Hi Eric,

Am 20.10.2008 20:01 Uhr, Eric Shubert schrieb:
> BTW, couldn't the script simply test for "@" in the first position of
> any line to determine that it's not a syslog, so the flag wouldn't be
> necessary? Seems simpler to me.

This was done to avoid a performance hit of about 20% caused by the more complex regex. However, I've now rewritten the detection code so that it is much faster, and the attached version no longer needs (or supports) the --(no)syslog switch.
> > -- -Eric 'shubes' -- Felix
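#!/usr/bin/perl -w
# build 2008102106
#
# Summarise spamdyke log entries: counts per status code, optional breakdown
# of the blacklists that matched, and optional top-N TLD list per status.
#
# Usage:
#   cat /var/log/qmail/smtpd/current | ./this_file [--tld=N] [--nodetail]
#
# Two input formats are recognised per line:
#   Oct 21 05:11:11 h1423590 spamdyke[12904]: DENIED_SENDER_NO_MX
#   @4000000048fa5dfc34b1ebec DENIED_SENDER_NO_MX
#
# NOTE(review): parts of every log line (origin_rdns in particular) are
# derived from the connecting host, so nothing read from the log is used
# unless a match succeeded, and logged values are passed to printf as
# arguments, never interpolated into the format string.
use diagnostics;
use strict;
use Getopt::Long;

my $tldtop   = 0;    # --tld=N: print the top N TLDs per status (0 = off)
my $detailed = 1;    # --detail / --nodetail: per-blacklist breakdown

GetOptions(
    "tld=i"   => \$tldtop,
    "detail!" => \$detailed,
) or exit 1;

my %status     = ();    # hash of status connections
my %origin     = ();    # hash of tld per status code
my %originsum  = ();    # hash of tld per status code sums
my %rblstat    = ();    # hash of DNSBL lists matched
my %rhsblstat  = ();    # hash of RHSBL lists matched
my %rdnsblstat = ();    # hash of patterns in IP_IN_RDNS_BLACKLIST matched
my ( $rblsum, $rhsblsum, $rdnsblsum ) = ( 0, 0, 0 );
my ( $allowpercentage, $errorpercentage, $spampercentage, $sum );

# Print one "-- Breakdown --" section: each name with its share of $total,
# most frequent first, ties in name order.
sub _print_breakdown {
    my ( $count_for, $total ) = @_;

    print "-- Breakdown --\n";
    my @names = sort { $count_for->{$b} <=> $count_for->{$a} || $a cmp $b }
        keys %{$count_for};
    foreach my $name (@names) {
        # The name comes from the log, so it is a printf argument and not
        # part of the format: a '%' inside it must not be read as a directive.
        printf "%2.2f%%\t%s\n", $count_for->{$name} / $total * 100, $name;
    }
    print "---------------\n";
    return;
}

LINE:
while ( defined( my $entry = <> ) ) {
    chomp $entry;

    my $message;
    if ( substr( $entry, 0, 1 ) eq '@' ) {
        # '@' + 24-character timestamp + one space = 26 characters to skip.
        # Shorter lines are truncated and carry no status.
        next LINE if length($entry) <= 26;
        $message = substr $entry, 26;
    }
    else {
        # split ' ' collapses runs of blanks, so the syslog padding of
        # single-digit days ("Oct  1 ...") does not shift the fields.
        my ( $id, $rest ) = ( split ' ', $entry, 6 )[ 4, 5 ];
        next LINE unless defined $rest;
        next LINE unless substr( $id, 0, 9 ) eq 'spamdyke[';
        $message = $rest;
    }

    next LINE
        unless $message =~ m/^(ALLOWED|ERROR|TIMEOUT|(?:DENIED|FILTER)_[^ ]+)/;
    my $code   = $1;
    my $detail = substr $message, length $code;

    # FILTER_* lines name the list or keyword that matched. Count them only
    # when the name was actually found; an unchecked $1 would be undefined.
    if ( $code =~ m/FILTER_RBL_MATCH/ ) {
        if ( $detail =~ m/rbl: (\S+)/ ) {
            $rblstat{$1}++;
            $rblsum++;
        }
    }
    elsif ( $code =~ m/FILTER_RHSBL_MATCH/ ) {
        if ( $detail =~ m/rhsbl: (\S+)/ ) {
            $rhsblstat{$1}++;
            $rhsblsum++;
        }
    }
    elsif ( $code =~ m/FILTER_IP_IN_RDNS_BLACKLIST/ ) {
        if ( $detail =~ m/keyword: (\S+)/ ) {
            $rdnsblstat{$1}++;
            $rdnsblsum++;
        }
    }
    next LINE if $code =~ m/^FILTER_/;

    $status{$code}++;

    next LINE unless $tldtop;
    next LINE unless $detail =~ m/ origin_rdns: ([^ ]+)/;
    my $rdns = $1;
    $originsum{$code}++;

    # Only suffixes made of lowercase letters (and one dot) become hash
    # keys; "(unknown)" and anything else is counted in %originsum only.
    if ( $rdns =~ m/^\(unknown\)$/ ) {
        next LINE;
    }
    elsif ( $rdns =~ m/\.(com|net)$/ ) {
        $origin{$code}{$1}++;
    }
    elsif ( $rdns =~ m/\.([a-z]{2,2}\.[a-z]{2,2})$/ ) {    # co.uk
        $origin{$code}{$1}++;
    }
    elsif ( $rdns =~ m/\.([a-z]{2,})$/ ) {                 # de, ru, ...
        $origin{$code}{$1}++;
    }
}

my ( $allow, $deny, $error ) = ( 0, 0, 0 );
foreach my $stat ( sort keys %status ) {
    if ( $stat =~ m/ALLOWED/ ) {
        $allow = $status{$stat};
    }
    elsif ( $stat =~ m/TIMEOUT|ERROR/ ) {
        $error += $status{$stat};
    }
    else {
        $deny += $status{$stat};
    }
}

my $aed_sum = $allow + $error + $deny;
if ( $aed_sum > 0 ) {
    $spampercentage  = sprintf( "%2.2f", ( $deny / ($aed_sum) * 100 ) );
    $errorpercentage = sprintf( "%2.2f", ( $error / ($aed_sum) * 100 ) );
    $allowpercentage = sprintf( "%2.2f", ( $allow / ($aed_sum) * 100 ) );
}
else {
    # Empty input: report 0.00 everywhere instead of dividing by zero.
    $spampercentage = $errorpercentage = $allowpercentage
        = sprintf( "%2.2f", 0 );
}

foreach my $key ( sort { $status{$b} <=> $status{$a} || $a cmp $b } keys %status ) {
    print "$status{$key}\t$key\n";

    if ($detailed) {
        # One helper for all three lists; the RHSBL list is now ordered by
        # its own counts (the original compared against %rblstat).
        if ( $key eq "DENIED_RBL_MATCH" ) {
            _print_breakdown( \%rblstat, $rblsum );
        }
        elsif ( $key eq "DENIED_RHSBL_MATCH" ) {
            _print_breakdown( \%rhsblstat, $rhsblsum );
        }
        elsif ( $key eq "DENIED_IP_IN_RDNS" ) {
            _print_breakdown( \%rdnsblstat, $rdnsblsum );
        }
    }

    if ( $tldtop && $origin{$key} ) {
        my $top = $tldtop;
        print "-- Top $top TLD --\n";

        # Walk the TLDs in ascending order of count so that TLDs with the
        # same share are adjacent, and merge each run into one output row.
        my $lastsum   = 0;
        my @tldgroup  = ();
        my %neworigin = ();
        my @tlds      = sort {
            $origin{$key}{$a} <=> $origin{$key}{$b} || $a cmp $b
        } keys %{ $origin{$key} };

        foreach my $tld (@tlds) {
            my $share = $origin{$key}{$tld} / $originsum{$key} * 100;
            if ( $share != $lastsum && @tldgroup ) {
                $neworigin{ join( ', ', @tldgroup ) } = $lastsum;
                @tldgroup = ();
            }
            push @tldgroup, $tld;
            $lastsum = $share;
        }

        # The final run is stored like every other run. The original
        # multiplied it by "length @tldgroup", i.e. by the number of digits
        # in the group size, which doubled the share for groups of 10+.
        if (@tldgroup) {
            $neworigin{ join( ', ', @tldgroup ) } = $lastsum;
        }

        foreach my $tld ( sort { $neworigin{$b} <=> $neworigin{$a} } keys %neworigin ) {
            printf "%2.2f%%\t%s\n", $neworigin{$tld}, $tld;
            last unless --$top;
        }
        print "------------\n";
    }
}

$sum = ( $deny + $error + $allow );
print "\n";
print "Allowed: $allow \n";
print "Denied : $deny \n";
print "Errors : $error \n";
print "Total : $sum \n";
print "% Valid: $allowpercentage% \n";
print "% Spam : $spampercentage% \n";
print "% Error: $errorpercentage% \n";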