Simscan/Logging

From Qmailwiki
Current Logging in Simscan

Logging in simscan is to be defined here. Currently most log lines look like this:

 simscan:[PID]:STATE:SUBJECT:SENDERIP:SENDERADDR:RCPTTOADDR

STATE

  • CLEAN: message passed
  • VIRUS: a virus was found
  • SPAM PASS: spam level too low to bounce
  • SPAM REJECT: spam level high enough to bounce

SUBJECT

  • State VIRUS: the virus name

SENDERIP

  • IP address of the sender
  • With IPv6 addresses the format breaks, because ":" is both the field separator and part of the address
 
Latest revision as of 08:43, 16 January 2009


Wishlist

  • Spam-Points on SPAM PASS or SPAM REJECT
  • for virus, the scanner should be logged (trophie/sophie/clamav)
  • More statistics
    • Processing time?
    • bytes?
  • easy processing for statistics-generating...

please comment...

Future logging proposal

 simscan[PID]:REMOTEIP:RCPTS:TTP:MODULES:ACTION:ACTIONINFO

The idea is to have the first part (up to ACTION) stay the same and make the ACTIONINFO part dependent on the chosen action.

PID: the PID of the simscan process.
REMOTEIP: the IP address of the sender. Colons (":") are replaced by commas (",") so that IPv6 addresses do not collide with the field separator. If this information is not available it is set to "(null)".
RCPTS: the recipients of the mail, separated by commas.
TTP: TimeToProcess, the time in seconds that simscan needed to process the message, in the format 1.1234.
MODULES: lists the modules used to scan this message, separated by commas. Each entry looks like modulename(tts[,version][,info]):
  • modulename is the name of the scanning module
  • tts is the time this module took to scan, in seconds, in the format 1.1234
  • version is the version of the module, only if available (--enable-received)
  • info is additional info, for example the user for spamassassin

ACTIONS

PASS

We are in this state when the message passed through simscan without any problems.

ACTIONINFO
 PASS:pid
pid: PID of the qmail-queue process used to pass the message on
Simscan configuration

used in all configurations

PASS SPAM

This state is entered when a message is considered spam by spamassassin, but we pass it on because spam_hits is set to a higher value.

ACTIONINFO
 PASS SPAM:pid:spam-level:subject
pid: PID of the qmail-queue process used to pass the message on
spam-level: SpamAssassin's spam level for the message
Simscan configuration
  • --enable-spam-passthru=y
  • --enable-spam=y
  • value of spam-hits variable
    • --enable-spam-hits=NUM
    • per-domain spam_hits value

REJECT SPAM

The message was classified as spam and rejected.

ACTIONINFO
 REJECT SPAM:spam-level
spam-level: SpamAssassin's spam level for the message
Simscan configuration
  • --enable-spam-passthru=n

and

  • --enable-spam-passthru=n

or

  • --enable-spam-passthru=y
  • value of spam-hits variable < spam-level
    • --enable-spam-hits=NUM
    • per-domain spam_hits value

and NOT

  • --enable-quarantinedir=


REJECT VIRUS

The message contained a virus and was rejected.

ACTIONINFO
 REJECT VIRUS:scanner:virusname
scanner: which scanner found the virus (clamav/trophie so far)
virusname: the name of the virus
Simscan configuration

one of

  • --enable-clamav=y
  • --enable-trophie-socket=y

and NOT

  • --enable-quarantinedir=

REJECT ATTACH

The message contained a forbidden attachment and was blocked.

ACTIONINFO
 REJECT ATTACH:attachment-type:filename
attachment-type: the attachment-type entry that matched and caused the block
filename: the filename in the message that was blocked
Simscan configuration
  • --enable-attach=y
  • and attachment in /etc/qmail/ssattach.cdb

or

  • --enable-attach=y
  • --enable-per-domain=y
  • and attach= in /etc/qmail/simcontrol.cdb


REJECT REGEX

The mail was blocked because it matched a regular expression.

ACTIONINFO
 REJECT REGEX:regex-num:regex
regex-num: the number of the regex that matched
regex: the matching regex itself
Simscan configuration
  • --enable-regex=y
  • --enable-per-domain=y
  • and regex= in /etc/qmail/simcontrol.cdb

QUARANTINE ...

I need to look into the quarantining before deciding on the states

ACTIONINFO
Simscan configuration

DROP VIRUS

The email contained a virus and was silently dropped (BAD!)

ACTIONINFO

Analogous to state REJECT VIRUS.

Simscan configuration

Analogous to state REJECT VIRUS, and

  • --enable-dropmsg=y

ACTION TMPL

ACTIONINFO
Simscan configuration
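The proposed format above, parsed the way a log pipeline would ingest it for statistics or alerting. This is an added example, not code from the simscan project; it assumes that the ACTIONINFO line shown for each state is the tail of the log line starting at ACTION, and the sample lines are constructed.

```python
import re

# ACTION names from the proposal, longest first so "PASS SPAM" matches before "PASS".
# The last ACTIONINFO field absorbs any further ':' (a regex or subject may contain colons).
ACTIONINFO_FIELDS = {
    "REJECT ATTACH": ["attachment-type", "filename"],
    "REJECT REGEX": ["regex-num", "regex"],
    "REJECT VIRUS": ["scanner", "virusname"],
    "REJECT SPAM": ["spam-level"],
    "PASS SPAM": ["pid", "spam-level", "subject"],
    "DROP VIRUS": ["scanner", "virusname"],
    "PASS": ["pid"],
}
_MODULE_RE = re.compile(r"(\w+)\(([^)]*)\)")  # modulename(tts[,version][,info])

# Constructed sample lines, not real simscan output (IPv6 in comma form, ':' inside a regex).
SAMPLE_LINES = [
    "simscan[12345]:192.0.2.10:alice@example.com,bob@example.com:0.4321:"
    "clamav(0.2100,1.2.3),spamassassin(0.2000,3.2.5,alice):PASS:12399",
    "simscan[12346]:2001,db8,,1:carol@example.com:1.2000:spamassassin(1.1500,3.2.5,carol):REJECT SPAM:9.7",
    "simscan[12347]:(null):dave@example.com:0.1000:clamav(0.0500):REJECT REGEX:3:^Subject: .*lottery",
]

def parse_modules(field):
    """Each MODULES entry is modulename(tts[,version][,info]); pad the optional parts."""
    mods = []
    for name, inner in _MODULE_RE.findall(field):
        tts, version, info = (inner.split(",") + [None, None])[:3]
        mods.append({"module": name, "tts": float(tts), "version": version, "info": info})
    return mods

def parse_remoteip(field):  # '(null)' when unknown; IPv6 colons are written as commas
    return None if field == "(null)" else field.replace(",", ":")

def parse_simscan_line(line):
    # The first five fields never contain ':' (PID, comma-form IP, addresses, float,
    # modules), so a bounded split leaves ACTION:ACTIONINFO whole in the remainder.
    head, remoteip, rcpts, ttp, modules, rest = line.split(":", 5)
    m = re.fullmatch(r"simscan\[(\d+)\]", head)
    action = next((a for a in ACTIONINFO_FIELDS if rest.startswith(a + ":")), None)
    if not m or action is None:
        raise ValueError(f"malformed simscan line: {line!r}")
    names = ACTIONINFO_FIELDS[action]
    values = rest[len(action) + 1:].split(":", len(names) - 1)
    if len(values) != len(names):
        raise ValueError(f"{action}: expected fields {names}, got {values}")
    return {"pid": int(m.group(1)), "remoteip": parse_remoteip(remoteip),
            "rcpts": rcpts.split(","), "ttp": float(ttp), "modules": parse_modules(modules),
            "action": action, "actioninfo": dict(zip(names, values))}
```

Lines with fewer than five separators or an unknown ACTION raise ValueError, so a pipeline can count them separately instead of silently misattributing fields.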