minor logging problem

[John Wilcock]

Le 09/09/2009 10:07, Julian Field a écrit :
> Sorry, cannot start trying to fix that one without the original message,
> or a message which produces the same symptoms.

I've been seeing similar split log lines for several months (and several 
MS versions) but not had time to report it.

It tends to occur in messages with lots of phishing URLs; most are 
logged properly but one or two otherwise identical URLs get split in 
logging, as follows:

> Sep  8 08:57:09 ex0 MailScanner[2579]: Found ip-based phishing fraud from http://193.33.46.154/newsletter/lt.php?id=LkpUWwpRAw9UX0QGDAAKTwEJUFEEBg%%3D%%3D in 06BC3334032.A71F5
> Sep  8 08:57:09 ex0 MailScanner[2579]: Found ip-based phishing fraud from http://193.33.46.154/newsletter/lt.php?id=LkpUWwpRAw9VVkQGDAAKTwEJUFEEBg%%3D%%3D in 06BC3334032.A71F5
> Sep  8 08:57:09 ex0 MailScanner[2579]: Found ip-based phishing fraud from http://193.33.46.154/newsletter/lt.php?id=LkpUWwpRAw9VV0QGDAAKTwEJUFEEBg%%3D%%3D in 06BC3334032.A71F5
> Sep  8 08:57:09 ex0 MailScanner[2579]: Found ip-based phishing fraud from http://193.33.46.154/ne!
> Sep  8 08:57:09 ex0 MailScanner[2579]:  wsletter
> Sep  8 08:57:09 ex0 MailScanner[2579]: /lt.php?id=LkpUWwpRAw9VVEQGDAAKTwEJUFEEBg%%3D%%3D in 06BC3334032.A71F5
> Sep  8 08:57:09 ex0 MailScanner[2579]: Found ip-based phishing fraud from http://193.33.46.154/newsletter/lt.php?id=LkpUWwpRAw9VVUQGDAAKTwEJUFEEBg%%3D%%3D in 06BC3334032.A71F5
> Sep  8 08:57:09 ex0 MailScanner[2579]: Found ip-based phishing fraud from http://193.33.46.154/newsletter/lt.php?id=LkpUWwpRAw9VUkQGDAAKTwEJUFEEBg%%3D%%3D in 06BC3334032.A71F5

I've sent you a sample message off list, Jules, and can send others if 
needed. I suppose this could also be a syslog bug rather than 
MailScanner - I'm using syslog-ng 2.1.4 on gentoo, FWIW.

John.

-- 
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr