CWatch

Cwatch is a program that examines a logfile for interesting patterns and does various things with those patterns. It’s a clone of the swatch program, except that it’s written in yacc, lex, and C (using the pcre library). I wrote it because the latest versions of swatch require many additional perl modules from CPAN and I wanted to do spam monitoring without being forced into upgrading to the most recent version of perl to do it.

I used cwatch for a year or so on pell to help me deal with spam. I modified sendmail so that it denies access from sites that were listed in the (dead and gone) ORDB, that don’t have a functional reverse DNS, or which came from sites that sent me too much spam and got bunged into my tcp wrappers deny list. Every time sendmail refused a connection, it would syslog it and then cwatch could pick it up and fire off a program to check and see if that connection was coming from a new open relay. It worked pretty well up until the point where the spammers started using viruses to take over machines that they could use as spam zombies.
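The pipeline above (sendmail refuses a connection, syslogs it, the watcher matches the line and fires off an action) in miniature, as an added example that is not cwatch's own code: a table of regex/action rules is run over a few constructed sendmail-style syslog lines, and the relay address is pulled out of each hit so a follow-up check could be handed the right host. It uses POSIX `<regex.h>` rather than pcre so it builds with nothing beyond libc; the rule patterns, action names, sample lines and the `dispatch` callback that stands in for cwatch's exec step are all assumptions made here.

```c
#include <regex.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One watcher rule: a regex paired with the action to run on a match
 * (the same pattern/action pairing a swatch or cwatch config expresses). */
struct rule {
    const char *pattern;
    const char *action;
    regex_t re;
    int compiled;
};

/* Assumed rules: refused (5xx) connections get checked, deferred (4xx) ones just noted. */
static struct rule rules[] = {
    { "sendmail\\[[0-9]+\\]: .*reject=550", "check-open-relay", {0}, 0 },
    { "sendmail\\[[0-9]+\\]: .*reject=451", "note-tempfail",    {0}, 0 },
};
#define NRULES (sizeof rules / sizeof rules[0])

/* Constructed sample syslog lines in sendmail's format (RFC 5737 test addresses, not real traffic). */
static const char *const SAMPLE_LINES[] = {
    "Jun  3 12:00:01 pell sendmail[1234]: ruleset=check_relay, arg1=mail.example.net, "
    "arg2=192.0.2.10, relay=mail.example.net [192.0.2.10], reject=550 5.7.1 Access denied",
    "Jun  3 12:00:02 pell sendmail[1235]: ruleset=check_relay, arg1=[198.51.100.7], "
    "arg2=198.51.100.7, relay=[198.51.100.7], reject=451 4.7.1 Please try again later",
    "Jun  3 12:00:03 pell sshd[999]: Accepted publickey for user from 203.0.113.5 port 22 ssh2",
};
#define NSAMPLES (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

/* Compile every rule once; returns 0 on success, -1 if a pattern is invalid. */
int compile_rules(void)
{
    for (size_t i = 0; i < NRULES; i++) {
        if (rules[i].compiled)
            continue;
        if (regcomp(&rules[i].re, rules[i].pattern, REG_EXTENDED | REG_NOSUB) != 0)
            return -1;
        rules[i].compiled = 1;
    }
    return 0;
}

/* Return the action name of the first rule matching line, or NULL if none matches. */
const char *match_line(const char *line)
{
    if (compile_rules() != 0)
        return NULL;
    for (size_t i = 0; i < NRULES; i++)
        if (regexec(&rules[i].re, line, 0, NULL, 0) == 0)
            return rules[i].action;
    return NULL;
}

/* Copy the bracketed address after "relay=" into out; returns 1 if found, 0 otherwise. */
int extract_relay_ip(const char *line, char *out, size_t outsz)
{
    regex_t re;
    regmatch_t m[2];
    int found = 0;

    if (regcomp(&re, "relay=[^[]*\\[([0-9.]+)\\]", REG_EXTENDED) != 0)
        return 0;
    if (regexec(&re, line, 2, m, 0) == 0) {
        size_t len = (size_t)(m[1].rm_eo - m[1].rm_so);
        if (len < outsz) {              /* refuse to overflow the caller's buffer */
            memcpy(out, line + m[1].rm_so, len);
            out[len] = '\0';
            found = 1;
        }
    }
    regfree(&re);
    return found;
}

/* Run the rules over n lines; dispatch (may be NULL) stands in for cwatch's exec step.
 * Returns the number of lines that matched a rule. */
int watch_lines(const char *const *lines, size_t n,
                void (*dispatch)(const char *action, const char *line))
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        const char *action = match_line(lines[i]);
        if (action != NULL) {
            hits++;
            if (dispatch)
                dispatch(action, lines[i]);
        }
    }
    return hits;
}

/* Example dispatcher: report which action fired and for which relay address. */
static void print_dispatch(const char *action, const char *line)
{
    char ip[64];
    if (extract_relay_ip(line, ip, sizeof ip))
        printf("%s <- %s\n", action, ip);
    else
        printf("%s <- (no relay address found)\n", action);
}

int main(void)
{
    if (compile_rules() != 0) {
        fputs("invalid rule pattern\n", stderr);
        return 1;
    }
    int hits = watch_lines(SAMPLE_LINES, NSAMPLES, print_dispatch);
    printf("%d of %zu line(s) matched\n", hits, NSAMPLES);
    return 0;
}
```

The dispatcher only prints; in a real watcher it is where the relay address would be handed to the follow-up check, and keeping that step behind a callback makes the matching logic testable without forking anything.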

Cwatch is not a perfect clone of swatch. There are a few differences and omissions resulting from the different implementation languages and things that aren’t documented in the swatch manpage:

Cwatch uses my auto-configuration tools for building on various platforms. To install cwatch, follow the instructions in the INSTALL file.

Source Code

Older versions of the code are still available.