Hello,
I have been running a self-coded statistics tool over my SPAM storage (7 GByte)
for the last 3 weeks and it is really interesting to see from whom I get it...
Since database access over the Ethernet is too slow, I create a file per
"spam" or "backscatter" server and put only the UNIX timestamp into it.
I have gotten over 40000 UNIQUE (!!!) backscatters which are NOT counted
in my statistics, but there are others sending me several 100 of them
per month.
Now I would like to catch those zombies...
I want to create a recipe which alerts me if a "spam" or "backscatter"
server sends me more than a certain number of spams per period, so I am thinking
of something like
----8<-----------------------------------
:0
* ? line_counter --period=7d --alert=10
{
DUMMY_EXEC=`notifier`
:0
.ATTENTION.FLT_backscatter/
}
----8<-----------------------------------
So my problem is the "line_counter", which I would like to implement in
procmail, and it must:
1) get the DOMAIN_PART of the sender
2) lock into ~/.tdtools-procmail/backscatter/${DOMAIN_PART}.hits
3) check each line, whether the UNIX timestamp is over the threshold
"--period=7d"
4) if there are more than "--alert=10" lines
5) return true
BUT, what I would like to get additionally are
1) total hits
2) date of first hit
3) number of hits in the period
OK, if I use bash commands I can do something like:
----8<------------------------------------------------------------------
DATE_NOW_ISO=`date "+%Y-%m-%d %H:%M:%S %z"`
DATE_NOW_SER=`date --date="${DATE_NOW_ISO}" +%s`
# start of the period: now minus 7 days
DATE_PER_SER=`echo "${DATE_NOW_SER}-(60*60*24*7)" |bc`
DOMAIN_PART=`formail -I Reply-To: -I Return-Path: -t -r -czx To: |sed -e 's|.*@||' -e 's|>.*||'`
FILE=${TDTP_DIR}/backscatter/${DOMAIN_PART}.hits
DUMMY_EXEC=`echo "${DATE_NOW_SER} ${DATE_NOW_ISO}" >>${FILE}`
HITS_TOTAL=`wc -l <${FILE}`
# count the hits whose timestamp lies inside the period
HITS_PERIOD=`COUNT=0 ; for LINE in $(cut -d ' ' -f1 <${FILE}) ; do if [ ${LINE} -ge ${DATE_PER_SER} ] ; then COUNT=$((COUNT+1)) ; fi ; done ; echo ${COUNT}`
HIT_FIRST=`sort -u <${FILE} |head -n1`
:0
* ? test ${HITS_PERIOD} -ge 10
{
...
:0
.ATTENTION.${YYYY_WW}.FLT_backscatter/
}
----8<------------------------------------------------------------------
Is there a way to get the result faster in procmail?
Note: Today I had an accident by running ls on the
"${TDTP_DIR}/backscatter/" directory...
where I have over 340.000 domains already listed.
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant
--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack Apt. 917 ICQ #328449886
+49/177/9351947 50, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France IRC #Debian (irc.icq.com)
____________________________________________________________
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
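
An added example, not part of the original post and not the poster's code: a shell sketch of the "line_counter" described above that gets all three figures from one awk pass instead of a shell loop, and that restricts the header-derived domain to hostname characters before it becomes part of a file name. The argument order, the period given in whole days, and exit status 2 for a rejected domain are assumptions made for this example.

```shell
# Hypothetical helper (argument order is an assumption of this example):
#   line_counter DIR DOMAIN PERIOD_DAYS ALERT [NOW_EPOCH]
# Records one hit for DOMAIN in DIR/DOMAIN.hits, prints
#   "TOTAL_HITS FIRST_HIT_EPOCH HITS_IN_PERIOD"
# and returns 0 if HITS_IN_PERIOD >= ALERT, 1 if below, 2 if DOMAIN is rejected.
line_counter() (
    LC_ALL=C                      # make a-z in the pattern below mean ASCII only
    dir=$1 period_days=$3 alert=$4
    now=${5:-$(date +%s)}

    # DOMAIN comes from sender-controlled headers. Lower-case it, then accept
    # only hostname characters, so "/" or ".." can never reach the file name.
    domain=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case $domain in
        ''|.*|*..*|*[!a-z0-9.-]*) return 2 ;;
    esac

    file=$dir/$domain.hits
    cutoff=$(( now - period_days * 86400 ))

    # One short appended line per hit; the epoch is the first field, so files
    # in the "epoch ISO-date" layout from the post are read the same way.
    printf '%s\n' "$now" >>"$file" || return 2

    # Single pass: NR is the total, the smallest epoch is the first hit,
    # and every epoch at or after the cutoff counts towards the period.
    stats=$(awk -v cutoff="$cutoff" '
        NR == 1 || $1 + 0 < first + 0 { first = $1 }
        $1 + 0 >= cutoff + 0          { recent++ }
        END { printf "%d %s %d\n", NR, first, recent }' "$file")

    printf '%s\n' "$stats"
    [ "${stats##* }" -ge "$alert" ]   # exit status is the alert decision
)
```

Saved as a script that ends by calling `line_counter "$@"`, the exit status can drive a `* ?` condition like the one sketched in the post.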