On Sat, 19 Dec 2009 15:55:59 +0100
Julien Valroff <jul...@kirya.net> wrote:
> Hi Steve,
>
> Le samedi 19 décembre 2009 à 15:01 +0100, Stevan Bajić a écrit :
> > On Sat, 19 Dec 2009 14:07:44 +0100
> > Julien Valroff <jul...@kirya.net> wrote:
> >
> > > Hi,
> > >
> > Hallo Julien,
> >
> >
> > > Since commit 70ef9cd17c02081a10971c6f64a2770524c138e2, there is a
> > new
> > > virus option to tracksources.
> > >
> > > When enabled, it causes virus to be notified twice in the logs:
> > > Dec 19 13:50:48 nix dspam[29400]: virus warning: infected message
> > from 209.85.219.223
> > > Dec 19 13:50:48 nix dspam[29400]: infected message from
> > 209.85.219.223
> > >
> > > This is confusing for tools like mailgraph which parses the mail
> > logs to
> > > gather statistics (in that case, virus would be counted twice).
> > >
> > > I would propose to remove the "old" warning:
> > >
> > > diff --git a/src/dspam.c b/src/dspam.c
> > > index 574aa70..74fdae0 100644
> > > --- a/src/dspam.c
> > > +++ b/src/dspam.c
> > > @@ -415,10 +415,6 @@ process_message (
> > > result = DSR_ISSPAM;
> > > strcpy(CTX->class, LANG_CLASS_VIRUS);
> > > internally_canned = 1;
> > > - if (!dspam_getsource (CTX, ip, sizeof (ip)))
> > > - {
> > > - LOG(LOG_WARNING, "virus warning: infected message from %s",
> > ip);
> > > - }
> > > }
> > > }
> > > #endif
> > >
> > How about this?:
> > diff --git a/src/dspam.c b/src/dspam.c
> > index 574aa70..c119ee1 100644
> > --- a/src/dspam.c
> > +++ b/src/dspam.c
> > @@ -1,4 +1,4 @@
> > -/* $Id: dspam.c,v 1.385 2009/12/19 01:02:19 sbajic Exp $ */
> > +/* $Id: dspam.c,v 1.386 2009/12/19 14:45:19 sbajic Exp $ */
> >
> > /*
> > DSPAM
> > @@ -415,9 +415,11 @@ process_message (
> > result = DSR_ISSPAM;
> > strcpy(CTX->class, LANG_CLASS_VIRUS);
> > internally_canned = 1;
> > - if (!dspam_getsource (CTX, ip, sizeof (ip)))
> > - {
> > - LOG(LOG_WARNING, "virus warning: infected message from %s",
> > ip);
> > + if(!_ds_match_attribute(agent_config, "TrackSources", "virus"))
> > {
> > + if (!dspam_getsource (CTX, ip, sizeof (ip)))
> > + {
> > + LOG(LOG_WARNING, "virus warning: infected message from %s",
> > ip);
> > + }
> > }
> > }
> > }
>
> Everything which can avoid double log entries would be fine to me,
>
That thing is avoiding the double logging. It restores the old state as it used
to be before I added the patch. But should some one have enabled the tracking
of virus infected mails then the old logging condition is not executed.
> but
> still, I don't understand why the behaviour should be different for
> viruses than for spam and nonspam mail.
>
Don't ask me. It was done by John around version 3.6 when SoBig.F was a huge
problem. And since that time this logging condition is there. He never logged
spam/ham explicitly but when he added the ClamAV integration he started to log
virus infected mails with the above condition.
I think world wide there are just a bunch of people using the tracking feature
of DSPAM for other things then pure logging. I use it for RABL. I know, I know.
The project is death and you can't download it any more but I have it and I
have patched it to integrate well with my BIND 9.6.1_p2 that I use in
conjunction with DLZ and PostgreSQL 8.4.1.
One of the directives for 3.9.0 is/was not not change to much things in the old
code base (in terms of removing functions). So I would like to keep the above
statement to allow people upgrading from 3.6.x/3.8.x to see familiar logging as
they have seen before (but allow them to use an updated tracking sources if
they should need it).
For 4.0.0 we can be more restrictive and remove that stuff and say that
tracking sources is the right way to go should one want to track
spam/ham/virus/blacklist/blocklist/etc...
What do you say?
> Cheers,
> Julien
>
--
Kind Regards from Switzerland,
Stevan Bajić
------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev
_______________________________________________
Dspam-devel mailing list
Dspam-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspam-devel
