Saturday, April 26, 2008

Spammer IP counter

This script parses /var/log/maillog, takes the log entries written by MailScanner that flag a message as spam, extracts the sending IP address, and counts how many times each IP has tried to deliver spam to our MTA. The counts are useful for deciding what to blacklist.

The output looks like this:

# cat /var/log/maillog*|./parse.pl
1) IP: 12.130.136.153 Count: 7
2) IP: 209.164.135.146 Count: 18
3) IP: 64.73.138.121 Count: 6
4) IP: 193.109.255.100 Count: 3
5) IP: 64.235.47.203 Count: 6
6) IP: 64.235.47.200 Count: 7


So, 209.164.135.146 would be worth blacklisting.


#!/usr/bin/perl
use strict;
use warnings;

# Count MailScanner "is spam" verdicts per sending IP. Input comes from
# STDIN or from the files named on the command line, so both
# "cat /var/log/maillog* | ./parse.pl" and "./parse.pl /var/log/maillog" work.
my %h;
while (<>) {
    # Jan 25 19:57:41 mail MailScanner[22590]: Message l0Q1p7vl022686 from
    # 200.94.142.9 (mibhanoi@bih.net.ba) to ourdomain.com is spam,
    # SORBS-DNSBL, CBL, SBL+XBL, SORBS-SPAM, RFC-IGNORANT-POSTMASTER,
    # RFC-IGNORANT-ABUSE, RFC-IGNORANT-WHOIS
    if (/^.*?from\s+(.*?)\s+.*?is\s+spam.*/) {
        $h{$1}++;    # $1 is the token after "from", i.e. the sending IP
    }
}

# Only report senders seen more than twice.
my $i = 1;
foreach my $line (keys %h) {
    if ($h{$line} > 2) {
        print "$i) IP: $line Count: $h{$line}\n";
        $i++;
    }
}
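The same counting logic as an added Python example (not from the original post), run over constructed sample lines: the pattern is anchored to the MailScanner prefix, the captured "from" token is validated as an IP address so a hostname or junk value is not counted, and the result is sorted so the worst offender comes first.

```python
import re
import ipaddress
from collections import Counter

# MailScanner "is spam" line, in the shape quoted in the Perl script above:
#   ... MailScanner[PID]: Message ID from IP (sender) to domain is spam, lists
SPAM_RE = re.compile(r"MailScanner\[\d+\]: Message \S+ from (\S+) .*? is spam\b")


def count_spam_sources(lines, threshold=2):
    """Count 'is spam' verdicts per sending IP and return [(ip, count)]
    for every IP seen more than `threshold` times, most frequent first.
    'from' tokens that are not valid IP addresses are skipped."""
    counts = Counter()
    for line in lines:
        m = SPAM_RE.search(line)
        if not m:
            continue  # not a spam verdict (an "is not spam" line lands here)
        try:
            ip = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # hostname or junk where the IP should be
        counts[ip] += 1
    return sorted(((ip, n) for ip, n in counts.items() if n > threshold),
                  key=lambda item: (-item[1], item[0]))


def report(lines, threshold=2):
    """Format the result the way the Perl script prints it."""
    return "\n".join(f"{i}) IP: {ip} Count: {n}"
                     for i, (ip, n) in enumerate(count_spam_sources(lines, threshold), 1))


# Constructed sample log (documentation-range addresses, not real senders).
def _line(ip, verdict="is spam", lists="CBL, SBL+XBL"):
    return (f"Jan 25 19:57:41 mail MailScanner[22590]: Message l0Q1p7vl022686 "
            f"from {ip} (user@example.net) to ourdomain.com {verdict}, {lists}")

SAMPLE_LOG = (
    [_line("203.0.113.9")] * 3
    + [_line("198.51.100.7")] * 4
    + [_line("192.0.2.1")]                      # seen once: below threshold
    + [_line("198.51.100.7", "is not spam")]    # clean verdict: not counted
    + [_line("unknown")]                        # no IP in the 'from' field
)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```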
