[Logwatch-Devel] Patch for mailscanner

John Wilcock john at tradoc.fr
Tue Jan 3 00:49:49 MST 2006


This adds extra logging for MailScanner's filetype checks and HTML image 
tag logging, and ignores various initialisation messages that 
occur when MailScanner is used with MailWatch's SQL-based white/blacklist.

John.

-- 
-- Over 2900 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr
-------------- next part --------------
--- mailscanner-lw71	2006-01-03 08:35:56.000000000 +0100
+++ mailscanner	2006-01-03 08:44:00.000000000 +0100
@@ -17,7 +17,7 @@
 ########################################################
 
 my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
-my $phising_detail = $ENV{'mailscanner_phishing_detail'} || 0;
+my $phishing_detail = $ENV{'mailscanner_phishing_detail'} || 0;
 
 #Inits
 my $MailScan_bytes = 0;
@@ -82,7 +82,11 @@
          ( $ThisLine =~ m/^<A> tag found in message/ ) or
          ( $ThisLine =~ m/^Viruses marked as silent:/ ) or
          ( $ThisLine =~ m/^Saved archive copies of/ ) or
-         ( $ThisLine =~ m/Logging message .+ to SQL/ )
+         ( $ThisLine =~ m/^Logging message .+ to SQL/ ) or
+         ( $ThisLine =~ m/^Started SQL Logging child/ ) or
+         ( $ThisLine =~ m/^Starting up SQL Whitelist|Blacklist/ ) or
+         ( $ThisLine =~ m/^Read .+ whitelist|blacklist entries/ ) or
+         ( $ThisLine =~ m/^Closing down by-domain spam whitelist|blacklist/ ) 
    ) {
       # We don't care about these
    } elsif ( $ThisLine =~ m/New Batch: Scanning ([0-9]+) messages, ([0-9]+) bytes/i) {
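Review bot: The three new whitelist/blacklist ignore patterns use a bare `|`, which alternates the whole pattern rather than the last word, so `m/^Starting up SQL Whitelist|Blacklist/` also matches any line that merely contains `Blacklist`, and the next two patterns likewise match anything containing `blacklist entries` or `blacklist`; such lines would be silently discarded instead of reaching the unmatched-entries report. Group the alternation: `m/^Starting up SQL (?:Whitelist|Blacklist)/`, `m/^Read .+ (?:whitelist|blacklist) entries/`, `m/^Closing down by-domain spam (?:whitelist|blacklist)/`. The last added line also carries trailing whitespace. The enclosing if/elsif chain starts before this hunk.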
@@ -144,25 +148,52 @@
    } elsif ($ThisLine =~ m/Commercial scanner (.+) timed out!/){
       $VirusScannerTimeout{$1}++;
       $MailScan_ScannerTimeout++;
+   } elsif ($ThisLine =~ m/Content Checks: Detected and have disarmed (.+) in HTML message in [\w]+/i) {
+      $ContentType{$1}++;
+      $MailScan_Content++;
    } elsif ($ThisLine =~ m/Content Checks: Detected (.+) in [\w]+/i) {
       $ContentType{$1}++;
+      $MailScan_Content++;
    } elsif ($ThisLine =~ m/Filename Checks: Allowing (.+)/i) {
       if ($ThisLine =~ m/Allowing.*msg\-[0-9]*\-[0-9]*\.[txt|dat|html]/) {
       # we don't care about these, regular messages
       } else {
-      #filter sendmail tag and "(no rule matched)"
+      #filter sendmail or postfix tag and "(no rule matched)"
       my $temp_fc = $1;
       $temp_fc =~ s/[a-z0-9]{14}\s//i;
+      $temp_fc =~ s/[a-z0-9]{9,12}\.[a-z0-9]{5}\s//i;
       $temp_fc =~ s/\(no rule matched\)//i;
       $FilenameAllow{$temp_fc}++;
-      $MailScan_FileAllow++;
+      $MailScan_FilenameAllow++;
       }
    } elsif ($ThisLine =~ m/Filename Checks: (.+)/i) {
-      #filter sendmail tag
+      #filter sendmail or postfix tag
       my $temp_fc = lc($1);
       $temp_fc =~ s/\([a-z0-9]{14}\s/\(/i;
+      $temp_fc =~ s/\([a-z0-9]{9,12}\.[a-z0-9]{5}\s/\(/i;
       $temp_fc =~ s/\s{10,}/ -space- /;
       $FilenameType{$temp_fc}++;
+      $MailScan_FilenameBanned++;
+   } elsif ($ThisLine =~ m/Filetype Checks: Allowing (.+)/i) {
+      if ($ThisLine =~ m/Allowing.*msg\-[0-9]*\-[0-9]*\.[txt|dat|html]/) {
+      # we don't care about these, regular messages
+      } else {
+      #filter sendmail or postfix tag and "(no match found)"
+      my $temp_fc = $1;
+      $temp_fc =~ s/[a-z0-9]{14}\s//i;
+      $temp_fc =~ s/[a-z0-9]{9,12}\.[a-z0-9]{5}\s//i;
+      $temp_fc =~ s/\(no match found\)//i;
+      $FiletypeAllow{$temp_fc}++;
+      $MailScan_FiletypeAllow++;
+      }
+   } elsif ($ThisLine =~ m/Filetype Checks: (.+)/i) {
+      #filter sendmail or postfix tag
+      my $temp_fc = lc($1);
+      $temp_fc =~ s/\([a-z0-9]{14}\s/\(/i;
+      $temp_fc =~ s/\([a-z0-9]{9,12}\.[a-z0-9]{5}\s/\(/i;
+      $temp_fc =~ s/\s{10,}/ -space- /;
+      $FiletypeType{$temp_fc}++;
+      $MailScan_FiletypeBanned++;
    } elsif ($ThisLine =~ m/(Password\-protected archive \(.+\)) in \w+/i) {
       $MailScan_Other = $MailScan_Other + 1;
       $FilenameType{$1}++;
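Review bot: In the new `Filetype Checks: Allowing` branch, `m/Allowing.*msg\-[0-9]*\-[0-9]*\.[txt|dat|html]/` uses a character class, not an alternation, so it matches any extension whose first character is one of `t x | d a h m l` and would classify such files as "regular messages" to be dropped from the allowed-filetype report; this copies the same mistake from the existing Filename branch above it. Use a grouped alternation instead, e.g. `m/Allowing.*msg-[0-9]*-[0-9]*\.(?:txt|dat|html)\b/`. The new counters (`$MailScan_Content`, `$MailScan_FilenameBanned`, `$MailScan_FiletypeAllow`, `$MailScan_FiletypeBanned`) and the `%FiletypeAllow`/`%FiletypeType` hashes are not declared anywhere in the visible hunks; if the script runs under `use strict` they presumably need `my` declarations in the `#Inits` block. The enclosing if/elsif chain begins before and continues past this hunk.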
@@ -179,9 +210,9 @@
    } elsif ($ThisLine =~ m/^Found phishing fraud from (.+) claiming to be (.+) in (.+)/) {
       $MailScan_Phishing++;
       $PhishingSource{$1}++;
-      #Detailed phising output set in mailscanner.conf
-      #With variable mailscanner_phising_detail = 1
-      if ($phising_detail) {
+      #Detailed phishing output set in mailscanner.conf
+      #With variable mailscanner_phishing_detail = 1
+      if ($phishing_detail) {
          $PhishingSourceDest{"$1 claiming to be $2 in $3"}++;
       } else {
          $PhishingSourceDest{"$1 claiming to be $2"}++;
@@ -201,6 +232,9 @@
    } elsif ($ThisLine =~ m/^HTML-Object tag found in message .+ from (.+)/) {
       $MailScan_ObjectTag++;
       $ObjectTagSource{$1}++;
+   } elsif ($ThisLine =~ m/^HTML Img tag found in message .+ from (.+)/) {
+      $MailScan_ImgTag++;
+      $ImgTagSource{$1}++;
    } elsif ($ThisLine =~ m/Logged to MailWatch SQL/) {
       $MailWatchSQL++;
    } elsif ($ThisLine =~ m/Quarantining modified message for .+/) {
@@ -233,7 +267,7 @@
 if (keys %MailScan_Spam_Act) {
    foreach $ThisOne (sort keys %MailScan_Spam_Act) {
       if ($MailScan_Spam_Act{$ThisOne} > 0) {
-          print "\n\t" . $MailScan_Spam_Act{$ThisOne} . ' Spam messages with action(s) ' .$ThisOne ;
+          print "\n\t\t" . $MailScan_Spam_Act{$ThisOne} . ' Spam messages with action(s) ' .$ThisOne ;
       }
    }
 }
@@ -361,7 +395,7 @@
 }
 
 if (keys %FilenameAllow) {
-   print "\nAllowed Filename Report: (Total Seen = $MailScan_FileAllow)\n";
+   print "\nAllowed Filename Report: (Total Seen = $MailScan_FilenameAllow)\n";
    if ($Detail >= 10) {
       foreach $ThisOne (sort keys %FilenameAllow) {
          print '    ' . $ThisOne . ': ' . $FilenameAllow{$ThisOne} . " Time(s)\n";
@@ -372,12 +406,30 @@
 }
 
 if (keys %FilenameType) {
-   print "\nBanned Filename Report: (Total Seen = $MailScan_Other)\n";
+   print "\nBanned Filename Report: (Total Seen = $MailScan_FilenameBanned)\n";
    foreach $ThisOne (sort keys %FilenameType) {
       print '    ' . $ThisOne . ': ' . $FilenameType{$ThisOne} . " Time(s)\n";
    }
 }
 
+if (keys %FiletypeAllow) {
+   print "\nAllowed Filetype Report: (Total Seen = $MailScan_FiletypeAllow)\n";
+   if ($Detail >= 10) {
+      foreach $ThisOne (sort keys %FiletypeAllow) {
+         print '    ' . $ThisOne . ': ' . $FiletypeAllow{$ThisOne} . " Time(s)\n";
+      }
+   } else {
+      print '    ' . "Details Suppressed at level $Detail. Level 10 required.\n";
+   }
+}
+
+if (keys %FiletypeType) {
+   print "\nBanned Filetype Report: (Total Seen = $MailScan_FiletypeBanned)\n";
+   foreach $ThisOne (sort keys %FiletypeType) {
+      print '    ' . $ThisOne . ': ' . $FiletypeType{$ThisOne} . " Time(s)\n";
+   }
+}
+
 if (keys %PhishingSource) {
    print "\nPhishing Report: (Total Seen = $MailScan_Phishing)\n";
    foreach $ThisOne (sort keys %PhishingSource) {
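Review bot: The Banned Filename Report total now prints `$MailScan_FilenameBanned`, but `%FilenameType` is also incremented by the password-protected-archive branch (visible as context at the end of the earlier `Filename Checks` hunk), which still increments only `$MailScan_Other`, so "Total Seen" can be smaller than the sum of the entries listed beneath it. Either add `$MailScan_FilenameBanned++;` to that branch or compute the total by summing `values %FilenameType`. The four report blocks in this hunk are otherwise near-identical copies of one another; a small `print_report($title, $total, \%counts)` helper would keep the format and the `$Detail` gating consistent across them.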
@@ -417,6 +469,12 @@
    }
 }
 
+if (keys %ImgTagSource) {
+   print "\nHTML <IMG> tag report: (Total Seen = $MailScan_ImgTag)\n";
+   foreach $ThisOne (sort keys %ImgTagSource) {
+      print '    ' . $ThisOne . ': ' . $ImgTagSource{$ThisOne} . " Time(s)\n";
+   }
+}
 if (keys %OtherList) {
    print "\n**Unmatched Entries**\n";
    foreach $line (sort {$OtherList{$b}<=>$OtherList{$a} } keys %OtherList) {
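Review bot: The new `%ImgTagSource` report block is not separated from the following `if (keys %OtherList)` block by a blank line, unlike every other report block in this file, and its heading `HTML <IMG> tag report:` does not follow the `... Report:` capitalisation used by the surrounding headings. Suggest a blank line after the closing brace and the heading `"\nHTML <IMG> Tag Report: (Total Seen = $MailScan_ImgTag)\n"`.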

