Commit 6b70ae1e authored by ale's avatar ale

Add a metric for ratelimited authenticated email senders

parent 90e8ff7b
# Create a metric for rate-limited senders, that includes the sender itself.
# This should remain a low cardinality metric on short time scales.
# The purpose is to catch compromised accounts that hit the ratelimit repeatedly.
def syslog {
/^(?P<date>(?P<legacy_date>\w+\s+\d+\s+\d+:\d+:\d+)|(?P<rfc3339_date>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d+[-+]\d{2}:\d{2}))/ + /\s+(?:\w+@)?(?P<hostname>[-\w\.]+)\s+/ {
len($legacy_date) > 0 {
strptime($2, "Jan _2 15:04:05")
}
len($rfc3339_date) > 0 {
strptime($rfc3339_date, "2006-01-02T15:04:05.000000-07:00")
}
next
}
}
counter postfix_ratelimited_users_total by postfix_instance, sender
@syslog {
/(?P<postfix_instance>postfix[-a-z]*)\// {
/smtpd\[/ {
# NOQUEUE: reject: RCPT from unknown[0.0.0.0]: 450 4.7.1 <hhfhfhgfh@dfgdg.com>: Recipient address rejected: Rate limit reach, retry later; from=<navarro@inventati.org> to=<hhfhfhgfh@dfgdg.com> proto=ESMTP helo=<[0.0.0.0]>
/NOQUEUE: reject: .*: Recipient address rejected: Rate limit reach.*; from=<(?P<sender>[^>]+)>/ {
postfix_ratelimited_users_total[$postfix_instance][$sender]++
}
}
}
}
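Review bot: The legacy-date branch of the syslog decorator parses the positional capture `$2` while the rfc3339 branch uses its named capture, so the two branches read differently even though `$2` is the `legacy_date` group of the same regex; using the name in both places, `strptime($legacy_date, "Jan _2 15:04:05")`, keeps the timestamp handling consistent and survives a later reordering of the capture groups. The `sender` label on `postfix_ratelimited_users_total` is taken verbatim from the `from=<...>` field of the log line, so the low-cardinality assumption stated in the header comment holds only as long as that field is the authenticated account rather than an arbitrary envelope address; it would help to record that assumption next to the counter declaration, e.g. `# sender is the authenticated account from the from=<> field; cardinality is bounded by the number of local accounts`. The `Rate limit reach.*;` pattern is matched with a greedy `.*` that can span to the last `;` in the line, which is harmless for the quoted example but worth noting if other fields containing `;` appear before `from=`.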