[Mimedefang] logwatch support for mimedefang: first cut

Gary Funck gary at intrepid.com
Wed Sep 10 02:07:58 EDT 2008

Recently, I made a first cut at a logwatch script
that processes the sendmail log file, /var/log/maillog,
summarizing information logged by our mimedefang filter,
which is a hodge-podge of various suggestions and
contributions of filter code made to this list, and elsewhere.

The logwatch code is here:
(The URL will be good for a month, until 2008-10-08.)

Here's the documentation:

       This logwatch script processes lines in a logfile that
       are in "maillog" format, as written by the "sendmail"
       program, and by "mimedefang".  These log lines must
       include, at a minimum, "MDLOG" lines that are typically
       processed by the "graphdefang" tool.

       This script also collects statistics on MDLOG
       lines written by greylisting extensions, derived
       from code developed by John Kirkland (see

       Further, a few additional lines in the logfile receive
       special handling:

           Extensions to "filter_relay" write the hostname
           and host IP address into the log file, along with
           the pid of mimedefang process that is running the
           relay filter.

       "filter_relay said ACCEPT_AND_NO_MORE_FILTERING"
           The pid on this line must match the pid of a
           previously written "RELAY" line.  It is assumed
           that if this line appears in the logfile, that
           "filter_relay" has accepted delivery of the
           message based only on the relay's IP address.
           This relay will be tabulated as a "trusted host".

       "filter_recipient said ACCEPT_AND_NO_MORE_FILTERING"
           It is assumed that this line appears in the log when
           "filter_recipient" has determined that the sender
           was authenticated; the authenticated sender count
           is incremented.

       Virus-related statistics are also tabulated for
       "MDLOG" lines written when a virus is detected.
       Special handling is implemented for "CLAMAV" virus names
       identified by the SANE Security email virus scanning
       extensions (see <http://www.sanesecurity.co.uk/>).
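As an added illustration (not the script from the original post, which is a logwatch Perl filter), the following Python sketch implements the counting rules the documentation above describes on a few constructed maillog lines: MDLOG events tallied into mail and greylist buckets, a "RELAY" line keyed by pid and only credited as a trusted host when a later "filter_relay said ACCEPT_AND_NO_MORE_FILTERING" line carries the same pid, "filter_recipient said ACCEPT_AND_NO_MORE_FILTERING" counted as an authenticated sender, and virus names grouped by family. Assumptions: the MDLOG field order (MDLOG,qid,event,value1,value2,...) follows the graphdefang layout, the exact shape of the "RELAY host [ip]" line is hypothetical, and collapsing "Email.Spam.<detail>" style names to "Email.Spam" is inferred from the grouping in the sample report.

```python
import re
from collections import Counter

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = """\
Sep 10 01:00:01 mx mimedefang.pl[2001]: RELAY host1.local [192.0.2.10]
Sep 10 01:00:01 mx mimedefang.pl[2001]: filter_relay said ACCEPT_AND_NO_MORE_FILTERING
Sep 10 01:00:02 mx mimedefang.pl[2002]: RELAY mail.example.com [198.51.100.7]
Sep 10 01:00:02 mx mimedefang.pl[2002]: MDLOG,m8A500002,mail_in,,,Invoice,<a@example.com>,<b@example.org>
Sep 10 01:00:03 mx mimedefang.pl[2002]: MDLOG,m8A500002,spam,12.4,5.0,Invoice,<a@example.com>,<b@example.org>
Sep 10 01:00:04 mx mimedefang.pl[2003]: MDLOG,m8A500003,mail_in,,,Hi,<c@example.net>,<b@example.org>
Sep 10 01:00:05 mx mimedefang.pl[2003]: MDLOG,m8A500003,virus,Email.Spam.SaneSecurity.Test,,Hi,<c@example.net>,<b@example.org>
Sep 10 01:00:06 mx mimedefang.pl[2004]: MDLOG,m8A500004,grey_new,,,Hello,<d@example.net>,<b@example.org>
Sep 10 01:00:07 mx mimedefang.pl[2004]: MDLOG,m8A500005,grey_white,,,Hello,<d@example.net>,<b@example.org>
Sep 10 01:00:08 mx mimedefang.pl[2005]: filter_recipient said ACCEPT_AND_NO_MORE_FILTERING
Sep 10 01:00:09 mx mimedefang.pl[2006]: filter_relay said ACCEPT_AND_NO_MORE_FILTERING
Sep 10 01:00:10 mx mimedefang.pl[2007]: MDLOG,m8A500007,mail_in,,,Eicar,<e@example.net>,<b@example.org>
Sep 10 01:00:11 mx mimedefang.pl[2007]: MDLOG,m8A500007,virus,Eicar-Test-Signature,,Eicar,<e@example.net>,<b@example.org>
"""

# syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# Hypothetical shape of the line a filter_relay extension writes.
RELAY_RE = re.compile(r'^RELAY (?P<host>\S+) \[(?P<ip>[^\]]*)\]$')
# Assumed family pattern for Sanesecurity-style names, e.g. Email.Spam.<detail>.
SANE_RE = re.compile(r'^(Email\.[A-Za-z]+)\.')
MAIL_EVENTS = {'mail_in', 'spam', 'virus'}


def virus_family(name):
    """Collapse Email.<Category>.<detail> to Email.<Category>; keep other names whole."""
    m = SANE_RE.match(name)
    return m.group(1) if m else name


def summarize(lines):
    stats = {'mail': Counter(), 'grey': Counter(), 'virus': Counter(),
             'trusted': Counter(), 'auth_senders': 0, 'unmatched_accept': 0}
    relay_by_pid = {}  # pid -> (host, ip) from the most recent RELAY line
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pid, msg = m['pid'], m['msg']
        if msg.startswith('MDLOG,'):
            # Only the first five fields are needed; the rest may contain commas.
            f = msg.split(',', 5)
            event = f[2] if len(f) > 2 else ''
            value1 = f[3] if len(f) > 3 else ''
            if event in MAIL_EVENTS:
                stats['mail'][event] += 1
            if event.startswith('grey_') or event == 'reset':
                stats['grey'][event] += 1
            if event == 'virus' and value1:
                stats['virus'][virus_family(value1)] += 1
            continue
        r = RELAY_RE.match(msg)
        if r:
            relay_by_pid[pid] = (r['host'], r['ip'])
        elif msg == 'filter_relay said ACCEPT_AND_NO_MORE_FILTERING':
            # Credit the relay only if this pid wrote a RELAY line earlier;
            # pop it so a stale entry cannot be reused for a later message.
            relay = relay_by_pid.pop(pid, None)
            if relay is None:
                stats['unmatched_accept'] += 1
            else:
                stats['trusted'][relay] += 1
        elif msg == 'filter_recipient said ACCEPT_AND_NO_MORE_FILTERING':
            stats['auth_senders'] += 1
    return stats


def render(stats, top=20):
    """Produce a logwatch-style text report from summarize()'s output."""
    out = ['Mail events']
    out += [f'  {k:<12}{v:>6}' for k, v in stats['mail'].most_common()]
    out.append('Greylist events')
    out += [f'  {k:<12}{v:>6}' for k, v in stats['grey'].most_common()]
    out.append('Trusted relays')
    out += [f'  {h} [{ip}] {n}' for (h, ip), n in stats['trusted'].most_common(top)]
    out.append(f"Authenticated senders: {stats['auth_senders']}")
    out.append('Virus hits')
    out += [f'  {k:<22}{v:>6}' for k, v in stats['virus'].most_common(top)]
    return '\n'.join(out)


if __name__ == '__main__':
    print(render(summarize(SAMPLE_LOG.splitlines())))
```

Pid 2002 in the sample writes a RELAY line but never an ACCEPT line, so it is not counted as a trusted host, while pid 2006's ACCEPT line with no preceding RELAY line is recorded as unmatched rather than silently credited; both are the cases the pid-matching rule in the documentation is there to handle.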

To try it out, install the three files listed in the
pastebin text, and then try something like:

  $ logwatch --print --service mimedefang --range today

An example report follows:

 Mail events
   mail_in     1418
   spam         470
   virus          1
 Greylist events
   grey_new    4343
   grey_white   973
   reset        279
   grey_black    78
   grey_old      73
 Trusted relays
   host1.local []              38
   localhost.localdomain []     2
   host2.local []               1
 Authenticated senders: 40
 Virus hits
   Email.Spam      115
   Email.Loan       25
   Email.Malware    22
 Relays [6545] (top 20)
   example.org []               958
   sourceware.org []            341
   test1.hosting.lsoft.com []    98
 Spam Relays [471] (top 20)
   example.org []         59
   []                     21
   mail.example.com []    12

Feedback/suggestions appreciated.  Additional code can
be posted to the pastebin thread, also.

PS: Statistics gathering would be much more reliable
and general if _all_ relevant events are logged with
MDLOG entries.  We plan to implement that change.
