Douglas F. Calvert
2005-Apr-04 22:34 UTC
[Logcheck-devel] Bug#303128: logcheck-database: rules for amavis / courier imapd / spamd
Package: logcheck-database
Version: 1.2.37
Severity: normal

Hello,
Thank you for adding rules for procmail/postfix. I am still seeing a number of messages that I do not wish to see and I can not figure out the appropriate regexp. The relevant lines are included below...

courier-imap:
Apr 4 07:11:02 terminus imaplogin: LOGOUT, user=user, ip=[::ffff:69.56.216.138], headers=0, body=0, time=20

amavis:
Apr 4 07:11:55 terminus amavis[6620]: (06620-03-4) Passed, <kjalj3lad at yahoo.com> -> <doug at localhost>, Message-ID: <UXSGTOABBRKUCVSYGYSXW at hotmail.com>, Hits: -
Apr 4 07:11:55 terminus amavis[6620]: (06620-03-5) Passed, <jasfdah at howisonmarine.com> -> <WISE_STEPHEN_D at LILLY.COM>,<rfdtxch at localhost>, Message-ID: <425123D8.9060709 at howisonmarine.com>, Hits: -

spamd (these are reported as security events at the server report level):
Apr 4 07:07:08 terminus spamd[22281]: result: Y 42 - AWL,BAYES_99,DNS_FROM_RFC_POST,DNS_FROM_RFC_WHOIS,DOMAIN_RATIO,HEAD_ILLEGAL_CHARS,HTML_90_100,HTML_IMAGE_ONLY_16,HTML_MESSAGE,HTTP_ESCAPED_HOST,HTTP_EXCESSIVE_ESCAPES,MIME_BOUND_DD_DIGITS,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MIME_QP_LONG_LINE,MISSING_MIMEOLE,MPART_ALT_DIFF,MSGID_SPAM_CAPS,MSGID_YAHOO_CAPS,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_NUMERIC_HELO,SUBJ_ILLEGAL_CHARS,URIBL_AB_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=11.6,size=2862,mid=<TFJTTROCINKDGKEOJUTOTFS at yahoo.com>,bayes=1,autolearn=spam
Apr 4 07:07:09 terminus spamd[21539]: result: Y 43 - AWL,BAYES_99,DNS_FROM_RFC_POST,DNS_FROM_RFC_WHOIS,DOMAIN_RATIO,HEAD_ILLEGAL_CHARS,HTML_90_100,HTML_IMAGE_ONLY_16,HTML_MESSAGE,HTTP_ESCAPED_HOST,HTTP_EXCESSIVE_ESCAPES,MIME_BOUND_DD_DIGITS,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MIME_QP_LONG_LINE,MISSING_MIMEOLE,MPART_ALT_DIFF,MSGID_SPAM_CAPS,MSGID_YAHOO_CAPS,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_NUMERIC_HELO,SUBJ_ILLEGAL_CHARS,URIBL_AB_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=12.4,size=2860,mid=<TFJTTROCINKDGKEOJUTOTFS at yahoo.com>,bayes=1,autolearn=spam

spamd (these are not security events):
Apr 4 08:00:25 terminus spamd[27462]: server hit by SIGCHLD
Apr 4 08:00:25 terminus spamd[27462]: handled cleanup of child pid 22281
Apr 4 08:00:25 terminus spamd[27462]: server successfully spawned child process, pid 9148

-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-exec-shield
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages logcheck-database depends on:
ii debconf [debconf-2.0] 1.4.47 Debian configuration management sy

-- debconf information:
logcheck-database/rules-directories-note:
logcheck-database/standard-rename-note:
logcheck-database/conffile-cleanup: false
Jamie L. Penman-Smithson
2005-Apr-07 15:39 UTC
[Logcheck-devel] Bug#303128: logcheck-database: rules for amavis / courier imapd / spamd
package logcheck-database
tags 303128 moreinfo
thanks

On Mon, 2005-04-04 at 18:34 -0400, Douglas F. Calvert wrote:
> Thank you for adding rules for procmail/postfix. I am still seeing a number of messages that I do not wish to see and I can not figure out the appropriate regexp.
> The relevant lines are included below...
>
> courier-imap:
> Apr 4 07:11:02 terminus imaplogin: LOGOUT, user=user, ip=[::ffff:69.56.216.138], headers=0, body=0, time=20

Firstly, courier-imap rules are provided in the courier-imap package, any bug reports regarding these rules should be filed against the courier-imap package.

Secondly, the rule in ignore.d.server/courier-imap matches the log message above, so you shouldn't be seeing these messages:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imaplogin: LOGOUT, user=[-_.@[:alnum:]]+, ip=\[[.:[:alnum:]]+\], headers=[0-9]+, body=[0-9]+, time=[0-9]+$

Can you check that you have ignore.d.server/courier-imap and that it contains this rule?

> amavis:
> Apr 4 07:11:55 terminus amavis[6620]: (06620-03-4) Passed, <kjalj3lad at yahoo.com> -> <doug at localhost>, Message-ID: <UXSGTOABBRKUCVSYGYSXW at hotmail.com>, Hits: -
> Apr 4 07:11:55 terminus amavis[6620]: (06620-03-5) Passed, <jasfdah at howisonmarine.com> -> <WISE_STEPHEN_D at LILLY.COM>,<rfdtxch at localhost>, Message-ID: <425123D8.9060709 at howisonmarine.com>, Hits: -

Again, rules for amavisd-new are provided in the amavisd-new package and the rules match these messages.

> spamd (these are reported as security events at the server report level):
> Apr 4 07:07:08 terminus spamd[22281]: result: Y 42 - AWL,BAYES_99,DNS_FROM_RFC_POST,DNS_FROM_RFC_WHOIS,DOMAIN_RATIO,HEAD_ILLEGAL_CHARS,HTML_90_100,HTML_IMAGE_ONLY_16,HTML_MESSAGE,HTTP_ESCAPED_HOST,HTTP_EXCESSIVE_ESCAPES,MIME_BOUND_DD_DIGITS,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MIME_QP_LONG_LINE,MISSING_MIMEOLE,MPART_ALT_DIFF,MSGID_SPAM_CAPS,MSGID_YAHOO_CAPS,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_NUMERIC_HELO,SUBJ_ILLEGAL_CHARS,URIBL_AB_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=11.6,size=2862,mid=<TFJTTROCINKDGKEOJUTOTFS at yahoo.com>,bayes=1,autolearn=spam
> Apr 4 07:07:09 terminus spamd[21539]: result: Y 43 - AWL,BAYES_99,DNS_FROM_RFC_POST,DNS_FROM_RFC_WHOIS,DOMAIN_RATIO,HEAD_ILLEGAL_CHARS,HTML_90_100,HTML_IMAGE_ONLY_16,HTML_MESSAGE,HTTP_ESCAPED_HOST,HTTP_EXCESSIVE_ESCAPES,MIME_BOUND_DD_DIGITS,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MIME_QP_LONG_LINE,MISSING_MIMEOLE,MPART_ALT_DIFF,MSGID_SPAM_CAPS,MSGID_YAHOO_CAPS,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_NUMERIC_HELO,SUBJ_ILLEGAL_CHARS,URIBL_AB_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=12.4,size=2860,mid=<TFJTTROCINKDGKEOJUTOTFS at yahoo.com>,bayes=1,autolearn=spam

Ditto. The file violations.ignore.d/spamassassin is provided by the spamassassin package and includes a rule to ignore these messages.

Check that these files exist and that their permissions are such that logcheck can read them.

> spamd (these are not security events):
>
> Apr 4 08:00:25 terminus spamd[27462]: server hit by SIGCHLD
> Apr 4 08:00:25 terminus spamd[27462]: handled cleanup of child pid 22281
> Apr 4 08:00:25 terminus spamd[27462]: server successfully spawned child process, pid 9148

These look like startup/shutdown messages which we want to report, since it could mean a security problem of some kind. If you find it really annoying you can put some rules to ignore those messages in a local-foo file in ignore.d.server/ (it won't get overwritten during a package upgrade, either).

-j
--
-jamie <jamie at silverdream.org> | spamtrap: spam at silverdream.org
w: http://www.silverdream.org | p: sms at silverdream.org
pgp key @ http://silverdream.org/~jps/pub.key
21:30:02 up 17 min, 2 users, load average: 2.65, 2.52, 1.58
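
The check suggested in the reply above (does the rule file exist, and does its rule match the line?) can be reproduced offline. This is an added example, not part of the original thread and not logcheck's own code: it approximates logcheck's ignore pass with grep -E -v -f, which is an assumption about how the rules are applied, and unmatched_lines and make_fixture are hypothetical helper names. The sample log is constructed from the report's lines with syslog's space-padded day ("Apr  4"), which the rule's [ :0-9]{11} expects.

```shell
#!/bin/sh
# Added example: approximates logcheck's ignore pass with grep -E.
# unmatched_lines and make_fixture are hypothetical helper names.
LC_ALL=C; export LC_ALL

# Print the lines of log file $2 that no rule in directory $1 matches.
# Rule files that are missing or unreadable contribute nothing, so the
# lines they would have suppressed show up in the report again.
unmatched_lines() {
    rules=$(mktemp)
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ -r "$f" ]; then
            # Drop comments and blank lines (a blank pattern matches everything).
            grep -E -v '^(#|[[:space:]]*$)' "$f" >> "$rules" || true
        else
            echo "unreadable rule file: $f" >&2
        fi
    done
    if [ -s "$rules" ]; then
        grep -E -v -f "$rules" "$2" || true
    else
        cat "$2"
    fi
    rm -f "$rules"
}

# Build a throwaway rules directory and log; print the directory path.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/ignore.d.server"
    # The courier-imap rule quoted in the reply above.
    cat > "$d/ignore.d.server/courier-imap" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imaplogin: LOGOUT, user=[-_.@[:alnum:]]+, ip=\[[.:[:alnum:]]+\], headers=[0-9]+, body=[0-9]+, time=[0-9]+$
EOF
    # Constructed log: lines from the report with syslog's space-padded day.
    cat > "$d/log" <<'EOF'
Apr  4 07:11:02 terminus imaplogin: LOGOUT, user=user, ip=[::ffff:69.56.216.138], headers=0, body=0, time=20
Apr  4 08:00:25 terminus spamd[27462]: server hit by SIGCHLD
EOF
    echo "$d"
}

d=$(make_fixture)
echo "--- rule file present:"; unmatched_lines "$d/ignore.d.server" "$d/log"
rm "$d/ignore.d.server/courier-imap"
echo "--- rule file missing:"; unmatched_lines "$d/ignore.d.server" "$d/log"
rm -rf "$d"
```

A line pasted from a web archive with the day's padding collapsed to one space will not match this rule, so test against lines taken from the log file itself.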
Debian Bug Tracking System
2005-Apr-07 15:48 UTC
[Logcheck-devel] Processed: Re: logcheck-database: rules for amavis / courier imapd / spamd
Processing commands for control at bugs.debian.org:

> package logcheck-database
Ignoring bugs not assigned to: logcheck-database

> tags 303128 moreinfo
Bug#303128: logcheck-database: rules for amavis / courier imapd / spamd
There were no tags set.
Tags added: moreinfo

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Debian Bug Tracking System
2005-Apr-15 10:18 UTC
[Logcheck-devel] Bug#303128: marked as done (logcheck-database: rules for amavis / courier imapd / spamd)
Your message dated Fri, 15 Apr 2005 11:07:29 +0100 with message-id <1113559649.19153.11.camel at localhost> and subject line Bug#303128: logcheck-database: my apologies has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

---------------------------------------
Subject: Re: Bug#303128: logcheck-database: my apologies
From: "Jamie L. Penman-Smithson" <jamie at silverdream.org>
To: "Douglas F. Calvert" <dfc at anize.org>
Cc: 303128-done at bugs.debian.org
Date: Fri, 15 Apr 2005 11:07:29 +0100

On Thu, 2005-04-07 at 19:12 -0400, Douglas F. Calvert wrote:
> For some reason the files provided by amavis and spamassassin are not in my logcheck directory. This is a little off topic but is
> there an easy way to restore these files with some apt/dpkg-foo without blowing away my other settings?

Since there isn't an issue with logcheck, I'm closing this bug.

Thanks,
--
-jamie <jamie at silverdream.org> | spamtrap: spam at silverdream.org
w: http://www.silverdream.org | p: sms at silverdream.org
pgp key @ http://silverdream.org/~jps/pub.key
21:30:02 up 17 min, 2 users, load average: 2.65, 2.52, 1.58