Mail log analysis

[David Jones <dj...@ena.com>]

Does anyone know of a log analysis script that will give summaries of rule hits and average the SA score by sending domain?

I am using MailScanner with MailWatch which puts the SA report into a MySQL database along with headers and other email details.  This allows me to run some SQL queries every Saturday night to find potential candidates for whitelist_auth entries based on the past week.

If a sending domain hits SPF_PASS and DKIM_VALID_AU plus a few other reputation-based rules and had an average score below a certain number with more than a minimum number of emails seen, then they are a whitelist_auth candidate.

I am asking this question for those who doing have their SA reports in a database.  Seems like this would be helpful to determine patterns of both consistently safe and bad senders.

This would be similar to pflogsumm.pl and dnsblcount.pl but specific to SA.

Dave