I've read the guidelines on submitting updates... and I'm ignoring them.
Feel free to respond by ignoring this message. I don't have time to do it
right, so I figured that sending this message would be at least somewhat better
than not sending it. Apologies in advance.
It turns out that on my machine, amavisd-new doesn't necessarily include a
"Message-ID" field in its log lines. Also, it now appears to place
quarantined messages into subdirectories indexed by a single character.
Accordingly, I added this modification of an existing amavisd rule to my set:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (INFECTED \([-._[:alnum:]]+\)|BAD-HEADER),( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){1,2} <[^>]*> -> <[^>]*>,( quarantine: [[:alnum:]]/(virus|badh)-[-+[:alnum:]]+,)?( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$
This is observed to match lines such as these:
Jul 9 13:04:00 computer amavis[12388]: (12388-04) Passed BAD-HEADER, [125.206.180.148] [125.206.180.148] <> -> <anika at example.com>, quarantine: e/badh-ezZ9dnor96RO, mail_id: ezZ9dnor96RO, Hits: 5.11, size: 3338, queued_as: BDA623F8006, 1832 ms
Jul 9 13:04:05 computer amavis[12388]: (12388-05) Passed BAD-HEADER, [114.147.41.68] [114.147.41.68] <> -> <anika at example.com>, quarantine: X/badh-XZ9Y+RVNX2fU, mail_id: XZ9Y+RVNX2fU, Hits: 5.11, size: 3328, queued_as: 135383F8006, 912 ms
Jul 9 15:51:56 computer amavis[15778]: (15778-04) Passed BAD-HEADER, [77.238.177.19] [77.238.177.19] <> -> <anika at example.com>, quarantine: t/badh-tLMrWbmW9Wcx, mail_id: tLMrWbmW9Wcx, Hits: 0.859, size: 4531, queued_as: 24D563F8006, 716 ms
... which the existing rule did not.
Hope this is useful, and apologies again for not bothering to submit a git
patch.
John Clements
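A way to check an ignore rule like the one above the way logcheck applies it, as an added example that is not part of the post or of logcheck itself: the posted ERE is handed to Python's re module (the three POSIX bracket classes it uses are translated to ASCII ranges, which assumes a plain ASCII syslog) and run over constructed sample lines modelled on the post's; the Blocked line is constructed to confirm the rule does not silence it.

```python
import re

# The rule from the post, a POSIX ERE (egrep syntax, which is what logcheck
# hands to grep -E), joined back onto one logical line.
AMAVIS_PASSED_RULE = (
    r"^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: "
    r"\([-[:digit:]]+\) Passed (INFECTED \([-._[:alnum:]]+\)|BAD-HEADER),"
    r"( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){1,2} <[^>]*> -> <[^>]*>,"
    r"( quarantine: [[:alnum:]]/(virus|badh)-[-+[:alnum:]]+,)?"
    r"( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?"
    r"( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: "
    r"(-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+"
    r"( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$"
)

# Python's re lacks POSIX bracket classes; translate the three the rule uses
# (assumption: plain ASCII syslog, where these ranges are equivalent).
POSIX_CLASSES = {"[:digit:]": "0-9", "[:xdigit:]": "0-9a-fA-F",
                 "[:alnum:]": "a-zA-Z0-9"}

def compile_ere(rule):
    for name, ranges in POSIX_CLASSES.items():
        rule = rule.replace(name, ranges)
    return re.compile(rule)

def unignored(lines, rules):
    """Mimic logcheck: return the lines matched by no ignore rule,
    i.e. the ones logcheck would still report to the admin."""
    compiled = [compile_ere(r) for r in rules]
    return [l for l in lines if not any(c.search(l) for c in compiled)]

# Constructed sample lines modelled on the post's (syslog pads a single-digit
# day with two spaces, which the [ :[:digit:]]{11} timestamp part relies on).
SAMPLE_LOG = [
    "Jul  9 13:04:00 computer amavis[12388]: (12388-04) Passed BAD-HEADER, "
    "[125.206.180.148] [125.206.180.148] <> -> <anika@example.com>, "
    "quarantine: e/badh-ezZ9dnor96RO, mail_id: ezZ9dnor96RO, Hits: 5.11, "
    "size: 3338, queued_as: BDA623F8006, 1832 ms",
    # No Message-ID and a '+' in the quarantine file name, as in the post
    "Jul  9 13:04:05 computer amavis[12388]: (12388-05) Passed BAD-HEADER, "
    "[114.147.41.68] [114.147.41.68] <> -> <anika@example.com>, "
    "quarantine: X/badh-XZ9Y+RVNX2fU, mail_id: XZ9Y+RVNX2fU, Hits: 5.11, "
    "size: 3328, queued_as: 135383F8006, 912 ms",
    # Constructed Blocked line: an ignore rule for Passed mail must not hide it
    "Jul  9 15:51:56 computer amavis[15778]: (15778-04) Blocked INFECTED "
    "(Eicar-Test-Signature), [77.238.177.19] <> -> <anika@example.com>, "
    "quarantine: v/virus-tLMrWbmW9Wcx, mail_id: tLMrWbmW9Wcx, Hits: -, "
    "size: 4531, 716 ms",
]
```

Running unignored(SAMPLE_LOG, [AMAVIS_PASSED_RULE]) returns only the Blocked line, which is what logcheck would still report with this rule installed.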