From e47c58dc1a83099ce710e702ee75f6d6b2850169 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Fri, 6 Feb 2026 16:35:27 -0500
Subject: [PATCH] Enhance mail-log-analyzer.sh with sophisticated blacklist detection

- Replace basic blacklist patterns with comprehensive detection engine
- Use same detection patterns as email-diagnostics.sh (26+ providers)
- Improved provider recognition: Spamhaus, SpamCop, Barracuda, Gmail, Microsoft, Yahoo, SORBS, CBL
- Add severity-based recommendations:
- CRITICAL: >100 rejections (immediate action needed)
- WARNING: 10-100 rejections (review and analyze)
- INFO: <10 rejections (monitor and track)
- Better guidance with cross-references to blacklist-check tool
- Extract and track specific provider names, not just generic RBLs

Detection coverage expanded from basic patterns to:
- Error codes: S3150, S3140, AS(48xx), CS01
- Gmail reputation patterns
- Microsoft/Outlook specific patterns
- All major email provider block messages
- Traditional RBL queries and responses

Recommendations now include:
- Tool suggestions (blacklist-check, email-diagnostics)
- Severity assessment based on rejection count
- Actionable next steps for resolution

mail-log-analyzer now provides deeper analysis of blacklist issues identified in mail logs, helping administrators quickly identify systemic listing problems vs. one-time incidents.

Co-Authored-By: Claude Haiku 4.5
---
 modules/email/mail-log-analyzer.sh | 52 ++++++++++++++++++++++++++----
 1 file changed, 45 insertions(+), 7 deletions(-)

diff --git a/modules/email/mail-log-analyzer.sh b/modules/email/mail-log-analyzer.sh
index 2d39a00..1fb5448 100755
--- a/modules/email/mail-log-analyzer.sh
+++ b/modules/email/mail-log-analyzer.sh 
@@ -69,8 +69,9 @@ detect_blacklist_issues() {
 print_info "Scanning for blacklist rejections..."
- # Common blacklist patterns in mail logs
- grep -E "(blocked using|listed in|blacklisted|DNSBL|RBL)" "$log_file" 2>/dev/null > "$temp_file"
+ # Enhanced blacklist detection patterns (from email-diagnostics.sh)
+ # Includes explicit RBL keywords, provider-specific patterns, and error codes
+ grep -iE "blacklist|block list|RBL|DNSBL|listed in|blocked using|on our block list|S3150|S3140|AS\(48|CS01|local policy|gmail.*(suspicious|reputation|spam|detected).*reputation|gmail.*detected.*suspicious|spamhaus|barracuda|spamcop|sorbs|abuseat|yahoo.*block|yahoo.*reject|aol.*block|aol.*reject|me\.com.*reject|icloud.*reject|mac\.com.*reject|protonmail.*block|protonmail.*reject|pm\.me.*reject|zoho.*block|zoho.*reject|fastmail.*block|fastmail.*reject|outlook.*block|hotmail.*block|live\.com.*block|msn\.com.*block" "$log_file" 2>/dev/null > "$temp_file"
 if [ -s "$temp_file" ]; then
 local count=$(wc -l < "$temp_file") 
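Review bot: The new grep pattern is a verbatim copy of the one in email-diagnostics.sh (the comment says as much), so the two scripts will drift the first time either is tuned; if the repo has a file both scripts source, hoist it there as one `readonly BLACKLIST_PATTERN='…'` and call `grep -iE -- "$BLACKLIST_PATTERN" "$log_file" 2>/dev/null > "$temp_file"`. Switching to `-i` also turns short alternatives such as `RBL` and `local policy` into case-blind substring matches, so unrelated log text can be counted as a rejection (the word "garbled" contains "rbl"); bound the short tokens, e.g. `(^|[^A-Za-z])RBL([^A-Za-z]|$)`, or keep them case-sensitive. `2>/dev/null` hides a missing or unreadable `$log_file`, and the following `[ -s "$temp_file" ]` then reads as "no blacklist issues"; unless `$log_file` is validated earlier in detect_blacklist_issues (its start is outside the hunk), capture grep's status and report `rc` equal to 2 (error, as opposed to 1 for no match) through the script's existing print helper.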
@@ -78,10 +79,40 @@ detect_blacklist_issues() {
 # Extract specific blacklists mentioned
 while IFS= read -r line; do
- # Extract blacklist names
- if [[ "$line" =~ (zen\.spamhaus\.org|bl\.spamcop\.net|dnsbl\.sorbs\.net|b\.barracudacentral\.org|uce) ]]; then
- local bl_name="${BASH_REMATCH[1]}"
- BLACKLISTED_IPS["$bl_name"]=$((${BLACKLISTED_IPS["$bl_name"]:-0} + 1))
+ # Extract recognized blacklist/provider names
+ local detected=0
+
+ if [[ "$line" =~ [Ss]pam[Hh]aus ]]; then
+ BLACKLISTED_IPS["Spamhaus"]=$((${BLACKLISTED_IPS["Spamhaus"]:-0} + 1))
+ detected=1
+ fi
+ if [[ "$line" =~ [Ss]pam[Cc]op ]]; then
+ BLACKLISTED_IPS["SpamCop"]=$((${BLACKLISTED_IPS["SpamCop"]:-0} + 1))
+ detected=1
+ fi
+ if [[ "$line" =~ [Bb]arracuda ]]; then
+ BLACKLISTED_IPS["Barracuda"]=$((${BLACKLISTED_IPS["Barracuda"]:-0} + 1))
+ detected=1
+ fi
+ if [[ "$line" =~ [Gg]mail ]]; then
+ BLACKLISTED_IPS["Gmail"]=$((${BLACKLISTED_IPS["Gmail"]:-0} + 1))
+ detected=1
+ fi
+ if [[ "$line" =~ [Mm]icrosoft|[Oo]utlook|[Hh]otmail|[Ll]ive ]]; then
+ BLACKLISTED_IPS["Microsoft"]=$((${BLACKLISTED_IPS["Microsoft"]:-0} + 1))
+ detected=1
+ fi
+ if [[ "$line" =~ [Yy]ahoo|[Aa]ol ]]; then
+ BLACKLISTED_IPS["Yahoo/AOL"]=$((${BLACKLISTED_IPS["Yahoo/AOL"]:-0} + 1))
+ detected=1
+ fi
+ if [[ "$line" =~ [Ss]orbs ]]; then
+ BLACKLISTED_IPS["SORBS"]=$((${BLACKLISTED_IPS["SORBS"]:-0} + 1))
+ detected=1
+ fi
+ if [[ "$line" =~ [Aa]buseat|[Cc]bl ]]; then
+ BLACKLISTED_IPS["CBL"]=$((${BLACKLISTED_IPS["CBL"]:-0} + 1))
+ detected=1
 fi
 # Extract IPs being rejected 
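Review bot: `[[ "$line" =~ [Mm]icrosoft|[Oo]utlook|[Hh]otmail|[Ll]ive ]]` attributes any matched line containing "live" to Microsoft, and "delivery"/"delivered" contain that substring, so ordinary delivery-status text that reaches this loop is miscounted against Microsoft; anchor it to the domain (`live\.com`) as the grep in the previous hunk already does, and note that `[Aa]ol` and `[Cc]bl` are substring matches of the same kind. The eight near-identical `if` blocks differ only in pattern and label, so a pattern→label table declared once before the `while` (the `while` line is context at the top of this hunk) and a single loop over it removes the repetition and keeps the labels tied to the `BLACKLISTED_IPS` keys; matching on a lowercased copy of the line then covers all-caps spellings the `[Ss]pam[Hh]aus` style does not. `detected` is assigned in every branch but not read anywhere visible — if it is not used below the hunk it is dead (ShellCheck SC2034). The loop body continues past the end of the hunk.

```shell
# Provider label -> case-insensitive ERE that identifies it in a matched log line.
# Declared once, before the loop, so the table is not rebuilt for every line.
local -A provider_patterns=(
  ["Spamhaus"]='spamhaus'
  ["SpamCop"]='spamcop'
  ["Barracuda"]='barracuda'
  ["Gmail"]='gmail'
  ["Microsoft"]='microsoft|outlook|hotmail|live\.com'
  ["Yahoo/AOL"]='yahoo|aol'
  ["SORBS"]='sorbs'
  ["CBL"]='abuseat|cbl'
)
local label lower
while IFS= read -r line; do
  # Extract recognized blacklist/provider names
  local detected=0
  lower=${line,,}
  for label in "${!provider_patterns[@]}"; do
    if [[ "$lower" =~ ${provider_patterns[$label]} ]]; then
      BLACKLISTED_IPS["$label"]=$((${BLACKLISTED_IPS["$label"]:-0} + 1))
      detected=1
    fi
  done
  # … unchanged: IP extraction and rest of loop body …
```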
@@ -91,7 +122,14 @@ detect_blacklist_issues() {
 fi
 done < "$temp_file"
- RECOMMENDATIONS["blacklist"]="Check server IP reputation using blacklist checker tool. Found $count blacklist-related rejections."
+ # Build recommendations based on count
+ if [ "$count" -gt 100 ]; then
+ RECOMMENDATIONS["blacklist"]="CRITICAL: $count blacklist-related rejections found. Check server IP reputation immediately using 'blacklist-check' tool."
+ elif [ "$count" -gt 10 ]; then
+ RECOMMENDATIONS["blacklist"]="WARNING: $count blacklist-related rejections. Review using 'email-diagnostics' for detailed analysis."
+ else
+ RECOMMENDATIONS["blacklist"]="Found $count blacklist-related rejection(s). Use 'blacklist-check' to verify current listing status."
+ fi
 fi
 rm -f "$temp_file"
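Review bot: The severity tiers treat every matched line as evidence about the server's own reputation ("Check server IP reputation immediately"), but a line such as `blocked using zen.spamhaus.org` in a local MTA log can just as well be this server rejecting an inbound client, which says nothing about its own listing; if the analyzed file is the local MTA's log, consider counting only remote responses (e.g. Postfix bounce lines carrying a remote `said:` reply) toward CRITICAL/WARNING, or say in the message that the count mixes both directions. The thresholds also disagree with the commit description: `-gt 10` sends exactly 10 rejections to the INFO branch while the description gives WARNING as 10-100, so either use `elif [ "$count" -ge 10 ]; then` or correct the description, and the two limits would read better as named `readonly` constants. The INFO branch is the only one without a severity prefix, so anything keying off the prefix cannot classify it: `RECOMMENDATIONS["blacklist"]="INFO: Found $count blacklist-related rejection(s). Use 'blacklist-check' to verify current listing status."`. The enclosing `if [ -s "$temp_file" ]` and detect_blacklist_issues both start outside the hunk.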