Yahoo Groups archive

Milter-greylist

Message

Reporting Multiple Hits?

2007-12-26 by Dan Mahoney, System Admin

Hey all,

I'm looking for a way that I can report multiple hits from the same IP 
address, and cause them to be blacklisted/dropped/reported to the 
appropriate abuse department/fed to an RBL.

Right now I've got a start at running:

cat greylist.db | cut -f 1 | sort | uniq -c | sort -nr | more

To get an idea of which ip addresses are "high rollers".

Before I get into writing a full "reporting" system, I've encountered a 
couple problems with this logic.

First, I can only see addresses in the dumpDB, so I'm limited by the dump 
interval.  This would be a lot easier if there was some other (realtime) 
DB backend for the greylist.db.

Secondly, (obviously) I can only check up on those addresses which are 
being greylisted.  I was working with one of the spamassassin devel's on a 
SA plugin that does a similar thing.

I was wondering if anyone else had done anything useful with this data 
and/or what you had to share?

-Dan

--

"Ca. Tas. Tro. Phy."

-John Smedley, March 28th 1998, 3AM

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
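
An added example, not part of the original post: a variant of the counting one-liner in the message that skips comment lines, reports only IPs at or above a threshold, and also counts distinct recipients per IP. The dump layout (tab-separated, sender IP in field 1, recipient in field 3, "#" comment lines), the function names and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample in the layout assumed here: tab-separated fields,
# sender IP first, recipient third, "#" lines as comments.
sample_dump() {
    printf '# greylisted tuples (constructed sample)\n'
    printf '192.0.2.10\t<a@example.net>\t<u1@example.org>\t1198700000\n'
    printf '192.0.2.10\t<b@example.net>\t<u2@example.org>\t1198700010\n'
    printf '192.0.2.10\t<c@example.net>\t<u3@example.org>\t1198700020\n'
    printf '192.0.2.10\t<d@example.net>\t<u1@example.org>\t1198700030\n'
    printf '\n'
    printf '198.51.100.7\t<x@example.com>\t<u1@example.org>\t1198700040\n'
    printf '198.51.100.7\t<y@example.com>\t<u1@example.org>\t1198700050\n'
    printf '198.51.100.7\t<z@example.com>\t<u1@example.org>\t1198700060\n'
    printf '203.0.113.5\t<m@example.com>\t<u2@example.org>\t1198700070\n'
}

# high_rollers THRESHOLD
# Reads a dump on stdin and prints "hits distinct_rcpts ip" for every IP
# with at least THRESHOLD tuples, busiest first.
high_rollers() {
    awk -F '\t' -v min="$1" '
        /^#/ || NF < 3 { next }              # skip comments, blank and short lines
        $1 !~ /^[0-9a-fA-F:.]+$/ { next }    # first field must look like an IP
        {
            hits[$1]++
            # count each (ip, recipient) pair once
            if (!(($1, $3) in seen)) { seen[$1, $3] = 1; rcpts[$1]++ }
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min)
                    print hits[ip], rcpts[ip], ip
        }
    ' | sort -k1,1nr -k3,3
}

# Demo on the constructed sample; against a real dump use:
#   high_rollers 3 < greylist.db
sample_dump | high_rollers 3
```

The distinct-recipient column separates a host retrying one delivery from one spraying many mailboxes, which matters before feeding anything to a blocklist or an abuse report.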
