package logcheck-database
tags 303128 moreinfo
thanks

On Mon, 2005-04-04 at 18:34 -0400, Douglas F. Calvert wrote:
> Thank you for adding rules for procmail/postfix. I am still seeing a number
> of messages that I do not wish to see and I cannot figure out the
> appropriate regexp.
> The relevant lines are included below...
>
> courier-imap:
> Apr 4 07:11:02 terminus imaplogin: LOGOUT, user=user,
> ip=[::ffff:69.56.216.138], headers=0, body=0, time=20

Firstly, courier-imap rules are provided in the courier-imap package; any
bug reports regarding these rules should be filed against the courier-imap
package. Secondly, the rule in ignore.d.server/courier-imap matches the log
message above, so you shouldn't be seeing these messages:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imaplogin: LOGOUT, [EMAIL PROTECTED]:alnum:]]+, ip=\[[.:[:alnum:]]+\], headers=[0-9]+, body=[0-9]+, time=[0-9]+$

Can you check that you have ignore.d.server/courier-imap and that it
contains this rule?

> amavis:
> Apr 4 07:11:55 terminus amavis[6620]: (06620-03-4) Passed, <[EMAIL
> PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, Hits: -
> Apr 4 07:11:55 terminus amavis[6620]: (06620-03-5) Passed, <[EMAIL
> PROTECTED]> -> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>, Message-ID: <[EMAIL
> PROTECTED]>, Hits: -

Again, rules for amavisd-new are provided in the amavisd-new package, and
the rules match these messages.

> spamd (these are reported as security events at the server report level):
> Apr 4 07:07:08 terminus spamd[22281]: result: Y 42 -
> AWL,BAYES_99,DNS_FROM_RFC_POST,DNS_FROM_RFC_WHOIS,DOMAIN_RATIO,HEAD_ILLEGAL_CHARS,HTML_90_100,HTML_IMAGE_ONLY_16,HTML_MESSAGE,HTTP_ESCAPED_HOST,HTTP_EXCESSIVE_ESCAPES,MIME_BOUND_DD_DIGITS,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MIME_QP_LONG_LINE,MISSING_MIMEOLE,MPART_ALT_DIFF,MSGID_SPAM_CAPS,MSGID_YAHOO_CAPS,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_NUMERIC_HELO,SUBJ_ILLEGAL_CHARS,URIBL_AB_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL
> scantime=11.6,size=2862,mid=<[EMAIL PROTECTED]>,bayes=1,autolearn=spam
> Apr 4 07:07:09 terminus spamd[21539]: result: Y 43 -
> AWL,BAYES_99,DNS_FROM_RFC_POST,DNS_FROM_RFC_WHOIS,DOMAIN_RATIO,HEAD_ILLEGAL_CHARS,HTML_90_100,HTML_IMAGE_ONLY_16,HTML_MESSAGE,HTTP_ESCAPED_HOST,HTTP_EXCESSIVE_ESCAPES,MIME_BOUND_DD_DIGITS,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MIME_QP_LONG_LINE,MISSING_MIMEOLE,MPART_ALT_DIFF,MSGID_SPAM_CAPS,MSGID_YAHOO_CAPS,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_NUMERIC_HELO,SUBJ_ILLEGAL_CHARS,URIBL_AB_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL
> scantime=12.4,size=2860,mid=<[EMAIL PROTECTED]>,bayes=1,autolearn=spam

Ditto. The file violations.ignore.d/spamassassin is provided by the
spamassassin package and includes a rule to ignore these messages. Check
that these files exist and that their permissions are such that logcheck
can read them.

> spamd (these are not security events):
>
> Apr 4 08:00:25 terminus spamd[27462]: server hit by SIGCHLD
> Apr 4 08:00:25 terminus spamd[27462]: handled cleanup of child pid 22281
> Apr 4 08:00:25 terminus spamd[27462]: server successfully spawned child
> process, pid 9148

These look like startup/shutdown messages which we want to report, since it
could mean a security problem of some kind. If you find it really annoying
you can put some rules to ignore those messages in a local-foo file in
ignore.d.server/ (it won't get overwritten during a package upgrade, either).

-j
-- 
-jamie <[EMAIL PROTECTED]> | spamtrap: [EMAIL PROTECTED]
w: http://www.silverdream.org | p: [EMAIL PROTECTED]
pgp key @ http://silverdream.org/~jps/pub.key
21:30:02 up 17 min, 2 users, load average: 2.65, 2.52, 1.58
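A way to try out candidate rules for a local-foo file in ignore.d.server/, and to check that a rule file is readable, before filing a bug. This is an added example, not from the thread or the logcheck package; the three spamd regexes, the sample log lines and the helper names are constructed for it, and it assumes GNU grep.

```shell
#!/bin/sh
# Added example, not from the thread: exercise candidate ignore rules the way
# logcheck does (extended regexes, one per line, applied with grep -E -f).

# Constructed rule file for the spamd child-process messages quoted above.
# These regexes are assumptions for this example, not the package's own rules.
# Rules are conventionally anchored with ^ and $ so they match no more than intended.
make_rules() {
    cat >"$1" <<'EOF'
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: server hit by SIGCHLD$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: handled cleanup of child pid [0-9]+$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: server successfully spawned child process, pid [0-9]+$
EOF
}

# Constructed sample log: the three lines from the thread (with syslog's
# two-space day padding) plus one shutdown line the rules must NOT swallow,
# since that is the kind of event logcheck should still report.
make_sample_log() {
    cat >"$1" <<'EOF'
Apr  4 08:00:25 terminus spamd[27462]: server hit by SIGCHLD
Apr  4 08:00:25 terminus spamd[27462]: handled cleanup of child pid 22281
Apr  4 08:00:25 terminus spamd[27462]: server successfully spawned child process, pid 9148
Apr  4 08:01:00 terminus spamd[27462]: server killed by SIGTERM, shutting down
EOF
}

# 0 if the rule file exists and is readable by the invoking user. For a real
# check, run this as the unprivileged user the logcheck cron job uses, not root.
rule_file_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# 0 when some rule in file $1 matches the single log line $2 (logcheck would drop it).
line_ignored() {
    printf '%s\n' "$2" | grep -E -q -f "$1"
}

# Print the lines of log $2 that no rule in $1 matches: what would reach the report.
report_lines() {
    grep -E -v -f "$1" "$2"
}

rules=$(mktemp) && log=$(mktemp)
make_rules "$rules"; make_sample_log "$log"
rule_file_readable "$rules" || echo "logcheck cannot read $rules" >&2
echo "Lines logcheck would still report:"; report_lines "$rules" "$log"
rm -f "$rules" "$log"
```

A rule that fails here against a line pasted straight from syslog usually differs in whitespace or in an unescaped `[`; the day field in particular is padded to two characters.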