Package: logcheck-database
Version: 1.2.42
Followup-For: Bug #336558

Here's some additional information on the spamd rules and a try at a more restrictive rule. It's hard to get a good restrictive rule written, since on the spam detection rules, spamd puts basically arbitrary key=value pairs into the log.

Here are the troublesome log entries:

Nov 11 11:04:09 windlord spamd[12237]: spamd: result: Y 54 - BAYES_99,FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_HTML,FORGED_RCVD_HELO,FROM_ILLEGAL_CHARS,HTML_IMAGE_ONLY_12,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,HTML_TAG_BALANCE_BODY,MIME_BOUND_NEXTPART,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,NO_DNS_FOR_FROM,RCVD_DOUBLE_IP_SPAM,RCVD_HELO_IP_MISMATCH,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_SORBS_DUL,RCVD_IN_WHOIS_BOGONS,RCVD_IN_WHOIS_INVALID,RCVD_IN_XBL,RCVD_NUMERIC_HELO,SUBJ_ILLEGAL_CHARS,URIBL_AB_SURBL,URIBL_SBL scantime=1.8,size=2060,user=neilc,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=38347,mid=<[EMAIL PROTECTED]>,bayes=1,autolearn=spam
Nov 11 11:07:31 windlord spamd[4234]: prefork: child states: II
Nov 11 11:10:20 windlord spamd[12237]: spamd: setuid to neilc succeeded
Nov 11 09:31:55 windlord spamd[12237]: spamd: result: . 3 - AWL,BAYES_99,DNS_FROM_AHBL_RHSBL,HTML_90_100,HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_HTML_ONLY,SPF_PASS scantime=5.5,size=8255,user=neilc,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=53812,mid=<[EMAIL PROTECTED]>,bayes=0.999999843657468,autolearn=no

and the patch is attached.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)

Versions of packages logcheck-database depends on:
ii  debconf [debconf-2.0]  1.4.58  Debian configuration management sy

logcheck-database recommends no packages.

-- debconf information:
  logcheck-database/conffile-cleanup: false
* logcheck-database/rules-directories-note:
  logcheck-database/standard-rename-note:

--- logcheck-1.2.42/rulefiles/linux/ignore.d.server/spamd.orig 2005-10-21 07:56:54.000000000 -0700 +++ logcheck-1.2.42/rulefiles/linux/ignore.d.server/spamd 2005-11-11 14:09:14.000000000 -0800 @@ -1,6 +1,7 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?connection from [._[:alnum:]-]+ \[[\.[:digit:]]+\] at port [0-9]+$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?info: setuid to [[:alnum:]-]+ succeeded$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?(info: )?setuid to [[:alnum:]-]+ succeeded$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?(checking|processing) message [^[:space:]]+ for [._[:alnum:]-]+:[0-9]+(\.)?$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?clean message \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?identified spam \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$ -Oct 21 13:06:02 localhost spamd[5468]: spamd: processing message (unknown) for siaco:1000 +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?result: . [-0-9 ]+ - [._[:alnum:],] ([:alnum:]+=[^[:space:]])+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: child states: I+$ --- logcheck-1.2.42/rulefiles/linux/violations.ignore.d/logcheck-spamd.orig 2004-07-30 14:59:18.000000000 -0700 +++ logcheck-1.2.42/rulefiles/linux/violations.ignore.d/logcheck-spamd 2005-11-11 14:09:33.000000000 -0800 
@@ -1,3 +1,4 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: Cannot open bayes databases /home/[_[:alnum:]-]+/.spamassassin/bayes_\* R/W: lock failed: File exists$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: failed sanity check, [0-9]+ bytes claimed, [0-9-]+ bytes seen$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: processing message <.+> for .+:[0-9]+\.$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?result: . [-0-9 ]+ - [._[:alnum:],] ([:alnum:]+=[^[:space:]])+$
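
Review bot: In the result rule added to ignore.d.server/spamd, the test-name list "[._[:alnum:],]" has no quantifier, so it matches exactly one character and cannot cover a list such as BAYES_99,FORGED_MUA_OUTLOOK,... from the quoted entries; as written the rule matches neither sample result line. It needs "[._[:alnum:],]+". The trailing group has the same shape problem: "[^[:space:]]" is a single character and the pairs in the log are separated by commas, which "(...)+" does not allow for, so one key=value followed by a repeated ",key=value" would describe the format more closely. Separately, the new prefork rule ends in "child states: I+$", which accepts only runs of I; if spamd logs any other state letter, those lines will still be reported.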
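
Review bot: In the line added to violations.ignore.d/logcheck-spamd, "[:alnum:]+" stands outside a bracket expression, so it is read as a bracket expression over the literal characters ":", "a", "l", "n", "u", "m" rather than as the alnum class. It should be "[[:alnum:]]+", and since the keys in the quoted entries include required_score, "[_[:alnum:]]+". This line is a copy of the one added to ignore.d.server/spamd and also carries the unquantified "[._[:alnum:],]", so both files need the same correction.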
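
A way to check a candidate ignore rule against sample result lines before it goes into a rule file, given that spamd's key=value tail makes a restrictive rule hard to get right. This is an added example, not part of the bug report or of logcheck; the sample lines are constructed (shortened from the entries quoted in the report), and FIXED_RULE, KV and count_matches are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: count how many sample lines a logcheck ignore rule matches.
# logcheck applies its rule files as extended regular expressions (egrep).

# Constructed sample lines, shortened from the entries quoted in the report.
# The third carries trailing text that a restrictive rule should NOT ignore.
SAMPLE='Nov 11 11:04:09 windlord spamd[12237]: spamd: result: Y 54 - BAYES_99,HTML_MESSAGE,URIBL_SBL scantime=1.8,size=2060,user=neilc,required_score=5.0,mid=<m1@example.org>,bayes=1,autolearn=spam
Nov 11 09:31:55 windlord spamd[12237]: spamd: result: . 3 - AWL,SPF_PASS scantime=5.5,size=8255,user=neilc,required_score=5.0,mid=<m2@example.org>,bayes=0.999999843657468,autolearn=no
Nov 11 11:12:00 windlord spamd[12237]: spamd: result: Y 54 - BAYES_99 scantime=1.8,size=2060 unexpected trailing text'

PREFIX='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?result: '

# The result rule as submitted in the patch.
PATCH_RULE="${PREFIX}"'. [-0-9 ]+ - [._[:alnum:],] ([:alnum:]+=[^[:space:]])+$'

# Assumed correction (not from the patch): quantified test list, keys may
# contain "_", and pairs are comma-separated with no whitespace in values.
KV='[_[:alnum:]]+=[^[:space:],]*'
FIXED_RULE="${PREFIX}. [-0-9]+ - [._[:alnum:],]+ ${KV}(,${KV})*\$"

# Print the number of SAMPLE lines matched by the rule in $1.
# grep may reject a malformed rule outright; that is counted as zero matches.
count_matches() {
    n=$(printf '%s\n' "$SAMPLE" | grep -Ec -- "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

echo "patch rule matches: $(count_matches "$PATCH_RULE") of 3"
echo "fixed rule matches: $(count_matches "$FIXED_RULE") of 3"
```

The third line stays unmatched under the corrected rule, so a result line with unexpected trailing content would still reach the logcheck report.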