spamtowho.pl --> Bandwidth Savings

Unanswered Question
Nov 8th, 2007

Folks,

My spamtowho reports always show Bandwidth Savings as 0.00 MB. This is when analyzing a cluster or an individual appliance. We don't use LDAP. Is this the issue in the calculations?

Richard

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
karlyoun Sat, 11/10/2007 - 21:43

[quote="richard.doiron"]Folks,

My spamtowho reports always show Bandwidth Savings as 0.00 MB. This is when analyzing a cluster or an individual appliance. We don't use LDAP. Is this the issue in the calculations?

Richard

I don't see an answer to this, so I'll take a stab at it.

If you don't use LDAP or SBRS you will see 0.00MB savings.

Also, If you don't use Anti-Spam you will see 0.00 MB, because spamtohwo uses the average size of positive spam to estimate the average size of messages rejected.

If neither of these apply, can you post some spamtowho output?

-karl

richard.doiron_... Tue, 11/13/2007 - 18:24

Hi,

Thanks for the reply. We do use spam detection but do not use LDAP lookups. I see by the formula that this will result in a 0 result. Our setup is similiar to an ISP's setup where we have hundreds of client MTA's connecting and cannot force LDAP lookups.

This is a result of a spamtowho run on a lab setup...


------------ Statistics gathered and compiled: ------------
Notes
This program has retroactively set SBRS scores for messages and connections based upon IncomingRelay detection.
System & version -> number of log files
SN 0019B9C43053-3VLYYC1 version 5.5.1-008 19
Time Frame of log entries processed
begin Mon Nov 12 05:22:56 2007
end Tue Nov 13 00:19:11 2007
Utility info
Processing time 1 seconds for 9363 lines, 9363 lines per second.
Version 0.421
flags ./spamtowho.pl -d /var/log/ironport/roxanne -antivirus -antispam -per_rcpt -per_domain -bouncedetail -htmloutput test1.html -seat-count -interim -collate-from-to -all-sbrs
Anti-Spam
AS Total messages 341
AS Total recipients 341
AS-negative messages 267
AS-negative rcpts 267
AS-positive messages 36 10.56%
AS-positive rcpts 36 10.56%
AS-suspect messages 38
AS-suspect rcpts 38
Average message byte size 6,636
Average message byte size (negative) 6,675
Average message byte size (positive) 9,526
Average message byte size (suspect) 3,619
Size Range Pos Neg Susp
< 10KB 31 237 38
< 20KB 1 11 0
< 30KB 0 3 0
< 40KB 1 9 0
< 50KB 1 4 0
< 60KB 2 2 0
< 70KB 0 1 0
Anti-Spam - CASE
AS Total messages 341
AS Total recipients 341
AS-negative messages 267
AS-negative rcpts 267
AS-positive messages 36 10.56%
AS-positive rcpts 36 10.56%
AS-suspect messages 38
AS-suspect rcpts 38
Bytes scanned (Total) 2,262,918
Bytes scanned (negative) 1,782,406
Bytes scanned (positive) 342,954
Bytes scanned (suspect) 137,558
Messages which were too big for scanning by CASE (res will be negative) 1
Size Range Pos Neg Susp
< 10KB 31 237 38
< 20KB 1 11 0
< 30KB 0 3 0
< 40KB 1 9 0
< 50KB 1 4 0
< 60KB 2 2 0
< 70KB 0 1 0
Anti-Spam interim results
CASE negative 267
CASE positive 36
CASE suspect 38
Anti-Virus
AV Total messages 342
AV Total recipients 342
AV-negative messages 342
AV-negative rcpts 342
Average message byte size 9,063
Average message byte size (negative) 9,063
Size Range Pos Neg Unsc Rprd
< 10KB 0 306 0 0
< 20KB 0 12 0 0
< 30KB 0 3 0 0
< 40KB 0 10 0 0
< 50KB 0 5 0 0
< 60KB 0 4 0 0
< 70KB 0 1 0 0
< 1MB 0 1 0 0
Anti-Virus - Sophos
AV Total messages 342
AV Total recipients 342
AV-negative messages 342
AV-negative rcpts 342
Bytes scanned (Total) 3,099,782
Bytes scanned (negative) 3,099,782
Size Range Pos Neg Unsc Rprd
< 10KB 0 306 0 0
< 20KB 0 12 0 0
< 30KB 0 3 0 0
< 40KB 0 10 0 0
< 50KB 0 5 0 0
< 60KB 0 4 0 0
< 70KB 0 1 0 0
< 1MB 0 1 0 0
Anti-Virus interim results
Sophos negative 342
Bandwidth Savings 0.00 MB - ((Msgs refused by HAT) * (#Rcpts/connection) * (Avg spam+ size) + (Msgs rejected via LDAP) * (Avg spam+ size))
Bounces
Generated 210
double 1
Connections in
Total Initiated 326
Which injected messages 239
On interface Data 326
Connections out (delivery)
Total Initiated 286
