I am doing this with the syslogd server using the Kiwi product. It emails me when something suspicious is happenin'.
Mike

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Len Conrad
> Sent: Friday, February 22, 2002 10:09 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [IMail Forum] log file analyzer?
>
>
> >I have created a program that will count text strings in the text file. If
> >I count the "MAIL From"'s and the "RCPT TO"'s will this tell me how many
> >messages are being sent within a certain time period? Will there be one
> >"MAIL From" for every "RCPT TO"? Or, if one user sends 100 emails, will
> >there be one "MAIL From" and 100 "RCPT TO"'s? I have a feeling that a few
> >people are sending bulk emails, but how can I tell?
>
> the key accounting lines are the *deliver lines. all you need is in there.
>
> >Thanks to anyone who can help! And if anyone needs the text counter program
> >I have, you are welcome to it, just let me know.
>
> I use grep + cut + bash from GNU utils for Win32. PERL can do the same.
>
> What's needed is an "SMTP attack detection" routine that runs every 30
> minutes and totes up the messages sent and received and rejected for the
> last 30 minutes, and compares against a running, multi-hour average. If one
> of the totals is too high, raise an alert.
>
> Len
>
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
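The 30-minute totals check Len describes (tote up sent, received and rejected for the last half hour, compare against a running multi-hour average, alert when a total is too high), written out as an added example. This is not code from the thread, from IMail or from Kiwi: the thread never shows IMail's real log layout, so the script assumes a hypothetical "timestamp SENT|RECV|REJECT key=value ..." line format, and the log it runs over is constructed inline (six quiet half-hours, then one in which a single account sends 120 messages). The per-bucket counting follows Len's advice of counting one accounting line per message rather than SMTP commands, and `top_senders` answers the original poster's "which users are sending in bulk?" once an alert fires.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Hypothetical log layout assumed by this example (NOT IMail's real format):
#   "YYYY-MM-DD HH:MM:SS <SENT|RECV|REJECT> key=value ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>SENT|RECV|REJECT) (?P<rest>.*)$"
)
EVENTS = ("SENT", "RECV", "REJECT")
BUCKET = timedelta(minutes=30)


def parse_line(line):
    """Return (timestamp, event, fields) for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return ts, m.group("event"), fields


def bucket_start(ts, bucket=BUCKET):
    """Floor a timestamp to the start of its bucket (30-minute periods by default)."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + bucket * ((ts - midnight) // bucket)


def count_by_bucket(lines):
    """Map each bucket start -> Counter of events seen in that bucket.
    Lines that do not parse are skipped rather than aborting the run."""
    buckets = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, _ = parsed
        buckets.setdefault(bucket_start(ts), Counter())[event] += 1
    return buckets


def check_latest(buckets, baseline_buckets=6, factor=3.0, floor=20, bucket=BUCKET):
    """Compare the newest bucket with the mean of the preceding baseline
    buckets (6 x 30 min = a 3-hour running average). A half-hour with no
    log lines counts as zero. Returns [(event, count, mean), ...] for totals
    above factor * mean; `floor` suppresses alerts on tiny absolute counts,
    which would otherwise fire on a near-zero baseline."""
    if not buckets:
        return []
    latest = max(buckets)
    history = [latest - bucket * k for k in range(1, baseline_buckets + 1)]
    history = [s for s in history if s >= min(buckets)]  # stay inside the log
    if not history:
        return []
    alerts = []
    for event in EVENTS:
        current = buckets[latest][event]
        mean = sum(buckets.get(s, Counter())[event] for s in history) / len(history)
        if current >= floor and current > factor * mean:
            alerts.append((event, current, mean))
    return alerts


def top_senders(lines, n=3):
    """Rank the user= field of SENT lines in the newest bucket, to show
    which accounts are behind a spike once check_latest() fires."""
    per_bucket = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "SENT":
            continue
        ts, _, fields = parsed
        per_bucket.setdefault(bucket_start(ts), Counter())[fields.get("user", "?")] += 1
    if not per_bucket:
        return []
    return per_bucket[max(per_bucket)].most_common(n)


def build_sample_log():
    """Constructed input: six quiet half-hours (10 sent, 8 received, 1
    rejected each), then a half-hour in which one account sends 120 messages."""
    lines = []
    t0 = datetime(2002, 2, 22, 6, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    for b in range(6):
        base = t0 + BUCKET * b
        for i in range(10):
            lines.append(f"{base + timedelta(minutes=2 * i):{fmt}} SENT user=alice rcpt=r{i}@example.net")
        for i in range(8):
            lines.append(f"{base + timedelta(minutes=3 * i):{fmt}} RECV from=x{i}@example.org rcpt=bob")
        lines.append(f"{base + timedelta(minutes=7):{fmt}} REJECT from=spam@example.org reason=relay-denied")
    base = t0 + BUCKET * 6
    for i in range(120):
        lines.append(f"{base + timedelta(seconds=10 * i):{fmt}} SENT user=mallory rcpt=v{i}@example.net")
    for i in range(8):
        lines.append(f"{base + timedelta(minutes=3 * i):{fmt}} RECV from=x{i}@example.org rcpt=bob")
    lines.append("this line is not in the assumed format and is skipped")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for event, count, mean in check_latest(count_by_bucket(log)):
        print(f"ALERT: {event} count {count} in last 30 min vs running mean {mean:.1f}")
    print("top senders in latest period:", top_senders(log))
```

Run on a schedule every 30 minutes against the real log tail (after replacing `LINE_RE` and the `user=` extraction with whatever IMail actually writes), the script prints one alert for the SENT spike and names the account responsible; the RECV and REJECT totals stay within three times their 3-hour mean and stay quiet. The `floor` parameter is the practical caveat: without it, a single rejected message after three hours of zero rejects would be "infinitely" above average.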
