[Logcheck-users] Why am I seeing a log line?

Yves Goergen nospam.list at unclassified.de
Sat Dec 23 21:10:59 CET 2006


Hi,
I have set up logcheck on my Debian system and added the following lines
to filter out the common spamd messages from SpamAssassin:

(Quoted to keep the lines together)
/etc/logcheck/ignore.d.server/spamd

> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: connection from [._[:alnum:]-]+ \[[\.[:digit:]]+\] at port [0-9]+$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: info: setuid to [[:alnum:]-]+ succeeded$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: (checking|processing) message .* for [._[:alnum:]-]+:[0-9]+$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: clean message \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: identified spam \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: result: .*,user=nobody,
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: prefork: child states: [IBS]+$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: handled cleanup of child pid [0-9]+ due to SIGCHLD$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: server successfully spawned child process, pid [0-9]+$

/etc/logcheck/violations.ignore.d/logcheck-spamd

> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: Cannot open bayes databases (/root|/home/[_[:alnum:]-]+)/.spamassassin/bayes_\* R/W: lock failed: (File exists|Interrupted system call)$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: failed sanity check, [0-9]+ bytes claimed, [0-9-]+ bytes seen$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: (processing|checking) message <.+> for .+:[0-9]+\.?$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: result: .*,user=nobody,

Now I keep getting reports with lines like these:

> Dec 22 03:11:16 mond spamd[26994]: spamd: result: Y 21 - BAYES_99,BOTNET,DATE_IN_PAST_03_06,RCVD_FORGED_WROTE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL scantime=4.3,size=1877,user=nobody,uid=0,required_score=5.0,rhost=mond,raddr=127.0.0.1,rport=32924,mid=<01c7256e$733bd600$6c822ecf at lazilyattackers>,bayes=1,autolearn=spam
> Dec 12 03:05:28 mond spamd[4736]: spamd: result: . 0 - AWL,BAYES_00,HTML_90_100,HTML_MESSAGE,HTML_TITLE_EMPTY,MIME_BASE64_NO_NAME,MIME_BASE64_TEXT scantime=4.5,size=56886,user=nobody,uid=0,required_score=5.0,rhost=mond,raddr=127.0.0.1,rport=47854,mid=<20061212020506.7BFA11E4320 at www.scooter-attack.com>,bayes=1.21014309684142e-14,autolearn=no
> Dec  8 02:09:55 mond spamd[12414]: spamd: result: Y 18 - BAYES_99,RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,SARE_MLB_Stock1,SARE_MLB_Stock4,SARE_PROLOSTOCK_SYM1,STOCK_NAME_FVGT1 scantime=2.4,size=1994,user=nobody,uid=0,required_score=5.0,rhost=mond,raddr=127.0.0.1,rport=46164,mid=<01c71a65$90b50530$6c822ecf at Gothicscounterattacks>,bayes=1,autolearn=spam

I understand that they contain keywords like "attack" or "failed" and
are considered a security issue, but they're not. Why don't the rules
filter these lines out? It works with other things, but not with these.

-- 
Yves Goergen "LonelyPixel" <nospam.list at unclassified.de>
Visit my web laboratory at http://beta.unclassified.de
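As an added example (not part of the original post or of logcheck), the script below applies the poster's `result:` ignore rule to the three reported log lines the way logcheck's `grep -E -v -f` pass would, so a rule can be checked against captured lines before it goes into `ignore.d.server`. It assumes a small hand-written mapping from the POSIX bracket classes (`[:alnum:]`, `[:digit:]`) that Python's `re` does not accept to equivalent ranges, and the fourth log line with a different `user=` value is constructed to show a line the rule leaves through.

```python
import re

# The "result:" rule from the poster's ignore.d.server/spamd file.
RULES = [
    r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: result: .*,user=nobody,",
]

# The three lines the poster reported (copied from the post).
LOG_LINES = [
    "Dec 22 03:11:16 mond spamd[26994]: spamd: result: Y 21 - BAYES_99,BOTNET scantime=4.3,size=1877,user=nobody,uid=0,required_score=5.0,rhost=mond,raddr=127.0.0.1,rport=32924,mid=<01c7256e$733bd600$6c822ecf at lazilyattackers>,bayes=1,autolearn=spam",
    "Dec 12 03:05:28 mond spamd[4736]: spamd: result: . 0 - AWL,BAYES_00,HTML_90_100 scantime=4.5,size=56886,user=nobody,uid=0,required_score=5.0,rhost=mond,raddr=127.0.0.1,rport=47854,mid=<20061212020506.7BFA11E4320 at www.scooter-attack.com>,bayes=1.21014309684142e-14,autolearn=no",
    "Dec  8 02:09:55 mond spamd[12414]: spamd: result: Y 18 - BAYES_99,RCVD_IN_DSBL scantime=2.4,size=1994,user=nobody,uid=0,required_score=5.0,rhost=mond,raddr=127.0.0.1,rport=46164,mid=<01c71a65$90b50530$6c822ecf at Gothicscounterattacks>,bayes=1,autolearn=spam",
]

# Constructed line (not from the post): same shape, but a different user field,
# so the rule's ",user=nobody," suffix must not match it.
CONSTRUCTED_LINE = (
    "Dec 23 10:00:00 mond spamd[31337]: spamd: result: . 1 - BAYES_50 "
    "scantime=1.0,size=1000,user=debian-spamd,uid=0,required_score=5.0"
)

# Assumption: logcheck rules are POSIX ERE (egrep); Python's re lacks the
# bracket classes, so they are rewritten to plain ranges before compiling.
POSIX_CLASSES = {"[:alnum:]": "a-zA-Z0-9", "[:digit:]": "0-9", "[:alpha:]": "a-zA-Z"}


def ere_to_python(rule: str) -> re.Pattern:
    """Compile one logcheck rule with the POSIX classes translated."""
    for name, replacement in POSIX_CLASSES.items():
        rule = rule.replace(name, replacement)
    return re.compile(rule)


def apply_ignore_rules(lines, rules):
    """Mimic `grep -E -v -f rules`: return (kept, dropped), where dropped maps a
    filtered line to the index of the first rule that matched it."""
    compiled = [ere_to_python(r) for r in rules]
    kept, dropped = [], {}
    for line in lines:
        for index, pattern in enumerate(compiled):
            if pattern.search(line):
                dropped[line] = index
                break
        else:
            kept.append(line)  # no rule matched: this line would be reported
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = apply_ignore_rules(LOG_LINES + [CONSTRUCTED_LINE], RULES)
    print(f"dropped {len(dropped)} line(s), kept {len(kept)} line(s)")
    for line in kept:
        print("would be reported:", line[:60], "...")
```

If a line the rule should cover is still reported by this check, the rule text is the problem; if it is dropped here but still shows up in logcheck's report, the cause lies in how logcheck is applying the file rather than in the pattern.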
