|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
|
[PLUG] Exchange and postfix (next meeting topic)
|
All,
Hi. I'm doing this in a production environment.
Postfix/Amavid-new/SpamAssassin/Razor as a spam-filtering front-end to
exchange which sits inside.
One of the things I do every morning in a cron is to run the appended
script. It parses the mail logs on the postfix box looking for rejected
senders, spam senders and virus senders for every valid user configured
in postfix. It generates reports, and sends them out to everyone who had
hits. Works well here, and I thought others may like it as well. The top
needs to be modified to suit your environment, but everything is
variable-ized to allow portability.
Cheers,
Chris
PS watch for any line wrapping that may occur via email, and let know if
you like it.
# BEGIN SCRIPT
#!/bin/bash
#set -x
# cbarry@silverstorm.com
# mbrooks@silverstorm.com
# brute force log parser and spam report
#
# best when run @ 6:30 AM, after your mail.log rotates.
# this script parses the current mail.log, and the just rotated
# mail.log.0 (if these are what you configure). It looks in these
# logs for rejected senders, spam senders, and viruses, for every
# valid recipient on your system. If there are any entries in the
# logs for a valid recipient, she is sent the report. No hits,
# then no report.
# Requirements
# * postfix
# * amavisd
# * spamassassin
# * I'm running Debian, so your mail logs may be named differently
# setup section (modify these variables to suit your environment)
# email domain
alert_domain="silverstorm.com"
primary_domain="silverstorm.com"
domain_names="silverstorm.com infiniconsys.com infinicon.com"
# user list: in postfix, this would be the relay_recipients map
# it's format is:
# user@domain OK
recips_list="/etc/postfix/maps/relay_recipients"
# temp files
usertmp="/var/log/spam.tmp"
admintmp="/var/log/daily_admin_spam.report"
# administrator's email address
admin_email="sysadmin@${alert_domain}"
# support address
support="ITSupport@${alert_domain}"
# the mail log(s) to parse. make sure you're hitting the one that stuff
just got
# rotated to. Typically this means you need to run this script *after*
cron.daily
# rotates the logs. On Debian, this happens ~6:25AM every day.
logs="/var/log/mail.log /var/log/mail.log.0"
# Add users who do not want to get the report ever.
# to the opt_out list, separated by a pipe symbol.
# as in:
# opt_out='fjones|bbking|brubble|jlennon'
opt_out='fsmith|bdougles'
# program section (you shouldn't need to edit below here, except for
testing)
users=$(grep ${primary_domain} ${recips_list} | cut -d@ -f1)
# Use this userlist for testing (edit with your name, obviously!)
#users='bmaxwell cking'
# for testing...
#echo $users
#exit
# cleanup
[ -f ${usertmp} ] && rm ${usertmp}
[ -f ${admintmp} ] && rm ${admintmp}
# standard common report text
salutation="For the user or email list named: "
period="Report for the prior 24 hour period \\n"
overview="Below is a list of senders that were rejected by the
spamfilter. \\nScan the Senders column to see if it has any email
addresses you wish to allow. \\nIf so, please email
ITSupport@silverstorm.com with the address to allow.\\n"
rejected_hdr="\\nREJECTED SENDERS \\nDATE Rejected
Sender address\\n"
spam_hdr="\\nSPAM SENDERS \\nDATE Spam Sender
address \\n"
virus_hdr="\\nVIRUS SENDERS \\nDATE Virus Sender
address Virus Detected"
footer="\\n\\nTo stop getting this report, just click
this:\\nmailto:${support}?subject=Remove_me_from_Spam_Report_List
\\n...and press send. \\n"
function generate_grep_str ()
{
oIFS=${IFS}
IFS=' '
U=$1
grep_str=
for d in $(echo ${domain_names})
do
if [ "${grep_str}" == "" ]
then
local grep_str="${U}@${d}"
else
local grep_str="${grep_str}|${U}@${d}"
fi
done
echo -n "${grep_str}"
IFS=${oIFS}
}
oIFS=$IFS
nIFS='
'
for u in $users;
do
IFS=$oIFS
if [ "$(echo $u | egrep ${opt_out})" == "" ]
then
[ -f $usertmp ] && rm $usertmp 2>&1 >/dev/nul
echo "Processing $u..."
grep_str=$(generate_grep_str ${u})
echo grep_str: $grep_str
# egrep email domains to search for need to be modified to fit
your environment.
