
Add insight that detects RBL blocks from the log files

References #53 (closed)

The insight type has been named "messagerbl", meaning that the RBL detection is done via the log messages instead of any external mechanism.

It also introduces a helper script tools/mock_logs.sh that can be used to manually feed the application with logs.

A new insight is generated for a given host (Microsoft, Yahoo, etc.), and it won't be generated again in the following 3.5 days (half a week), to prevent spamming the sysadmin.

Test Plan

  • Build a release version (make release).
  • Configure the IP address in the settings.
  • Run controlcenter by redirecting stdin from the helper script, as follows:
$ ./tools/mock_logs.sh | ./lightmeter -workspace ws -stdin

When running the application, paste partial log lines to the terminal, pressing enter to insert them.

As the log date and time are important, you should remove such parts of the logs, pasting only what comes after the time part of the line.

For instance, for the log line

Jan 28 22:05:12 mail postfix/smtp[19476]: D47612C4ACBB: to=<user@example.com>, relay=eu-smtp-inbound-2.mimecast.com[11.22.33.44]:25, delay=0.4, delays=0.01/0.02/0.25/0.12, dsn=5.0.0, status=bounced (host eu-smtp-inbound-2.mimecast.com[11.22.33.44] said: 550 csi.mimecast.org Poor Reputation Sender. - https://community.mimecast.com/docs/DOC-1369#550 [Dni_-R0IN1elEpzMLduRiw.uk175] (in reply to RCPT TO command))

You should paste only:

mail postfix/smtp[19476]: D47612C4ACBB: to=<user@example.com>, relay=eu-smtp-inbound-2.mimecast.com[11.22.33.44]:25, delay=0.4, delays=0.01/0.02/0.25/0.12, dsn=5.0.0, status=bounced (host eu-smtp-inbound-2.mimecast.com[11.22.33.44] said: 550 csi.mimecast.org Poor Reputation Sender. - https://community.mimecast.com/docs/DOC-1369#550 [Dni_-R0IN1elEpzMLduRiw.uk175] (in reply to RCPT TO command))

Expectation

When you do it, the number of "bounced" messages in the dashboard should increase and there should be a new insight informing that the IP has been blocked by "example.com (Mimecast)".

More patterns can be found in the file messagerbl/default.go.

Edited by Leandro Santiago
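
The detection and rate limiting described above, as an added example that is not code from this merge request or from the Lightmeter project. The pattern table, the `Detector` type and the `Check` function are assumptions made for illustration (the project's real patterns are in messagerbl/default.go), and insights are keyed here by provider name.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Log line from the test plan above, without the timestamp prefix.
const sampleLine = `mail postfix/smtp[19476]: D47612C4ACBB: to=<user@example.com>, relay=eu-smtp-inbound-2.mimecast.com[11.22.33.44]:25, delay=0.4, delays=0.01/0.02/0.25/0.12, dsn=5.0.0, status=bounced (host eu-smtp-inbound-2.mimecast.com[11.22.33.44] said: 550 csi.mimecast.org Poor Reputation Sender. - https://community.mimecast.com/docs/DOC-1369#550 [Dni_-R0IN1elEpzMLduRiw.uk175] (in reply to RCPT TO command))`

// Constructed pattern for illustration; the project's list is in messagerbl/default.go.
var rblPatterns = map[string]*regexp.Regexp{
	"Mimecast": regexp.MustCompile(`(?i)csi\.mimecast\.org Poor Reputation Sender`),
}

// Captures the recipient domain and the remote reply of a bounced delivery.
var bounceRe = regexp.MustCompile(`to=<[^@>]+@([^>]+)>.*status=bounced \((.*)\)$`)

const quietPeriod = 84 * time.Hour // 3.5 days (half a week)

// Detector remembers when the last insight was generated for each provider.
type Detector struct{ lastInsight map[string]time.Time }

func NewDetector() *Detector { return &Detector{lastInsight: map[string]time.Time{}} }

// Check returns an insight text when line is a bounce whose reply matches an
// RBL pattern and no insight for that provider was generated within quietPeriod.
func (d *Detector) Check(now time.Time, line string) (string, bool) {
	m := bounceRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return "", false // not a bounced delivery
	}
	for provider, re := range rblPatterns {
		if !re.MatchString(m[2]) {
			continue
		}
		if last, seen := d.lastInsight[provider]; seen && now.Sub(last) < quietPeriod {
			return "", false // still inside the quiet period
		}
		d.lastInsight[provider] = now
		return fmt.Sprintf("IP blocked by %s (%s)", m[1], provider), true
	}
	return "", false
}

func main() {
	d := NewDetector()
	fmt.Println(d.Check(time.Now(), sampleLine)) // first match produces an insight
	fmt.Println(d.Check(time.Now(), sampleLine)) // repeat is suppressed
}
```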
