[Mimedefang] virus source report?
Anne Bennett
anne at encs.concordia.ca
Mon Aug 9 16:57:55 EDT 2004
Les Mikesell asks:
> Has anyone come
> up with a clever way to parse the logs or another way to quickly
> notice if the first IP in the received headers belongs to your
> own ranges so that after the scanner detects the virus you can
> quickly find internal boxes already infected?
I make mimedefang log something like:
Aug 9 00:15:30 courage mimedefang.pl[30635]: i794FMeO030827:
relay=159.226.211.71, action=discard, detail=virus 'W32/Lovgate-V',
envfrom=<foobar at msn.com>, envrcpt=<foobar at cs.concordia.ca>, subj=
Then I have a nightly cron job that checks for messages discarded due
to the presence of a virus, and if the relay was on our network, this
gets reported.
I append the logging subroutine I have put in the mimedefang-filter,
which I call for any action that is taken on a message.
Hope that helps a bit.
Anne.
--
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca +1 514 848-2424 x2285
-------------------------------------------------------------------------------
# Create a syslog entry in our own particular format, which our
# reporting tools will understand. If there is a third parameter, log
# for just that recipient. The global %Recipients should have been
# set before this is called.
sub concordia_log($$;$)
{
    my ( $action, $detail, $just_this_recip ) = @_;
    #debug_filter("sub concordia_log");
    my ( $qid, $relay, $lcsender, $subj );
    my ( $recip, @recips, $log_subject, $log_each_recip );

    # Do not log the subject by default, but only when we think that
    # there's something wrong with the message.
    $log_subject = undef;
    if ( ( $action =~ /^(tag|defang|pre_reject|reject|discard)/ ) &&
         ( $action !~ /debug/ )
       )
    {
        $log_subject = 1;
    }

    # Log for each recipient separately only if we are going to reject
    # or discard the message; otherwise, one log line is plenty!
    $log_each_recip = undef;
    if ( $action =~ /^(reject|discard)/ )
    {
        $log_each_recip = 1;
    }

    # Set up values for logging, avoiding undefined values.
    $qid = $MsgID;
    $qid = "NOQUEUE" unless $qid;
    $qid = "NOQUEUE" if $qid =~ /^<No/ ;
    $relay = $RelayAddr;
    $relay = "UNKNOWN" unless $relay;
    if ( $Sender )
    {
        $lcsender = lc($Sender);
    }
    else
    {
        $lcsender = "NONE";
    }
    @recips = ();
    foreach $recip ( keys %Recipients )
    {
        push @recips, lc($recip);
    }
    unless ( @recips )
    {
        @recips = ( "NONE" );
    }
    if ( ( scalar(@recips) > 1 ) &&
         ( ! $log_each_recip )
       )
    {
        @recips = ( "MULTIPLE" );
    }
    if ( $just_this_recip )
    {
        @recips = ( $just_this_recip );
    }
    $subj = $Subject;
    $subj = "" unless $subj;

    # Issue a log message for each recipient of this message (or for the
    # special recipient "MULTIPLE" if that was set).
    foreach $recip ( @recips )
    {
        my ( $message );
        $message =
            sprintf( "%s: relay=%s, action=%s, detail=%s, envfrom=%s, envrcpt=%s",
                     $qid, $relay, $action, $detail, $lcsender, $recip);
        if ( $log_subject )
        {
            $message .= sprintf(", subj=%s", $subj);
        }
        md_syslog("info", $message);
    }
}
-------------------------------------------------------------------------------
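The nightly report Anne describes (parse the concordia_log() lines, keep discards caused by a virus, and flag relays inside our own address ranges) as an added example in Python; this is not code from the post or from MIMEDefang. INTERNAL_NETS uses RFC 5737 documentation prefixes as a placeholder for your own ranges, and the sample log is constructed, with its first line modelled on the one in the post. Relays that are not IP addresses (the UNKNOWN placeholder) are never treated as internal.

```python
import ipaddress
import re
from collections import defaultdict

# Message part of the line written by concordia_log(); the syslog prefix
# (timestamp, host) varies by daemon, so the match anchors on the program name.
LOG_RE = re.compile(
    r"mimedefang\.pl\[\d+\]: (?P<qid>\S+): relay=(?P<relay>[^,]+), "
    r"action=(?P<action>[^,]+), detail=(?P<detail>.*?), "
    r"envfrom=(?P<envfrom>\S+), envrcpt=(?P<envrcpt>[^,]+?)"
    r"(?:, subj=(?P<subj>.*))?$"
)
VIRUS_RE = re.compile(r"^virus '(?P<name>[^']*)'")
# Hypothetical internal ranges (documentation prefixes); substitute your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed sample log; the first line is modelled on the one in the post.
SAMPLE_LOG = [
    "Aug  9 00:15:30 courage mimedefang.pl[30635]: i794FMeO030827: relay=159.226.211.71, "
    "action=discard, detail=virus 'W32/Lovgate-V', envfrom=<foobar@msn.com>, "
    "envrcpt=<foobar@cs.concordia.ca>, subj=",
    "Aug  9 02:10:11 courage mimedefang.pl[30712]: i796AB1c031011: relay=192.0.2.45, "
    "action=discard, detail=virus 'W32/Netsky-P', envfrom=<alice@example.org>, "
    "envrcpt=<bob@example.net>, subj=hi, there",
    "Aug  9 04:00:00 courage mimedefang.pl[30900]: NOQUEUE: relay=UNKNOWN, "
    "action=discard, detail=virus 'EICAR-Test', envfrom=NONE, envrcpt=NONE, subj=",
]

def parse_line(line):
    """Return the fields of one of our log lines as a dict, or None if not ours."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def is_internal(relay, nets=INTERNAL_NETS):
    """True if relay is an IP inside nets; placeholders such as UNKNOWN never are."""
    try:
        addr = ipaddress.ip_address(relay)
    except ValueError:
        return False
    return any(addr in net for net in nets)

def internal_virus_relays(lines, nets=INTERNAL_NETS):
    """Map each internal relay to the (queue id, virus name) pairs it delivered."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "discard":
            continue
        v = VIRUS_RE.match(rec["detail"])
        if v and is_internal(rec["relay"], nets):
            hits[rec["relay"]].append((rec["qid"], v.group("name")))
    return dict(hits)
```

Feed it the previous day's mail log from cron and mail the returned dict; every key is an internal host that sent a virus through the gateway and should be looked at.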