# rejected_data=$(cat $(echo ${logs}) | grep 'Sender address
rejected' | egrep
\'$u@silverstorm.com\|$u@infiniconsys.com\|$u@infinicon.com\' | awk '{
print $1" "$2" "$3" "$19 }')
rejected_data=$(cat ${logs} | grep 'Sender address rejected' |
egrep "${grep_str}" | awk '{ print $1" "$2" "$3" "$19 }')
echo rejected: ${rejected_data}
# spam_data=$(cat $(echo ${logs}) | grep 'Blocked SPAM' | grep -v
LOCAL | egrep
\'$u@silverstorm.com\|$u@infiniconsys.com\|$u@infinicon.com\' | awk '{
print $1" "$2" "$3" "$11 }')
spam_data=$(cat $logs | grep 'Blocked SPAM' | grep -v LOCAL |
egrep ${grep_str} | awk '{ print $1" "$2" "$3" "$11 }')
echo spam: ${spam_data}
# spamlocal_data=$(cat $(echo ${logs}) | grep 'Blocked SPAM,
LOCAL' | egrep
\'$u@silverstorm.com\|$u@infiniconsys.com\|$u@infinicon.com\' | awk '{
print $1" "$2" "$3" "$12 }')
spamlocal_data=$(cat $logs | grep 'Blocked SPAM, LOCAL' | egrep
${grep_str} | awk '{ print $1" "$2" "$3" "$12 }')
echo spam local: ${spam_local}
raw_virus_data=$(cat $logs | grep 'Blocked INFECTED' | egrep
"${grep_str}")
echo raw_virus: $raw_virus_data
viruslocal_data=""
virus_jpeg_data=""
virus_data=""
# virus data
IFS=$nIFS
for l in $raw_virus_data
do
IFS=$oIFS
if [ "$(echo ${l} | awk '{ print $10 }')" == "LOCAL" ]
then
viruslocal_data="${viruslocal_data}"\\n$(echo ${l} |
awk '{ print $1" "$2" "$3" "$13" "$9 }')
echo viruslocal: $viruslocal_data
elif [ "$(echo ${l} | awk '{ print $10 }')" == "jpeg:" ]
then
virus_jpeg_data="${virus_jpeg_data}"\\n$(echo ${l} |
awk '{ print $1" "$2" "$3" "$20" "$9" "$10" "$11" "$12" "$13" "$14"
"$15" "$16" "$17 }')
echo virus_jpeg: $virus_jpeg_data
else
virus_data="${virus_data}"\\n$(echo ${l} | awk '{
print $1" "$2" "$3" "$12" "$9 }')
echo virus: $virus_data
fi
IFS=$nIFS
done
IFS=$oIFS
# Build report
# was any data returned?
if [ "${rejected_data}" != "" ] || [ "${spam_data}" != "" ] || [
"${spamlocal_data}" != "" ] || [ "${virus_data}" != "" ] || [
"${viruslocal_data}" != "" ];
then
echo -e "${salutation}${u},\\n" >$usertmp
echo -e "${period}" >>$usertmp
echo -e "${overview}" >>$usertmp
if [ "${rejected_data}" != "" ]
then
echo -e "${rejected_hdr}" >>$usertmp
echo "${rejected_data}" >>$usertmp
fi
if [ "${spam_data}" != "" ] || [ "${spamlocal_data}" != "" ]
then
echo -e "${spam_hdr}" >>$usertmp
if [ "${spam_data}" != "" ]
then
echo "${spam_data}" >>$usertmp
fi
if [ "${spamlocal_data}" != "" ]
then
echo "${spamlocal_data}" >>$usertmp
fi
fi
if [ "${virus_data}" != "" ] || [ "${viruslocal_data}" != ""
] || [ "${virus_jpeg_data}" != "" ]
then
echo -e "${virus_hdr}" >>$usertmp
if [ "${virus_data}" != "" ]
then
echo -e "${virus_data}" >>$usertmp
fi
if [ "${virus_jpeg_data}" != "" ]
then
echo -e "${virus_jpeg_data}" >>$usertmp
fi
if [ "${viruslocal_data}" != "" ]
then
echo -e "${viruslocal_data}" >>$usertmp
fi
fi
echo -e "${footer}" >>$usertmp
fi
# email user the report
[ -f $usertmp ] && cat $usertmp | mail -s "Daily 'Rejected by
SPAM Filter' Report for $u" $u@${primary_domain}
# add to admin's report
[ -f $usertmp ] && cat $usertmp >> $admintmp
fi
done
# email the admins a complete report
cat $admintmp | mail -s "Daily 'Total Rejected SPAM' Report"
$admin_email
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
|
|