SPAMVIRUS Feature Question
Hugo van der Kooij
hvdkooij at vanderkooij.org
Wed Oct 21 06:11:18 IST 2009
On 10/20/09 22:45, Jonas A. Larsen wrote:
> I can only second the wish for a way to have the sigs that hit turn up in
> our stats/mailwatch, something that lets us monitor the effectiveness of it.
>
> However, since I was an early adopter of the new feature, I'm not sure how it
> would work.
>
> You could do it today by writing a ton of SA rules (1 for each signature),
> but that would be a mess.
>
> An ugly hack fix would be to parse the log files (where message id and sig
> name are parseable) and then make a script that inserted the sig name into
> the corresponding row in the mailwatch db. But as I said, that would be
> really ugly :)
>
> I'd love to hear other people's take on this, not to mention Julian's :)
You mean something like this?
--------------------- MailScanner Begin ------------------------
MailScanner Status:
779 messages Scanned by MailScanner
9.8 Total MB
206 Spam messages detected by MailScanner
193 Spam messages with action(s) store
13 Spam messages with action(s) store,deliver,header
6 hits from MailScanner SpamAssassin cache
10 Viruses found by MailScanner
4 Banned attachments found by MailScanner
13 Content Problems found by MailScanner
584 Messages delivered by MailScanner
779 Messages logged to MailWatch database
6 SpamAssassin timeout(s)
Virus Sender Report: (Total Seen = 5)
: 3 Time(s)
81.252.202.129 : 2 Time(s)
Spam Whitelisted Host Report: (Total Seen = 452)
127.0.0.1 (forum-bounces at sixxs.net): 5 Time(s)
194.109.142.194 (clamav-virusdb-bounces at lists.clamav.net): 26 Time(s)
209.132.177.33 (fedora-package-announce-bounces at redhat.com): 199
Time(s)
213.136.17.26 (linux-bounce at lists.nllgg.nl): 10 Time(s)
216.200.241.73 (owner-fw-1-mailinglist at amadeus.us.checkpoint.com):
47 Time(s)
216.34.181.88 (simple-evcorr-users-bounces at lists.sourceforge.net):
2 Time(s)
72.26.200.202 (centos-announce-bounces at centos.org): 8 Time(s)
83.98.192.7 (mailscanner-bounces at lists.mailscanner.info): 126 Time(s)
85.13.226.40 (users-bounces at lists.rpmforge.net): 19 Time(s)
85.17.220.216 (pdns-users-bounces at mailman.powerdns.com): 10 Time(s)
RBL Report: (Total Seen = 120)
spamhaus-ZEN : 105 Time(s)
spamhaus-ZEN, RBL-JP : 3 Time(s)
spamhaus-ZEN, RBL-KR : 12 Time(s)
Content Report: (Total Seen = 13)
iframe, script, form, form input tags: 1 Time(s)
phishing tags: 5 Time(s)
web bug tags: 5 Time(s)
web bug, form, form input tags: 1 Time(s)
web bug, phishing tags: 1 Time(s)
Banned Filename Report: (Total Seen = 2)
windows/dos executable (document.htm -space- .exe) : 1 Time(s)
windows/dos executable (document.pdf -space- .exe) : 1 Time(s)
Banned Filetype Report: (Total Seen = 2)
no executables (document.htm -space- .exe) : 1 Time(s)
no executables (document.pdf -space- .exe) : 1 Time(s)
Phishing Report: (Total Seen = 11)
http://94d.koyojah.cn/?ifyzir=Sq14x7K738k668962cvdf93&ucixim=98073545714939353881529&aviry=a459M466h12T84a40W34DgT50&ajemi=9857588515513348581085129:
1 Time(s)
http://9a1.koyojah.cn/?yairoxaug=O2wD9e89005i06H52086Te5&ifafev=118008449058988882771837&wuapihaf=80g8814P8s995238693C0&imudiwe=444220479734076160683:
1 Time(s)
http://badc9.koyojah.cn/?iofaiofi=419651156J2e15E2Y286&ecylelyjo=1637324136675286613573892&yuneuqy=2n05w2E8w34763P97j0747uD&deheei=30975271946850298113:
1 Time(s)
http://c8dcd9.koyojah.cn/?ikycuebavy=1KGVb65998p98TFGX9I79b&owueeja=22941960630312397626&oulau=8MVk22j4qB54je5400o1464b&ramaosisao=42459349657551249147470:
1 Time(s)
http://dbaseserver.mistermail.nl/t/676885/5858236/178400/0/: 1 Time(s)
http://feedproxy.google.com/~r/axvo/ZwVt/~3/4pUeKYCoWg0: 1 Time(s)
http://feedproxy.google.com/~r/axvo/ZwVt/~3/iu5rNf-Z5Zo: 1 Time(s)
http://url.aart06.net/t/55403/1524/5572846/3296402/0: 1 Time(s)
http://url.aart06.net/t/56362/1460/5577809/3346874/0: 2 Time(s)
http://us.mc1116.mail.yahoo.com/mc/compose?to=marie.diane10@yahoo.com: 1
Time(s)
HTML <FORM> tag report: (Total Seen = 4)
invitations at twitter.com : 1 Time(s)
postmaster at vanderkooij.org : 2 Time(s)
unive at emessaging.nl : 1 Time(s)
HTML <SCRIPT> tag report: (Total Seen = 1)
invitations at twitter.com : 1 Time(s)
HTML <IFRAME> tag report: (Total Seen = 1)
invitations at twitter.com : 1 Time(s)
HTML <IMG> tag report: (Total Seen = 125)
Details Suppressed at level 0. Level 10 required.
**Unmatched Entries**
Whitelist refresh time reached : 282 Time(s)
Virus Scanning: F-Prot6 found 1 infections : 2 Time(s)
/8C98517E900A.8E49E/document.pdf.exe Found the
Generic.dx!fpw trojan !!! : 1 Time(s)
[Found possible security risk] <W32/Heuristic-200!Eldorado (not
disinfectable)> ./8C98517E900A.8E49E.message->Invitation
Card.zip->document.pdf .exe : 1 Time(s)
./8C98517E900A.8E49E/Invitation Card.zip:
Suspect.DoubleExtension-zippwd-7 FOUND : 1 Time(s)
./8C98517E900A.8E49E.message: Suspect.DoubleExtension-zippwd-7
FOUND : 1 Time(s)
/ECA3A17E8F7E.1660C.message/Shipping documents.zip/document.htm
.exe Found the Generic.dx!fpw trojan !!! : 1 Time(s)
/ECA3A17E8F7E.1660C/document.htm.exe Found the
Generic.dx!fpw trojan !!! : 1 Time(s)
[Found possible security risk] <W32/Heuristic-200!Eldorado (not
disinfectable)> ./ECA3A17E8F7E.1660C.message->Shipping
documents.zip->document.htm .exe : 1 Time(s)
/8C98517E900A.8E49E/Invitation Card.zip/document.pdf .exe
Found the Generic.dx!fpw trojan !!! : 1 Time(s)
/8C98517E900A.8E49E.message/Invitation Card.zip/document.pdf .exe
Found the Generic.dx!fpw trojan !!! : 1 Time(s)
/ECA3A17E8F7E.1660C/Shipping documents.zip/document.htm .exe
Found the Generic.dx!fpw trojan !!! : 1 Time(s)
---------------------- MailScanner End -------------------------
From the logwatch parser (that I definitely need to improve upon).
Hugo
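The "parse the logs for message id and rule name" approach that Jonas describes above, worked through as an added example (not code from this thread, from MailScanner or from MailWatch). It assumes MailScanner's "is spam, SpamAssassin (...)" syslog line layout, which is only modelled here; the sample log lines are constructed, and the per-message rule list is the value a site-specific script would write into its own MailWatch column for that message id.

```python
"""Aggregate SpamAssassin rule hits per message from MailScanner-style log lines.

Added example, not from the mailing-list thread. The line layout below is an
assumption modelled on MailScanner's "is spam, SpamAssassin (...)" syslog
lines, and the sample lines are constructed (no real mail, no real hosts).
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (RFC 5737 test addresses, .invalid domains).
SAMPLE_LOG = """\
Oct 21 06:01:02 mx1 MailScanner[1234]: Message n8KabC12345678 from 203.0.113.5 (sender@example.invalid) to user@example.invalid is spam, SpamAssassin (not cached, score=12.3, required 5, BAYES_99 3.50, URIBL_BLACK 1.96, HTML_MESSAGE 0.00, RCVD_IN_XBL 3.03)
Oct 21 06:01:05 mx1 MailScanner[1234]: Message n8KabC23456789 from 198.51.100.7 (news@example.invalid) to user@example.invalid is not spam, SpamAssassin (cached, score=1.2, required 5, HTML_MESSAGE 0.00, BAYES_50 0.80)
Oct 21 06:01:09 mx1 MailScanner[1234]: Message n8KabC34567890 from 203.0.113.9 (x@example.invalid) to user@example.invalid is spam, SpamAssassin (not cached, score=8.1, required 5, BAYES_99 3.50, RCVD_IN_XBL 3.03, MISSING_SUBJECT 1.57)
Oct 21 06:01:11 mx1 MailScanner[1234]: Message n8KabC45678901 from 192.0.2.4 (a@example.invalid) to user@example.invalid is whitelisted
"""

# Assumed layout: "Message <id> from <ip> (<sender>) to <rcpt> is [not ]spam,
# SpamAssassin (<cache state>, score=<n>, required <n>, RULE score, RULE score, ...)"
SA_LINE = re.compile(
    r"Message (?P<msgid>\S+) from (?P<ip>\S+) \((?P<sender>[^)]*)\) to \S+ "
    r"is (?P<verdict>spam|not spam), SpamAssassin \((?P<detail>.*)\)$"
)
# A rule hit is an upper-case rule name followed by its (possibly negative) score.
RULE_HIT = re.compile(r"^([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)$")


def parse_line(line):
    """Return (msgid, is_spam, score, {rule: score}) or None for non-verdict lines."""
    m = SA_LINE.search(line)
    if not m:
        return None
    score = None
    hits = {}
    for part in (p.strip() for p in m.group("detail").split(",")):
        if part.startswith("score="):
            score = float(part[len("score="):])
            continue
        r = RULE_HIT.match(part)  # "not cached" / "required 5" do not match
        if r:
            hits[r.group(1)] = float(r.group(2))
    return m.group("msgid"), m.group("verdict") == "spam", score, hits


def rule_hit_stats(log_text, spam_only=True):
    """Count how many messages each rule fired on, and list rules per message id.

    The per-message mapping is what a script would write into the MailWatch
    row for that message id (the column name would be site-specific).
    """
    per_rule = Counter()
    per_message = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        msgid, is_spam, _score, hits = parsed
        if spam_only and not is_spam:
            continue
        for rule in hits:
            per_rule[rule] += 1
        per_message[msgid] = sorted(hits)
    return per_rule, dict(per_message)


if __name__ == "__main__":
    rules, messages = rule_hit_stats(SAMPLE_LOG)
    for rule, n in rules.most_common():
        print(f"{rule:20s} {n} message(s)")
    for msgid, hit_rules in messages.items():
        print(msgid, ", ".join(hit_rules))
```

Counting messages per rule (rather than summing scores) is what answers Jonas's question about effectiveness: a rule that fires on many messages classed as spam and on none classed as ham is doing useful work, and passing spam_only=False shows the ham side of that comparison from the same log.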