Jamie L. Penman-Smithson
2006-Feb-12 20:22 UTC
[Logcheck-devel] Bug#336558: logcheck-database: better spamd rules
tags 336558 pending
thanks

On 11 Nov 2005, at 22:14, Russ Allbery wrote:

> Here's some additional information on the spamd rules and a try at a more
> restrictive rule. It's hard to get a good restrictive rule written, since
> on the spam detection rules, spamd puts basically arbitrary key=value pairs
> into the log.

<snip>

> and the patch is attached.

Thanks for the patch, I've gone through all the messages in this bug and come up with some rules which match all of them.. at least until they get changed all over again.

The rules for spamd are now:

[violations.ignore.d/logcheck-spamd]

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: Cannot open bayes databases /home/[_[:alnum:]-]+/.spamassassin/bayes_\* R/W: lock failed: File exists$

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: failed sanity check, [0-9]+ bytes claimed, [0-9-]+ bytes seen$

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )? (checking|processing) message <[^[:space:]]+> for [._[:alnum:]-]+: [0-9]+(\.)?$

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?result: (.|Y|N) [ [:digit:]-]+ - [._[:alnum:],]+ scantime=[0-9.]+,size=[0-9]+, (user=[a-z]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[._[:alnum:]-] +,raddr=[0-9.]+,rport=[0-9]+,)?mid=<[^[:space:]]+>,(bayes=(0|1),)? autolearn=(ham|spam|no)$

[ignore.d.server/spamd]

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )? connection from [._[:alnum:]-]+ \[[\.[:digit:]]+\] at port [0-9]+$

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )? (info: )?setuid to [[:alnum:]-]+ succeeded$

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?clean message \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )? identified spam \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: child states: I+$

The modifications will be included in the next release, which should be within the next 1-2 weeks.

Thanks,

--
-Jamie L. Penman-Smithson <jamie at silverdream.org>
t: +44 1273 424795; f: +44 1273 424795
PGP: C0A7 955E EED6 A309 23D7 863B C76A 26A3 F0DC FCA8
never send mail to: oubliette.z at gmail.com
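An added example, not part of the original message or of logcheck's own code: three of the rules listed above are run over constructed spamd log lines to show which lines still surface. It assumes GNU grep (for `\w`) and approximates an ignore rule as `grep -E -v`; the host name, PIDs, users and the `extra=field` suffix are made up.

```shell
#!/bin/sh
# Added example (not from the original message). All log lines are constructed.
# Assumption: an ignore rule suppresses a line the way `grep -E -v` would.
# Requires GNU grep, because the rules use \w.

unmatched_lines() {
    rules=$(mktemp) || return 1

    # Three rules copied verbatim from the message above.
    cat >"$rules" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: failed sanity check, [0-9]+ bytes claimed, [0-9-]+ bytes seen$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?clean message \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: child states: I+$
EOF

    # Print only the lines that no rule matches, i.e. what would be reported.
    # Line 3 has a non-idle child state; line 5 carries a trailing field that
    # the end-of-line anchor ($) does not allow for.
    grep -E -v -f "$rules" <<'EOF'
Feb 12 20:22:01 mail spamd[4321]: spamd: clean message (-2.6/5.0) for alice:1001 in 1.8 seconds, 2417 bytes.
Feb 12 20:22:03 mail spamd[4321]: prefork: child states: II
Feb 12 20:22:05 mail spamd[4321]: prefork: child states: IB
Feb 12 20:22:07 mail spamd[4322]: failed sanity check, 3512 bytes claimed, 3498 bytes seen
Feb 12 20:22:09 mail spamd[4322]: clean message (1.2/5.0) for bob:1002 in 0.9 seconds, 980 bytes. extra=field
EOF

    rm -f "$rules"
}

unmatched_lines
```

Because every rule is anchored at both ends, any field spamd appends to a message makes that line reappear in the report until the rule is updated.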
Debian Bug Tracking System
2006-Feb-12 21:48 UTC
[Logcheck-devel] Processed: Re: Bug#336558: logcheck-database: better spamd rules
Processing commands for control at bugs.debian.org:

> tags 336558 pending
Bug#336558: logcheck: spamd rules in 1.2.42
Tags were: patch
Tags added: pending

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)