- Had to tweak the SA (SpamAssassin) ruleset for LogWatch, specifically:

header TONNS_LOGWATCH Subject =~ /^LogWatch for /
score TONNS_LOGWATCH -20.0

Eventually, it should be a real whitelist entry, but since this is a dry-run, I'll just leave it at this.

- The LogWatch amavisd script is out-of-sync with the logs that amavisd generates. This fixed things:
# pwd
/etc/log.d/scripts
# diff -u services.orig/amavis services/amavis
--- services.orig/amavis 2005-08-22 21:16:47.000000000 -0400
+++ services/amavis 2006-11-10 11:01:50.000000000 -0500
@@ -60,7 +60,7 @@
or ($ThisLine =~ /^cached [a-zA-Z0-9]+ /)
or ($ThisLine =~ /^starting. amavisd at/) ) {
# We don't care about these
- } elsif ($ThisLine =~ /^Passed, /) {
+ } elsif ($ThisLine =~ /^Passed CLEAN, /) {
$CleanMsgs++;
} elsif (($FileName, $From) = ( $ThisLine =~ /^BANNED name\/type \(([^\)]+)\)\, \<([^\>]*)\>/ )) {
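Review bot: Replacing `^Passed, ` with `^Passed CLEAN, ` in this elsif drops the old pattern entirely, so any log written in the earlier amavisd format (or older rotated logs fed to the same script) will no longer be counted in `$CleanMsgs` and will fall through to whatever the script reports as unmatched; making the keyword optional, `/^Passed(?: CLEAN)?, /`, keeps both formats counted in one branch.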
@@ -82,7 +82,18 @@
$Viruses{$Virus}{$From}++;
}; # if
- } elsif (($Fromspam, $Towards) = ( $ThisLine =~ /^SPAM, [\(\<]([^\>\)]+)[\)\>] -\> [\(\<]([^\>\)]+)[\)\>]/ )) {
+ } elsif (($Fromspam, $Towards) = ( $ThisLine =~ /^Passed SPAM, \[[\d\.]+\] \[[\d\.]+\] [\(\<]([^\>\)]+)[\)\>] -\> [\(\<]([^\>\)]+)[\)\>]/ )) {
+ $SpamMsgs++;
+
+ if ($Detail >= 5) {
+ $Spamtypes{$Towards}++;
+ }; # if
+
+ if ($Detail >= 10) {
+ $Spams{$Towards}{$Fromspam}++;
+ }; # if
+
+ } elsif (($Fromspam, $Towards) = ( $ThisLine =~ /^Passed SPAM, [\(\<]([^\>\)]+)[\)\>] -\> [\(\<]([^\>\)]+)[\)\>]/ )) {
$SpamMsgs++;
if ($Detail >= 5) {
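Review bot: The new `^Passed SPAM, \[[\d\.]+\] \[[\d\.]+\]` branch duplicates the whole body of the retained branch right below it (`$SpamMsgs++`, the `$Detail >= 5` and `$Detail >= 10` blocks), so every later change has to be made twice; folding the two bracketed relay fields into one optional group on the existing regex, `(?:\[[\d\.]+\] \[[\d\.]+\] )?`, keeps a single branch. Also, `[\d\.]+` only admits IPv4 literals, so a line carrying an IPv6 address in those brackets matches neither branch and goes uncounted. The hunk header promises 18 new-file lines but the quoted text stops at `if ($Detail >= 5) {`, so the trailing context lines have been cut off.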
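To show the format drift the post describes, here is an added Python reimplementation of the matching logic (not code from the post or from the LogWatch amavis script) run over constructed log lines with the syslog prefix already stripped; it goes a little beyond the patch by folding the bracketed relay fields into one optional group and accepting IPv6 literals, and it keeps an unmatched bucket so a future format change shows up instead of silently dropping counts.

```python
import re
from collections import Counter

# Constructed sample lines in the shape the LogWatch amavis script sees them
# (syslog prefix and amavisd task id already removed). Old-style "Passed, " and
# "Passed SPAM, <f> -> <t>" lines sit beside newer "Passed CLEAN, [ip] [ip] ..."
# lines, plus one "Blocked SPAM" line that none of the patched branches handle.
SAMPLE_LINES = [
    "Passed, <old@example.org> -> <me@example.net>, Hits: -1.1",
    "Passed CLEAN, [192.0.2.10] [192.0.2.10] <new@example.org> -> <me@example.net>, Hits: -2.0",
    "Passed SPAM, <spam@example.com> -> <me@example.net>, Hits: 12.3",
    "Passed SPAM, [198.51.100.7] [198.51.100.7] <spam2@example.com> -> <me@example.net>, Hits: 9.8",
    "Passed SPAM, [2001:db8::1] [2001:db8::1] <spam3@example.com> -> <me@example.net>, Hits: 7.0",
    "Blocked SPAM, [203.0.113.5] [203.0.113.5] <blk@example.com> -> <me@example.net>, Hits: 30.1",
]

# Optional relay fields as in the patch's new branch, but any non-']' run is
# accepted so IPv6 literals do not fall through unmatched.
RELAY = r"(?:\[[^\]]+\] \[[^\]]+\] )?"
# Sender/recipient in <...> or (...), the same alternation the patch uses.
ADDR = r"[(<]([^>)]+)[)>]"

CLEAN_RE = re.compile(r"^Passed(?: CLEAN)?, ")            # old and new clean lines
SPAM_RE = re.compile(r"^Passed SPAM, " + RELAY + ADDR + r" -> " + ADDR)


def summarize(lines):
    """Count clean and spam lines, tally spam sender->recipient pairs,
    and collect every line no rule matched (the drift indicator)."""
    clean = spam = 0
    spam_pairs = Counter()
    unmatched = []
    for line in lines:
        m = SPAM_RE.match(line)
        if m:
            spam += 1
            spam_pairs[(m.group(1), m.group(2))] += 1
        elif CLEAN_RE.match(line):
            clean += 1
        else:
            unmatched.append(line)
    return {"clean": clean, "spam": spam, "spam_pairs": spam_pairs, "unmatched": unmatched}


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    print(f"clean={report['clean']} spam={report['spam']}")
    for (frm, to), n in report["spam_pairs"].items():
        print(f"  spam {frm} -> {to}: {n}")
    for line in report["unmatched"]:
        print(f"UNMATCHED: {line}")
```

A non-empty unmatched list on a real log is the signal that amavisd's log format and the LogWatch script have drifted apart again.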
2006-11-10
Tweaking the anti-spam setup