Patrik Wallstrom
2004-Oct-02 09:15 UTC
[Logcheck-devel] Bug#274497: Add blocked messages to violations.ignore.d/logcheck-postfix
Package: logcheck
Version: 1.2.28
Severity: wishlist
Tags: patch

In the lines of this:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from [^[:space:]]+: [0-9]{3} <[^[:space:]]+>: Blocked - see <[^[:space:]]+>; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=(ESMTP|SMTP) helo=<[^[:space:]]+>$

When using RBL:s in Postfix, this is a common error message.

Example:

Oct 2 09:06:29 vic20 postfix/smtpd[7194]: NOQUEUE: reject: RCPT from unknown[203.236.46.238]: 554 Service unavailable; Client host [203.236.46.238] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=203.236.46.238; from=<Terrell at incamail.com>to=<marlene at blipp.com> proto=SMTP helo=<217.75.101.38>

I don't know if my regex is 100% correct though.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (990, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.5
Locale: LANG=C, LC_CTYPE=sv_SE

Versions of packages logcheck depends on:
ii  adduser           3.59                     Add and remove users and groups
ii  cron              3.0pl1-86                management of regular background p
ii  debconf [debconf  1.4.38                   Debian configuration management sy
ii  debianutils       2.10.2                   Miscellaneous utilities specific t
ii  lockfile-progs    0.1.10                   Programs for locking and unlocking
ii  logcheck-databas  1.2.28                   A database of system log rules for
ii  logtail           1.2.28                   Print log file lines that have not
ii  mailx             1:8.1.2-0.20040524cvs-1  A simple mail user agent
ii  perl              5.8.4-2.3                Larry Wall's Practical Extraction
ii  postfix [mail-tr  2.1.4-5                  A high-performance mail transport
ii  sysklogd [system  1.4.1-15                 System Logging Daemon

-- debconf information:
  logcheck/changes:
* logcheck/install-note:
maks attems
2004-Oct-02 12:13 UTC
Bug#274497: [Logcheck-devel] Bug#274497: Add blocked messages to violations.ignore.d/logcheck-postfix
tags moreinfo
thanks

On Sat, 02 Oct 2004, Patrik Wallstrom wrote:
> In the lines of this:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE:
> reject: RCPT from [^[:space:]]+: [0-9]{3} <[^[:space:]]+>: Blocked -
> see <[^[:space:]]+>; from=<[^[:space:]]*> to=<[^[:space:]]+>
> proto=(ESMTP|SMTP) helo=<[^[:space:]]+>$
>
> When using RBL:s in Postfix, this is a common error message.
>
> Example:
>
> Oct 2 09:06:29 vic20 postfix/smtpd[7194]: NOQUEUE: reject: RCPT from
> unknown[203.236.46.238]: 554 Service unavailable; Client host
> [203.236.46.238]
> blocked using cbl.abuseat.org; Blocked - see
> http://cbl.abuseat.org/lookup.cgi?ip=203.236.46.238;
> from=<Terrell at incamail.com>to=<marlene at blipp.com> proto=SMTP
> helo=<217.75.101.38>
>
> I don't know if my regex is 100% correct though.

well not so bad for a huge logline, but
* hostnames are matched with [._[:alnum:]-]+
* ipv4 with [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
* emails are remote supplied strings so use '.*'
and above's regex can't match due to other small errors.

i've crafted the below out of your message, i'm quite sure that it is far too generic, as it will only match the "Service unavailable" loglines

i was surprised that the string "from=<Terrell at incamail.com>to=<marlene at blipp.com>" but i didn't have more loglines to match with.

please test this rule by copying attached file in dir /etc/logcheck/violations.ignore.d and report the messages you are still getting when using rbl's

other tested rules are of course warmly welcomed. :)

--
maks

-------------- next part --------------
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]: [0-9]{3} Service unavailable; Client host +\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\] blocked using [._[:alnum:]-]+; Blocked - see [^[:space:]]+; from=<.*>to=<.*> proto=(ESMTP|SMTP) helo=<[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}>$
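
Added example, not part of the original thread: one way to run the test requested above before installing a rule, by checking both regexes from this thread with `grep -E` against sample lines and confirming that an unrelated reject is still reported. The sample lines are constructed (documentation addresses, hypothetical host `mx1`, syslog day padding assumed); GNU grep is assumed for `\w`.

```shell
#!/bin/sh
# Check logcheck ignore rules against sample lines with grep -E (egrep-style).

# Rule as submitted in the bug report.
SUBMITTED='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from [^[:space:]]+: [0-9]{3} <[^[:space:]]+>: Blocked - see <[^[:space:]]+>; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=(ESMTP|SMTP) helo=<[^[:space:]]+>$'
# Rule from the maintainer's attachment.
REVISED='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]: [0-9]{3} Service unavailable; Client host +\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\] blocked using [._[:alnum:]-]+; Blocked - see [^[:space:]]+; from=<.*>to=<.*> proto=(ESMTP|SMTP) helo=<[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}>$'

# Constructed sample lines, not taken from any real log.
PRE='Oct  2 09:06:29 mx1 postfix/smtpd[7194]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 '
RBL="${PRE}Service unavailable; Client host [192.0.2.10] blocked using rbl.example.org; Blocked - see http://rbl.example.org/lookup?ip=192.0.2.10; "
# Same field layout as the example quoted in the thread (no space before to=).
AS_QUOTED="${RBL}from=<a@example.com>to=<b@example.net> proto=SMTP helo=<192.0.2.10>"
# Variant with a space between the from= and to= fields.
SPACED="${RBL}from=<a@example.com> to=<b@example.net> proto=SMTP helo=<192.0.2.10>"
# Variant where the client sent a hostname in HELO instead of an address.
NAMED_HELO="${RBL}from=<a@example.com>to=<b@example.net> proto=ESMTP helo=<mail.example.com>"
# A different kind of reject that an RBL rule must not suppress.
RELAY="${PRE}<b@example.net>: Relay access denied; from=<a@example.com> to=<b@example.net> proto=SMTP helo=<192.0.2.10>"

# matches RULE LINE: exit 0 if the rule would make logcheck ignore the line.
matches() {
    printf '%s\n' "$2" | grep -Eq -e "$1"
}

# verdict RULE LINE: print "ignored" or "reported".
verdict() {
    if matches "$1" "$2"; then echo ignored; else echo reported; fi
}

for name in AS_QUOTED SPACED NAMED_HELO RELAY; do
    eval "line=\$$name"
    printf '%-11s submitted=%-8s revised=%s\n' "$name" \
        "$(verdict "$SUBMITTED" "$line")" "$(verdict "$REVISED" "$line")"
done
```

Lines that come back as "reported" for the revised rule are the ones that would still arrive in the logcheck mail, which is the feedback the reply asks for.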
Debian Bug Tracking System
2004-Dec-05 11:48 UTC
[Logcheck-devel] Bug#274497: marked as done (Add blocked messages to violations.ignore.d/logcheck-postfix)
Your message dated Sun, 5 Dec 2004 12:44:55 +0100 with message-id <20041205114455.GD2529 at stro.at> and subject line [Logcheck-devel] Bug#274497: Add blocked messages to violations.ignore.d/logcheck-postfix has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
From: maks attems <debian at sternwelten.at>

sorry i must close your bug report, as you didn't provide any feedback to the followup questions. feel free to reopen it with the relevant info.

you'll see the thread at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=274497