From 14d586901988ed3dacb34a8fb787580fded61178 Mon Sep 17 00:00:00 2001
From: Stuart Gathman
Date: Wed, 28 Dec 2005 22:24:34 +0000
Subject: [PATCH] parse milter.log from bms.py into a sequence of connections
---
report.py | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 57 insertions(+)
create mode 100644 report.py
diff --git a/report.py b/report.py
new file mode 100644
index 0000000..4a59242
--- /dev/null
+++ b/report.py
@@ -0,0 +1,57 @@
+# Analyze milter log to find abusers
+
+class Connection(object);
+ def __init__(self,dt,tm,id,ip)
+ self.dt = dt
+ self.tm = tm
+ self.id = id
+ _,self.host,self.ip = ip.split(None,2)
+
+def connections(fp):
+ conndict = {}
+ for line in fp:
+ a = line.split(None,4)
+ if len(a) < 4: continue
+ dt,tm,id,op = a[:4]
+ if id,op == 'bms','milter':
+ # FIXME: optionally yield all partial connections
+ conndict = {}
+ key = id
+ if op == 'connect':
+ ip = a[4].rstrip()
+ conn = Connection(dt,tm,id,ip)
+ conndict[key] = conn
+ else:
+ conn = conndict[key]
+ if op == 'Subject:':
+ if len(a) > 4: conn.subject = a[4].rstrip()
+ elif op == 'mail':
+ _,conn.mfrom = a[4].split(None,2)
+ elif op == 'rcpt':
+ _,conn.rcpt = a[4].split(None,2)
+ elif op in ('eom','dspam','abort'):
+ del conndict[key]
+ conn.enddt = dt
+ conn.endtm = tm
+ conn.result = op
+ yield conn
+ elif op in ('REJECT:','DSPAM:','SPAM:'):
+ conn.enddt = dt
+ conn.endtm = tm
+ conn.result = op
+ conn.resmsg = a[4].rstrip()
+ yield conn
+ else:
+ print line.rstrip()
+
+
+if __name__ == '__main__':
+ import gzip
+ import sys
+ for fn in sys.argv[:1]:
+ if fn.endswith('.gz'):
+ fp = gzip.open(fn)
+ else:
+ fp = open(fn)
+ for conn in connections(fp):
+ print conn.dt,conn.tm,conn.id,conn.subject,conn.mfrom,conn.rcpt
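Review bot: report.py as added does not compile: `class Connection(object);` ends in a semicolon, `def __init__(self,dt,tm,id,ip)` has no colon, and `if id,op == 'bms','milter':` needs both tuples parenthesised. Once it parses, `for fn in sys.argv[:1]` iterates only the script's own path rather than the log files named on the command line; it should be `sys.argv[1:]`. In connections(), `conn = conndict[key]` raises KeyError for any id whose 'connect' line was not seen, and the final print reads conn.subject, conn.mfrom and conn.rcpt, which exist only if those lines were logged, so one unusual session aborts the whole report. The subject and envelope text presumably originate from the remote sender, so a tool meant to find abusers should print or skip such lines instead of stopping; the two-target unpacks of `a[4].split(None,2)` fail the same way when the text has one or three fields.

```python
class Connection(object):
    def __init__(self,dt,tm,id,ip):
        # ... unchanged: dt, tm, id, host, ip assignments ...
        # defaults, so the report can print a session that never logged these
        self.subject = self.mfrom = self.rcpt = None

        # ... unchanged: line.split and the len(a) < 4 check ...
        if (id,op) == ('bms','milter'):
            # ... unchanged: reset conndict ...
        # ... unchanged: key = id and the 'connect' branch ...
        else:
            conn = conndict.get(key)
            if conn is None:
                # no 'connect' seen for this id (log starts mid-session, or dict was reset)
                print line.rstrip()
                continue
            # ... unchanged: per-op handling ...

    for fn in sys.argv[1:]:
```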