I've read the guidelines on submitting updates... and I'm ignoring them. Feel free to respond by ignoring this message. I don't have time to do it right, so I figured that sending this message would be at least somewhat better than not sending it. Apologies in advance.
It turns out that on my machine, amavisd-new doesn't necessarily include a
"Message-ID" field in its log lines. Also, it now appears to place quarantined
messages into subdirectories indexed by a single character.
Accordingly, I added this modification of an existing amavisd rule to my set:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (INFECTED \([-._[:alnum:]]+\)|BAD-HEADER),( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){1,2} <[^>]*> -> <[^>]*>,( quarantine: [[:alnum:]]/(virus|badh)-[-+[:alnum:]]+,)?( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$
This is observed to match lines such as this:
Jul  9 13:04:00 computer amavis[12388]: (12388-04) Passed BAD-HEADER, [125.206.180.148] [125.206.180.148] <> -> <[email protected]>, quarantine: e/badh-ezZ9dnor96RO, mail_id: ezZ9dnor96RO, Hits: 5.11, size: 3338, queued_as: BDA623F8006, 1832 ms
Jul  9 13:04:05 computer amavis[12388]: (12388-05) Passed BAD-HEADER, [114.147.41.68] [114.147.41.68] <> -> <[email protected]>, quarantine: X/badh-XZ9Y+RVNX2fU, mail_id: XZ9Y+RVNX2fU, Hits: 5.11, size: 3328, queued_as: 135383F8006, 912 ms
Jul  9 15:51:56 computer amavis[15778]: (15778-04) Passed BAD-HEADER, [77.238.177.19] [77.238.177.19] <> -> <[email protected]>, quarantine: t/badh-tLMrWbmW9Wcx, mail_id: tLMrWbmW9Wcx, Hits: 0.859, size: 4531, queued_as: 24D563F8006, 716 ms
... which the existing rule did not.
Hope this is useful, and apologies again for not bothering to submit a git
patch.
John Clements
_______________________________________________ Logcheck-devel mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/logcheck-devel
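Added here as an example, not part of John's message or of logcheck itself: a bash harness that feeds constructed amavisd-new lines through the posted rule with grep -E (what logcheck's egrep call amounts to) and checks which ones get suppressed. The host name, addresses, ids and the Blocked line are made up, and the single-digit day carries the second space that syslog writes, which the rule's {11} count depends on.

```bash
#!/bin/bash
# Added example: exercises the amavisd-new "Passed" ignore rule from the post
# with grep -E, which is what logcheck's egrep invocation amounts to.
# All sample log lines are constructed; host, addresses and ids are made up.

# The rule exactly as posted, on the single line logcheck expects.
RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (INFECTED \([-._[:alnum:]]+\)|BAD-HEADER),( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){1,2} <[^>]*> -> <[^>]*>,( quarantine: [[:alnum:]]/(virus|badh)-[-+[:alnum:]]+,)?( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$'

# Return 0 when logcheck would suppress the line under this rule.
matches() { printf '%s\n' "$1" | grep -Eq -- "$RULE"; }

# Two lines the rule should suppress: a BAD-HEADER line with the single-letter
# quarantine subdirectory, and an INFECTED line with an IPv6 relay, a
# Message-ID field and "Hits: -" (no spam score). Note the two spaces before
# the single-digit day: syslog pads it, and the rule's {11} count relies on it.
SHOULD_MATCH_1='Jul  9 13:04:00 mx1 amavis[12388]: (12388-04) Passed BAD-HEADER, [192.0.2.10] [192.0.2.10] <> -> <user@example.net>, quarantine: e/badh-ezZ9dnor96RO, mail_id: ezZ9dnor96RO, Hits: 5.11, size: 3338, queued_as: BDA623F8006, 1832 ms'
SHOULD_MATCH_2='Jul 10 09:12:33 mx1 amavis[2001]: (02001-01) Passed INFECTED (Eicar-Test-Signature), [2001:db8::5] <a@example.org> -> <b@example.net>, quarantine: v/virus-AbC123xyz, Message-ID: <123@example.org>, mail_id: AbC123xyz, Hits: -, size: 2048, queued_as: 0123456789AB, 420 ms'

# Two lines the rule must leave alone: the same BAD-HEADER line with the day
# padding collapsed (as happens when a log is pasted through a web page or
# mail client), and a Blocked line, which should always reach the report.
SHOULD_NOT_MATCH_1='Jul 9 13:04:00 mx1 amavis[12388]: (12388-04) Passed BAD-HEADER, [192.0.2.10] [192.0.2.10] <> -> <user@example.net>, quarantine: e/badh-ezZ9dnor96RO, mail_id: ezZ9dnor96RO, Hits: 5.11, size: 3338, queued_as: BDA623F8006, 1832 ms'
SHOULD_NOT_MATCH_2='Jul  9 13:05:00 mx1 amavis[12388]: (12388-05) Blocked SPAM, [192.0.2.11] <x@example.com> -> <y@example.net>, quarantine: s/spam-Zz9XyZ, mail_id: Zz9XyZ, Hits: 12.3, size: 2200, 900 ms'

# Run every expectation; report each miss and return non-zero if any failed,
# so this can gate edits to the rule file.
check_rule() {
    local rc=0 line
    for line in "$SHOULD_MATCH_1" "$SHOULD_MATCH_2"; do
        matches "$line" || { echo "MISSED:    $line"; rc=1; }
    done
    for line in "$SHOULD_NOT_MATCH_1" "$SHOULD_NOT_MATCH_2"; do
        matches "$line" && { echo "OVERMATCH: $line"; rc=1; }
    done
    return "$rc"
}

check_rule && echo "rule behaves as expected"
```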

