Too much detail in Logwatch report
Mark Sapiro
mark at msapiro.net
Mon Oct 26 18:04:04 GMT 2009
On Sun, Oct 25, 2009 at 06:59:27AM -0700, Mike Tremaine wrote:
>
> More of a logwatch question than a Mailscanner question but... The
> phishing report has a threshold variable so you can set it high or set
> it to 0 to suppress it. Sadly there was a bug in this so it was impossible
> to set it to 0 in the conf file. This has been fixed and the default is now
> zero or off. You can grab just the mailscanner service script here
>
> http://www.stellarcore.net/downloads/mailscanner
There is still a bug in the above file. The fix is
@@ -34,7 +34,7 @@
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
my $phishing_detail = $ENV{'mailscanner_phishing_detail'} || 0;
-my $mailscanner_phishingthreshold = $ENV{'$mailscanner_phishingthreshold'} || 0;
+my $mailscanner_phishingthreshold = $ENV{'mailscanner_phishingthreshold'} || 0;
#Inits
my $MailScan_bytes = 0;
Also, I have made some changes to support the processing database and
spam-viruses and spamassassin rule actions. I have attached
logwatch_mailscanner.patch which has these changes plus the above fix.
--
Mark Sapiro mark at msapiro net The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
-------------- next part --------------
--- newmailscanner 2009-10-25 06:52:03.000000000 -0700
+++ /etc/logwatch/scripts/services/mailscanner 2009-10-26 10:34:42.000000000 -0700
@@ -34,7 +34,7 @@
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
my $phishing_detail = $ENV{'mailscanner_phishing_detail'} || 0;
-my $mailscanner_phishingthreshold = $ENV{'$mailscanner_phishingthreshold'} || 0;
+my $mailscanner_phishingthreshold = $ENV{'mailscanner_phishingthreshold'} || 0;
#Inits
my $MailScan_bytes = 0;
@@ -51,7 +51,10 @@
my $MailScan_GoodWatermark = 0;
my $MailScan_BadWatermark = 0;
my $MailScan_SkipWatermark = 0;
-
+my $SpamAssassin_Rule_Actions = 0;
+my $MailScan_Deleted_pdb = 0;
+my $MailScan_Found_pdb = 0;
+my $MailScan_Spam_Virus = 0;
while (defined($ThisLine = <STDIN>)) {
#($QueueID) = ($ThisLine =~ m/^([a-zA-Z0-9]+): / );
@@ -124,10 +127,14 @@
( $ThisLine =~ m/^Initialising IP blocking/ ) or
( $ThisLine =~ m/^Closing down IP blocking/ ) or
( $ThisLine =~ m/Whitelist refresh time reached/ ) or
- ( $ThisLine =~ m/Skipping sender of precedence list/ ) or
+ ( $ThisLine =~ m/Skipping sender of precedence list/ ) or
( $ThisLine =~ m/^Read \d+ IP blocking entries from/ ) or
#This for Kaspersky I guess it is duplicated by Content checks, remove if not -mgt
( $ThisLine =~ m/^\/var\/spool\/MailScanner\/incoming\/.+SUSPICION/ ) or
+ # New processing database
+ ( $ThisLine =~ m/Connected to [Pp]rocessing(?:-messages| Attempts) [Dd]atabase/ ) or
+ ( $ThisLine =~ m/Found 0 messages in the [Pp]rocessing(?:-messages| Attempts) [Dd]atabase/ ) or
+ ( $ThisLine =~ m/Reading configuration file/ ) or
( $ThisLine =~ m/^SpamAssassin temporary working directory is/ ) or
( $ThisLine =~ m/ignored whitelist, had .+ recipients/ )
) {
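Review bot: The added ignore patterns `m/Found 0 messages in the [Pp]rocessing(?:-messages| Attempts) [Dd]atabase/` and `m/Reading configuration file/` are unanchored, so any log line that merely contains that text is dropped by this ignore condition and never reaches the report. Log lines here presumably can carry message-derived text (paths and sender hosts appear in other patterns), so an over-broad ignore rule is a way for a line worth reading to go unreported. Neighbouring entries such as `m/^Read \d+ IP blocking entries from/` are anchored; if these messages always begin the line, write `m/^Reading configuration file/` and anchor the `Found 0 messages` pattern the same way. The ignore condition opens above the hunk, so its start is not visible here.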
@@ -145,6 +152,9 @@
$MailScan_Spam = $MailScan_Spam + $1;
} elsif ( $ThisLine =~ m/Virus Scanning: Found ([0-9]+) viruses/) {
$MailScan_Virus = $MailScan_Virus + $1;
+ } elsif ( $ThisLine =~ m/Found spam-virus (\S+) in/i) {
+ $MailScan_Spam_Virus++;
+ $Spam_Virus_Found{$1}++;
} elsif ( $ThisLine =~ m/infected message .+ came from (.*)/i) {
$MailScan_VirualHost = $MailScan_VirualHost + 1;
$Hostlist{$1}++;
@@ -157,7 +167,8 @@
#without the leading : this would match Fprot so error on the side of matching to much -mgt
$VirusType_BitDefender{$1}++;
$MailScan_Virus_BitDefender++;
- } elsif ($ThisLine =~ m/^\/var\/spool\/MailScanner\/incoming\/.+: ([\w\_\-\.\/]+) FOUND/i) {
+ } elsif ( ($ThisLine =~ m/^\/var\/spool\/MailScanner\/incoming\/.+: ([\w\_\-\.\/]+) FOUND/i) or
+ ($ThisLine =~ m/Clamd::INFECTED:: (\S+) ::/i) ) {
$VirusType_ClamAv{$1}++;
$MailScan_Virus_ClamAv++;
} elsif ($ThisLine =~ m/ClamAVModule::INFECTED:: (.+)::/) {
@@ -321,6 +332,14 @@
} elsif ( ($ThisLine =~ m/Message .+ had bad watermark/) ||
($ThisLine =~ m/Message .+ from .+ has no \(or invalid\) watermark or sender address/) ) {
$MailScan_BadWatermark++;
+ } elsif ($ThisLine =~ m/SpamAssassin Rule Actions: rule ([^ ]*) caused action ([^ ]*) .*in message ([0-9a-f.]*)/i) {
+ $SpamAssassin_Rule_Actions++;
+ $SpamAssassin_Rule{$1}++;
+ $SpamAssassin_Action{$2}++;
+ $SpamAssassin_Message{$3}++;
+ } elsif ($ThisLine =~ m/Deleted (\d+) messages from processing-database/) { $MailScan_Deleted_pdb += $1;
+ } elsif ($ThisLine =~ m/Found (\d+) messages in the [Pp]rocessing(?:-messages| Attempts) [Dd]atabase/) {
+ $MailScan_Found_pdb += $1;
} else {
chomp($ThisLine);
# Report any unmatched entries...
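Review bot: The SpamAssassin Rule Actions pattern uses `*` for all three captures, so a line with an empty rule, action or message id still matches and increments `$SpamAssassin_Rule{''}` and its siblings, which later print as blank report rows. `([0-9a-f.]*)` also stops at the first character outside that class, so an id in another format would be recorded truncated or empty; this is inferred, since the id formats in use are not visible here. Using `+` instead (`rule ([^ ]+) caused action ([^ ]+) .*in message ([0-9a-f.]+)`) lets malformed lines fall through to the unmatched-entries branch, where they are reported rather than miscounted. The `Deleted (\d+) messages from processing-database` branch has its brace and body on one line, unlike its neighbours, and is case-sensitive where the `Found` pattern is not. The elsif chain begins and ends outside the hunk.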
@@ -358,6 +377,10 @@
print "\n\t\t" . $SACacheHit . ' hits from MailScanner SpamAssassin cache';
}
+#if ($MailScan_Spam_Virus > 0) {
+# print "\n\t" . $MailScan_Spam_Virus . ' Spam messages detected by Virus signatures';
+#}
+
if ($MailScan_Unscanned > 0) {
print "\n\t" . $MailScan_Unscanned . ' Messages forwarded unscanned by MailScanner';
}
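Review bot: The three added lines are commented-out code with no explanation of why the summary line is disabled. `$MailScan_Spam_Virus` is still counted and shown in the `Spam Virus Report` header added later in this patch, so the line is either redundant or wanted. Drop the block, or replace it with a single comment such as `# Spam-virus total is printed in the Spam Virus Report header below.`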
@@ -374,6 +397,12 @@
print "\n\t" . $MailScan_Content . ' Content Problems found by MailScanner';
}
+if ($MailScan_Deleted_pdb > 0) {
+ print "\n\t" . $MailScan_Deleted_pdb . " Messages deleted from processing-database";
+}
+if ($MailScan_Found_pdb > 0) {
+ print "\n\t" . $MailScan_Found_pdb . " Messages found in processing-database";
+}
if ($MailScan_Delivered > 0) {
print "\n\t" . $MailScan_Delivered . " Messages delivered by MailScanner\n";
}
@@ -463,6 +492,13 @@
}
}
+if (keys %Spam_Virus_Found) {
+ print "\nSpam Virus Report: (Total Seen = $MailScan_Spam_Virus)\n";
+ foreach $ThisOne (sort keys %Spam_Virus_Found) {
+ print ' ' . $ThisOne . ': ' . $Spam_Virus_Found{$ThisOne} . " Time(s)\n";
+ }
+}
+
if (keys %Hostlist) {
print "\nVirus Sender Report: (Total Seen = $MailScan_VirualHost)\n";
foreach $ThisOne (sort keys %Hostlist) {
@@ -592,6 +628,18 @@
print ' ' . "Details Suppressed at level $Detail. Level 10 required.\n";
}
}
+if ($SpamAssassin_Rule_Actions > 0) {
+ print "\nSpamAssassin Rule Actions: (Total Seen = $SpamAssassin_Rule_Actions)\n";
+ foreach $ThisOne (sort keys %SpamAssassin_Rule) {
+ print ' ' . 'Rule - ' . $ThisOne . ': ' . $SpamAssassin_Rule{$ThisOne} . " Time(s)\n";
+ }
+ foreach $ThisOne (sort keys %SpamAssassin_Action) {
+ print ' ' . 'Action - ' . $ThisOne . ': ' . $SpamAssassin_Action{$ThisOne} . " Time(s)\n";
+ }
+ foreach $ThisOne (sort keys %SpamAssassin_Message) {
+ print ' ' . 'Message - ' . $ThisOne . ': ' . $SpamAssassin_Message{$ThisOne} . " Time(s)\n";
+ }
+}
if ( ($MailScan_GoodWatermark > 0) || ($MailScan_BadWatermark > 0) || ($MailScan_Skipwatermark > 0) ) {
print "\nWatermark report:\n";
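Review bot: The new SpamAssassin Rule Actions block prints one `Message - ...` row per message id regardless of `$Detail`, while the block just above it suppresses its details below level 10. That list grows with mail volume, which is the report noise this thread is about, and it pushes the rule and action totals out of sight. Consider guarding only the third loop, for example `if ($Detail >= 10) { ... }`, and keeping the Rule and Action totals unconditional. Separately, the context line tests `$MailScan_Skipwatermark` while the counter declared in the earlier hunk's context is `$MailScan_SkipWatermark`, so that term looks like it can never be true; worth confirming against the full file.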