Steve Searle
2011-Feb-28 09:19 UTC
[CentOS] Logwatch reporting spamassassin messages as unmatched entries
I've recently switched to using spamassassin via a sendmail milter, rather than using procmail to invoke it. This means that I get a number of messages appearing in my maillog, and then being reported by logwatch as unmatched entries.

An example of such a message is:

Feb 27 04:33:09 quail sendmail[24780]: p1R4X46P024780[2]: URIBL blacklist\n\t* [URIs: tablettoxicspillsrx.ru]\n\t* 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist\n\t* [URIs: tablettoxicspillsrx.ru]\n\t* 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist\n\t* [URIs: tablettoxicspillsrx.ru]\n\t* 1.5 URIBL_SBL Contains an URL listed in the SBL blocklist\n\t* [URIs: tablettoxicspillsrx.ru]\n\t* 0.3 DRUGS_ERECTILE Refers to an erectile drug to \n\t* 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%\n\t* [score: 1.0000]\n\t* 0.3 DRUG_ED_CAPS BODY: Mentions an E.D. drug\n\t* 1.6 DRUG_ED_GENERIC BODY: Mentions Generic Viagra\n\t* 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net\n\t* [Blocked - see <http://www.spamcop.net/bl.shtml?93.159.243.52>]\n\t* 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL\n\t* [93.159.243.52 listed in zen.spamhaus.org]\n\t* 3.0 RCVD_IN_XBL RBL: Received via a ...

Is there a "best" approach to dealing with this; for instance stopping spamassassin reporting these to the maillog, or changing logwatch to recognise the messages? And how do I change it?

Thanks

Steve
Cameron Kerr
2011-Feb-28 18:45 UTC
[CentOS] Logwatch reporting spamassassin messages as unmatched entries
On 28/02/2011, at 10:19 PM, Steve Searle wrote:

> I've recently switched to using spamassassin via a sendmail milter,
> rather than using procmail to invoke it. This means that I get a number
> of messages appearing in my maillog, and then being reported by logwatch
> as unmatched entries.
>
> An example of such a message is:

It's being reported by sendmail, not by spamassassin, it seems. Or perhaps it is just passing through to the logs what spamassassin is outputting.

Assumably you're calling out to spamass-milter. Are you passing any debug (-d) flags?

As to whether to prevent it being logged, or to ignore it in the logs, you would need to consider whether or not you want it in your logs... it could total to a fairly large amount and could in itself become a vector for a disk-filling attack.

> Feb 27 04:33:09 quail sendmail[24780]: p1R4X46P024780[2]: URIBL blacklist

To filter it in logcheck, you could act just on this part:

^\w{3} [ :0-9]{11} [,_[:alnum:]-]+ sendmail\[[0-9]+\]: [a-zA-Z0-9]+\[[0-9]+\]: URIBL blacklist

(This has not been tested; the first part comes from a standard Ubuntu install of logcheck, which is likely to also be the case in CentOS.)

Sorry, I can't help you with the sendmail part of it.
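An added example, not part of either post: a shell check that runs an ignore rule of the kind suggested above through `grep -E` against sample maillog lines before it is deployed, confirming that it hides the spamassassin report lines and nothing else. The sample lines are constructed for this example, the function names are hypothetical, and the queue-ID class is written as `[a-zA-Z0-9]+` because the queue ID in the logged line is longer than one character.

```shell
#!/bin/sh
# Test a logcheck-style ignore rule against sample lines before deploying it.
# An ignore rule that is too narrow hides nothing; one that is too broad
# silently drops lines an operator would want to see.

# Constructed sample maillog lines, modelled on the entry quoted in the thread.
# The second line has a space-padded day, as syslog writes for days 1-9.
sample_log() {
cat <<'EOF'
Feb 27 04:33:09 quail sendmail[24780]: p1R4X46P024780[2]: URIBL blacklist\n\t* [URIs: example.invalid]
Mar  1 11:02:41 quail sendmail[3127]: p21B2fXk003127[2]: URIBL blacklist\n\t* [URIs: example.invalid]
Feb 27 04:33:10 quail sendmail[24781]: p1R4X47Q024781: from=<a@example.invalid>, size=1204, nrcpts=1
Feb 27 04:33:11 quail sendmail[24782]: p1R4X48R024782: ruleset=check_rcpt, reject=550 5.7.1 Relaying denied
EOF
}

# Rule under test: timestamp, host, sendmail[pid], queue ID with [n] suffix.
RULE='^\w{3} [ :0-9]{11} [,_[:alnum:]-]+ sendmail\[[0-9]+\]: [a-zA-Z0-9]+\[[0-9]+\]: URIBL blacklist'

# Same rule with a single-character queue-ID class, for comparison.
NARROW='^\w{3} [ :0-9]{11} [,_[:alnum:]-]+ sendmail\[[0-9]+\]: [a-zA-Z0-9]\[[0-9]+\]: URIBL blacklist'

# Number of sample lines the rule would hide from the report.
suppressed() {
    sample_log | grep -E -c -- "$1" || true   # grep -c exits 1 on zero matches
}

# Number of sample lines that would still be reported.
remaining() {
    sample_log | grep -E -v -c -- "$1" || true
}

echo "rule with +:    hidden=$(suppressed "$RULE") reported=$(remaining "$RULE")"
echo "rule without +: hidden=$(suppressed "$NARROW") reported=$(remaining "$NARROW")"
```

Replacing the here-document with lines taken from the real maillog gives the same check against production data.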