There's a collection of Unix utilities that run under Windows that includes grep, uniq, tr, a better sort than Windows sort, etc, etc.
http://unxutils.sourceforge.net/
You can also install Cygwin.
..... a much bigger, confusing job for windows-only people, but you do get a real command shell.
From my earlier posts in this forum:
(all commands are on one line)
Here's one that will output to a file all the IPs that connected to your Imail today more than 50 times (wraps)
gawk "/SMTPD.*connect/ {print $4}" sys1025.txt | tr -d "\[\]" | c:\winnt\system32\unixsort.exe -f | uniq -ic | gawk "{if ( $1 > 50 ) print $2 }" > /path/to/mta_clients_toomanyconnects.txt
which says:
1. match line containing SMTPD.*connect in log file sys1025.txt
hint: to speed the matching, esp on very large log files, and for scripts that run frequently, pad the string out to the point where you get the log lines sought, eg:
01:11 00:00 SMTPD(75E4011C) [212.73.210.73] connect 212.73.210.91 port 2364
.. would have this match string:
"^..:.. ..:.. SMTPD"
.... which would allow the regex processing to discard rapidly all lines that didn't start with "xx:xx xx:xx SMTPD", so (POP/IMAP/SMTP- )and avoid searching
2. output field 4 (the IP connecting to Imail)
3. translate -delete the characters [ and ] (strip 'em)
4. sort using gnu sort (renamed because Win32 protects its native file sort.exe which doesn't pipe worth a [EMAIL PROTECTED])
5. output unique values -counting the lines per value
6. if the count of connects to Imail is more than 50, output/append the IP to my ACL file that blocks by MTA ip address.
and you can run this hour:58 so that you select also using the hour:minute field and reduce the threshold per day of 500 to 50 per this hour.
What if you are getting hit from a number of different IPs in the same class C and want to block the entire class C ?? (collateral damage is wonderful, aka pre-emptive blocking, is strongly recommended).
gawk "/SMTPD.*connect/ {print $4}" sys1025.txt | tr -d "\[\]" | unixsort.exe -f | cut -d "." -f1-3 | uniq -ic | gawk "{if ( $1 > 10 ) print $2 }" >> /path/to/mta_clients_toomanyconnects.txt
The new filter using the cut command works on the IP address to -delimit the fields of the record with "." and selects -fields 1 to 3; if "A.B.C" has more than 10 connects, output it.
Trying to catch a spammer sending from Imail with forged [EMAIL PROTECTED]? Make a file mydomains.txt of all your Imail domains (for Imail 6 log file)
gawk "/rdeliver/ {print $8} " sys1025.txt | tr -d "\<\>" | egrep -ivf mydomains.txt | unixsort.exe -f | uniq -ic | unixsort -rfn | less
1. select all the log lines for remote_delivery
2. output field8, the envelope "mail from:"
3. strip the left-tit and right-tit symbols
4. filter out [EMAIL PROTECTED] that doesn't contain mydomains
5. sort
6. uniq with -counting
7. sort -reverse order (so the most frequent [EMAIL PROTECTED] are at the top of the list)
8. use the file viewer "less" to page through the output
Trying to catch a user sending way too many msgs but using one of your IMail domains as envelope sender? Just remove the "v" in the egrep filter (inVert).
gawk "/SMTPD.*connect/ {print $6}" sys1025.txt | tr -d "\[\]" | unixsort.exe -f | uniq -ic | gawk "{if ( $1 > 50 ) print $2}"
... you see more IPs by reducing the 50 threshold to a smaller number
For Class C's connecting to Imail:
gawk "/SMTPD.*connect/ {print $6}" sys1025.txt | tr -d "\[\]" | unixsort.exe -f | cut -d "." -f1-3 | uniq -ic | gawk "{if ( $1 > 10 ) print $2}"
======================
windows' sort.exe is "protected" so copying the gnu utils sort.exe into system32\ to get all the tools onto your system path won't overwrite win's sort.exe, so rename gnu sort.exe to unixsort.exe or usort.exe before copying it.
Since the targeted task is real pain with Imail logging, I mention that IMGate/postfix has a bcc function like IMail, but it also has per-domain and per-sender and per-recipient bcc, so you don't have to "copy all" and then filter/discard 99% of it, doubling the SMTP traffic, but only bcc the per-domain and/or per-localpart msgs of interest.
Len
_____________________________________________________________________ http://IMGate.MEIway.com : free anti-spam gateway, runs on 1000's of sites
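The "too many connects" pipelines from the post above, rebuilt as an added example (not Len's code) for a POSIX shell with awk, tr, sort, uniq and cut: single quotes replace the cmd.exe double quotes, the log lines are constructed in the format shown above, the connecting IP is taken from field 4 as in the first pipeline, and the optional hour argument follows the "run this hour:58" suggestion.

```shell
#!/bin/sh
# Added example: the post's per-IP and per-class-C connect counts with POSIX
# tools (gawk/unixsort.exe on Windows behave the same). Sample log lines are
# constructed in the IMail format quoted in the post.
LOG="${TMPDIR:-/tmp}/sys1025.sample.txt"
cat > "$LOG" <<'EOF'
01:11 00:00 SMTPD(75E4011C) [212.73.210.73] connect 212.73.210.91 port 2364
01:12 00:00 SMTPD(75E4011D) [212.73.210.73] connect 212.73.210.91 port 2365
01:13 00:00 SMTPD(75E4011E) [212.73.210.74] connect 212.73.210.91 port 2366
01:14 00:00 SMTPD(75E4011F) [198.51.100.9] connect 212.73.210.91 port 2367
01:15 00:00 POP3(75E40120) [212.73.210.73] connect 212.73.210.91 port 110
02:01 00:00 SMTPD(75E40121) [212.73.210.73] connect 212.73.210.91 port 2368
EOF

# Print connecting IPs (field 4, brackets stripped) seen more than $2 times
# in log $1. Optional $3 ("01") keeps only that hour via the hh:mm field, so
# an hourly run can use a lower threshold than a daily one.
# The anchored pattern lets awk reject non-SMTPD lines quickly.
too_many_connects() {
    awk -v hh="${3:-}" 'hh == "" || substr($1, 1, 2) == hh' "$1" |
    awk '/^..:.. ..:.. SMTPD.*connect/ {print $4}' |
    tr -d '[]' | sort -f | uniq -ic |
    awk -v thr="$2" '$1 > thr {print $2}'
}

# Same count aggregated by class C: cut keeps octets 1-3 before uniq -c.
too_many_classc() {
    awk '/^..:.. ..:.. SMTPD.*connect/ {print $4}' "$1" |
    tr -d '[]' | cut -d. -f1-3 | sort -f | uniq -ic |
    awk -v thr="$2" '$1 > thr {print $2}'
}

too_many_connects "$LOG" 2      # 212.73.210.73 (3 SMTPD connects, POP3 ignored)
too_many_connects "$LOG" 1 01   # 212.73.210.73 (2 connects within hour 01)
too_many_classc "$LOG" 3        # 212.73.210 (4 connects from that /24)
```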