As the latest logwatch did not catch all of my log rules I added some
rules. At least one is rather specific to my setup.
--- services/mailscanner.SHIPPED 2004-06-26 10:15:37.000000000 +0200
+++ services/mailscanner 2004-10-09 12:12:03.000000000 +0200
@@ -9,6 +9,9 @@
#
# Sophos Support and other improvments by Mark W. Nienberg
#
+# Some more clean up rules based on extensive use of some MailScanner
+# settings and F-Prot and ClamAV as dual scanners.
+#
########################################################
while (defined($ThisLine = <STDIN>)) {
@@ -39,6 +42,9 @@
( $ThisLine =~ m/SophosSAVI using [0-9]+ IDE files/ ) or
( $ThisLine =~ m/Sophos SAVI library has been updated/ ) or
( $ThisLine =~ m/Sophos update of .* detected, resetting SAVI/ ) or
+ ( $ThisLine =~ m/RBL checks: .+ found in RFC-IGNORANT-POSTMASTER/ ) or
+ ( $ThisLine =~ m/Message .+ from .+ to .+ is spam/ ) or
+ ( $ThisLine =~ m/F-Prot found .+ infections/ ) or
( $ThisLine =~ m/Content Checks: Detected and will convert HTML/ ) ) {
# We don't care about these
} elsif ( $ThisLine =~ m/New Batch: Scanning ([0-9]+) messages, ([0-9]+)
bytes/i) {
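Review bot: The added ignore pattern `m/Message .+ from .+ to .+ is spam/` is unanchored and uses greedy `.+`, and it sits in the first branch of the chain, so any log line that happens to contain that wording is dropped before the virus-counting branches see it. Parts of a mail log line, such as sender addresses and attachment names, are chosen by the sender, so an ignore rule this loose can hide lines the report should show. If the MailScanner log format allows it, tighten the fields to non-space tokens, for example `m/Message \S+ from \S+ to \S+ is spam/`, and use a digit class in the F-Prot rule as the Sophos line above does: `m/F-Prot found [0-9]+ infections/`. The `if (` that opens this condition starts outside the hunk.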
@@ -64,6 +70,12 @@
} elsif ($ThisLine =~ m/^\/var\/spool\/MailScanner\/incoming\/.+:
([\w\_\-\.\/]+) FOUND/i) {
$VirusType_ClamAv{$1}++;
$MailScan_Virus_ClamAv++;
+ } elsif ($ThisLine =~ m/^\/var\/spool\/MailScanner\/incoming\/.+ Infection:
([\w\_\-\.\/]+)/i) {
+ $VirusType_Fprot{$1}++;
+ $MailScan_Virus_Fprot++;
+ } elsif ($ThisLine =~ m/Virus Scanning: F-Prot found virus
([\w\_\-\.\/]+)/i) {
+ $VirusType_FProt{$1}++;
+ $MailScan_Virus_FProt++;
} elsif ($ThisLine =~ m/>>> Virus \'(.+)\' found/) {
$VirusType_Sophos{$1}++;
$MailScan_Virus_Sophos++;
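Review bot: The first added branch counts into `$VirusType_Fprot` and `$MailScan_Virus_Fprot` (lower-case p), while the second branch and the new report block use `%VirusType_FProt` and `$MailScan_Virus_FProt`, so detections matched by the `Infection:` pattern never reach the F-Prot report. The script does not appear to run under `use strict`, so Perl would create the misspelled variables silently. Change the two lines to `$VirusType_FProt{$1}++;` and `$MailScan_Virus_FProt++;`. If F-Prot logs both an `Infection:` line and a `found virus` line for the same message, the total would then count it twice, which is worth checking against a real log.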
@@ -133,12 +145,19 @@
}
if (keys %VirusType_ClamAv) {
- print "\nVirus Report: (Total Seen = $MailScan_Virus_ClamAv)\n";
+ print "\nClamAV Virus Report: (Total Seen = $MailScan_Virus_ClamAv)\n";
foreach $ThisOne (sort keys %VirusType_ClamAv) {
print ' ' . $ThisOne . ': ' . $VirusType_ClamAv{$ThisOne} . "
Times(s)\n";
}
}
+if (keys %VirusType_FProt) {
+ print "\nF-Prot Virus Report: (Total Seen = $MailScan_Virus_FProt)\n";
+ foreach $ThisOne (sort keys %VirusType_FProt) {
+ print ' ' . $ThisOne . ': ' . $VirusType_FProt{$ThisOne} . "
Times(s)\n";
+ }
+}
+
if (keys %VirusType_Sophos) {
print "\nSophos Virus Report: (Total Seen = $MailScan_Virus_Sophos)\n";
foreach $ThisOne (sort keys %VirusType_Sophos) {
--- services/sendmail.SHIPPED 2004-06-26 10:15:37.000000000 +0200
+++ services/sendmail 2004-10-08 23:22:41.000000000 +0200
@@ -437,6 +437,8 @@
$ReturnReceipt++;
} elsif ($ThisLine=~ /Remote protocol error/) {
$RemoteProtocolError++;
+ } elsif ($ThisLine=~ /ruleset=check_XS4ALL/) {
+ $XS4ALL++;
} elsif (
(($Host,$Attack) = ($ThisLine =~ /POSSIBLE ATTACK from ([^ ]+): (.*)/))
or
(($Host,$Attack) = ($ThisLine =~ /([^ ]+ \[[^ ]+\]): possible SMTP
attack: (.*)$/))
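Review bot: `/ruleset=check_XS4ALL/` matches any sendmail line that names this ruleset, but the summary added further down reports the count as "messages discarded". The match does not look at the action taken, so the figure is only right if the ruleset does nothing but discard. `check_XS4ALL` also looks like a site-local ruleset, so the branch deserves a comment such as `# site-local ruleset check_XS4ALL (not in stock sendmail.cf)`. Because it sits ahead of the `POSSIBLE ATTACK` branch, a line matching both would be counted only here. The elsif chain continues outside the hunk.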
@@ -522,6 +524,10 @@
print "\n\n$ReturnReceipt Return Receipt's";
}
+if($XS4ALL > 0) {
+ print "\n\n$XS4ALL messages discarded from XS4ALL";
+}
+
if ($CantCreateOutput > 0) {
print "\n\nCan't create output $CantCreateOutput Time(s)";
}
--
I hate duplicates. Just reply to the relevant mailinglist.
hvdkooij@xxxxxxxxxxxxxxx http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of magicians,
for they are subtle and quick to anger.