[Mimedefang] logwatch support for mimedefang: first cut

Gary Funck gary at intrepid.com
Wed Sep 10 02:07:58 EDT 2008


Recently, I made a first cut at a logwatch script
that processes the sendmail log file, /var/log/maillog,
summarizing information logged by our mimedefang filter,
which is a hodge-podge of various suggestions and
contributions of filter code made to this list, and elsewhere.

The logwatch code is here:
  http://perl.pastebin.com/m176d9adb
(The URL will be good for a month, until 2008-10-08.)

Here's the documentation:

DESCRIPTION
       This logwatch script processes lines in a logfile that
       are in "maillog" format, as written by the "sendmail"
       program, and by "mimedefang".  These log lines must
       include, at a minimum, "MDLOG" lines that are typically
       processed by the "graphdefang" tool.

       This script also collects statistics on MDLOG
       lines written by greylisting extensions, derived
       from code developed by John Kirkland (see
       <http://www.bl.org/~jpk/md-greylist>).

       Further, a few additional lines in the logfile receive
       special handling:

       "RELAY: RELAY_IP RELAY_HOSTNAME"
           Extensions to "filter_relay" write the hostname
           and host IP address into the log file, along with
           the pid of the mimedefang process that is running the
           relay filter.

       "filter_relay said ACCEPT_AND_NO_MORE_FILTERING"
           The pid on this line must match the pid of a
           previously written "RELAY" line.  It is assumed
           that if this line appears in the logfile,
           "filter_relay" has accepted delivery of the
           message based only on the relay's IP address.
           This relay will be tabulated as a "trusted host".

       "filter_recipient said ACCEPT_AND_NO_MORE_FILTERING"
           It is assumed that this line appears in the log when
           "filter_recipient" has determined that the sender
           was authenticated; the authenticated sender count
           is incremented.

       Virus-related statistics are also tabulated for
       "MDLOG" lines written when a virus is detected.
       Special handling is implemented for "CLAMAV" virus names
       identified by the SANE Security email virus scanning
       extensions (see <http://www.sanesecurity.co.uk/>).
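The following is an added example, not the logwatch script from the pastebin, showing how the rules in the DESCRIPTION above can be applied to maillog lines: RELAY lines are remembered per pid, a "filter_relay said ACCEPT_AND_NO_MORE_FILTERING" line is only credited as a trusted host when its pid matches a prior RELAY line, "filter_recipient said ..." increments the authenticated-sender count, and MDLOG events are split into mail and greylist counters. The MDLOG field layout (MDLOG,queue-id,event,arg1,arg2,sender,recipient,subject), the treatment of "grey_*" and "reset" as greylist events, and the collapsing of Sanesecurity "Email.<family>.<sig>" virus names to their family are assumptions based on the sample report, and the log lines are constructed.

```python
import re
from collections import Counter

# Syslog prefix as written by sendmail/mimedefang:
#   "Sep 10 01:00:01 mx mimedefang.pl[1234]: <message>"
SYSLOG_RE = re.compile(
    r'^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(?P<prog>[^\[:\s]+)'
    r'(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$'
)
# "RELAY: RELAY_IP RELAY_HOSTNAME", the line format described in the post
RELAY_RE = re.compile(r'^RELAY:\s+(?P<ip>\S+)\s+(?P<host>\S+)')
# Assumption: Sanesecurity names such as "Email.Spam.Gen-123" are collapsed
# to their family ("Email.Spam"), which is how the sample report groups them.
SANE_RE = re.compile(r'^(Email\.[A-Za-z]+)\.')


def parse_maillog(lines):
    """Tabulate the events described in the DESCRIPTION section."""
    stats = {
        'mail': Counter(),       # mail_in / spam / virus ...
        'greylist': Counter(),   # grey_new / grey_white / reset / ...
        'trusted': Counter(),    # "host [ip]" accepted outright by filter_relay
        'authenticated': 0,      # filter_recipient accepted an authenticated sender
        'virus': Counter(),      # virus name (Sanesecurity names collapsed)
    }
    # Most recent RELAY line seen for each mimedefang pid. An
    # ACCEPT_AND_NO_MORE_FILTERING line only counts if its pid matches.
    pending_relay = {}

    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog-format line; ignore it
        pid, msg = m.group('pid'), m.group('msg')

        r = RELAY_RE.match(msg)
        if r:
            pending_relay[pid] = f"{r.group('host')} [{r.group('ip')}]"
        elif msg.startswith('filter_relay said ACCEPT_AND_NO_MORE_FILTERING'):
            relay = pending_relay.pop(pid, None)
            if relay is not None:       # unmatched pid: nothing to attribute
                stats['trusted'][relay] += 1
        elif msg.startswith('filter_recipient said ACCEPT_AND_NO_MORE_FILTERING'):
            stats['authenticated'] += 1
        elif msg.startswith('MDLOG,'):
            # Assumed layout: MDLOG,<queue-id>,<event>,<arg1>,<arg2>,<sender>,<recipient>,<subject>
            fields = msg.split(',')
            if len(fields) < 3:
                continue
            event = fields[2]
            arg1 = fields[3] if len(fields) > 3 else ''
            if event.startswith('grey_') or event == 'reset':
                stats['greylist'][event] += 1
            else:
                stats['mail'][event] += 1
                if event == 'virus' and arg1:
                    sane = SANE_RE.match(arg1)
                    stats['virus'][sane.group(1) if sane else arg1] += 1
    return stats


def render_report(stats):
    """Render the counters in the same shape as the sample report."""
    out = []
    for title, key in (('Mail events', 'mail'), ('Greylist events', 'greylist'),
                       ('Trusted relays', 'trusted'), ('Virus hits', 'virus')):
        out.append(title)
        width = max((len(k) for k in stats[key]), default=0)
        for name, count in stats[key].most_common():
            out.append(f"{name:<{width}} {count:>5}")
        out.append('')
    out.append(f"Authenticated senders: {stats['authenticated']}")
    return '\n'.join(out)


# Constructed sample log lines (not taken from a real maillog).
SAMPLE_LOG = [
    "Sep 10 01:00:01 mx mimedefang.pl[1234]: RELAY: 10.10.1.2 host1.local",
    "Sep 10 01:00:01 mx mimedefang.pl[1234]: filter_relay said ACCEPT_AND_NO_MORE_FILTERING",
    "Sep 10 01:00:02 mx mimedefang.pl[1235]: RELAY: 192.168.2.1 example.org",
    "Sep 10 01:00:03 mx mimedefang.pl[1235]: MDLOG,m8A500001,mail_in,,,<a@example.org>,<b@example.com>,hello",
    "Sep 10 01:00:04 mx mimedefang.pl[1235]: MDLOG,m8A500001,spam,12.3,,<a@example.org>,<b@example.com>,hello",
    # pid 1236 never logged a RELAY line, so this must not count as a trusted host
    "Sep 10 01:00:05 mx mimedefang.pl[1236]: filter_relay said ACCEPT_AND_NO_MORE_FILTERING",
    "Sep 10 01:00:06 mx mimedefang.pl[1237]: filter_recipient said ACCEPT_AND_NO_MORE_FILTERING",
    "Sep 10 01:00:07 mx mimedefang.pl[1238]: MDLOG,m8A500002,virus,Email.Spam.Gen-123,,<c@example.net>,<b@example.com>,cheap loans",
    "Sep 10 01:00:08 mx mimedefang.pl[1238]: MDLOG,m8A500002,grey_new,,,<c@example.net>,<b@example.com>,cheap loans",
    "Sep 10 01:00:09 mx sendmail[2000]: m8A500001: to=<b@example.com>, delay=00:00:01, stat=Sent",
    "not a syslog line at all",
    "Sep 10 01:00:10 mx mimedefang.pl[1239]: MDLOG,m8A500003,virus,Eicar-Test-Signature,,<d@example.net>,<b@example.com>,test",
]

if __name__ == '__main__':
    print(render_report(parse_maillog(SAMPLE_LOG)))
```

Run it as-is to see the report for the constructed lines; to run it against a real maillog, replace SAMPLE_LOG with the file's lines. The per-pid lookup is what keeps the trusted-host count honest: a stray ACCEPT line with no preceding RELAY line under the same pid is dropped rather than attributed to whichever relay was logged last.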

To try it out, install the three files listed in the
pastebin text, and then try something like:

  $ logwatch --print --service mimedefang --range today

An example report follows:

 Mail events
 mail_in 1418
 spam     470
 virus      1
 
 Greylist events
 grey_new   4343
 grey_white  973
 reset       279
 grey_black   78
 grey_old     73
 
 Trusted relays
 host1.local [10.10.1.2]           38
 localhost.localdomain [127.0.0.1]  2
 host2.local [10.10.1.7]            1
 
 Authenticated senders: 40
 
 Virus hits
 Email.Spam     115
 Email.Loan      25
 Email.Malware   22
[...]
 
 Relays [6545] (top 20)
 example.org [192.168.2.1]              958
 sourceware.org [209.132.176.174]       341
 test1.hosting.lsoft.com [209.119.0.36]  98
[...]
 
 Spam Relays [471] (top 20)
 example.org [192.168.2.1]      59
 [192.168.2.2]                  21
 mail.example.com [192.168.2.3] 12
[...]

Feedback/suggestions appreciated.  Additional code can
be posted to the pastebin thread, also.

PS: Statistics gathering would be much more reliable
and general if _all_ relevant events are logged with
MDLOG entries.  We plan to implement that change.
