Bug#274497: [Logcheck-devel] Bug#274497: Add blocked messages to violations.ignore.d/logcheck-postfix

maks attems debian at sternwelten.at
Sat Oct 2 12:13:41 UTC 2004


tags moreinfo
thanks

On Sat, 02 Oct 2004, Patrik Wallstrom wrote:

> In the lines of this:
> 
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from [^[:space:]]+: [0-9]{3} <[^[:space:]]+>: Blocked - see <[^[:space:]]+>; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=(ESMTP|SMTP) helo=<[^[:space:]]+>$
> 
> When using RBL:s in Postfix, this is a common error message.
> 
> Example:
> 
> Oct  2 09:06:29 vic20 postfix/smtpd[7194]: NOQUEUE: reject: RCPT from unknown[203.236.46.238]: 554 Service unavailable; Client host [203.236.46.238] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=203.236.46.238; from=<Terrell at incamail.com>to=<marlene at blipp.com> proto=SMTP helo=<217.75.101.38>
> 
> I don't know if my regex is 100% correct though.

well not so bad for a huge logline, but
* hostnames are matched with [._[:alnum:]-]+
* ipv4 with [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
* emails are remote supplied strings so use '.*'

and the above regex can't match due to other small errors.
I've crafted the one below out of your message,
I'm quite sure that it is far too generic,
as it will only match the "Service unavailable" loglines.
I was surprised that the string
"from=<Terrell at incamail.com>to=<marlene at blipp.com>"
but I didn't have more loglines to match with.

please test this rule by copying the attached file into the dir
/etc/logcheck/violations.ignore.d
and report the messages you are still getting when using RBLs

other tested rules are of course warmly welcomed. :)


--
maks

-------------- next part --------------
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]: [0-9]{3} Service unavailable; Client host +\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\] blocked using [._[:alnum:]-]+; Blocked - see [^[:space:]]+; from=<.*>to=<.*> proto=(ESMTP|SMTP) helo=<[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}>$

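Added example (not part of this bug report or of logcheck): a small script that runs the attached rule with grep -E, the way logcheck applies its violations.ignore.d rules, over constructed loglines. It assumes GNU grep (for \w); the addresses and the "Relay access denied" line are constructed, the rest is rebuilt from the logline quoted in the report.

```shell
#!/bin/sh
# Test harness for the attached logcheck rule (added example, not logcheck code).
# Assumes GNU grep, which understands \w in -E patterns.

# The attached rule, copied unchanged.
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]: [0-9]{3} Service unavailable; Client host +\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\] blocked using [._[:alnum:]-]+; Blocked - see [^[:space:]]+; from=<.*>to=<.*> proto=(ESMTP|SMTP) helo=<[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}>$'

# Rebuilt from the logline quoted in the report, joined back onto one line;
# the mail addresses are constructed placeholders.
RBL_REJECT='Oct  2 09:06:29 vic20 postfix/smtpd[7194]: NOQUEUE: reject: RCPT from unknown[203.236.46.238]: 554 Service unavailable; Client host [203.236.46.238] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=203.236.46.238; from=<sender@example.com>to=<rcpt@example.net> proto=SMTP helo=<217.75.101.38>'

# Same reject, differing only in a space between from=<...> and to=<...>:
# the rule hard-codes the missing space seen in the report, so this is NOT ignored.
RBL_REJECT_SPACED='Oct  2 09:06:29 vic20 postfix/smtpd[7194]: NOQUEUE: reject: RCPT from unknown[203.236.46.238]: 554 Service unavailable; Client host [203.236.46.238] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=203.236.46.238; from=<sender@example.com> to=<rcpt@example.net> proto=SMTP helo=<217.75.101.38>'

# A different NOQUEUE reject (constructed): an RBL rule must leave it reported.
OTHER_REJECT='Oct  2 09:07:01 vic20 postfix/smtpd[7194]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 <rcpt@example.net>: Relay access denied; from=<sender@example.com> to=<rcpt@example.net> proto=SMTP helo=<mail.example.org>'

# Exit 0 if logcheck would drop the line under RULE, 1 if it would still report it.
rule_ignores() {
    printf '%s\n' "$1" | grep -E -q -e "$RULE"
}

# Print one verdict per sample line so the rule's reach is visible.
report() {
    if rule_ignores "$1"; then
        printf 'IGNORED:  %s\n' "$1"
    else
        printf 'REPORTED: %s\n' "$1"
    fi
}

report "$RBL_REJECT"
report "$RBL_REJECT_SPACED"
report "$OTHER_REJECT"
```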