Jason,
I have Amavis set up to do A/V scanning as a prequeue filter.
It's configured to DISCARD virus-tagged content.
It works, detecting + discarding as intended.
I want to run fail2ban over the logs to identify the IP of the Virus
sender, and set a firewall block for a while.
But if you look at the log for the amavis rejection message sent to
postfix, it does NOT have the IP address.
Apr 11 04:24:08 mail01 postfix/postscreen[7312]: CONNECT from [104.44.131.209]:1024 to [192.0.1.17]:25
Apr 11 04:24:14 mail01 postfix/postscreen[7312]: PASS NEW [104.44.131.209]:1024
Apr 11 04:24:14 mail01 postfix/psint/smtpd[7319]: connect from ldoquy20.cloudapp.net[104.44.131.209]
Apr 11 04:24:15 mail01 postfix/psint/smtpd[7319]: NOQUEUE: client=ldoquy20.cloudapp.net[104.44.131.209]
Apr 11 04:24:15 mail01 postfix/amavis/smtpd[7326]: connect from localhost[127.0.0.1]
Apr 11 04:24:15 mail01 postfix/amavis/smtpd[7326]: 4ql0LCJHvGz3J39: client=localhost[127.0.0.1]
Apr 11 04:24:15 mail01 postfix/cleanup[7327]: 4ql0LCJHvGz3J39: message-id=<[email protected]>
Apr 11 04:24:16 mail01 postfix/qmgr[20856]: 4ql0LCJHvGz3J39: from=<[email protected]>, size=3301, nrcpt=1 (queue active)
Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: proxy-accept: END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06097-01 - INFECTED: Porcupine.Malware.36603.UNOFFICIAL; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<ldoquy20.cloudapp.net>
Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: disconnect from ldoquy20.cloudapp.net[104.44.131.209] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
How do I add the virus sender's IP into that " ... INFECTED: ..."
Amavisd message?
Try:
$smtp_reason_by_ccat{&CC_VIRUS} = 'id=%n, [:ip_trace_public] - INFECTED: %V';
$smtp_reason_by_ccat{&CC_SPAM} = 'id=%n, [:ip_trace_public] - spam';
or:
$smtp_reason_by_ccat{&CC_VIRUS} = 'id=%n, %a - INFECTED: %V';
$smtp_reason_by_ccat{&CC_SPAM} = 'id=%n, %a - spam';
See README.customize for what macros like %a or ip_trace_public provide.
If you are happy with the result, consider changing the entire
%smtp_reason_by_ccat.
Its default is:
%smtp_reason_by_ccat = (
  # currently only used for blocked messages only, status 5xx
  # a multiline message will produce a valid multiline SMTP response
  CC_VIRUS,          'id=%n - INFECTED: %V',
  CC_BANNED,         'id=%n - BANNED: %F',
  CC_UNCHECKED.',1', 'id=%n - UNCHECKED: encrypted',
  CC_UNCHECKED.',2', 'id=%n - UNCHECKED: over limits',
  CC_UNCHECKED,      'id=%n - UNCHECKED',
  CC_SPAM,           'id=%n - spam',
  CC_SPAMMY.',1',    'id=%n - spammy (tag3)',
  CC_SPAMMY,         'id=%n - spammy',
  CC_BADH.',1',      'id=%n - BAD HEADER: MIME error',
  CC_BADH.',2',      'id=%n - BAD HEADER: nonencoded 8-bit character',
  CC_BADH.',3',      'id=%n - BAD HEADER: contains invalid control character',
  CC_BADH.',4',      'id=%n - BAD HEADER: line made up entirely of whitespace',
  CC_BADH.',5',      'id=%n - BAD HEADER: line longer than RFC 5322 limit',
  CC_BADH.',6',      'id=%n - BAD HEADER: syntax error',
  CC_BADH.',7',      'id=%n - BAD HEADER: missing required header field',
  CC_BADH.',8',      'id=%n - BAD HEADER: duplicate header field',
  CC_BADH,           'id=%n - BAD HEADER',
  CC_OVERSIZED,      'id=%n - Message size exceeds recipient\'s size limit',
  CC_MTA.',1',       'id=%n - Temporary MTA failure on relaying',
  CC_MTA.',2',       'id=%n - Rejected by next-hop MTA on relaying',
  CC_MTA,            'id=%n - Unable to relay message back to MTA',
  CC_CLEAN,          'id=%n - CLEAN',
  CC_CATCHALL,       'id=%n - OTHER',   # should not happen
);
Mark
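As an added example (not from either poster, and not amavisd or fail2ban code), here is a fail2ban-style failregex for the customized reason 'id=%n, %a - INFECTED: %V', checked offline against constructed log lines; it assumes %a expands to the client IP with or without square brackets, and that the REJECT policy logs "Reject, id=" instead of "Ok, discarded, id=".

```python
import re

# Added example, not from the thread. Filter for the customized amavis
# reject reason 'id=%n, %a - INFECTED: %V'. Assumption: %a renders the
# client IP as a bare literal or inside [...]. The stock reason
# 'id=%n - INFECTED: %V' has no IP and is deliberately NOT matched.
FAILREGEX = (
    r"postfix/\S+/smtpd\[\d+\]: proxy-(?:accept|reject): END-OF-MESSAGE: "
    r"\d{3} \S+ (?:Ok, discarded|Reject), id=\S+, \[?<HOST>\]? - INFECTED:"
)

# fail2ban substitutes <HOST> with its own host pattern; this stand-in
# accepts an IPv4 or IPv6 literal so the filter can be checked offline.
HOST_RE = r"(?P<host>[0-9a-fA-F:.]+)"


def compile_failregex(failregex: str) -> re.Pattern:
    """Turn a fail2ban failregex (with <HOST>) into a Python pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def offending_hosts(lines, failregex=FAILREGEX):
    """Return the client IP of every log line the filter matches."""
    pat = compile_failregex(failregex)
    return [m.group("host") for line in lines if (m := pat.search(line))]


# Constructed sample lines (example.invalid addresses): the first two use
# the customized reason; the third is the stock format with no IP.
SAMPLE_LOG = [
    "Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: proxy-accept: "
    "END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06097-01, 104.44.131.209 "
    "- INFECTED: Porcupine.Malware.36603.UNOFFICIAL; from=<a@example.invalid> "
    "to=<b@example.invalid> proto=ESMTP helo=<ldoquy20.cloudapp.net>",
    "Apr 11 05:10:02 mail01 postfix/psint/smtpd[7401]: proxy-reject: "
    "END-OF-MESSAGE: 554 5.7.0 Reject, id=06112-03, [2001:db8::1] "
    "- INFECTED: Eicar-Test-Signature; from=<c@example.invalid> "
    "to=<b@example.invalid> proto=ESMTP helo=<mx.example.invalid>",
    "Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: proxy-accept: "
    "END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06097-01 - INFECTED: "
    "Porcupine.Malware.36603.UNOFFICIAL; from=<a@example.invalid> "
    "to=<b@example.invalid> proto=ESMTP helo=<ldoquy20.cloudapp.net>",
]

if __name__ == "__main__":
    print(offending_hosts(SAMPLE_LOG))  # ['104.44.131.209', '2001:db8::1']
```

To use it with fail2ban, put FAILREGEX (with `<HOST>` left in place) as `failregex =` in a filter.d file and point the jail at the postfix mail log.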