[Logcheck-devel] Bug#303128: logcheck-database: rules for amavis / courier imapd / spamd

Jamie L. Penman-Smithson jamie at silverdream.org
Thu Apr 7 15:39:46 UTC 2005


package logcheck-database
tags 303128 moreinfo
thanks

On Mon, 2005-04-04 at 18:34 -0400, Douglas F. Calvert wrote:
>  Thank you for adding rules for procmail/postfix. I am still seeing a number of messages that I do not wish to see and I cannot figure out the appropriate regexp.
> The relevant lines are included below...
> 
> courier-imap:
> Apr  4 07:11:02 terminus imaplogin: LOGOUT, user=user, ip=[::ffff:69.56.216.138], headers=0, body=0, time=20

Firstly, courier-imap rules are provided in the courier-imap package;
any bug reports regarding these rules should be filed against the
courier-imap package.

Secondly, the rule in ignore.d.server/courier-imap matches the log
message above, so you shouldn't be seeing these messages:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imaplogin: LOGOUT,
user=[-_.@[:alnum:]]+, ip=\[[.:[:alnum:]]+\], headers=[0-9]+,
body=[0-9]+, time=[0-9]+$

Can you check that you have ignore.d.server/courier-imap and that it
contains this rule?

> amavis:
> Apr  4 07:11:55 terminus amavis[6620]: (06620-03-4) Passed, <kjalj3lad at yahoo.com> -> <doug at localhost>, Message-ID: <UXSGTOABBRKUCVSYGYSXW at hotmail.com>, Hits: -
> Apr  4 07:11:55 terminus amavis[6620]: (06620-03-5) Passed, <jasfdah at howisonmarine.com> -> <WISE_STEPHEN_D at LILLY.COM>,<rfdtxch at localhost>, Message-ID: <425123D8.9060709 at howisonmarine.com>, Hits: -

Again, rules for amavisd-new are provided in the amavisd-new package and
the rules match these messages.

> spamd (these are reported as security events at the server report level):
> Apr  4 07:07:08 terminus spamd[22281]: result: Y 42 - AWL,BAYES_99,DNS_FROM_RFC_POST,DNS_FROM_RFC_WHOIS,DOMAIN_RATIO,HEAD_ILLEGAL_CHARS,HTML_90_100,HTML_IMAGE_ONLY_16,HTML_MESSAGE,HTTP_ESCAPED_HOST,HTTP_EXCESSIVE_ESCAPES,MIME_BOUND_DD_DIGITS,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MIME_QP_LONG_LINE,MISSING_MIMEOLE,MPART_ALT_DIFF,MSGID_SPAM_CAPS,MSGID_YAHOO_CAPS,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_NUMERIC_HELO,SUBJ_ILLEGAL_CHARS,URIBL_AB_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=11.6,size=2862,mid=<TFJTTROCINKDGKEOJUTOTFS at yahoo.com>,bayes=1,autolearn=spam
> Apr  4 07:07:09 terminus spamd[21539]: result: Y 43 - AWL,BAYES_99,DNS_FROM_RFC_POST,DNS_FROM_RFC_WHOIS,DOMAIN_RATIO,HEAD_ILLEGAL_CHARS,HTML_90_100,HTML_IMAGE_ONLY_16,HTML_MESSAGE,HTTP_ESCAPED_HOST,HTTP_EXCESSIVE_ESCAPES,MIME_BOUND_DD_DIGITS,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MIME_QP_LONG_LINE,MISSING_MIMEOLE,MPART_ALT_DIFF,MSGID_SPAM_CAPS,MSGID_YAHOO_CAPS,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_NUMERIC_HELO,SUBJ_ILLEGAL_CHARS,URIBL_AB_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=12.4,size=2860,mid=<TFJTTROCINKDGKEOJUTOTFS at yahoo.com>,bayes=1,autolearn=spam

Ditto. The file violations.ignore.d/spamassassin is provided by the
spamassassin package and includes a rule to ignore these messages.

Check that these files exist and that their permissions are such that
logcheck can read them.

> spamd (these are not security events):
> 
> Apr  4 08:00:25 terminus spamd[27462]: server hit by SIGCHLD
> Apr  4 08:00:25 terminus spamd[27462]: handled cleanup of child pid 22281
> Apr  4 08:00:25 terminus spamd[27462]: server successfully spawned child process, pid 9148

These look like startup/shutdown messages which we want to report, since
it could mean a security problem of some kind. If you find it really
annoying you can put some rules to ignore those messages in a local-foo
file in ignore.d.server/ (it won't get overwritten during a package
upgrade, either).

-j

-- 
-jamie <jamie at silverdream.org> | spamtrap: spam at silverdream.org
 w: http://www.silverdream.org | p: sms at silverdream.org
 pgp key @ http://silverdream.org/~jps/pub.key
 21:30:02 up 17 min,  2 users,  load average: 2.65, 2.52, 1.58
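As an added example (not part of this thread), the following shell script tests the quoted courier-imap rule the way logcheck applies its rule files, with grep -E -f, against constructed sample lines taken from the bug report, so a rule can be checked before it is dropped into ignore.d.server/; the temporary file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: check a logcheck ignore rule the
# way logcheck itself applies rule files (grep -E -f RULEFILE) against
# constructed sample lines, to see which lines would be suppressed.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The courier-imap rule quoted in the reply, written as one pattern line.
cat > "$WORK/courier-imap" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imaplogin: LOGOUT, user=[-_.@[:alnum:]]+, ip=\[[.:[:alnum:]]+\], headers=[0-9]+, body=[0-9]+, time=[0-9]+$
EOF

# Constructed sample log lines: the LOGOUT line from the bug report plus two
# spamd child-process lines that the reply says should keep being reported.
cat > "$WORK/sample.log" <<'EOF'
Apr  4 07:11:02 terminus imaplogin: LOGOUT, user=user, ip=[::ffff:69.56.216.138], headers=0, body=0, time=20
Apr  4 08:00:25 terminus spamd[27462]: server hit by SIGCHLD
Apr  4 08:00:25 terminus spamd[27462]: server successfully spawned child process, pid 9148
EOF

# ignored_count RULEFILE LOGFILE: number of lines the rule file would suppress.
# grep -c exits 1 when nothing matches, so keep set -e from aborting.
ignored_count() {
    grep -E -c -f "$1" "$2" || true
}

# reported_lines RULEFILE LOGFILE: the lines logcheck would still report.
reported_lines() {
    grep -E -v -f "$1" "$2" || true
}

ignored_count "$WORK/courier-imap" "$WORK/sample.log"   # 1
reported_lines "$WORK/courier-imap" "$WORK/sample.log"  # the two spamd lines
```

Because the rule is anchored with ^ and $, a line that differs in any field (for example an extra attribute at the end) is not suppressed; rerun the script after editing the sample to confirm a rule is neither too loose nor too strict.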
