I'm interested in generating a daily report that displays the number of messages sent per user each day, which will help us identify accounts that may be compromised and spamming.
I thought a simple script that grepped and counted "from=<$username" from the mail logs would work but I've run into a hitch. When a user sends a message, the mta accepts it into the queue, but then requeues it and relays it through the content filter. Since it's queued twice, it shows up as two separate messages in the logs, and simply grepping and counting "from=<$username" returns a misleading value. (Note that spam with the sender address spoofed as someone in the domain will cause this as well).
I modified the script to handle this but it's much too slow. Does anyone have any suggestions on how to accomplish this? I thought I saw that there was a Zimbra command that actually generated these types of reports but I can't seem to find it now.