[Logwatch-Devel] mailscanner tweaks

John Wilcock john at tradoc.fr
Wed Jun 1 00:37:33 MST 2005


Mike Tremaine wrote:
> I posted a new mailscanner script with some Postfix greylisting code
> from Skip Montanaro [thanks!]. Anyone with Postfix/MailScanner should
> give this one a test for me before I commit it. [Skip you can make sure
> I got everything in and that nothing broke on the jump from 1.4 to 1.7]

This doesn't actually break anything AFAICT, but it doesn't seem to work 
as intended either. The reason, I think, is that this script only sees 
mailscanner log lines, not postfix ones. The greylisting stuff therefore 
needs to be moved to the postfix script - the unknown local addresses 
and helo rejected are already logged by that anyway.

However, Mike, I do have a patch of my own for you (attached) for the 
mailscanner script (diff against the version from the logwatch 6.1 rpm), 
catering for new output from f-prot, adding a filter for MailScanner's 
HTML object disarming -- and also correcting the typo "Times(s)" to 
"Time(s)" throughout the script!


John.

-- 
-- Over 2500 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr
-------------- next part --------------
--- mailscanner-lw61	2005-06-01 09:13:29.000000000 +0200
+++ mailscanner-jw	2005-06-01 09:08:09.000000000 +0200
@@ -26,6 +26,7 @@
 my $MailScan_Unscanned = 0;
 my $MailScan_Virus = 0;
 my $SA_timeout = 0;
+my $MailScan_ScannerTimeout = 0;
 
 while (defined($ThisLine = <STDIN>)) {
    #($QueueID) = ($ThisLine =~ m/^([a-zA-Z0-9]+): / );
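Review bot: only the scalar counter is declared here, while the later hunks also introduce `%VirusScannerTimeout`, `%ObjectTagSource` and `$MailScan_ObjectTag` without declaring or zeroing them. `$MailScan_ObjectTag` in particular is a counter in the same style as `$MailScan_ScannerTimeout` and should get a `my $MailScan_ObjectTag = 0;` line next to this one (and the two hashes need `my` declarations if the script is ever run under `use strict`).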
@@ -50,7 +51,7 @@
          ( $ThisLine =~ m/Virus Scanning: ClamAV Module found [\d]+ infections/ ) or
          ( $ThisLine =~ m/^ClamAV virus database has been updated/ ) or
          ( $ThisLine =~ m/^ClamAV update of/ ) or
-         ( $ThisLine =~ m/Message .+ is spam, Spam/ ) or
+#         ( $ThisLine =~ m/Message .+ is spam, Spam/ ) or
          ( $ThisLine =~ m/Saved entire message to/ ) or
          ( $ThisLine =~ m/Spam Checks: Starting/ ) or
          ( $ThisLine =~ m/SophosSAVI .+ recognizing [0-9]+ viruses/ ) or
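Review bot: dropping the `Message .+ is spam, Spam` pattern from the ignore list is not mentioned in the cover mail, and its effect is that every "is spam" line now falls through to the "unmatched entries" report unless some later `elsif` handles it. Either say which branch is meant to count these lines or keep the ignore; and if the intent really is to remove it, delete the line rather than leaving a `#` comment inside the `or` chain (the chain still parses only because the preceding line ends in `or`).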
@@ -58,7 +59,7 @@
          ( $ThisLine =~ m/Sophos SAVI library has been updated/ ) or
          ( $ThisLine =~ m/Sophos.*update.* detected, resetting SAVI/ ) or
          ( $ThisLine =~ m/RBL checks: .+ found in RFC-IGNORANT-POSTMASTER/ ) or
-         ( $ThisLine =~ m/Message .+ from .+ to .+ is spam/ ) or
+#         ( $ThisLine =~ m/Message .+ from .+ to .+ is spam/ ) or
          ( $ThisLine =~ m/F-Prot found/ ) or
          ( $ThisLine =~ m/SpamAssassin Bayes database rebuild starting|preparing|completed/ ) or
          ( $ThisLine =~ m/Rebuilding SpamAssassin Bayes database/ ) or
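Review bot: same point as for the first commented-out spam pattern: with `Message .+ from .+ to .+ is spam` no longer ignored, those lines will surface as unmatched entries unless a counting branch exists for them. Remove the line outright or restore it, and document the intent in the commit message.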
@@ -75,7 +76,8 @@
          ( $ThisLine =~ m/^Finished initialising database connection/ ) or
          ( $ThisLine =~ m/^Disconnected from the database/ ) or
          ( $ThisLine =~ m/^<A> tag found in message/ ) or
-         ( $ThisLine =~ m/^Viruses marked as silent:/ ) 
+         ( $ThisLine =~ m/^Viruses marked as silent:/ ) or
+         ( $ThisLine =~ m/^Saved archive copies of/ )
    ) {
       # We don't care about these
    } elsif ( $ThisLine =~ m/New Batch: Scanning ([0-9]+) messages, ([0-9]+) bytes/i) {
@@ -107,6 +109,12 @@
    } elsif ($ThisLine =~ m/^\/var\/spool\/MailScanner\/incoming\/.+ Infection: (.+)/i) {
       $VirusType_Fprot{$1}++;
       $MailScan_Virus_Fprot++;
+   } elsif ($ThisLine =~ m/^\/var\/spool\/MailScanner\/incoming\/.+ is a security risk named (.+)/i) {
+      $VirusType_Fprot{$1}++;
+      $MailScan_Virus_Fprot++;
+   } elsif ($ThisLine =~ m/^\.\/.+ is a dropper for (.+)/i) {
+      $VirusType_Fprot{$1}++;
+      $MailScan_Virus_Fprot++;
    } elsif ($ThisLine =~ m/^\/var\/spool\/MailScanner\/incoming\/.+ could be/i) {
       $MailScan_Virus_Fprot++;
    } elsif ($ThisLine =~ m/Found the (.+) virus !!!/) {
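Review bot: the two new F-Prot branches duplicate the body of the existing `Infection:` branch; one alternation such as `m/^\/var\/spool\/MailScanner\/incoming\/.+ (?:Infection: |is a security risk named )(.+)/i` would cover both with a single counter update. Note also that the dropper pattern is anchored on `^\.\/` (a relative path) while its neighbours anchor on the absolute incoming directory; if that reflects F-Prot reporting archive members relative to the scan directory, a one-line comment saying so would save the next reader from "fixing" it.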
@@ -118,6 +126,9 @@
    } elsif ($ThisLine =~ m/SophosSAVI::INFECTED:: (.+)::/) {
       $VirusType_SophosSavi{$1}++;
       $MailScan_Virus_SophosSavi++;
+   } elsif ($ThisLine =~ m/Commercial scanner (.+) timed out!/){
+      $VirusScannerTimeout{$1}++;
+      $MailScan_ScannerTimeout++;
    } elsif ($ThisLine =~ m/Content Checks: Detected (.+) in [\w]+/i) {
       $ContentType{$1}++;
    } elsif ($ThisLine =~ m/Filename Checks: Allowing (.+)/i) {
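Review bot: style nit on the new `timed out!` branch: `){` should be `) {` to match every other `elsif` in the file. Otherwise the branch is consistent with its neighbours; the captured scanner name is used as the per-scanner key, which is what the report block later relies on.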
@@ -166,6 +177,9 @@
    } elsif ($ThisLine =~ m/^HTML-IFrame tag found in message .+ from (.+)/) {
       $MailScan_IframeTag++;
       $IframeTagSource{$1}++;
+   } elsif ($ThisLine =~ m/^HTML-Object tag found in message .+ from (.+)/) {
+      $MailScan_ObjectTag++;
+      $ObjectTagSource{$1}++;
    } else {
       chomp($ThisLine);
       # Report any unmatched entries...
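Review bot: the HTML-Object branch mirrors the HTML-IFrame one exactly, which is the right shape; the only gap is that `$MailScan_ObjectTag` is incremented here but never initialised near the other `$MailScan_*` counters at the top of the script (see the first hunk).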
@@ -223,59 +237,66 @@
    print "\n\t" . $SA_timeout . " SpamAssassin timeout(s)\n";
 }
 
+if (keys %VirusScannerTimeout) {
+   print "\n\t" . $MailScan_ScannerTimeout . " virus scanner timeout(s)\n";
+   foreach $ThisOne (sort keys %VirusScannerTimeout) {
+      print "\t    " . $ThisOne . ": " . $VirusScannerTimeout{$ThisOne} . " Time(s)\n";
+   }
+}
+
 if (keys %VirusType_ClamAv) {
    print "\nClamAV Virus Report: (Total Seen = $MailScan_Virus_ClamAv)\n";
    foreach $ThisOne (sort keys %VirusType_ClamAv) {
-      print '    ' . $ThisOne . ': ' . $VirusType_ClamAv{$ThisOne} . " Times(s)\n";
+      print '    ' . $ThisOne . ': ' . $VirusType_ClamAv{$ThisOne} . " Time(s)\n";
    }
 }
 
 if (keys %VirusType_ClamAVModule) {
    print "\nClamAVModule Virus Report: (Total Seen = $MailScan_Virus_ClamAVModule)\n";
    foreach $ThisOne (sort keys %VirusType_ClamAVModule) {
-   print '    ' . $ThisOne . ': ' . $VirusType_ClamAVModule{$ThisOne} . " Times(s)\n";
+   print '    ' . $ThisOne . ': ' . $VirusType_ClamAVModule{$ThisOne} . " Time(s)\n";
    }
 }
 
 if (keys %VirusType_Fprot) {
    print "\nF-Prot Virus Report: (Total Seen = $MailScan_Virus_Fprot)\n";
    foreach $ThisOne (sort keys %VirusType_Fprot) {
-      print '    ' . $ThisOne . ': ' . $VirusType_Fprot{$ThisOne} . " Times(s)\n";
+      print '    ' . $ThisOne . ': ' . $VirusType_Fprot{$ThisOne} . " Time(s)\n";
    }
 }
 
 if (keys %VirusType_McAfee) {
    print "\nMcAfee Virus Report: (Total Seen = $MailScan_Virus_McAfee)\n";
    foreach $ThisOne (sort keys %VirusType_McAfee) {
-      print '    ' . $ThisOne . ': ' . $VirusType_McAfee{$ThisOne} . " Times(s)\n";
+      print '    ' . $ThisOne . ': ' . $VirusType_McAfee{$ThisOne} . " Time(s)\n";
    }
 }
 
 if (keys %VirusType_Sophos) {
    print "\nSophos Virus Report: (Total Seen = $MailScan_Virus_Sophos)\n";
    foreach $ThisOne (sort keys %VirusType_Sophos) {
-      print '    ' . $ThisOne . ': ' . $VirusType_Sophos{$ThisOne} . " Times(s)\n";
+      print '    ' . $ThisOne . ': ' . $VirusType_Sophos{$ThisOne} . " Time(s)\n";
    }
 }
 
 if (keys %VirusType_SophosSavi) {
    print "\nSophosSavi Virus Report: (Total Seen = $MailScan_Virus_SophosSavi)\n";
    foreach $ThisOne (sort keys %VirusType_SophosSavi) {
-   print '    ' . $ThisOne . ': ' . $VirusType_SophosSavi{$ThisOne} . " Times(s)\n";
+   print '    ' . $ThisOne . ': ' . $VirusType_SophosSavi{$ThisOne} . " Time(s)\n";
    }
 }
 
 if (keys %Hostlist) {
    print "\nVirus Sender Report: (Total Seen = $MailScan_VirualHost)\n";
    foreach $ThisOne (sort keys %Hostlist) {
-      print '    ' . $ThisOne . ': ' . $Hostlist{$ThisOne} . " Times(s)\n";
+      print '    ' . $ThisOne . ': ' . $Hostlist{$ThisOne} . " Time(s)\n";
    }
 }
 
 if (keys %Whitelisted_Host) {
    print "\nSpam Whitelisted Host Report: (Total Seen = $MailScan_Whitelisted)\n";
    foreach $ThisOne (sort keys %Whitelisted_Host) {
-   print '    ' . $ThisOne . ': ' . $Whitelisted_Host{$ThisOne} . " Times(s)\n";
+   print '    ' . $ThisOne . ': ' . $Whitelisted_Host{$ThisOne} . " Time(s)\n";
    }
 }
 
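Review bot: the new scanner timeout block copies the layout of the single `$SA_timeout` line above it (`"\n\t" ... "\t    "`) even though it is a tabulated per-scanner report like all the "Virus Report: (Total Seen = N)" sections that follow. For consistency with those, `print "\nVirus Scanner Timeout Report: (Total Seen = $MailScan_ScannerTimeout)\n";` with the usual `'    '` indentation would read better. The mass `Times(s)` to `Time(s)` correction throughout this hunk is welcome.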
@@ -283,14 +304,14 @@
 if (keys %Blacklisted_Host) {
    print "\nSpam Blacklisted Host Report: (Total Seen = $MailScan_Blacklisted)\n";
    foreach $ThisOne (sort keys %Blacklisted_Host) {
-      print '    ' . $ThisOne . ': ' . $Blacklisted_Host{$ThisOne} . " Times(s)\n";
+      print '    ' . $ThisOne . ': ' . $Blacklisted_Host{$ThisOne} . " Time(s)\n";
    }
 }
 
 if (keys %ContentType) {
    print "\nContent Report: (Total Seen = $MailScan_Content)\n";
    foreach $ThisOne (sort keys %ContentType) {
-      print '    ' . $ThisOne . ': ' . $ContentType{$ThisOne} . " Times(s)\n";
+      print '    ' . $ThisOne . ': ' . $ContentType{$ThisOne} . " Time(s)\n";
    }
 }
 
@@ -298,7 +319,7 @@
    print "\nAllowed Filename Report: (Total Seen = $MailScan_FileAllow)\n";
    if ($Detail >= 10) {
       foreach $ThisOne (sort keys %FilenameAllow) {
-         print '    ' . $ThisOne . ': ' . $FilenameAllow{$ThisOne} . " Times(s)\n";
+         print '    ' . $ThisOne . ': ' . $FilenameAllow{$ThisOne} . " Time(s)\n";
       }
    } else {
       print '    ' . "Details Suppressed at level $Detail. Level 10 required.\n";
@@ -308,39 +329,46 @@
 if (keys %FilenameType) {
    print "\nBanned Filename Report: (Total Seen = $MailScan_Other)\n";
    foreach $ThisOne (sort keys %FilenameType) {
-      print '    ' . $ThisOne . ': ' . $FilenameType{$ThisOne} . " Times(s)\n";
+      print '    ' . $ThisOne . ': ' . $FilenameType{$ThisOne} . " Time(s)\n";
    }
 }
 
 if (keys %PhishingSource) {
    print "\nPhishing Report: (Total Seen = $MailScan_Phishing)\n";
    foreach $ThisOne (sort keys %PhishingSource) {
-      print '    ' . $ThisOne . ': ' . $PhishingSource{$ThisOne} . " Times(s)\n";
+      print '    ' . $ThisOne . ': ' . $PhishingSource{$ThisOne} . " Time(s)\n";
    };
    print "\n  Detail:\n";
    foreach $ThisOne (sort keys %PhishingSourceDest) {
-      print '    ' . $ThisOne . ': ' . $PhishingSourceDest{$ThisOne} . " Times(s)\n";
+      print '    ' . $ThisOne . ': ' . $PhishingSourceDest{$ThisOne} . " Time(s)\n";
    }
 }
 
 if (keys %FormTagSource) {
    print "\nHTML <FORM> tag report: (Total Seen = $MailScan_FormTag)\n";
    foreach $ThisOne (sort keys %FormTagSource) {
-      print '    ' . $ThisOne . ': ' . $FormTagSource{$ThisOne} . " Times(s)\n";
+      print '    ' . $ThisOne . ': ' . $FormTagSource{$ThisOne} . " Time(s)\n";
    }
 }
 
 if (keys %ScriptTagSource) {
    print "\nHTML <SCRIPT> tag report: (Total Seen = $MailScan_ScriptTag)\n";
    foreach $ThisOne (sort keys %ScriptTagSource) {
-      print '    ' . $ThisOne . ': ' . $ScriptTagSource{$ThisOne} . " Times(s)\n";
+      print '    ' . $ThisOne . ': ' . $ScriptTagSource{$ThisOne} . " Time(s)\n";
    }
 }
 
 if (keys %IframeTagSource) {
    print "\nHTML <IFRAME> tag report: (Total Seen = $MailScan_IframeTag)\n";
    foreach $ThisOne (sort keys %IframeTagSource) {
-      print '    ' . $ThisOne . ': ' . $IframeTagSource{$ThisOne} . " Times(s)\n";
+      print '    ' . $ThisOne . ': ' . $IframeTagSource{$ThisOne} . " Time(s)\n";
+   }
+}
+
+if (keys %ObjectTagSource) {
+   print "\nHTML <OBJECT> tag report: (Total Seen = $MailScan_ObjectTag)\n";
+   foreach $ThisOne (sort keys %ObjectTagSource) {
+      print '    ' . $ThisOne . ': ' . $ObjectTagSource{$ThisOne} . " Time(s)\n";
    }
 }
 
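Review bot: the `<OBJECT>` report block is a faithful copy of the `<IFRAME>` one and is fine as such; while touching this region, the pre-existing `};` after the `%PhishingSource` loop (a stray semicolon following the closing brace) could be cleaned up to a plain `}`, and `$MailScan_ObjectTag` printed in the new header should be initialised with the other counters so the header never interpolates an undefined value.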


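The discussion above turns on what a logwatch service script does with each line it is handed: ignore it, match it into a counter keyed on a captured value, or let it fall through to the "unmatched entries" list. As an added illustration (not the logwatch mailscanner script, nor any code from John or Mike), the following Python reimplements that three-way classification for the patterns the patch touches: the two new F-Prot phrasings, the commercial-scanner timeout, the HTML-Object tag, and the `Saved archive copies of` ignore. The sample log lines, the `IGNORE` list and the report titles are constructed here for the example; syslog prefixes are assumed to have been stripped already, as logwatch does before invoking a service script. The spam line is deliberately included so that the effect of dropping it from the ignore list (it lands in the unmatched list) is visible.

```python
import re
from collections import Counter, defaultdict

# Constructed sample MailScanner log lines (not real log data); the syslog
# "date host MailScanner[pid]:" prefix is assumed to be already removed.
SAMPLE_LINES = [
    "/var/spool/MailScanner/incoming/1234/j4V8x1.msg Infection: EICAR_Test_File",
    "/var/spool/MailScanner/incoming/1234/j4V8x2.msg is a security risk named W32/Example.A",
    "./j4V8x3.msg/document.zip is a dropper for W32/Example.B",
    "Commercial scanner f-prot timed out!",
    "HTML-Object tag found in message j4V8x4 from sender@example.invalid",
    "Saved archive copies of j4V8x5",
    "Message j4V8x6 from 192.0.2.1 (sender@example.invalid) to example.invalid is spam, SpamAssassin (score=9.1)",
    "Some line the script has never seen",
]

# Lines matching any of these are silently dropped (a short stand-in for the
# long "We don't care about these" chain in the real script).
IGNORE = [re.compile(p) for p in (
    r"^Saved archive copies of",
    r"Spam Checks: Starting",
)]

# (pattern, report name): group 1 of the pattern is the per-item key.
# Patterns mirror the ones added or kept by the patch; flags follow suit.
RULES = [
    (re.compile(r"^/var/spool/MailScanner/incoming/.+ Infection: (.+)", re.I), "fprot"),
    (re.compile(r"^/var/spool/MailScanner/incoming/.+ is a security risk named (.+)", re.I), "fprot"),
    (re.compile(r"^\./.+ is a dropper for (.+)", re.I), "fprot"),
    (re.compile(r"Commercial scanner (.+) timed out!"), "scanner_timeout"),
    (re.compile(r"^HTML-Object tag found in message .+ from (.+)"), "object_tag"),
    (re.compile(r"^HTML-IFrame tag found in message .+ from (.+)"), "iframe_tag"),
]

# Report headings for the rendered output (constructed for this example).
TITLES = {
    "fprot": "F-Prot Virus Report",
    "scanner_timeout": "Virus Scanner Timeout Report",
    "object_tag": "HTML <OBJECT> tag report",
    "iframe_tag": "HTML <IFRAME> tag report",
}


def tally(lines):
    """Classify each line: ignored, counted under a report, or unmatched."""
    reports = defaultdict(Counter)
    unmatched = []
    for raw in lines:
        line = raw.rstrip("\n")
        if any(p.search(line) for p in IGNORE):
            continue
        for pattern, report in RULES:
            m = pattern.search(line)
            if m:
                reports[report][m.group(1)] += 1
                break
        else:
            # Nothing claimed the line: surface it so the pattern list can grow.
            unmatched.append(line)
    return reports, unmatched


def render(reports, unmatched):
    """Produce logwatch-style text: a header with the total, then one
    '    key: N Time(s)' line per item, and the unmatched list at the end."""
    out = []
    for report, counter in sorted(reports.items()):
        total = sum(counter.values())
        out.append(f"\n{TITLES[report]}: (Total Seen = {total})")
        for key, n in sorted(counter.items()):
            out.append(f"    {key}: {n} Time(s)")
    if unmatched:
        out.append("\n**Unmatched Entries**")
        out.extend(f"    {line}" for line in unmatched)
    return "\n".join(out)


def sample_reports():
    """Run the classifier over the constructed sample lines."""
    return tally(SAMPLE_LINES)


if __name__ == "__main__":
    reports, unmatched = sample_reports()
    print(render(reports, unmatched))
```

Running the block prints an F-Prot report with three distinct names (the `Infection:`, `security risk` and `dropper` phrasings all feed one counter, as in the patch), a one-entry timeout report keyed on the scanner name, the `<OBJECT>` report keyed on the sender, and two unmatched lines: the spam line, because nothing counts it once it is no longer ignored, and the unknown line. That unmatched list is the feedback loop a logwatch maintainer relies on when a scanner starts emitting a new message format.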