This Python script can be used for parsing exim mail logs to find messages that are over a certain filesize. In this case we were looking for senders of messages over 10MB (10000000 bytes). You can change that in the second to last line of the script.

example usage: cat /var/log/exim_mainlog | grep domain.com | msgsizefilter.py

Here it is:


#!/usr/bin/env python

import sys
for line in sys.stdin.readlines():
if line.find("S=") != -1:
s = int(line.split("S=")[1].split(" ")[0])
d = " ".join( line.split(" ")[0:2])
e = line.split(" <= ")[1].split(" ")[0]
if s > 10000000:
print “%s \t %d \t (%s)” % (d, s, e)


Realtime Black Lists (RBLs) are used by most mail servers these days in the always growing methods for controlling spam. RBLs are probably one of the oldest common methods of blocking spam, and remain in common practice because they give a lot of bang (over 50% incoming mail blocked) for the buck (free) and without too many false positives. I am updating some RBL configurations and just wanted to take a moment to review the RBLs we recommend and provide some info about them.

Spamcop
host: bl.spamcop.net
website: www.spamcop.net
how to check for a blacklisted host: http://spamcop.net/bl.shtml
about: Spamcop is one of the largest RBLs available for free use

NJABL
host: dnsbl.njabl.org
website: www.njabl.org
how to check for a blacklisted host: www.njabl.org/lookup.html
about: NJABL is another popular freely-available RBL, most listings are from clearly dynamic blocks of IP addresses and we have seen fewer false positives from NJABL than Spamcop.

Spamhaus
host: zen.spamhaus.org (combined)
website: www.spamhaus.org
how to check for a blacklisted host: www.spamhaus.org/zen/
about: Spamhaus is famous for its legal issues recently, they have been aggressively trying to prosecute spammers and deal with legal backlash from spammers as well. They maintain 3 main black lists:

• SBL: Direct UBE sources, spam services and ROKSO spammers
• XBL: Illegal 3rd party exploits, including proxies, worms and trojan exploits
• PBL: Non-MTA IP address ranges set by outbound mail policy.

The zen list combines all 3 into one big joy of blacklisting. Note that the Spamhaus blacklists are available free only for “low-traffic mail servers serving less than 100 users.”

Before implementing RBLs, make sure that you know how to whitelist around them and that your users understand that you are implementing these controls which do have the potential of blocking legitimate email. Many mail systems will allow you to implement RBLs on a per-destination-domain basis.