spamrule.pl
 
#!/usr/local/bin/perl

# Grab all Amavis mail that got a pass
# and find out what rules were triggered.
# Jason Consorti
# 09 December 2003
# usage: spamrule.pl /var/log/syslog
#

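use strict;
use warnings;

# Messages scoring below this value are treated as having passed the spam
# check; only their triggered rules are counted.
# NOTE(review): presumably this mirrors the spam threshold configured for
# Amavis/SpamAssassin on this host -- confirm, and keep the two in sync.
my $PASS_BELOW = 6.3;

# Positions (counted from 0) of the whitespace-separated fields on a
# "spam_scan" syslog line.  These depend on the local syslog format: look at
# one "spam_scan" line in your own log and count the fields.  On the author's
# Solaris box the "hits=" field is element 10 and the list of triggered
# SpamAssassin rules is element 11.
my $HITS_FIELD  = 10;
my $TESTS_FIELD = 11;

my $syslog = $ARGV[0];
unless (defined $syslog && length $syslog) {
    die "usage: $0 /var/log/syslog\n";
}

# Three-argument open with a lexical handle: the command-line argument is
# always taken as a plain file name to read, never as an open mode or a
# pipe specification.
open(my $log_fh, '<', $syslog)
    or die "$0: Trouble with \"$syslog\": $!\n";

# Rule name => number of passed messages that triggered it.
my %testhash;

LINE:
while (my $entry = <$log_fh>) {
    # chomp removes only a trailing newline; chop would also eat the last
    # character of a final line that has no newline.
    chomp $entry;
    next LINE unless $entry =~ m/spam_scan/i;

    my @entry_array = split /\s+/, $entry;
    my $hits_field  = $entry_array[$HITS_FIELD];
    my $tests_field = $entry_array[$TESTS_FIELD];

    # Short or differently shaped lines do not carry both fields; skip them
    # rather than treating a missing score as 0.
    next LINE unless defined $hits_field && defined $tests_field;

    # The score is the text after the "=".  Require it to start with a
    # number, so that a line whose field layout differs is not counted as a
    # zero-score pass.
    my $score_text = (split /=/, $hits_field)[1];
    next LINE unless defined $score_text
        && $score_text =~ m/\A([-+]?(?:\d+(?:\.\d*)?|\.\d+))/;
    my $score = $1;
    next LINE unless $score < $PASS_BELOW;

    # The rule list is the comma-separated text after the "=".
    my $rule_list = (split /=/, $tests_field)[1];
    next LINE unless defined $rule_list;
    for my $rule (split /,/, $rule_list) {
        next if $rule eq '';
        $testhash{$rule}++;
    }
}

# Close file; report the file that was actually opened.
close($log_fh)
    or die "$0: Can't close file \"$syslog\"\n";

# One "rule = count" line per rule, sorted by rule name.
for my $key (sort keys %testhash) {
    print STDOUT "$key = $testhash{$key}\n";
}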