I use MailScanner <http://www.mailscanner.info> + MailWatch <http://mailwatch.sourceforge.net/doku.php> for content scanning, and MailWatch has the ability to log the results to a MySQL database. I run a daily script which greps the top 3 sender IP addresses which sent us email with an SA score less than -2 and force-feeds these IP addresses to the policyd whitelist table.

mysql> select clientip as ip , count(clientip) as count FROM maillog3 WHERE sascore < '-2' GROUP BY ip ORDER BY count desc LIMIT 3;
+----------------+-------+
| ip             | count |
+----------------+-------+
| 204.15.11.13   |    60 |
| 208.250.48.77  |    37 |
| 208.250.48.167 |    36 |
+----------------+-------+
3 rows in set (5.33 sec)


For the reverse-DNS-based whitelist I do not have an automatic script.
It was just my observation from 6 months' worth of logs.

Regards,
Rianto Wahyudi

--- adela putri tirta belek

Voytek Eymont wrote:
<quote who="R Wahyudi">

I think the holy grail of effective greylisting is whitelisting! And I
think this is the cheapest and the most effective technique. We used to
have our policyd database on a 2x2.8GHz Xeon with 4GB RAM and we did cleanup
every night, which took around 30 to 50 minutes to complete.

Since we implemented the following whitelist_dns we managed to whitelist 85% of
proper mail servers. The number of triplet and helo data dropped
drastically. We were able to downgrade the policyd database to an old server and
use the newer server to do content scanning.

Rianto,


how did you create your whitelist, is it like 'top 20' domains from
triplet and helo?

even though I only have a rather small mail server, I always like to
optimize where possible;


_______________________________________________
policyd-users mailing list
policyd-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/policyd-users
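
A sketch of the daily job described in the message above, as an added example (not the poster's script). SQLite stands in for MySQL so it runs offline. Assumptions: the policyd `whitelist` column names (`_whitelist`, `_description`, `_expire`), plus a minimum-volume floor and an expiry so a few crafted low-score messages cannot earn a permanent greylisting bypass.

```python
import ipaddress
import sqlite3
import time

# The page's query, with the score bound as a number and a volume floor added.
TOP_HAM_SQL = """
SELECT clientip, COUNT(clientip) AS hits FROM maillog3
WHERE sascore < ? GROUP BY clientip HAVING COUNT(clientip) >= ?
ORDER BY hits DESC LIMIT ?"""

def top_ham_senders(conn, max_score=-2.0, min_count=1, limit=3):
    """Return [(ip, hits)] for the busiest senders scoring below max_score."""
    return conn.execute(TOP_HAM_SQL, (max_score, min_count, limit)).fetchall()

def whitelist_rows(senders, now, ttl_days=30):
    """Build expiring whitelist rows, dropping values that are not IPv4 literals."""
    rows = []
    for ip, hits in senders:
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            continue  # the logged client address is not a plain IPv4 address
        rows.append((str(addr), f"auto: {hits} low-score msgs", now + ttl_days * 86400))
    return rows

def apply_whitelist(conn, rows):
    """Insert new entries only; manual or earlier entries are left untouched."""
    before = conn.total_changes
    conn.executemany(
        "INSERT OR IGNORE INTO whitelist (_whitelist, _description, _expire) "
        "VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn.total_changes - before  # number of rows actually added

def demo_db():
    """Constructed sample data: documentation-range IPs and made-up scores."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE maillog3 (clientip TEXT, sascore REAL)")
    conn.execute("CREATE TABLE whitelist (_whitelist TEXT PRIMARY KEY, "
                 "_description TEXT, _expire INTEGER)")
    sample = ([("192.0.2.10", -3.1)] * 6 + [("198.51.100.7", -2.5)] * 4 +
              [("203.0.113.9", -4.0)] * 1 + [("203.0.113.50", 7.2)] * 9 +
              [("not-an-ip", -5.0)] * 5)
    conn.executemany("INSERT INTO maillog3 VALUES (?, ?)", sample)
    return conn

if __name__ == "__main__":
    db = demo_db()
    rows = whitelist_rows(top_ham_senders(db, min_count=2), int(time.time()))
    print(apply_whitelist(db, rows), "entries added:", [r[0] for r in rows])
```

Check the column names against your own policyd schema before pointing this at a live database.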
