Monitor and notify of email floods?

[catch22media]

Anyone know of a script/app that monitors incoming mail and can notify when a flood is detected? Would be similar to BFD for APF.

I have one customer in particular who receives 300+ spam per day that is not getting picked up by spamassassin for some bloody reason. I've got dcc/pyzor/razor, as current rules as possible, and its well trained. Also using spamhaus/spamcob DNSBL and greylisting ... so who knows.

The emails they receive seem to come in chunks from the same domain, then it switches to another domain, so I'd like to setup something to monitor incoming mail at the server level and notify me when X amount of emails come in from the same domain, within a X amount of time ...

I could do it by forwarding emails to a PHP script, but that would be very CPU intensive... even more so I beleive.

Anyhow - any suggestions would be great.

Luke

[scott]

policyd in postfix might do what you want there. It would allow you to put quotas on sending mail by the user, or the domain.

[prupert]

We use monitoring scripts that periodically perform some simple greps with line counts in the mail logs. In our integrated monitoring setup (using Zenoss) we have set up RRD graphs, thresholds and notifications.