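#!/bin/sh
######################################################################
#
# sstat
#
# mail source statistics
#
# Intended to provide mail stats on who is sending a lot of mail
# to bogus addresses - statistical significance will indicate a
# brute-force e-mail enumeration by a source
# Rights to this work governed by the LGPL
# http://www.gnu.org/copyleft/lesser.txt
#
# Chuck G - chux0r.org
# 20 May 2003
#
######################################################################
#
# Usage: sstat
#   Reads MAILLOG (normally readable by root only), picks out today's
#   "User unknown" rejections, and pages through the sorted list of
#   relay hosts/addresses that submitted them.  Scratch files are
#   created with mktemp and removed on every exit path.
#
set -eu

VER="0.1.0"
# shellcheck disable=SC2034 -- kept for a future -h/usage option
HELP="sstat Version $VER alpha - http://chux0r.org"

#Linux
MAILLOG="/var/log/maillog"
#AIX
#MAILLOG=/var/adm/syslog/maillog

[ -r "$MAILLOG" ] || {
  printf 'sstat: cannot read %s\n' "$MAILLOG" >&2
  exit 1
}

# Scratch files.  Names come from mktemp rather than fixed paths under
# /tmp: with a fixed, predictable name any local user could pre-create
# it (e.g. as a symlink) and have a root-run sstat truncate or append to
# a file of their choosing.  The trap removes all three on exit.
TMPDUMP=$(mktemp "${TMPDIR:-/tmp}/sstat.dump.XXXXXX") || exit 1
TMPSTAT=$(mktemp "${TMPDIR:-/tmp}/sstat.stat.XXXXXX") || exit 1
TMPSORT=$(mktemp "${TMPDIR:-/tmp}/sstat.sort.XXXXXX") || exit 1
cleanup() {
  rm -f -- "$TMPDUMP" "$TMPSTAT" "$TMPSORT"
}
trap cleanup EXIT

# syslog pads the day of month with a blank for days 1-9; %e does too.
DATE=$(date +"%b %e")

# Queue IDs of today's "User unknown" rejections.  cut field 4 is the
# text after the third ':' on the line, i.e. the token following the
# "sendmail[pid]:" prefix.  sort -u rather than plain uniq so an ID that
# appears on non-adjacent lines is looked up - and counted - only once.
grep "User unknown" "$MAILLOG" | grep "$DATE" | cut -d: -f 4 | sort -u > "$TMPDUMP"

# This next bit culls out the origin of the mail: for each queue ID,
# take the last comma-separated field of its relay= lines, keep what
# follows the last '[' and drop the ']' and anything after it.
while read -r ID; do
  # An empty ID would make grep match every line of the log.
  [ -n "$ID" ] || continue
  # -F: the ID is log data, not a regex; --: protect a leading '-'.
  grep -F -- "$ID" "$MAILLOG" |
    awk 'BEGIN { FS="," } /relay=/ { print $NF }' |
    awk 'BEGIN { FS="[" } { print $NF }' |
    sed "s/].*//g" >> "$TMPSTAT"
  # tail -1 "$TMPSTAT"
done < "$TMPDUMP"

sort "$TMPSTAT" > "$TMPSORT"
less "$TMPSORT"
#more ${TMPSTAT}
#Need to add more processing + stats foo here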