[SOLVED] Detailed Spam Reports?

[kazooless]

Is there any way to get a report of the percentages of scores for the spam that comes in?

For example, in the Exchange Server I moved from, Microsoft recommends running Performance Monitor before blocking spam using their proprietary SPF scores. I believe they score from 0 - 9, so it will tell you what percent of spam scores 1, what scores 2, 3, and on.

I'd like to see the same thing if possible here, so that I can bring down my Zimbra restriction to reject the most amount of spam without getting too close to increasing false positives.

Thanks,

Kazoo

[uxbod]

Code:

==================================================================================
Spam Score Percentiles        0%       50%       90%       95%       98%      100%
----------------------------------------------------------------------------------
Score Spam (11)           13.058    28.101    30.834    32.029    32.745    33.223
Score Ham (72)            -8.749    -2.495    -0.719     0.389     1.588     6.003
==================================================================================

======================================================================================================
Spam Score Frequency      <= -10     <= -5      <= 0      <= 5     <= 10     <= 20     <= 30      > 30
------------------------------------------------------------------------------------------------------
Hits (83)                      0         1        66         5         3         4         3         1
Percent of Hits            0.00%     1.20%    79.52%     6.02%     3.61%     4.82%     3.61%     1.20%
======================================================================================================

If this is the sort of thing you are after then you can try Amavis :: Logwatch. You will need to increase the log_level=2 in /opt/zimbra/conf/amavisd.conf.in and then restart ZCS to get all the scores reported.

[kazooless]

YES! Thanks.

[blazeking]

I just setup the Amavis Logwatch program mentioned above... It would be great if I could get a history going (like past 30 or 365 days). As it is, I run the program against /var/log/zimbra.log, which resets daily. Any ideas of how to get results for more than one day?

[kazooless]

I was just introduced to logwatch, but there is an option in the logwatch.conf file that lets you turn on archives and set the range. Take a look at that.

Quote:

/usr/share/logwatch/default.conf

Maybe this will enable what you're looking for.

kazoo

[uxbod]

Also, the old logs are kept so you could concatenate them all together and run it against the new file ?

[blazeking]

Quote:

Originally Posted by uxbod

Also, the old logs are kept so you could concatenate them all together and run it against the new file ?

That's what I ended up doing for the 5 log files I have rotating on my server. Only gives me 5 days, but that's enough for now. Thanks!

[kazooless]

I know it is marked "Solved" so tell me if I should start a new thread.

However, this is specifically related. I've done the suggested above and have logwatch working including the postfix configs linked above. But the amavis scripts don't seem to be working, and "yes" I did set the log_level to 2 and restarted.

I have a feeling that it is trying to read from a log file that doesn't exist with Zimbra. I can see the spam traffic in the zimbra.log, but I am guessing/wondering if it is a different log that the amavis-logwatch script is trying to read. Thoughts??

Thanks,
kazoo

[kazooless]

Well, it's working now. I did a lot of looking into this yesterday after posting the last message. What I did (and I'm not sure which one fixed it) is I copied the /etc/logwatch/conf/services/amavis.conf to /usr/share/logwatch/default.conf/services (overwriting the existing one).

I also made edits to the /usr/share/logwatch/default.conf/logfiles/maillog.conf and /usr/share/logwatch/dist.conf/logfiles/maillog.conf (I didn't know for sure which one was active, so I took the shotgun approach).

This is what they look like now:

Quote:

################################################## ########################
# $Id: maillog.conf,v 1.13 2006/03/21 01:47:28 bjorn Exp $
################################################## ########################

################################################## ######
# This was written and is maintained by:
# Kenneth Porter <shiva@well.com>
#
# Please send all comments, suggestions, bug reports,
# etc, to shiva@well.com.
################################################## ######

# What actual file? Defaults to LogPath if not absolute path....
LogFile = maillog
LogFile = syslog
LogFile = mail.log
LogFile = mail.log.0
LogFile = zimbra.log
LogFile = zimbra.log.0

# If the archives are searched, here is one or more line
# (optionally containing wildcards) that tell where they are...
#If you use a "-" in naming add that as well -mgt
Archive = maillog.*
Archive = syslog.*
Archive = archiv/maillog.*
Archive = mail.log.*.gz
Archive = zimbra.log.*.gz

# Expand the repeats (actually just removes them now)
*ExpandRepeats

# Keep only the lines in the proper date range...
*OnlyHost
*ApplyStdDate

# vi: shiftwidth=3 tabstop=3 et

Notice that I basically just added the zimbra log files here. Of course I set the amavis log_level as suggested earlier to '2.'

Hopefully this will help all others with this. I'm sure I took the long way around, but at least it works for me now.

[blazeking]

Looking over the summary report from amavis-logwatch, I know that it's not counting the "rejected" messages like this one:

Apr 6 11:36:00 zmail2 postfix/smtpd[27357]: NOQUEUE: reject: RCPT from unknown[78.177.100.26]: 550 5.1.1 <user@domain.com>: Recipient address rejected

Is that a part of the command or logging that I'm missing?