[Mimedefang] logwatch support for mimedefang: first cut
Gary Funck
gary at intrepid.com
Wed Sep 10 02:07:58 EDT 2008
Recently, I made a first cut at a logwatch script
that processes the sendmail log file, /var/log/maillog,
summarizing information logged by our mimedefang filter,
which is a hodge-podge of various suggestions and
contributions of filter code made to this list, and elsewhere.
The logwatch code is here:
http://perl.pastebin.com/m176d9adb
(The URL will be good for a month, until 2008-10-08.)
Here's the documentation:
DESCRIPTION
This logwatch script processes lines in a logfile that
are in "maillog" format, as written by the "sendmail"
program, and by "mimedefang". These log lines must
include, at a minimum, "MDLOG" lines that are typically
processed by the "graphdefang" tool.
This script also collects statistics on MDLOG
lines written by greylisting extensions, derived
from code developed by John Kirkland (see
<http://www.bl.org/~jpk/md-greylist>).
Further, a few additional lines in the logfile receive
special handling:
"RELAY: RELAY_IP RELAY_HOSTNAME"
Extensions to "filter_relay" write the hostname
and host IP address into the log file, along with
the pid of the mimedefang process that is running the
relay filter.
"filter_relay said ACCEPT_AND_NO_MORE_FILTERING"
The pid on this line must match the pid of a
previously written "RELAY" line. It is assumed
that if this line appears in the logfile,
"filter_relay" has accepted delivery of the
message based only on the relay's IP address.
This relay will be tabulated as a "trusted host".
"filter_recipient said ACCEPT_AND_NO_MORE_FILTERING"
It is assumed that this line appears in the log when
"filter_recipient" has determined that the sender
was authenticated; the authenticated sender count
is incremented.
Virus-related statistics are also tabulated for
"MDLOG" lines written when a virus is detected.
Special handling is implemented for "CLAMAV" virus names
identified by the SANE Security email virus scanning
extensions (see <http://www.sanesecurity.co.uk/>).
To try it out, install the three files listed in the
pastebin text, and then try something like:
$ logwatch --print --service mimedefang --range today
An example report follows:
Mail events
mail_in 1418
spam 470
virus 1
Greylist events
grey_new 4343
grey_white 973
reset 279
grey_black 78
grey_old 73
Trusted relays
host1.local [10.10.1.2] 38
localhost.localdomain [127.0.0.1] 2
host2.local [10.10.1.7] 1
Authenticated senders: 40
Virus hits
Email.Spam 115
Email.Loan 25
Email.Malware 22
[...]
Relays [6545] (top 20)
example.org [192.168.2.1] 958
sourceware.org [209.132.176.174] 341
test1.hosting.lsoft.com [209.119.0.36] 98
[...]
Spam Relays [471] (top 20)
example.org [192.168.2.1] 59
[192.168.2.2] 21
mail.example.com [192.168.2.3] 12
[...]
Feedback/suggestions appreciated. Additional code can
be posted to the pastebin thread, also.
PS: Statistics gathering would be much more reliable
and general if _all_ relevant events are logged with
MDLOG entries. We plan to implement that change.
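The line handling described in the DESCRIPTION above (MDLOG event counting, RELAY/ACCEPT correlation by pid, authenticated-sender counting, grouping of SaneSecurity virus names), as an added Python example that is not the author's logwatch script from the pastebin. The syslog prefix, the graphdefang MDLOG field order (event in the third field, virus name in value1), the exact "RELAY: ip hostname" text, the "Email.*" naming convention, and the sample log lines are assumptions; the sample lines are constructed for the example. ACCEPT lines are matched to RELAY lines by pid alone, as the post describes, and each match is consumed so a later process reusing that pid cannot inherit a stale RELAY entry; ACCEPT lines with no matching RELAY are counted separately, since that is exactly the kind of gap the PS about logging everything via MDLOG would close.

```python
"""Tabulate mimedefang events from sendmail maillog lines (added example,
not the post's logwatch script).  Assumed: syslog prefix
"Mon DD HH:MM:SS host prog[pid]: msg"; graphdefang-style
"MDLOG,<queue-id>,<event>,<value1>,<value2>,<subject>,<sender>,<recipient>"
with value1 holding the virus name for "virus" events; filter_relay
extension lines "RELAY: <ip> <hostname>" followed by
"filter_relay said ACCEPT_AND_NO_MORE_FILTERING" under the same pid."""
import re
from collections import Counter

SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')
RELAY_RE = re.compile(r'^RELAY: (?P<ip>\S+)(?: (?P<name>\S+))?$')

# Event names as they appear in the post's sample report.
MAIL_EVENTS = ('mail_in', 'spam', 'virus')
GREY_EVENTS = ('grey_new', 'grey_white', 'grey_black', 'grey_old', 'reset')
RELAY_ACCEPT = 'filter_relay said ACCEPT_AND_NO_MORE_FILTERING'
RCPT_ACCEPT = 'filter_recipient said ACCEPT_AND_NO_MORE_FILTERING'


def parse_mdlog(msg):
    """Return (event, value1) from an MDLOG line, else None.  The subject
    field may itself contain commas, so split only past the fixed fields."""
    if not msg.startswith('MDLOG,'):
        return None
    fields = msg.split(',', 5)
    return (fields[2], fields[3]) if len(fields) >= 4 else None


def virus_family(name):
    """Collapse SaneSecurity-style names ("Email.Spam.Gen7-SaneSecurity")
    to two components ("Email.Spam"), as the post's report shows.  The
    "Email." prefix convention is an assumption; other names pass through."""
    parts = name.split('.')
    return '.'.join(parts[:2]) if parts[0] == 'Email' and len(parts) > 1 else name


def summarize(lines):
    stats = {'mail': Counter(), 'grey': Counter(), 'virus': Counter(),
             'trusted': Counter(), 'authenticated': 0,
             'unmatched_accepts': 0, 'unparsed': 0}
    pending = {}  # pid -> "hostname [ip]" from a RELAY line awaiting its ACCEPT
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            stats['unparsed'] += 1
            continue
        pid, msg = m.group('pid'), m.group('msg')
        ev = parse_mdlog(msg)
        if ev:
            event, value1 = ev
            if event in MAIL_EVENTS:
                stats['mail'][event] += 1
            elif event in GREY_EVENTS:
                stats['grey'][event] += 1
            if event == 'virus' and value1:
                stats['virus'][virus_family(value1)] += 1
            continue
        r = RELAY_RE.match(msg)
        if r and pid:
            pending[pid] = f"{r.group('name') or ''} [{r.group('ip')}]".strip()
        elif msg == RELAY_ACCEPT:
            # Match on pid only, as the post describes; pop() so a reused pid
            # cannot be credited with an earlier process's RELAY line.
            relay = pending.pop(pid, None)
            if relay is None:
                stats['unmatched_accepts'] += 1
            else:
                stats['trusted'][relay] += 1
        elif msg == RCPT_ACCEPT:
            stats['authenticated'] += 1
    return stats


def render(stats):
    """Plain-text report in the shape of the one in the post."""
    def section(title, counter):
        return [title] + [f'    {k:<40} {n:>6}' for k, n in counter.most_common()]
    out = section('Mail events', stats['mail'])
    out += section('Greylist events', stats['grey'])
    out += section('Trusted relays', stats['trusted'])
    out.append(f"Authenticated senders: {stats['authenticated']}")
    out += section('Virus hits', stats['virus'])
    out.append(f"Unmatched filter_relay ACCEPTs: {stats['unmatched_accepts']}")
    return '\n'.join(out)


# Constructed sample maillog (addresses are documentation/private ranges).
SAMPLE_LOG = """\
Sep 10 01:00:01 mx mimedefang.pl[4101]: MDLOG,m8A50019C004101,mail_in,,,Hello,<alice@example.org>,<bob@example.com>
Sep 10 01:00:02 mx mimedefang.pl[4101]: MDLOG,m8A50029C004101,spam,12.4,192.0.2.10,Cheap meds,<x@example.net>,<bob@example.com>
Sep 10 01:00:03 mx mimedefang.pl[4102]: MDLOG,m8A50039C004102,virus,Email.Spam.Gen7-SaneSecurity,192.0.2.11,Invoice,<y@example.net>,<bob@example.com>
Sep 10 01:00:04 mx mimedefang.pl[4102]: MDLOG,m8A50049C004102,grey_new,192.0.2.12,,,,<z@example.net>,<bob@example.com>
Sep 10 01:00:05 mx mimedefang.pl[4103]: RELAY: 10.10.1.2 host1.local
Sep 10 01:00:05 mx mimedefang.pl[4103]: filter_relay said ACCEPT_AND_NO_MORE_FILTERING
Sep 10 01:00:06 mx mimedefang.pl[4104]: RELAY: 192.0.2.20 mail.example.net
Sep 10 01:00:06 mx mimedefang.pl[4104]: MDLOG,m8A50069C004104,mail_in,,,Hi,<c@example.net>,<bob@example.com>
Sep 10 01:00:07 mx mimedefang.pl[4105]: filter_recipient said ACCEPT_AND_NO_MORE_FILTERING
Sep 10 01:00:08 mx mimedefang.pl[4106]: filter_relay said ACCEPT_AND_NO_MORE_FILTERING
Sep 10 01:00:09 mx sendmail[4200]: m8A50079C004200: from=<alice@example.org>, size=1234, class=0
"""

if __name__ == '__main__':
    print(render(summarize(SAMPLE_LOG.splitlines())))
```

Run it as-is to see the report for the constructed sample; on a real system feed it `/var/log/maillog` instead. Note that the pid correlation is only as good as the log ordering: if syslog drops or reorders lines, a RELAY entry is left pending and its ACCEPT shows up in the unmatched count rather than being silently misattributed.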