Simscan/Logging

Revision as of 10:10, 28 September 2005 (view source) Kbo (Talk | contribs) ← Older edit		Latest revision as of 09:43, 16 January 2009 (view source) 60.52.72.135 (Talk) (Deleted spam links)
(One intermediate revision by one user not shown)
Line 1:		Line 1:
−	== Current Logging in Simscan ==
−
−	Logging in simscan is to be defined here. Currently most logging lines look like this
−
−	simscan:[PID]:STATE:SUBJECT:SENDERIP:SENDERADDR:RCPTTOADDR
−
−	=== STATE ===
−	* VIRUS: virus
−	* VIRUS DROPPED: virus sliently dropped
−	* CLEAN: message passed spamassassin
−	* SPAM PASS: spam-level too low to bounce
−	* SPAM REJECT: spam-level high enough to bounce
−	* SPAM PASSTHRU: spam-level message but configured to pass through to user
−	* SPAM DROPPED: spam-level message sliently dropped
−	* REGEX: message matched a regex expression
−	* ATTACH: message matched an extension
−
−	=== SUBJECT ===
−	* State VIRUS, VIRUS DROPPED: Virus-Name
−	* State CLEAN, SPAM PASS, SPAM REJECT, SPAM PASSTHRU, SPAM DROPPED: Email subject
−	* State ATTACH: Attachment name
−	* State REGEX: Regex pattern number
−
−	=== SENDERIP ===
−	* IP of sender
−	* With IPv6 addresses the format is broken because : are used for the address
−
	== Wishlist ==		== Wishlist ==
	* Spam-Points on SPAM PASS or SPAM REJECT		* Spam-Points on SPAM PASS or SPAM REJECT

---

Latest revision as of 09:43, 16 January 2009

Contents 1 Wishlist 2 Future logging proposal 2.1 ACTIONS 2.1.1 PASS 2.1.1.1 ACTIONINFO 2.1.1.2 Simscan configuration 2.1.2 PASS SPAM 2.1.2.1 ACTIONINFO 2.1.2.2 Simscan configuration 2.1.3 REJECT SPAM 2.1.3.1 ACTIONINFO 2.1.3.2 Simscan configuration 2.1.4 REJECT VIRUS 2.1.4.1 ACTIONINFO 2.1.4.2 Simscan configuration 2.1.5 REJECT ATTACH 2.1.5.1 ACTIONINFO 2.1.5.2 Simscan configuration 2.1.6 REJECT REGEX 2.1.6.1 ACTIONINFO 2.1.6.2 Simscan configuration 2.1.7 QUARANTINE ... 2.1.7.1 ACTIONINFO 2.1.7.2 Simscan configuration 2.1.8 DROP VIRUS 2.1.8.1 ACTIONINFO 2.1.8.2 Simscan configuration 2.1.9 ACTION TMPL 2.1.9.1 ACTIONINFO 2.1.9.2 Simscan configuration

Wishlist

• Spam-Points on SPAM PASS or SPAM REJECT
• for virus, the scanner should be logged (trophie/sophie/clamav)
• More statistics
  • Processing time?
  • bytes?
• easy processing for statistics-generating...

please comment...

Future logging proposal

 simscan[PID]:REMOTEIP:RCPTS:TTP:MODULES:ACTION:ACTIONINFO

The idea is the have the first part (up to ACTION) stay the same and make the ACTIONINFO part dependent on the chosen action.

PID 

The pid is the pid of the simscan proccess

REMOTEIP 

The remoteip is the IP of the sender. Colons ":" get replaced by "," (ipv6). If this information is not available it is set to "(null)"

RCPTS 

the recipients of the mail, seperated by commas.

TTP 

TimeToProcess, is the time is seconds that simscan needed to process the message. 1.1234 is the format.

MODULES 

lists the modules used to scan this message, separated by commas. Looks like: modulename(tts[,version][,info])

• modulename is the name of the scanning module
• tts is the time this module took to scan in seconds. 1.1234 is the format.
• version is the version of the module. only if available (--enable-received)
• info is additional info. for example the user for spamassassin

ACTIONS

PASS

We are in this state when the message passed through simscan without any problems

ACTIONINFO

 PASS:pid

pid 

pid of the qmail-queue used to pass the message on

Simscan configuration

used in all configurations

PASS SPAM

This state is entered when a message is considered spam by spamassassin, but we pass it on because spam_hits is set to a higher value.

ACTIONINFO

 PASS SPAM:pid:spam-level:subject

pid 

pid of the qmail-queue used to pass the message on

spam-level 

spamassassins spam-level

Simscan configuration

• --enable-spam-passthru=y
• --enable-spam=y
• value of spam-hits variable
  • --enable-spam-hits=NUM
  • per-domain spam_hits value

REJECT SPAM

state that shows that spam has been rejected.

ACTIONINFO

 REJECT SPAM:spam-level

spam-level 

spamassassins spam-level for the message

Simscan configuration

• --enable-spam-passthru=n

and

• --enable-spam-passthru=n

or

• --enable-spam-passthru=y
• value of spam-hits variable < spam-level
  • --enable-spam-hits=NUM
  • per-domain spam_hits value

and NOT

• --enable-quarantinedir=

REJECT VIRUS

the message contained a virus.

ACTIONINFO

 REJECT VIRUS:scanner:virusname

scanner 

which scanner found the virus (clamav/trophie so far)

virusname 

the name of the virus

Simscan configuration

one of

• --enable-clamav=y
• --enable-trophie-socket=y

and NOT

• --enable-quarantinedir=

REJECT ATTACH

The message contained a forbidden attachment and was blocked

ACTIONINFO

 REJECT ATTACH:attachment-type:filename

attachment-type 

the match becaus it was blocked

filename 

the filename in the message that was blocked

Simscan configuration

• --enable-attach=y
• and attachment in /etc/qmail/ssattach.cdb

or

• --enable-attach=y
• --enable-per-domain=y
• and attach= in /etc/qmail/simcontrol.cdb

REJECT REGEX

The mail was blocked because it matched a regular expression

ACTIONINFO

 REJECT REGEX:regex-num:regex

regex-num 

the regex-number that matched

regex 

the matching regex itself

Simscan configuration

• --enable-regex=y
• --enable-per-domain=y
• and regex= in /etc/qmail/simcontrol.cdb

QUARANTINE ...

I need to look into the quarantining before deciding on the states

ACTIONINFO

Simscan configuration

DROP VIRUS

The email contained a virus and was silently dropped (BAD!)

ACTIONINFO

Analog to state: REJECT VIRUS

Simscan configuration

analog to state: REJECT VIRUS and

• --enable-dropmsg=y

ACTION TMPL

ACTIONINFO

Simscan configuration