Error: network error 19
On interface '192.168.10.50' 286
Costliness
Size From #rcpts Time
836864 grbounce-Ua50ngUAAACII4JzTBvc1ePWeJJ4iDOl=rdoiron=[email protected] 1 Mon Nov 12 14:17:48 2007
68150 grbounce-Ua50ngUAAACII4JzTBvc1ePWeJJ4iDOl=rdoiron=[email protected] 1 Mon Nov 12 13:25:56 2007
60611 grbounce-Ua50ngUAAACII4JzTBvc1ePWeJJ4iDOl=rdoiron=[email protected] 1 Mon Nov 12 15:14:54 2007
56463 grbounce-Ua50ngUAAACII4JzTBvc1ePWeJJ4iDOl=rdoiron=[email protected] 1 Mon Nov 12 16:00:42 2007
52361 grbounce-Ua50ngUAAACII4JzTBvc1ePWeJJ4iDOl=rdoiron=[email protected] 1 Mon Nov 12 05:28:26 2007
52201 grbounce-Ua50ngUAAACII4JzTBvc1ePWeJJ4iDOl=rdoiron=[email protected] 1 Mon Nov 12 10:25:47 2007
46498 grbounce-Ua50ngUAAACII4JzTBvc1ePWeJJ4iDOl=rdoiron=[email protected] 1 Mon Nov 12 12:45:22 2007
46176 grbounce-Ua50ngUAAACII4JzTBvc1ePWeJJ4iDOl=rdoiron=[email protected] 1 Mon Nov 12 11:21:16 2007
44959 grbounce-Ua50ngUAAACII4JzTBvc1ePWeJJ4iDOl=rdoiron=[email protected] 1 Mon Nov 12 11:47:09 2007
44577 grbounce-Ua50ngUAAACII4JzTBvc1ePWeJJ4iDOl=rdoiron=[email protected] 1 Mon Nov 12 07:34:12 2007
HAT Policies
None ACCEPT 326
~Total ACCEPT 326
HAT match types
ALL (default) - ACCEPT policy 326
IncomingRelay
success: LUIS_EDGE, header Received 342
Messages
Deliveries Begun Inbound 342
Deliveries Begun Outbound 419
Sent to IronPort Spam Quarantine 36
System-generated 1
Total received (external origin) 342
received (system/splintered/external origin) 468
received on 'Data' 342
sent 419
Per destination domain
Address Messages %ASpositive %ASsuspect #AVpos
dept2.srv.gc.ca 237 11 13 0
dept1.srv.gc.ca 105 8 4 0
Per destination rcpt
Address Messages %ASpositive %ASsuspect #AVpos
[email protected] 234 10 14 0
[email protected] 92 6 5 0
[email protected] 13 23 0 0
[email protected] 3 66 0 0
Policy matches
for all rcpts on DEFAULT in the inbound table 342
Recipients
Average # per connection (all) 1.04907975460123
Average # per connection (successful) 1.43096234309623
Average # per message 0.730769230769231
Sent to IronPort Spam Quarantine 36
received 342
sent 419
SBRS
Score Conns %Total Conns MsgBgn %Total Msgs ScdMsgs %AS Pos
-2.0 217 66.56 222 64.91 222 11.71
-1.2 1 0.31 1 0.29 1 0
-0.2 2 0.61 2 0.58 2 100.00
0.5 3 0.92 3 0.88 3 0
1.4 1 0.31 1 0.29 1 100.00
2.2 2 0.61 2 0.58 2 0
3.4 2 0.61 2 0.58 2 0
3.6 11 3.37 19 5.56 19 0
3.9 11 3.37 12 3.51 12 16.67
4.2 1 0.31 1 0.29 1 0
4.4 18 5.52 19 5.56 19 5.26
4.5 1 0.31 1 0.29 1 0
4.6 11 3.37 12 3.51 12 16.67
4.7 2 0.61 2 0.58 2 100.00
5.2 30 9.20 30 8.77 29 0
5.3 1 0.31 1 0.29 1 0
5.5 2 0.61 2 0.58 2 0
5.6 1 0.31 1 0.29 1 0
5.8 8 2.45 8 2.34 8 0
5.9 1 0.31 1 0.29 1 0
Seats in use
Anti-Spam 4
Anti-Spam - CASE 4
Anti-Virus 4
Anti-Virus - Sophos 4
Sizes
Size Range MB Total messages AvgKBytes %bytes %messages
0B - 5KB 1.12 358 3.20 37.93 76.50
5KB - 10KB 0.46 72 6.63 15.79 15.38
10KB - 15KB 0.08 7 12.51 2.89 1.50
15KB - 20KB 0.11 7 16.93 3.92 1.50
20KB - 32KB 0.09 4 25.04 3.31 0.85
32KB - 64KB 0.74 18 42.34 25.18 3.85
64KB - 96KB 0.06 1 66.55 2.20 0.21
512KB - 1024KB 0.79 1 817.25 27.00 0.21
Average message size 6623
Total MB received 2.95
Total MB sent 2.73
VOF
Messages which were too big for scanning (res will be negative) 1
----------- end of auto-stats -----------

karlyoun Tue, 11/13/2007 - 19:12

Richard

Here's the second piece of this:

------------ Statistics gathered and compiled: ------------
Notes
This program has retroactively set SBRS scores for messages and connections based upon IncomingRelay detection.


If you have a relay in front of the IronPort it can't drop connections during conversation. Every mail needs to be fully accepted.

Since you aren't using LDAP, and the IncomingRelay prevents your appliance from dropping connections in conversation, the 0 MB bandwidth saved is accurate.

-karl
richard.doiron_... Wed, 11/14/2007 - 14:30

Yes, that is the problem. I removed the incoming relay, another IronPort, and I now have bandwith savings calculations greater that zero.

I much appreciate the help and pointer.

Cheers,
Richard

Actions

This Discussion