.0.1:60000,
      > permit
      >
      > This mean that there are a number of tests before the actual recipient
      > address is tested, would it not be better to place the
      > reject_unlisted_recipient very early in the chain? Or am I wrong here. In
      > placing the reject_unlisted_recipient earlier in the chain would I not make
      > it easier for dictionary attacks to succeed? The check_policy_server is the
      > postgrey implementation of http://postgrey.schweikert.ch/
      >
      > I added the reject_unlisted_recipient before the postgrey policy test
      > because I noticed unknown recipients being passed to the postgrey policy
      > test.
      >
      > Any comments would be welcome.
      Hello Willy,

      It depends on how aggressive you wish to be. Looking at the last half an
      hour in my logs, the statistics show my blocking going on. The big fishy
      is 'No PTR' (in words of another no reverse DNS at all) then followed by
      spoof attempts (bob@... to bob@...).

      I block both of these types before passing to a big list of dnsbl's -
      but they may not be entirely suitable in production and it depends upon
      your BOFH mentality/level -v- your users complaining;


      ************************
      PRE DNSBL 321
      ........................
      NO PTR 201
      SPOOFING 120
      RELAY ATTEMPTS 0
      BLOCKED OTHER 0
      WHITELISTED 4
      ************************
      BLOCKED DNSBL 287
      ........................


      smtpd_sender_restrictions =
      permit_mynetworks
      permit_sasl_authenticated
      reject_unauth_destination
      reject_unknown_reverse_client_hostname
      check_sender_access hash:/etc/postfix/nospoof
      reject_rbl_client no-more-funn.moensted.dk
      reject_rbl_client bl.spamcop.net
      reject_rbl_client dnsbl-1.uceprotect.net
      reject_rbl_client dnsbl-2.uceprotect.net
      reject_rbl_client dnsbl-3.uceprotect.net
      reject_rbl_client dnsbl.sorbs.net
      reject_rbl_client bl.spamcannibal.org
      reject_rbl_client spam.dnsbl.sorbs.net
      reject_rbl_client zen.spamhaus.org
      reject_rbl_client b.barracudacentral.org
      permit


      This;
      /etc/postfix/nospoof

      is just a postmapped flat file of our domains that looks like this;

      /etc/postfix/nospoof
      ...
      example.com REJECT spoofing go away
      example.net REJECT spoofing go away
      example.org REJECT spoofing go away
      ...
      Have much fun and remember some spam is nice. Especially in a baguette
      with some 'daddies' sauce
      --
      -----------------------------------------------------------
      C Werclick .Lot
      Technical incompetent
      Loyal Order Of The Teapot.

      This e-mail and its attachments is intended only to be used as an e-mail
      and an attachment. Any use of it for other purposes other than as an
      e-mail and an attachment will not be covered by any warranty that may or
      may not form part of this e-mail and attachment.
    • Willy De la Court
      Message 2 of 14 , Aug 2, 2009
        On Sun, 02 Aug 2009 11:24:17 +0100, Clunk Werclick
        <clunk.werclick@...> wrote:
        > On Sun, 2009-08-02 at 11:56 +0200, Willy De la Court wrote:
        >> Hi all,
        >>
        >> Just a question about spam prevention and resource optimalisation.
        >>
        [SNIP]
        >>
        >> This mean that there are a number of tests before the actual recipient
        >> address is tested, would it not be better to place the
        >> reject_unlisted_recipient very early in the chain? Or am I wrong here. In
        >> placing the reject_unlisted_recipient earlier in the chain would I not make
        >> it easier for dictionary attacks to succeed? The check_policy_server is the
        >> postgrey implementation of http://postgrey.schweikert.ch/
        >>
        >> I added the reject_unlisted_recipient before the postgrey policy test
        >> because I noticed unknown recipients being passed to the postgrey policy
        >> test.
        >>
        >> Any comments would be welcome.
        > Hello Willy,
        >
        > It depends on how aggressive you wish to be. Looking at the last half an
        > hour in my logs, the statistics show my blocking going on. The big fishy
        > is 'No PTR' (in words of another no reverse DNS at all) then followed by
        > spoof attempts (bob@... to bob@...).
        >
        > I block both of these types before passing to a big list of dnsbl's -
        > but they may not be entirely suitable in production and it depends upon
        > your BOFH mentality/level -v- your users complaining;
        >
        >
        > smtpd_sender_restrictions =
        > permit_mynetworks
        > permit_sasl_authenticated
        > reject_unauth_destination
        > reject_unknown_reverse_client_hostname

        This one seems interesting. Need to try it out.

        > check_sender_access hash:/etc/postfix/nospoof

        The nospoof is a big nono for me.

        > reject_rbl_client no-more-funn.moensted.dk
        > reject_rbl_client bl.spamcop.net
        > reject_rbl_client dnsbl-1.uceprotect.net
        > reject_rbl_client dnsbl-2.uceprotect.net
        > reject_rbl_client dnsbl-3.uceprotect.net
        > reject_rbl_client dnsbl.sorbs.net
        > reject_rbl_client bl.spamcannibal.org
        > reject_rbl_client spam.dnsbl.sorbs.net
        > reject_rbl_client zen.spamhaus.org
        > reject_rbl_client b.barracudacentral.org
        > permit
        [SNIP]

        wow a lot of rbls. I used to use some of these but got a lot of complaints
        so i'm sticking with just spamcop and spamhaus.

        > ...
        > Have much fun and remember some spam is nice. Especially in a baguette
        > with some 'daddies' sauce

        Yep very nice.

        --
        Simple things make people happy.
        Willy De la Court
        PGP Public Key at http://www.linux-lovers.be/download/public_key.asc
        PGP Key fingerprint = 784E E18F 7F85 9C7C AC1A D5FB FE08 686C 37C7 A689
        GMail <wdl1908@...>
      • Ralf Hildebrandt
        Message 3 of 14 , Aug 2, 2009
          * Willy De la Court <wdl@...>:

          > > reject_rbl_client no-more-funn.moensted.dk
          > > reject_rbl_client bl.spamcop.net
          > > reject_rbl_client dnsbl-1.uceprotect.net
          > > reject_rbl_client dnsbl-2.uceprotect.net
          > > reject_rbl_client dnsbl-3.uceprotect.net
          > > reject_rbl_client dnsbl.sorbs.net
          > > reject_rbl_client bl.spamcannibal.org
          > > reject_rbl_client spam.dnsbl.sorbs.net
          > > reject_rbl_client zen.spamhaus.org
          > > reject_rbl_client b.barracudacentral.org
          > > permit
          > [SNIP]
          >
          > wow a lot of rbls. I used to use some of these but got a lot of complaints
          > so i'm sticking with just spamcop and spamhaus.

          uceprotect.net is outright insane.

          --
          Ralf Hildebrandt
          Geschäftsbereich IT | Abteilung Netzwerk
          Charité - Universitätsmedizin Berlin
          Campus Benjamin Franklin
          Hindenburgdamm 30 | D-12203 Berlin
          Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
          ralf.hildebrandt@... | http://www.charite.de
        • mouss
          Message 4 of 14 , Aug 2, 2009
            Willy De la Court wrote:
            > Hi all,
            >
            > Just a question about spam prevention and resource optimalisation.
            >
            > What is the best way to go. I have this as spam prevention at the moment.
            >
            > smtpd_helo_restrictions =
            > permit_mynetworks,
            > permit_sasl_authenticated,
            > reject_non_fqdn_hostname,
            > reject_invalid_hostname,
            > permit
            >
            > smtpd_sender_restrictions =
            > permit_mynetworks,
            > permit_sasl_authenticated,
            > reject_non_fqdn_sender,
            > reject_unknown_sender_domain,
            > permit
            >
            > smtpd_recipient_restrictions =
            > permit_mynetworks,
            > permit_sasl_authenticated,
            > reject_unauth_pipelining,

            useless.

            > reject_non_fqdn_recipient,
            > reject_unknown_recipient_domain,

            useless. you're checking your own domains and domains that will be
            rejected by reject_unauth_destination.

            > reject_unauth_destination,
            > reject_invalid_hostname,
            > reject_rbl_client bl.spamcop.net,
            > reject_rbl_client zen.spamhaus.org,
            > reject_unlisted_recipient,
            > check_policy_service inet:127.0.0.1:60000,
            > permit
            >
            > This mean that there are a number of tests before the actual recipient
            > address is tested, would it not be better to place the
            > reject_unlisted_recipient very early in the chain?

            it would avoid doing DNS queries when the recipient is invalid. This
            reduces the load of your server and that of DNSBL servers.

            see below for a better way to do your checks.

            > Or am I wrong here. In
            > placing the reject_unlisted_recipient earlier in the chain would I not make
            > it easier for dictionary attacks to succeed?

            Forget about dictionary attacks. The only spam that seems to target
            valid addresses only is "snowshoe spam", but then it won't be blocked by
            any of your checks. Other than that I keep seeing the same (invalid)
            addresses hit again and again.

            > The check_policy_server is the
            > postgrey implementation of http://postgrey.schweikert.ch/
            >
            > I added the reject_unlisted_recipient before the postgrey policy test
            > because I noticed unknown recipients being passed to the postgrey policy
            > test.
            >

            Make sure you have:

            unknown_local_recipient_reject_code = 550

            if this doesn't fix your problem, post a _new_ question, with infos as
            recommended in the DEBUG README.

            > Any comments would be welcome.
            >

            Assuming the default smtpd_delay_reject=yes, consider putting all your
            anti-spam checks under smtpd_recipient_restrictions.

            remove smtpd_helo_restrictions and smtpd_sender_restrictions, and set:

            smtpd_recipient_restrictions =
            reject_non_fqdn_sender
            reject_non_fqdn_recipient
            permit_mynetworks
            permit_sasl_authenticated
            reject_unauth_destination
            reject_unlisted_recipient
            reject_invalid_hostname
            reject_non_fqdn_hostname
            reject_rbl_client zen.spamhaus.org
            reject_rbl_client bl.spamcop.net
            reject_unknown_sender_domain
            check_policy_service inet:127.0.0.1:60000
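
The ordering point made in the reply above (reject invalid recipients before anything that needs DNS), as an added example that is not part of the original thread and is not Postfix code. It is a small first-match model covering only `smtpd_recipient_restrictions`; the `Attempt` fields, the cost table and the sample attempts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Restrictions that are followed by an argument in main.cf.
TAKES_ARG = {"reject_rbl_client", "check_policy_service", "check_sender_access"}
# Restrictions that cost one DNS query per evaluation (assumption of this model).
DNS_COST = {"reject_rbl_client", "reject_unknown_recipient_domain",
            "reject_unknown_sender_domain"}

# The two recipient restriction lists from the thread, copied as posted.
WILLY = """
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    reject_unauth_destination, reject_invalid_hostname,
    reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org,
    reject_unlisted_recipient, check_policy_service inet:127.0.0.1:60000, permit
"""
MOUSS = """
    reject_non_fqdn_sender reject_non_fqdn_recipient permit_mynetworks
    permit_sasl_authenticated reject_unauth_destination reject_unlisted_recipient
    reject_invalid_hostname reject_non_fqdn_hostname
    reject_rbl_client zen.spamhaus.org reject_rbl_client bl.spamcop.net
    reject_unknown_sender_domain check_policy_service inet:127.0.0.1:60000
"""


@dataclass(frozen=True)
class Attempt:
    """One RCPT TO from an outside, unauthenticated client (constructed)."""
    rcpt_domain_is_ours: bool = True
    rcpt_exists: bool = True
    listed_on: frozenset = frozenset()  # DNSBL zones that list the client IP


def parse(text):
    """Split a restriction list (commas and/or whitespace) into (name, arg) pairs."""
    tokens = text.replace(",", " ").split()
    chain, i = [], 0
    while i < len(tokens):
        name = tokens[i]
        if name in TAKES_ARG:
            if i + 1 >= len(tokens):
                raise ValueError(f"{name} is missing its argument")
            chain.append((name, tokens[i + 1]))
            i += 2
        else:
            chain.append((name, None))
            i += 1
    return chain


def rejects(name, arg, attempt):
    """True when this restriction rejects; anything not modelled answers DUNNO."""
    if name == "reject_unauth_destination":
        return not attempt.rcpt_domain_is_ours
    if name == "reject_unlisted_recipient":
        return attempt.rcpt_domain_is_ours and not attempt.rcpt_exists
    if name == "reject_rbl_client":
        return arg in attempt.listed_on
    return False


def evaluate(chain, attempt):
    """Walk the chain in order; return (verdict, DNS queries spent before it)."""
    dns = 0
    for name, arg in chain:
        if name == "permit":
            break
        if name in DNS_COST:
            dns += 1
        if rejects(name, arg, attempt):
            return (f"{name} {arg}" if arg else name), dns
    return "permit", dns


# Constructed mix: unknown user, relay attempt, DNSBL-listed client, clean mail.
ATTEMPTS = [
    Attempt(rcpt_exists=False),
    Attempt(rcpt_domain_is_ours=False),
    Attempt(listed_on=frozenset({"zen.spamhaus.org"})),
    Attempt(),
]


def total_dns(text, attempts=ATTEMPTS):
    """Total DNS queries a restriction list spends on a batch of attempts."""
    chain = parse(text)
    return sum(evaluate(chain, a)[1] for a in attempts)


if __name__ == "__main__":
    for label, text in (("original order", WILLY), ("suggested order", MOUSS)):
        print(f"{label}: {total_dns(text)} DNS queries for {len(ATTEMPTS)} attempts")
```
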
          • Willy De la Court
            Message 5 of 14 , Aug 2, 2009
              On Sun, 02 Aug 2009 12:44:56 +0200, mouss <mouss@...> wrote:
              > Willy De la Court wrote:
              >> Hi all,
              >>
              >> Just a question about spam prevention and resource optimalisation.
              >>
              >> What is the best way to go. I have this as spam prevention at the moment.
              >>
              [SNIP]
              >> reject_unauth_pipelining,
              >
              > useless.
              >
              >> reject_non_fqdn_recipient,
              >> reject_unknown_recipient_domain,
              >
              > useless. you're checking your own domains and domains that will be
              > rejected by reject_unauth_destination.
              >
              [SNIP]
              >>
              >> This mean that there are a number of tests before the actual recipient
              >> address is tested, would it not be better to place the
              >> reject_unlisted_recipient very early in the chain?
              >
              > it would avoid doing DNS queries when the recipient is invalid. This
              > reduces the load of your server and that of DNSBL servers.
              >
              > see below for a better way to do your checks.
              >
              >> Or am I wrong here. In
              >> placing the reject_unlisted_recipient earlier in the chain would I not
              >> make
              >> it easier for dictionary attacks to succeed?
              >
              > Forget about dictionary attacks. The only spam that seems to target
              > valid addresses only is "snowshoe spam", but then it won't be blocked by
              > any of your checks. Other than that I keep seeing the same (invalid)
              > addresses hit again and again.

              Yes I've seen it too.

              >
              >> The check_policy_server is the
              >> postgrey implementation of http://postgrey.schweikert.ch/
              >>
              >> I added the reject_unlisted_recipient before the postgrey policy test
              >> because I noticed unknown recipients being passed to the postgrey policy
              >> test.
              >>
              >
              > Make sure you have:
              >
              > unknown_local_recipient_reject_code = 550

              Yep just checked it it's 550

              >
              > if this doesn't fix your problem, post a _new_ question, with infos as
              > recommended in the DEBUG README.
              >
              I don't have any problems with this configuration just wanted to know how
              to improve the stuff.

              >> Any comments would be welcome.
              >>
              >
              > Assuming the default smtpd_delay_reject=yes, consider putting all your
              > anti-spam checks under smtpd_recipient_restrictions.
              >

              Yes smtpd_delay_reject=yes

              > remove smtpd_helo_restrictions and smtpd_sender_restrictions, and set:
              >
              > smtpd_recipient_restrictions =
              > reject_non_fqdn_sender
              > reject_non_fqdn_recipient
              > permit_mynetworks
              > permit_sasl_authenticated
              > reject_unauth_destination
              > reject_unlisted_recipient
              > reject_invalid_hostname
              > reject_non_fqdn_hostname
              > reject_rbl_client zen.spamhaus.org
              > reject_rbl_client bl.spamcop.net
              > reject_unknown_sender_domain
              > check_policy_service inet:127.0.0.1:60000

              I'll see what results I get with these.

              Thx again for the explanation.

              --
              Simple things make people happy.
              Willy De la Court
              PGP Public Key at http://www.linux-lovers.be/download/public_key.asc
              PGP Key fingerprint = 784E E18F 7F85 9C7C AC1A D5FB FE08 686C 37C7 A689
            • Jon
              Message 6 of 14 , Aug 2, 2009
                Clunk Werclick wrote:
                >
                > ************************
                > PRE DNSBL 321
                > ........................
                > NO PTR 201
                > SPOOFING 120
                > RELAY ATTEMPTS 0
                > BLOCKED OTHER 0
                > WHITELISTED 4
                > ************************
                > BLOCKED DNSBL 287
                > ........................
                >

                What tools are you using to generate your counts and get your output
                presented this way?
              • Charles Sprickman
                Message 7 of 14 , Aug 2, 2009
                  On Sun, 2 Aug 2009, Willy De la Court wrote:

                  > On Sun, 02 Aug 2009 11:24:17 +0100, Clunk Werclick
                  > <clunk.werclick@...> wrote:
                  [snip]
                  >> reject_rbl_client no-more-funn.moensted.dk
                  >> reject_rbl_client bl.spamcop.net
                  >> reject_rbl_client dnsbl-1.uceprotect.net
                  >> reject_rbl_client dnsbl-2.uceprotect.net
                  >> reject_rbl_client dnsbl-3.uceprotect.net
                  >> reject_rbl_client dnsbl.sorbs.net
                  >> reject_rbl_client bl.spamcannibal.org
                  >> reject_rbl_client spam.dnsbl.sorbs.net
                  >> reject_rbl_client zen.spamhaus.org
                  >> reject_rbl_client b.barracudacentral.org
                  >> permit
                  > [SNIP]
                  >
                  > wow a lot of rbls. I used to use some of these but got a lot of complaints
                  > so i'm sticking with just spamcop and spamhaus.

                  I'm still figuring things out, and have not really gone very deep into
                  spam prevention at this point. My question about the rbl rejects at the
                  smtp level is whether it's possible to only apply this to certain
                  domains/accounts without resorting to using a policy daemon. I'm guessing
                  no, but that may just be my old qmail pessimism. :)

                  Thanks,

                  Charles

                  >> ...
                  >> Have much fun and remember some spam is nice. Especially in a baguette
                  >> with some 'daddies' sauce
                  >
                  > Yep very nice.
                  >
                  > --
                  > Simple things make people happy.
                  > Willy De la Court
                  > PGP Public Key at http://www.linux-lovers.be/download/public_key.asc
                  > PGP Key fingerprint = 784E E18F 7F85 9C7C AC1A D5FB FE08 686C 37C7 A689
                  > GMail <wdl1908@...>
                  >
                • mouss
                  Message 8 of 14 , Aug 2, 2009
                    Charles Sprickman wrote:
                    > On Sun, 2 Aug 2009, Willy De la Court wrote:
                    >
                    >> On Sun, 02 Aug 2009 11:24:17 +0100, Clunk Werclick
                    >> <clunk.werclick@...> wrote:
                    > [snip]
                    >>> reject_rbl_client no-more-funn.moensted.dk
                    >>> reject_rbl_client bl.spamcop.net
                    >>> reject_rbl_client dnsbl-1.uceprotect.net
                    >>> reject_rbl_client dnsbl-2.uceprotect.net
                    >>> reject_rbl_client dnsbl-3.uceprotect.net
                    >>> reject_rbl_client dnsbl.sorbs.net
                    >>> reject_rbl_client bl.spamcannibal.org
                    >>> reject_rbl_client spam.dnsbl.sorbs.net
                    >>> reject_rbl_client zen.spamhaus.org
                    >>> reject_rbl_client b.barracudacentral.org
                    >>> permit
                    >> [SNIP]
                    >>
                    >> wow a lot of rbls. I used to use some of these but got a lot of
                    >> complaints
                    >> so i'm sticking with just spamcop and spamhaus.
                    >
                    > I'm still figuring things out, and have not really gone very deep into
                    > spam prevention at this point. My question about the rbl rejects at the
                    > smtp level is whether it's possible to only apply this to certain
                    > domains/accounts without resorting to using a policy daemon. I'm
                    > guessing no, but that may just be my old qmail pessimism. :)
                    >

                    if it depends on client, helo, sender or recipient, then you can use
                    restriction classes.
                  • Clunk Werclick
                    Message 9 of 14 , Aug 2, 2009
                      On Sun, 2009-08-02 at 17:04 -0400, Jon wrote:
                      > Clunk Werclick wrote:
                      > >
                      > > ************************
                      > > PRE DNSBL 321
                      > > ........................
                      > > NO PTR 201
                      > > SPOOFING 120
                      > > RELAY ATTEMPTS 0
                      > > BLOCKED OTHER 0
                      > > WHITELISTED 4
                      > > ************************
                      > > BLOCKED DNSBL 287
                      > > ........................
                      > >
                      >
                      > What tools are you using to generate your counts and get your output
                      > presented this way?
                      A dirty little Perl script + cron.
                      --
                      -----------------------------------------------------------
                      C Werclick .Lot
                      Technical incompetent
                      Loyal Order Of The Teapot.

                      This e-mail and its attachments is intended only to be used as an e-mail
                      and an attachment. Any use of it for other purposes other than as an
                      e-mail and an attachment will not be covered by any warranty that may or
                      may not form part of this e-mail and attachment.
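
A log summarizer that produces counts in the shape of the report quoted above, as an added example in Python; it is not the poster's Perl script. The sample log lines are constructed, the category labels follow the posted report, and the match strings are assumptions based on Postfix's standard reject messages plus the "spoofing go away" text from the nospoof map shown earlier in the thread. WHITELISTED is left out because it cannot be derived from reject lines.

```python
import re
from collections import Counter

# Constructed sample lines in the shape Postfix smtpd logs rejections.
SAMPLE_LOG = """\
Aug  2 10:00:01 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Aug  2 10:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.10]; from=<a@example.net> to=<bob@example.com> proto=ESMTP helo=<pc>
Aug  2 10:00:07 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.11]; from=<c@example.net> to=<bob@example.com> proto=SMTP helo=<localhost>
Aug  2 10:01:12 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.20]: 554 5.7.1 <bob@example.com>: Sender address rejected: spoofing go away; from=<bob@example.com> to=<bob@example.com> proto=ESMTP helo=<mail.example.net>
Aug  2 10:02:30 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from host.example.org[203.0.113.5]: 554 5.7.1 <x@elsewhere.example>: Relay access denied; from=<y@example.org> to=<x@elsewhere.example> proto=SMTP helo=<host.example.org>
Aug  2 10:03:44 mx postfix/smtpd[2105]: NOQUEUE: reject: RCPT from a.example.org[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using zen.spamhaus.org; from=<z@example.org> to=<bob@example.com> proto=ESMTP helo=<a.example.org>
Aug  2 10:04:02 mx postfix/smtpd[2106]: NOQUEUE: reject: RCPT from b.example.org[203.0.113.10]: 554 5.7.1 Service unavailable; Client host [203.0.113.10] blocked using bl.spamcop.net; from=<z@example.org> to=<bob@example.com> proto=ESMTP helo=<b.example.org>
Aug  2 10:05:19 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from c.example.org[203.0.113.11]: 554 5.7.1 Service unavailable; Client host [203.0.113.11] blocked using zen.spamhaus.org; from=<z@example.org> to=<bob@example.com> proto=ESMTP helo=<c.example.org>
Aug  2 10:06:50 mx postfix/smtpd[2108]: NOQUEUE: reject: RCPT from d.example.org[203.0.113.12]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<q@example.org> to=<nobody@example.com> proto=ESMTP helo=<d.example.org>
"""

# One smtpd reject line: client IP, SMTP reply code, and the text up to "; from=<".
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from [^\[\s]+\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>[45]\d\d) (?P<reason>.*?); from=<"
)
DNSBL_RE = re.compile(r"blocked using ([\w.-]+)")

# Checked in order; anything that matches none of them is BLOCKED OTHER.
PRE_DNSBL_RULES = [
    ("NO PTR", "cannot find your reverse hostname"),
    ("SPOOFING", "Sender address rejected: spoofing"),
    ("RELAY ATTEMPTS", "Relay access denied"),
]
REPORT_ORDER = ["NO PTR", "SPOOFING", "RELAY ATTEMPTS", "BLOCKED OTHER"]


def classify(reason):
    """Return (category, dnsbl_zone_or_None) for one reject reason string."""
    hit = DNSBL_RE.search(reason)
    if hit:
        return "BLOCKED DNSBL", hit.group(1)
    for label, needle in PRE_DNSBL_RULES:
        if needle in reason:
            return label, None
    return "BLOCKED OTHER", None


def summarize(lines):
    """Count rejects per category and per DNSBL zone; non-reject lines are skipped."""
    categories, zones, soft = Counter(), Counter(), 0
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        label, zone = classify(m.group("reason"))
        categories[label] += 1
        if zone:
            zones[zone] += 1
        if m.group("code").startswith("4"):
            soft += 1  # temporary (4xx) rejects: the client may retry later
    pre = sum(categories[c] for c in REPORT_ORDER)
    return {"categories": categories, "zones": zones, "pre_dnsbl": pre, "soft": soft}


def render(stats):
    """Format the counts in the layout of the report posted in the thread."""
    out = ["*" * 24, f"PRE DNSBL {stats['pre_dnsbl']}", "." * 24]
    out += [f"{c} {stats['categories'][c]}" for c in REPORT_ORDER]
    out += ["*" * 24, f"BLOCKED DNSBL {stats['categories']['BLOCKED DNSBL']}", "." * 24]
    out += [f"{zone} {n}" for zone, n in stats["zones"].most_common()]
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG.splitlines())))
```
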
                    • Willy De la Court
                      Message 10 of 14 , Aug 2, 2009
                        On Sun, 02 Aug 2009 17:04:17 -0400, Jon <jon_k@...> wrote:
                        > Clunk Werclick wrote:
                        >>
                        >> ************************
                        >> PRE DNSBL 321
                        >> ........................
                        >> NO PTR 201
                        >> SPOOFING 120
                        >> RELAY ATTEMPTS 0
                        >> BLOCKED OTHER 0
                        >> WHITELISTED 4
                        >> ************************
                        >> BLOCKED DNSBL 287
                        >> ........................
                        >>
                        >
                        > What tools are you using to generate your counts and get your output
                        > presented this way?

                        The logwatch package can do something similar.

                        See example below. I stripped out some sections with sensitive information
                        but you get the idea.

                        --------------------- Postfix Begin (detail=5) ------------------------

                        ****** Summary
                        *************************************************************************************

                        28.893M Bytes accepted 30,296,112
                        4.471M Bytes sent via SMTP 4,687,715
                        25.310M Bytes delivered 26,538,982
                        ======== ================================================

                        370 Accepted 1.79%
                        20326 Rejected 98.21%
                        -------- ------------------------------------------------
                        20696 Total 100.00%
                        ======== ================================================

                        124 5xx Reject relay denied 0.61%
                        5423 5xx Reject HELO/EHLO 26.68%
                        154 5xx Reject unknown user 0.76%
                        14625 5xx Reject RBL 71.95%
                        -------- ------------------------------------------------
                        20326 Total 5xx Rejects 100.00%
                        ======== ================================================

                        20 4xx Reject HELO/EHLO 2.11%
                        2 4xx Reject unknown user 0.21%
                        102 4xx Reject recipient address 10.75%
                        648 4xx Reject sender address 68.28%
                        158 4xx Reject unknown reverse client host 16.65%
                        19 4xx Reject RBL 2.00%
                        -------- ------------------------------------------------
                        949 Total 4xx Rejects 100.00%
                        ======== ================================================

                        14952 Connections made
                        5149 Connections lost (inbound)
                        14947 Disconnections
                        368 Removed from queue
                        334 Delivered
                        127 Sent via SMTP
                        10 Resent
                        2 Deferred
                        2 Deferrals
                        2 Bounced (remote)
                        2 Notifications sent

                        45 Timeout (inbound)
                        23 Illegal address syntax in SMTP command
                        56 Numeric hostname
                        7 SMTP dialog error
                        106 Excessive errors in SMTP dialog
                        3071 Hostname verification errors
                        1 Hostname validation errors


                        ****** Detail
                        **************************************************************************************

                        124 5xx Reject relay denied
                        -----------------------------------------------------------------
                        20 81.192.186.79 adsl-79-186-192-81.adsl.iam.net.ma
                        20 85.181.161.97 e181161097.adsl.alicedsl.de
                        20 95.110.96.169 g95-110-96-169.broadband.bashtel.ru
                        20 190.48.158.110 unknown
                        20 201.80.36.14 unknown
                        20 202.142.223.169 unknown
                        2 83.36.234.113 113.red-83-36-234.dynamicip.rima-tde.net
                        2 90.176.249.58 58.249.broadband9.iol.cz

                        5423 5xx Reject HELO/EHLO
                        --------------------------------------------------------------------
                        5423 Need fully-qualified hostname

                        154 5xx Reject unknown user
                        -----------------------------------------------------------------
                        154 Virtual mailbox table

                        14625 5xx Reject RBL
                        --------------------------------------------------------------------------
                        7959 bl.spamcop.net
                        6666 zen.spamhaus.org

                        20 4xx Reject HELO/EHLO
                        --------------------------------------------------------------------
                        20 Need fully-qualified hostname

                        2 4xx Reject unknown user
                        -----------------------------------------------------------------
                        2 Virtual mailbox table

                        102 4xx Reject recipient address
                        ------------------------------------------------------------

                        648 4xx Reject sender address
                        ---------------------------------------------------------------
                        648 Domain not found

                        5149 Connections lost (inbound)
                        --------------------------------------------------------------
                        3274 After DATA
                        1532 After RCPT
                        261 After CONNECT
                        26 After MAIL
                        26 After QUIT
                        15 After HELO
                        12 After EHLO
                        2 After UNKNOWN
                        1 After RSET

                        2 Deferrals
                        -------------------------------------------------------------------------------
                        2 4.1.1: Transient failure: Addressing status: Bad
                        destination mailbox address

                        2 Bounced (remote)
                        ------------------------------------------------------------------------
                        2 5.1.1: Permanent failure: Addressing status: Bad
                        destination mailbox address

                        2 Notifications sent
                        ----------------------------------------------------------------------
                        2 Non-delivery

                        45 Timeout (inbound)
                        -----------------------------------------------------------------------
                        16 After CONNECT
                        8 After RCPT
                        7 After DATA
                        7 After MAIL
                        5 After EHLO
                        2 After HELO

                        23 Illegal address syntax in SMTP command
                        --------------------------------------------------
                        23 MAIL

                        56 Numeric hostname
                        ------------------------------------------------------------------------
                        44 Resource data of MX record
                        12 Hostname

                        7 SMTP dialog error
                        -----------------------------------------------------------------------
                        7 Non-SMTP command

                        106 Excessive errors in SMTP dialog
                        ---------------------------------------------------------
                        81 After RCPT
                        25 After DATA

                        3071 Hostname verification errors
                        ------------------------------------------------------------
                        2851 No address associated with hostname
                        220 Address not listed for hostname

                        1 Hostname validation errors
                        --------------------------------------------------------------
                        1 misplaced delimiter: .



                        ======================================================================================================================
                        Delays Percentiles          0%       25%       50%       75%       90%       95%       98%      100%
                        ----------------------------------------------------------------------------------------------------------------------
                        1: Pre qmgr              0.000     0.020     0.050     0.250     0.542     0.988     1.400   522.000
                        2: In qmgr               0.000     0.000     0.000     0.010     0.010     0.010     0.010     0.020
                        3: Connection setup      0.000     0.000     0.000     0.080     0.180     0.280     0.487     2.700
                        4: Xmit time             0.010     0.050     0.230     0.570     1.200     1.680     3.092     4.300
                        ======================================================================================================================

                        ---------------------- Postfix End -------------------------



                        --
                        Simple things make people happy.
                        Willy De la Court
                        PGP Public Key at http://www.linux-lovers.be/download/public_key.asc
                        PGP Key fingerprint = 784E E18F 7F85 9C7C AC1A D5FB FE08 686C 37C7 A689
                      • Clunk Werclick
                        Message 11 of 14 , Aug 2, 2009
                          On Mon, 2009-08-03 at 08:29 +0200, Willy De la Court wrote:
                          > On Sun, 02 Aug 2009 17:04:17 -0400, Jon <jon_k@...> wrote:
                          > > Clunk Werclick wrote:
                          > >>
                          > >> ************************
                          > >> PRE DNSBL 321
                          > >> ........................
                          > >> NO PTR 201
                          > >> SPOOFING 120
                          > >> RELAY ATTEMPTS 0
                          > >> BLOCKED OTHER 0
                          > >> WHITELISTED 4
                          > >> ************************
                          > >> BLOCKED DNSBL 287
                          > >> ........................
                          > >>
                          > >
                          > > What tools are you using to generate your counts and get your output
                          > > presented this way?
                          >
                          > The logwatch package can do something similar.
                          >
                          > See example below. I stripped out some sections with sensitive information
                          > but you get the idea.
                          >
                          > --------------------- Postfix Begin (detail=5) ------------------------
                          >
                          > ****** Summary
                          > *************************************************************************************
                          >
                          > 28.893M Bytes accepted 30,296,112
                          > 4.471M Bytes sent via SMTP 4,687,715
                          > 25.310M Bytes delivered 26,538,982
                          > ======== ================================================
                          >
                          > 370 Accepted 1.79%
                          > 20326 Rejected 98.21%
                          > -------- ------------------------------------------------
                          > 20696 Total 100.00%
                          > ======== ================================================
                          >
                          > 124 5xx Reject relay denied 0.61%
                          > 5423 5xx Reject HELO/EHLO 26.68%
                          > 154 5xx Reject unknown user 0.76%
                          > 14625 5xx Reject RBL 71.95%
                          > -------- ------------------------------------------------
                          > 20326 Total 5xx Rejects 100.00%
                          > ======== ================================================
                          >
                          > 20 4xx Reject HELO/EHLO 2.11%
                          > 2 4xx Reject unknown user 0.21%
                          > 102 4xx Reject recipient address 10.75%
                          > 648 4xx Reject sender address 68.28%
                          > 158 4xx Reject unknown reverse client host 16.65%
                          > 19 4xx Reject RBL 2.00%
                          > -------- ------------------------------------------------
                          > 949 Total 4xx Rejects 100.00%
                          > ======== ================================================
                          >
                          > 14952 Connections made
                          > 5149 Connections lost (inbound)
                          > 14947 Disconnections
                          > 368 Removed from queue
                          > 334 Delivered
                          > 127 Sent via SMTP
                          > 10 Resent
                          > 2 Deferred
                          > 2 Deferrals
                          > 2 Bounced (remote)
                          > 2 Notifications sent
                          >
                          > 45 Timeout (inbound)
                          > 23 Illegal address syntax in SMTP command
                          > 56 Numeric hostname
                          > 7 SMTP dialog error
                          > 106 Excessive errors in SMTP dialog
                          > 3071 Hostname verification errors
                          > 1 Hostname validation errors
                          >
                          >
                          > ****** Detail
                          > **************************************************************************************
                          >
                          > 124 5xx Reject relay denied
                          > -----------------------------------------------------------------
                          > 20 81.192.186.79 adsl-79-186-192-81.adsl.iam.net.ma
                          > 20 85.181.161.97 e181161097.adsl.alicedsl.de
                          > 20 95.110.96.169 g95-110-96-169.broadband.bashtel.ru
                          > 20 190.48.158.110 unknown
                          > 20 201.80.36.14 unknown
                          > 20 202.142.223.169 unknown
                          > 2 83.36.234.113 113.red-83-36-234.dynamicip.rima-tde.net
                          > 2 90.176.249.58 58.249.broadband9.iol.cz
                          >
                          > 5423 5xx Reject HELO/EHLO
                          > --------------------------------------------------------------------
                          > 5423 Need fully-qualified hostname
                          >
                          > 154 5xx Reject unknown user
                          > -----------------------------------------------------------------
                          > 154 Virtual mailbox table
                          >
                          > 14625 5xx Reject RBL
                          > --------------------------------------------------------------------------
                          > 7959 bl.spamcop.net
                          > 6666 zen.spamhaus.org
                          >
                          > 20 4xx Reject HELO/EHLO
                          > --------------------------------------------------------------------
                          > 20 Need fully-qualified hostname
                          >
                          > 2 4xx Reject unknown user
                          > -----------------------------------------------------------------
                          > 2 Virtual mailbox table
                          >
                          > 102 4xx Reject recipient address
                          > ------------------------------------------------------------
                          >
                          > 648 4xx Reject sender address
                          > ---------------------------------------------------------------
                          > 648 Domain not found
                          >
                          > 5149 Connections lost (inbound)
                          > --------------------------------------------------------------
                          > 3274 After DATA
                          > 1532 After RCPT
                          > 261 After CONNECT
                          > 26 After MAIL
                          > 26 After QUIT
                          > 15 After HELO
                          > 12 After EHLO
                          > 2 After UNKNOWN
                          > 1 After RSET
                          >
                          > 2 Deferrals
                          > -------------------------------------------------------------------------------
                          > 2 4.1.1: Transient failure: Addressing status: Bad
                          > destination mailbox address
                          >
                          > 2 Bounced (remote)
                          > ------------------------------------------------------------------------
                          > 2 5.1.1: Permanent failure: Addressing status: Bad
                          > destination mailbox address
                          >
                          > 2 Notifications sent
                          > ----------------------------------------------------------------------
                          > 2 Non-delivery
                          >
                          > 45 Timeout (inbound)
                          > -----------------------------------------------------------------------
                          > 16 After CONNECT
                          > 8 After RCPT
                          > 7 After DATA
                          > 7 After MAIL
                          > 5 After EHLO
                          > 2 After HELO
                          >
                          > 23 Illegal address syntax in SMTP command
                          > --------------------------------------------------
                          > 23 MAIL
                          >
                          > 56 Numeric hostname
                          > ------------------------------------------------------------------------
                          > 44 Resource data of MX record
                          > 12 Hostname
                          >
                          > 7 SMTP dialog error
                          > -----------------------------------------------------------------------
                          > 7 Non-SMTP command
                          >
                          > 106 Excessive errors in SMTP dialog
                          > ---------------------------------------------------------
                          > 81 After RCPT
                          > 25 After DATA
                          >
                          > 3071 Hostname verification errors
                          > ------------------------------------------------------------
                          > 2851 No address associated with hostname
                          > 220 Address not listed for hostname
                          >
                          > 1 Hostname validation errors
                          > --------------------------------------------------------------
                          > 1 misplaced delimiter: .
                          >
                          >
                          >
                          > ======================================================================================================================
                          > Delays Percentiles          0%       25%       50%       75%       90%       95%       98%      100%
                          > ----------------------------------------------------------------------------------------------------------------------
                          > 1: Pre qmgr              0.000     0.020     0.050     0.250     0.542     0.988     1.400   522.000
                          > 2: In qmgr               0.000     0.000     0.000     0.010     0.010     0.010     0.010     0.020
                          > 3: Connection setup      0.000     0.000     0.000     0.080     0.180     0.280     0.487     2.700
                          > 4: Xmit time             0.010     0.050     0.230     0.570     1.200     1.680     3.092     4.300
                          > ======================================================================================================================
                          >
                          > ---------------------- Postfix End -------------------------
                          >
                          >
                          Yes, I use that too - but I like a quick summary on demand.

                          --
                          -----------------------------------------------------------
                          C Werclick .Lot
                          Technical incompetent
                          Loyal Order Of The Teapot.

                          This e-mail and its attachments is intended only to be used as an e-mail
                          and an attachment. Any use of it for other purposes other than as an
                          e-mail and an attachment will not be covered by any warranty that may or
                          may not form part of this e-mail and attachment.
                        • Thomas
                          Message 12 of 14 , Aug 2, 2009
                            Hey,

                            [..]
                            > Yes, I use that too - but I like a quick summary on demand.
                            See: <http://www.mikecappella.com/logwatch/>
                            You can use the scripts _without_ logwatch and get an instant summary of
                            your mail.log.

                            Cheers,
                            Thomas
                          • Clunk Werclick
                            Message 13 of 14 , Aug 3, 2009
                              On Mon, 2009-08-03 at 16:52 +1000, Thomas wrote:
                              > Hey,
                              >
                              > [..]
                              > > Yes, I use that too - but I like a quick summary on demand.
                              > See: <http://www.mikecappella.com/logwatch/>
                              > You can use the scripts _without_ logwatch and get an instant summary of
                              > your mail.log.
                              >
                              > Cheers,
                              > Thomas
                              Indeed it does and that is interesting, thank you. My long term goal is
                              to get my Perl to log, in single line;

                              DATE/TIME INBOUND/OUTBOUND TO FROM SUBJECT SPAM SCORE IP

                              That is what I really would like to be able to do - but so far I do not
                              find a way that is easy or straightforward to bring all of this
                              information together in a single 'delivered' log. Rejected or dropped
                              mail is straightforward, but delivered mail seems to be harder to cobble
                              something together to give it, how do you say, 'the inside leg
                              measurements' ?

                              --
                              -----------------------------------------------------------
                              C Werclick .Lot
                              Technical incompetent
                              Loyal Order Of The Teapot.

                              This e-mail and its attachments is intended only to be used as an e-mail
                              and an attachment. Any use of it for other purposes other than as an
                              e-mail and an attachment will not be covered by any warranty that may or
                              may not form part of this e-mail and attachment.
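
The single-line 'delivered' log described in the message above can be approximated by correlating Postfix log lines on their queue ID. This is an added example, not code from the thread, written in Python rather than Perl; it assumes stock Postfix syslog format, a `header_checks` rule such as `/^Subject:/ WARN` so that cleanup logs the subject, and a constructed `LOCAL_NETS` list to decide direction. The spam score is left out because it would have to come from the content filter's own log lines.

```python
import ipaddress
import re

# Assumption: clients in these networks are ours, so their mail is OUTBOUND.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

# Constructed sample in stock Postfix syslog format (not taken from the thread).
SAMPLE_LOG = """\
Aug  3 08:15:01 mx postfix/smtpd[1234]: 4F2A91C0D3: client=mail.example.org[198.51.100.7]
Aug  3 08:15:01 mx postfix/cleanup[1236]: 4F2A91C0D3: warning: header Subject: Quarterly report from mail.example.org[198.51.100.7]; from=<alice@example.org> to=<bob@example.net> proto=ESMTP helo=<mail.example.org>
Aug  3 08:15:01 mx postfix/qmgr[900]: 4F2A91C0D3: from=<alice@example.org>, size=2301, nrcpt=1 (queue active)
Aug  3 08:15:02 mx postfix/virtual[1240]: 4F2A91C0D3: to=<bob@example.net>, relay=virtual, delay=0.9, delays=0.5/0.01/0/0.39, dsn=2.0.0, status=sent (delivered to maildir)
Aug  3 08:15:02 mx postfix/qmgr[900]: 4F2A91C0D3: removed
Aug  3 08:16:10 mx postfix/smtpd[1250]: 7B1C03E8A1: client=unknown[192.0.2.25]
Aug  3 08:16:10 mx postfix/qmgr[900]: 7B1C03E8A1: from=<bob@example.net>, size=812, nrcpt=1 (queue active)
Aug  3 08:16:12 mx postfix/smtp[1260]: 7B1C03E8A1: to=<carol@example.com>, relay=mx.example.com[203.0.113.5]:25, delay=1.8, delays=0.1/0/0.7/1, dsn=4.4.1, status=deferred (connection timed out)
"""

# Short (hex) queue IDs only; enable_long_queue_ids needs a wider pattern.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/[\w/-]+\[\d+\]: ([0-9A-F]{6,}): (.*)$")
CLIENT = re.compile(r"client=[^\[]*\[([^\]]+)\]")
SUBJECT = re.compile(r"warning: header Subject: (.*) from \S+\[[^\]]+\]; ")


def direction(ip):
    """Classify by client address; locally submitted mail has no client= line."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "LOCAL"
    return "OUTBOUND" if any(addr in net for net in LOCAL_NETS) else "INBOUND"


def delivered_lines(log_text):
    """Return one tab-separated line per recipient that reached status=sent."""
    msgs, out = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, qid, rest = m.groups()
        rec = msgs.setdefault(qid, {"ip": "-", "from": "-", "subject": "-"})
        if (c := CLIENT.match(rest)):
            rec["ip"] = c.group(1)
        elif (s := SUBJECT.match(rest)):
            rec["subject"] = s.group(1)  # sender-controlled text: treat as untrusted
        elif rest.startswith("from=<"):
            rec["from"] = rest[6:rest.index(">")]
        elif rest.startswith("to=<") and "status=sent" in rest:
            # Column order: DATE/TIME, direction, TO, FROM, SUBJECT, IP
            out.append("\t".join([" ".join(stamp.split()), direction(rec["ip"]),
                                  rest[4:rest.index(">")], rec["from"],
                                  rec["subject"], rec["ip"]]))
        elif rest == "removed":
            msgs.pop(qid, None)  # queue IDs are reused, so forget finished mail
    return out


if __name__ == "__main__":
    print("\n".join(delivered_lines(SAMPLE_LOG)))
```

With an after-queue content filter the same message is logged under two queue IDs, so the hand-off to the filter also appears as `status=sent` and needs to be joined or skipped separately.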