Le samedi 19 décembre 2009 à 16:12 +0100, Stevan Bajić a écrit :
> On Sat, 19 Dec 2009 15:55:59 +0100
> Julien Valroff <jul...@kirya.net> wrote:
>
> > Hi Steve,
> >
> > Le samedi 19 décembre 2009 à 15:01 +0100, Stevan Bajić a écrit :
> > > On Sat, 19 Dec 2009 14:07:44 +0100
> > > Julien Valroff <jul...@kirya.net> wrote:
> > >
> > > > Hi,
> > > >
> > > Hallo Julien,
> > >
> > >
> > > > Since commit 70ef9cd17c02081a10971c6f64a2770524c138e2, there is
> a
> > > new
> > > > virus option to tracksources.
> > > >
> > > > When enabled, it causes virus to be notified twice in the logs:
> > > > Dec 19 13:50:48 nix dspam[29400]: virus warning: infected
> message
> > > from 209.85.219.223
> > > > Dec 19 13:50:48 nix dspam[29400]: infected message from
> > > 209.85.219.223
> > > >
> > > > This is confusing for tools like mailgraph which parses the mail
> > > logs to
> > > > gather statistics (in that case, virus would be counted twice).
> > > >
> > > > I would propose to remove the "old" warning:
> > > >
> > > > diff --git a/src/dspam.c b/src/dspam.c
> > > > index 574aa70..74fdae0 100644
> > > > --- a/src/dspam.c
> > > > +++ b/src/dspam.c
> > > > @@ -415,10 +415,6 @@ process_message (
> > > > result = DSR_ISSPAM;
> > > > strcpy(CTX->class, LANG_CLASS_VIRUS);
> > > > internally_canned = 1;
> > > > - if (!dspam_getsource (CTX, ip, sizeof (ip)))
> > > > - {
> > > > - LOG(LOG_WARNING, "virus warning: infected message from
> %s",
> > > ip);
> > > > - }
> > > > }
> > > > }
> > > > #endif
> > > >
> > > How about this?:
> > > diff --git a/src/dspam.c b/src/dspam.c
> > > index 574aa70..c119ee1 100644
> > > --- a/src/dspam.c
> > > +++ b/src/dspam.c
> > > @@ -1,4 +1,4 @@
> > > -/* $Id: dspam.c,v 1.385 2009/12/19 01:02:19 sbajic Exp $ */
> > > +/* $Id: dspam.c,v 1.386 2009/12/19 14:45:19 sbajic Exp $ */
> > >
> > > /*
> > > DSPAM
> > > @@ -415,9 +415,11 @@ process_message (
> > > result = DSR_ISSPAM;
> > > strcpy(CTX->class, LANG_CLASS_VIRUS);
> > > internally_canned = 1;
> > > - if (!dspam_getsource (CTX, ip, sizeof (ip)))
> > > - {
> > > - LOG(LOG_WARNING, "virus warning: infected message from
> %s",
> > > ip);
> > > + if(!_ds_match_attribute(agent_config, "TrackSources",
> "virus"))
> > > {
> > > + if (!dspam_getsource (CTX, ip, sizeof (ip)))
> > > + {
> > > + LOG(LOG_WARNING, "virus warning: infected message from
> %s",
> > > ip);
> > > + }
> > > }
> > > }
> > > }
> >
> > Everything which can avoid double log entries would be fine to me,
> >
> That thing is avoiding the double logging. It restores the old state
> as it used to be before I added the patch. But should some one have
> enabled the tracking of virus infected mails then the old logging
> condition is not executed.
>
>
> > but
> > still, I don't understand why the behaviour should be different for
> > viruses than for spam and nonspam mail.
> >
> Don't ask me. It was done by John around version 3.6 when SoBig.F was
> a huge problem. And since that time this logging condition is there.
> He never logged spam/ham explicitly but when he added the ClamAV
> integration he started to log virus infected mails with the above
> condition.
>
> I think world wide there are just a bunch of people using the tracking
> feature of DSPAM for other things then pure logging. I use it for
> RABL. I know, I know. The project is death and you can't download it
> any more but I have it and I have patched it to integrate well with my
> BIND 9.6.1_p2 that I use in conjunction with DLZ and PostgreSQL 8.4.1.
>
> One of the directives for 3.9.0 is/was not not change to much things
> in the old code base (in terms of removing functions). So I would like
> to keep the above statement to allow people upgrading from 3.6.x/3.8.x
> to see familiar logging as they have seen before (but allow them to
> use an updated tracking sources if they should need it).
>
> For 4.0.0 we can be more restrictive and remove that stuff and say
> that tracking sources is the right way to go should one want to track
> spam/ham/virus/blacklist/blocklist/etc...
>
> What do you say?
I now understand it better.
Actually, I remember I had requested this feature myself in early 2006,
as previously, infected mail were considered as spam mail in the logs.
I had requested to had an option to be added to TrackSources, but it was
implemented after that as it is now.
Then, I do totally agree with your proposal, as long as we keep in mind
that such things should be reviewed for 4.0.0
Cheers,
Julien
------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev
_______________________________________________
Dspam-devel mailing list
Dspam-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspam-devel
