Current version 3.1.4

22 June 2017


Latest Stable Release

If you have rogue entries in your data file then you can use Vispan-edit to deal with them.

Beta Release
Please note that this release is a BETA release and may not work correctly. It is intended for people who want the latest features and are prepared to provide the author with feedback.
Please Note: This version requires the use of the GD graph library.


To install, download the zipped tar file. Unpack it – this will create a directory called Vispan-x.x (where x are the version numbers). Go into the directory and type:
perl Makefile.PL
make install

This will install the necessary files into your system.

If necessary it will amend your crontab to add an entry to call the script.

Please note that the config file will be installed into /etc. If it already exists then it will be upgraded and a backup copy made of the original file. You should check that the upgraded file contains the correct settings.

UPGRADING – the latest version should read the stats in from your existing file, however, this code has not been extensively tested and no guarantees are made about the accuracy of the resulting statistics.



For an example of the output see


Vispan is a PERL script which analyses the mail log file to produce useful statistics. It requires MailScanner to provide the necessary log file entries. The virus list is dependent on the virus scanner you have installed.

In order to detect the spam correctly it is strongly recommended to use SpamAssassin with MailScanner

The script can also use heuristics in the senders of the spam emails and can then automatically add them to the sendmail access file which will cause further mails to be rejected. After a definable period of time they will be removed from the access file and once again allowed to send mail to you.

The heuristics provide an escalation mechanism so that when an IP address is removed from the block then a grace period is started. If that IP sends any spam during that period it will escalate and block the IP for twice the previous block time. For example using the default settings:
Level 1 = 5 days
Level 2 = 10 days
Level 3 = 20 days
Level 4 = 40 days

I believe that this is superior to the RBLs that are maintained since you have control over them and it is specific to the behaviour of your particular mail server


Vispan is usually called via the cron mechanism – an entry is created at install time to do this. Note that the time interval set by the cron job should not be changed since Vispan uses this to perform some calculations. Changing the run interval in the cron job will cause some very weird results.

There are command line options as follows:

Print out a help message and quit
Use the alternate config file specified
Remove the IP address specified from the access database and the Vispan data file.

Config file

The Vispan.conf file contains configuration information which you should change to suite your requirements as follows:

Set to 1 to use the access file in sendmail set to 0 to avoid it
Set to 1 to use the iptables facility to block the sender at the firewall level. Note setting this to 1 will effectively set UseAccess to 0 as the packet will never get as far as the MTA so there is no point blocking at the MTA level
Set to 1 to use the heuristics system. Set to 0 to just produce a list of IP addresses that have sent spam – this might get pretty large!
The amount of time that the sender should stay in the access block list. Specified in minutes
The location of the iptables command
The location of the iptables config file. This MUST be set to the system location of your config file so that the IP blocks get reloaded on a system restart
Path to the access file – only used if UseAccess is set to 1
The location of the makemap command – needed to rebuild the access file for sendmail
Location of the whereis command – used to determine the version numbers. Usually /usr/bin/whereis for Linux systems and /usr/ucb/whereis for Solaris.
The paths that the whereis command will search to find the virus scanners and mail scanner
The location of your mail log file
A space separated list of the full paths of any extra mail queue dirs.
An array containing the IP addresses of servers that should not be added to the access file.i Can be specified as individual addresses, a range or in CIDR format. Entries should be separated by a space.
Can also be the full pathname to a file – must be started with @ 
The location of the temporary file that is created
The directory that you want to use to keep the working files in.
The directory to hold the output HTML code
The location of a header file that can be used to provide HTML to be added before the generated HTML. The contents are added immediately after the body tag and before any HTML generated by Vispan.
Similar to the header but added after the generated HTML and immediately before the horizontal line at the bottom of the page. Setting this to an empty file will prevent the W3C logo appearing.
The name of a file to include as a logo.
If you use a style sheet you can specify it here – it should be relative. A sample style sheet is provided in the distribution.
The string that is logged to the log file for sendmail. Most installs use sendmail but FreeBSD appears to use sm-mta
Set to 1 to use the geographic functions to determine the location of the spam/virus based on the IP address. This requires the use of the GeoIP library and should only be enabled if you have already loaded it.
The value of the high spam score as defined in the MailScanner config file
The title to appear on the page
The virus scanning software you are using. Currently can be one of sophos, sophossavi, mcafee, command, bitdefender, etrust, inoculan, f-secure, f-prot, rav, antivir, clamav, clamavmodule, trend or mailscanner.
Whether to include the IP address in the reject text. set to 1 to include.
The text placed after the IP address in the access file. This is sent to the sending MTA when mail is rejected. This is used when an IP address is added due to excessive Spam mail being received.
The text placed after the IP address in the access file. This is sent to the sending MTA when mail is rejected. This is used when an IP address is added due to excessive viruses being received.
Whether to look for sending servers that don’t conform to the SMTP protocol. Set to 1 to enable.
The text placed after the IP address in the access file. This is sent to the sending MTA when mail is rejected. This is used when an IP address is added due to excessive requests being made which don’t conform to the SMTP protocol.
A number to indicate that the program should only display the top n in the country list and the SpamAssassin trap report.
Mins, Hours, Days, Months, Years
These specify the number of sets of data to keep for each of the intervals. These are used in the detailed statistics output.
Set to 1 to make the graphs grow from the left instead of the right. That is, new values will appear on the left.
A list of servers to look for in the log file. Leave blank for all servers.
When set to 1 will send an email when an IP address is added to the access file
The address to send the email to.
The address that the email comes from
The subject line of the email.
The SMTP server to use to send the email.
The maximum number of spams allowed from a particular source in a 24 hour period before it gets added to the access file.
The maximum number of viruses from a given IP address in a 24 hour period before it gets added to the access file.