Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC

Reporting Multiple Hits?

2007-12-26 by Dan Mahoney, System Admin

Hey all,

I'm looking for a way that I can report multiple hits from the same ip 
address, and cause them to be blacklisted/drop/reported to the 
appropriate abuse department/fed to an RBL.

Right now I've got a start at running:

cat greylist.db | cut -f 1 | sort | uniq -c | sort -nr | more

To get an idea of which ip addresses are "high rollers".

Before I get into writing a full "reporting" system, I've encountered a 
couple problems with this logic.

First, I can only addresses in the dumpDB, so I'm limited by the dump 
interval.  This would be a lot easier if there was some other (realtime) 
DB backend for the greylist.db

Secondly, (obviously) I can only check up on those addresses which are 
being greylisted.  I was working with one of the spamassassin devel's on a 
SA plugin that does a similar thing.

I was wondering if anyone else had done anything useful with this data 
and/or what you had to share?

-Dan

--

"Ca. Tas. Tro. Phy."

-John Smedley, March 28th 1998, 3AM

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------

Re: [milter-greylist] Reporting Multiple Hits?

2007-12-29 by manu@netbsd.org

Dan Mahoney, System Admin <danm@...> wrote:

> First, I can only addresses in the dumpDB, so I'm limited by the dump
> interval.  This would be a lot easier if there was some other (realtime)
> DB backend for the greylist.db

I was thinking about reusing the MX sync protocol for real-time
monitoring. We could just connect to a localhost TCP port, send a
command, and have the database add and delete operations flowing in real
time.

> Secondly, (obviously) I can only check up on those addresses which are
> being greylisted.  I was working with one of the spamassassin devel's on a
> SA plugin that does a similar thing.

Currently, the database works with two kinds of entries, which are
differentiated with a tag at the end of the line:
- greylist entries, with no tag
- autowhitelist entries, with the AUTO tag.

Perhaps we could store more stuff there, using other tags. I have not
thought of the config syntax for such a thing, though. 

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
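
An added example, not code from either poster or from the milter-greylist project: the per-IP count from the first message, extended to use the AUTO tag described in the reply above so that autowhitelisted entries are tallied separately and only addresses at or above a threshold are listed. It assumes each dump line is whitespace-separated as IP, sender, recipient, timestamp, an optional trailing AUTO tag and an optional `#` comment; `high_rollers` and `sample_dump` are hypothetical names and the sample lines are constructed.

```shell
#!/bin/sh
# high_rollers DUMPFILE MIN
# Prints "ip greylisted_count autowhitelisted_count" for every IP that has
# at least MIN greylist (untagged) entries, busiest first.
high_rollers() {
    awk -v min="$2" '
        /^[ \t]*#/      { next }                 # whole-line comments
                        { sub(/[ \t]+#.*$/, "") } # trailing "# ..." comment
        NF < 4          { next }                 # not a tuple line (assumed layout)
        $NF == "AUTO"   { auto[$1]++; next }     # autowhitelist entry
                        { grey[$1]++ }           # greylist entry, no tag
        END {
            for (ip in grey)
                if (grey[ip] >= min)
                    printf "%s %d %d\n", ip, grey[ip], auto[ip] + 0
        }
    ' "$1" | sort -k2,2nr -k1,1
}

# Constructed sample in the assumed dump layout (documentation addresses).
sample_dump() {
    cat <<'EOF'
# constructed sample, not a real dump
192.0.2.10 <a@example.net> <u1@example.org> 1198700000 # constructed
192.0.2.10 <b@example.net> <u2@example.org> 1198700100 # constructed
192.0.2.10 <c@example.net> <u3@example.org> 1198700200
198.51.100.7 <news@example.com> <u1@example.org> 1198700300 AUTO # constructed
198.51.100.7 <x@example.com> <u2@example.org> 1198700400
203.0.113.5 <y@example.net> <u1@example.org> 1198700500
203.0.113.5 <z@example.net> <u4@example.org> 1198700600
EOF
}

# Demo: list IPs with two or more greylist entries in the sample.
demo_file=$(mktemp)
sample_dump > "$demo_file"
high_rollers "$demo_file" 2
rm -f "$demo_file"
```

The counts are still only as fresh as the last dump, which is the limitation raised in the first message.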

Re: [milter-greylist] Reporting Multiple Hits?

2007-12-30 by manu@netbsd.org

Dan Mahoney, System Admin <danm@...> wrote:

> Secondly, (obviously) I can only check up on those addresses which are
> being greylisted.  I was working with one of the spamassassin devel's on a
> SA plugin that does a similar thing.

Have you tried the stat configuration option? It allows you to get a
custom feed of milter-greylist activity, sent in a file or in a pipe.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
