feature request

Julian Field mailscanner at ecs.soton.ac.uk
Tue Sep 2 19:34:01 IST 2003 

At 17:02 02/09/2003, you wrote:
>Sep  2 15:36:24 xxxxxx MailScanner[10247]: Virus and Content Scanning:
>Starting
>******** Sep  2 15:36:25 xxxxxxMailScanner[10247]:
>/var/spool/MailScanner/incoming/10247/./h82EZlKq015377/thank_you.pif:
>Worm.Sobig.F FOUND

That bit of code is the virus scanner output parser. It knows nothing about
individual messages at all, so it can't log the client IP. Sorry.

>Sep  2 15:36:25 xxxxxx MailScanner[10247]: Virus Scanning: ClamAV found 1
>infections
>Sep  2 15:36:25 xxxxxx MailScanner[10247]: Virus Scanning: Found 1 viruses
>Sep  2 15:36:25 xxxxxx MailScanner[10247]: Filename Checks: Possible
>MS-Dos program shortcut attack (thank_you.pif)
>Sep  2 15:36:25 xxxxxx MailScanner[10247]: Filetype Checks: No executables
>(thank_you.pif)
>Sep  2 15:36:25 xxxxxx MailScanner[10247]: Other Checks: Found 2 problems
>
>Ideally I would like  the IP address in the line marked with *s (apologies
>for the line wrap (if indeed it does!)
>
>David While
>
>         -----Original Message-----
>         From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
>         Sent: Tue 02/09/2003 15:27
>         To: MAILSCANNER at JISCMAIL.AC.UK
>         Cc:
>         Subject: Re: feature request
>
>
>
>         At 13:36 02/09/2003, you wrote:
>         >What is the possibility of including the sending IP address in
> the virus
>         >lines in the log file entries?
>
>         Please can you give me an example of what log entries you mean.
>
>
>         >With the recent Sobig.F outbreak it would seem sensible to be
> able to do
>         >some automatic processing on the log files to determine the IP
> addresses
>         >that are sending them. My quick analysis of my log file shows
> that it is a
>         >few addresses sending large numbers to me.
>         >
>         >If this is possible I would then be able to add it as a feature to
>         >mailstats.pl to block persistent virus senders for a short
> period of time.
>         >
>         >-----------------------------------------------------------------
>         >David While
>         >Technical Development Manager
>         >Faculty of Computing, Information & English
>         >University of Central England
>         >Tel: 0121 331 6211
>         >-----------------------------------------------------------------
>
>         --
>         Julian Field
>         www.MailScanner.info
>         MailScanner thanks transtec Computers for their support
>

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

More information about the MailScanner mailing list