Better Living Through Thinking

Which RBL caught my spam?

Fri, 07 Sep 2007

I'm a big believer in statistics. If you don't know which spam-fighting techniques are most effective, you're probably wasting lots of effort in the wrong places.

One little one-liner I use to gauge effectiveness is this:

zcat /var/log/maillog.* | grep 'Access denied' | perl -lne '/Access denied\((.+?)\) for/ && $reason{$1}++;' \
-e 'END { print "$_ => $reason{$_}" for sort keys %reason }'

This goes through my maillogs for the past 7 days (I keep 7 days of archives) and prints out a little report:

2a => 28883
2b => 14384
 3 => 798

To get this kind of data, I have to mark up my log entries a little. My sendmail configuration looks like this:

FEATURE(dnsbl,`sbl-xbl.spamhaus.org', `"550 5.7.1 Access denied(2a) for " $&{client_addr} "."')
FEATURE(dnsbl,`zen.spamhaus.org', `"550 5.7.1 Access denied(2b) for " $&{client_addr} "."')
FEATURE(dnsbl,`list.dsbl.org',    `"550 5.7.1 Access denied(3) for " $&{client_addr} "."')

which gives me an index of which RBL was triggered in the log file:

Sep  7 00:00:39 deep2 sm-mta[60911]: ruleset=check_relay, arg1=[61.84.154.72], arg2=127.0.0.4, \
relay=[61.84.154.72], reject=550 5.7.1 Access denied(2a) for 61.84.154.72.
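
An added example, not part of the original post: the same tally extended to report distinct client addresses and each tag's share of all rejections, since repeat connections from one host inflate the raw counts. The tag-to-list mapping comes from the sendmail configuration above; the function names are hypothetical, and every sample log line after the first is constructed.

```shell
#!/bin/sh
# Added example: per-tag rejection counts, distinct client addresses, share of total.

# Sample input. First line is the post's log entry (unwrapped); the rest are constructed.
sample_log() {
    cat <<'EOF'
Sep  7 00:00:39 deep2 sm-mta[60911]: ruleset=check_relay, arg1=[61.84.154.72], arg2=127.0.0.4, relay=[61.84.154.72], reject=550 5.7.1 Access denied(2a) for 61.84.154.72.
Sep  7 00:01:02 deep2 sm-mta[60915]: ruleset=check_relay, arg1=[61.84.154.72], arg2=127.0.0.4, relay=[61.84.154.72], reject=550 5.7.1 Access denied(2a) for 61.84.154.72.
Sep  7 00:01:40 deep2 sm-mta[60920]: ruleset=check_relay, arg1=[192.0.2.10], arg2=127.0.0.4, relay=[192.0.2.10], reject=550 5.7.1 Access denied(2a) for 192.0.2.10.
Sep  7 00:02:11 deep2 sm-mta[60931]: ruleset=check_relay, arg1=[198.51.100.7], arg2=127.0.0.10, relay=[198.51.100.7], reject=550 5.7.1 Access denied(2b) for 198.51.100.7.
Sep  7 00:02:30 deep2 sm-mta[60940]: ruleset=check_relay, arg1=[203.0.113.9], arg2=127.0.0.2, relay=[203.0.113.9], reject=550 5.7.1 Access denied(3) for 203.0.113.9.
Sep  7 00:03:05 deep2 sm-mta[60950]: l8763501060950: from=<user@example.org>, size=1024, nrcpts=1, relay=[192.0.2.50]
EOF
}

# Reads maillog lines on stdin.
# Prints one line per tag: tag, list name, hits, distinct client addresses, percent of hits.
rbl_report() {
    LC_ALL=C awk '
    BEGIN {
        # Tags as assigned in the FEATURE(dnsbl, ...) lines of the post.
        name["2a"] = "sbl-xbl.spamhaus.org"
        name["2b"] = "zen.spamhaus.org"
        name["3"]  = "list.dsbl.org"
    }
    # Only check_relay rejections that carry the tagged message are counted.
    /ruleset=check_relay/ && match($0, /Access denied\([^)]+\) for [^ ]+/) {
        hit = substr($0, RSTART, RLENGTH)
        tag = hit; sub(/^Access denied\(/, "", tag); sub(/\).*/, "", tag)
        ip  = hit; sub(/^.* for /, "", ip);          sub(/\.$/, "", ip)
        count[tag]++; total++
        # Count each client address once per tag.
        if (!((tag, ip) in seen)) { seen[tag, ip] = 1; uniq[tag]++ }
    }
    END {
        # With no matching lines the loop body never runs, so total is never zero here.
        for (t in count)
            printf "%s %s %d %d %.1f\n", t, ((t in name) ? name[t] : "unknown"),
                   count[t], uniq[t], 100 * count[t] / total
    }' | LC_ALL=C sort
}

sample_log | rbl_report
```

On the mail server itself, the function takes the same input as the one-liner: `zcat /var/log/maillog.* | rbl_report`.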