[Logcheck-devel] Bug#336558: logcheck-database: better spamd rules
Jamie L. Penman-Smithson
jamie at silverdream.org
Sun Feb 12 20:22:10 UTC 2006
tags 336558 pending
thanks
On 11 Nov 2005, at 22:14, Russ Allbery wrote:
> Here's some additional information on the spamd rules and a try at a more
> restrictive rule. It's hard to get a good restrictive rule written, since
> on the spam detection rules, spamd puts basically arbitrary key=value pairs
> into the log.
<snip>
> and the patch is attached.
Thanks for the patch, I've gone through all the messages in this bug
and come up with some rules which match all of them.. at least until
they get changed all over again. The rules for spamd are now:
[violations.ignore.d/logcheck-spamd]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: Cannot open bayes databases /home/[_[:alnum:]-]+/.spamassassin/bayes_\* R/W: lock failed: File exists$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: failed sanity check, [0-9]+ bytes claimed, [0-9-]+ bytes seen$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?(checking|processing) message <[^[:space:]]+> for [._[:alnum:]-]+:[0-9]+(\.)?$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?result: (.|Y|N) [ [:digit:]-]+ - [._[:alnum:],]+ scantime=[0-9.]+,size=[0-9]+,(user=[a-z]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[._[:alnum:]-]+,raddr=[0-9.]+,rport=[0-9]+,)?mid=<[^[:space:]]+>,(bayes=(0|1),)?autolearn=(ham|spam|no)$
[ignore.d.server/spamd]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?connection from [._[:alnum:]-]+ \[[\.[:digit:]]+\] at port [0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?(info: )?setuid to [[:alnum:]-]+ succeeded$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?clean message \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?identified spam \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: child states: I+$
The modifications will be included in the next release, which should
be within the next 1-2 weeks.
Thanks,
--
-Jamie L. Penman-Smithson <jamie at silverdream.org>
t: +44 1273 424795; f: +44 1273 424795
PGP: C0A7 955E EED6 A309 23D7 863B C76A 26A3 F0DC FCA8
never send mail to: oubliette.z at gmail.com
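Added check, not part of the bug report or the logcheck package: four of the rules above (joined back to one regex per line, as logcheck reads them) run over constructed spamd log lines, showing which lines would still be reported. logcheck feeds the rules to egrep; Python's re lacks POSIX bracket classes, so the snippet translates them first.

```python
import re

# Rules from the message, one POSIX ERE per line as logcheck expects.
SPAMD_RULES = [
    r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?connection from [._[:alnum:]-]+ \[[\.[:digit:]]+\] at port [0-9]+$",
    r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?(checking|processing) message <[^[:space:]]+> for [._[:alnum:]-]+:[0-9]+(\.)?$",
    r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?clean message \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$",
    r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?result: (.|Y|N) [ [:digit:]-]+ - [._[:alnum:],]+ scantime=[0-9.]+,size=[0-9]+,(user=[a-z]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[._[:alnum:]-]+,raddr=[0-9.]+,rport=[0-9]+,)?mid=<[^[:space:]]+>,(bayes=(0|1),)?autolearn=(ham|spam|no)$",
]

# egrep understands POSIX bracket classes; Python's re does not.
POSIX_CLASSES = {"[:alnum:]": "a-zA-Z0-9", "[:digit:]": "0-9", "[:space:]": r"\s"}

def posix_ere_to_python(rule):
    """Translate POSIX classes to Python equivalents and compile the rule."""
    for posix, py in POSIX_CLASSES.items():
        rule = rule.replace(posix, py)
    return re.compile(rule)

COMPILED = [posix_ere_to_python(r) for r in SPAMD_RULES]

# Constructed spamd lines (not taken from the bug). The last one carries a
# bayes value the rule's (bayes=(0|1),)? does not accept, so it gets reported.
SAMPLE_LOG = [
    "Feb 12 20:22:10 mx1 spamd[1234]: connection from localhost [127.0.0.1] at port 40532",
    "Feb 12 20:22:10 mx1 spamd[1234]: processing message <abc123@example.org> for jamie:1000.",
    "Feb 12 20:22:11 mx1 spamd[1234]: clean message (-2.6/5.0) for jamie:1000 in 1.2 seconds, 2345 bytes.",
    "Feb 12 20:22:11 mx1 spamd[1234]: result: . -2 - BAYES_00,SPF_PASS scantime=1.2,size=2345,user=jamie,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40532,mid=<abc123@example.org>,bayes=0,autolearn=ham",
    "Feb 12 20:22:11 mx1 spamd[1234]: result: . -2 - BAYES_00,SPF_PASS scantime=1.2,size=2345,user=jamie,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40532,mid=<abc123@example.org>,bayes=0.5000,autolearn=ham",
]

def matching_rule(line):
    """Index of the first rule that accepts the line, or None if none does."""
    for i, rx in enumerate(COMPILED):
        if rx.search(line):
            return i
    return None

def unfiltered(lines):
    """Lines no rule matches: exactly what logcheck would still mail out."""
    return [line for line in lines if matching_rule(line) is None]

if __name__ == "__main__":
    for line in unfiltered(SAMPLE_LOG):
        print("REPORTED:", line)
```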