Hi,
I have set up logcheck on my Debian system and added the following lines
to filter out the common spamd messages from SpamAssassin:
(Quoted to keep the lines together)
/etc/logcheck/ignore.d.server/spamd
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: connection from [._[:alnum:]-]+ \[[\.[:digit:]]+\] at port [0-9]+$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: info: setuid to [[:alnum:]-]+ succeeded$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: (checking|processing) message .* for [._[:alnum:]-]+:[0-9]+$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: clean message \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: identified spam \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: result: .*,user=nobody,
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: prefork: child states: [IBS]+$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: handled cleanup of child pid [0-9]+ due to SIGCHLD$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: server successfully spawned child process, pid [0-9]+$
/etc/logcheck/violations.ignore.d/logcheck-spamd
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: Cannot open bayes databases (/root|/home/[_[:alnum:]-]+)/.spamassassin/bayes_\* R/W: lock failed: (File exists|Interrupted system call)$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: failed sanity check, [0-9]+ bytes claimed, [0-9-]+ bytes seen$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: (processing|checking) message <.+> for .+:[0-9]+\.?$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: result: .*,user=nobody,
Now I keep getting reports with lines like these:
> Dec 22 03:11:16 mond spamd[26994]: spamd: result: Y 21 - BAYES_99,BOTNET,DATE_IN_PAST_03_06,RCVD_FORGED_WROTE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL scantime=4.3,size=1877,user=nobody,uid=0,required_score=5.0,rhost=mond,raddr=127.0.0.1,rport=32924,mid=<01c7256e$733bd600$6c822ecf@lazilyattackers>,bayes=1,autolearn=spam
> Dec 12 03:05:28 mond spamd[4736]: spamd: result: . 0 - AWL,BAYES_00,HTML_90_100,HTML_MESSAGE,HTML_TITLE_EMPTY,MIME_BASE64_NO_NAME,MIME_BASE64_TEXT scantime=4.5,size=56886,user=nobody,uid=0,required_score=5.0,rhost=mond,raddr=127.0.0.1,rport=47854,mid=<20061212020506.7BFA11E4320@www.scooter-attack.com>,bayes=1.21014309684142e-14,autolearn=no
> Dec  8 02:09:55 mond spamd[12414]: spamd: result: Y 18 - BAYES_99,RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,SARE_MLB_Stock1,SARE_MLB_Stock4,SARE_PROLOSTOCK_SYM1,STOCK_NAME_FVGT1 scantime=2.4,size=1994,user=nobody,uid=0,required_score=5.0,rhost=mond,raddr=127.0.0.1,rport=46164,mid=<01c71a65$90b50530$6c822ecf@Gothicscounterattacks>,bayes=1,autolearn=spam
I understand that they contain keywords like "attack" or "failed" and
are considered a security issue, but they're not. Why don't the rules
filter these lines out? It works with other things, but not with these.
--
Yves Goergen "LonelyPixel" <nospam.list@unclassified.de>
Visit my web laboratory at http://beta.unclassified.de
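One way to see what logcheck actually does with these rules, as an added example that is not part of the post above and not logcheck's own code: logcheck hands each rules file to egrep -f, so a line lands in the "Security Events" section when it matches a pattern from violations.d and none of the patterns in violations.ignore.d. The script below replays that two-stage filter with grep -E over constructed input. The keyword list standing in for Debian's violations.d/logcheck file, the case-insensitive matching of that stage, and the sample syslog lines are all assumptions made for the example; the ignore rule is the "spamd: result:" rule from the post, written on a single line the way a rules file must hold it.

```shell
#!/bin/sh
# Added example (not from the original post and not logcheck's own code):
# replay logcheck's violation filtering by hand with grep -E -f, which is
# how logcheck applies its rule files.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for violations.d/logcheck (assumption: keyword
# patterns, matched case-insensitively).
cat > "$WORK/violations" <<'EOF'
attack
fail
EOF

# The ignore rule from the post, as ONE line. A rules file holds one extended
# regex per line, so a rule wrapped by a mail client becomes two rules.
cat > "$WORK/violations.ignore" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]*\]: spamd: result: .*,user=nobody,
EOF

# Constructed sample syslog lines (shortened rule lists):
#  1. a result line the ignore rule should swallow;
#  2. the same kind of line on a single-digit day, padded "Dec  8" as syslog
#     writes it, which is exactly what "[ :0-9]{11}" expects;
#  3. that line with the padding collapsed to one space, as copy-and-paste or
#     a mail client often does; it no longer fits the rule and is reported;
#  4. a real failure no ignore rule covers, which must survive to the report.
cat > "$WORK/sample.log" <<'EOF'
Dec 22 03:11:16 mond spamd[26994]: spamd: result: Y 21 - BAYES_99,BOTNET scantime=4.3,size=1877,user=nobody,uid=0,mid=<x@lazilyattackers>
Dec  8 02:09:55 mond spamd[12414]: spamd: result: Y 18 - BAYES_99,RCVD_IN_DSBL scantime=2.4,size=1994,user=nobody,uid=0,mid=<y@Gothicscounterattacks>
Dec 8 02:09:55 mond spamd[12414]: spamd: result: Y 18 - BAYES_99,RCVD_IN_DSBL scantime=2.4,size=1994,user=nobody,uid=0,mid=<y@Gothicscounterattacks>
Dec  8 02:10:01 mond sshd[1234]: Failed password for root from 10.0.0.5 port 4444 ssh2
EOF

# Stage 1: keep lines hitting a violation pattern.
# Stage 2: drop those that a violations.ignore pattern matches.
# Usage: report_violations <violations-file> <ignore-file> <logfile>
report_violations() {
    grep -E -i -f "$1" "$3" | grep -E -v -f "$2" || true
}

# Number of lines that would end up in the report.
count_violations() {
    report_violations "$1" "$2" "$3" | grep -c . || true
}

echo "Lines logcheck would report:"
report_violations "$WORK/violations" "$WORK/violations.ignore" "$WORK/sample.log"
echo "Total: $(count_violations "$WORK/violations" "$WORK/violations.ignore" "$WORK/sample.log")"
```

Running it reports two lines: the sshd failure and the "Dec 8" line whose date field lost its padding. The two correctly formatted spamd result lines are ignored despite containing "attack", which is the behaviour the rule is meant to produce. Swapping the constructed files for the real /etc/logcheck/violations.d/logcheck and the user's violations.ignore.d file, and the sample for a few lines cut straight from /var/log/mail.log rather than from a mail, shows whether a given rule really fails to match or whether the copy being tested was altered on the way.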