Simscan/Logging
Latest revision as of 09:43, 16 January 2009
Wishlist
- Spam-Points on SPAM PASS or SPAM REJECT
- for viruses, the scanner that found the virus should be logged (trophie/sophie/clamav)
- More statistics
- Processing time?
- bytes?
- easy to process when generating statistics...
please comment...
Future logging proposal
simscan[PID]:REMOTEIP:RCPTS:TTP:MODULES:ACTION:ACTIONINFO
The idea is to have the first part (up to ACTION) stay the same and make the ACTIONINFO part dependent on the chosen action.
- PID
- The pid is the pid of the simscan process
- REMOTEIP
- The remoteip is the IP of the sender. Colons ":" are replaced by "," (IPv6), so the address does not clash with the ":" field separator. If this information is not available it is set to "(null)"
- RCPTS
- the recipients of the mail, separated by commas.
- TTP
- TimeToProcess, the time in seconds that simscan needed to process the message. 1.1234 is the format.
- MODULES
- lists the modules used to scan this message, separated by commas. Looks like: modulename(tts[,version][,info])
- modulename is the name of the scanning module
- tts is the time this module took to scan in seconds. 1.1234 is the format.
- version is the version of the module. only if available (--enable-received)
- info is additional info. for example the user for spamassassin
ACTIONS
PASS
We are in this state when the message passed through simscan without any problems
ACTIONINFO
PASS:pid
- pid
- pid of the qmail-queue used to pass the message on
Simscan configuration
used in all configurations
PASS SPAM
This state is entered when a message is considered spam by spamassassin, but we pass it on because spam_hits is set to a higher value.
ACTIONINFO
PASS SPAM:pid:spam-level:subject
- pid
- pid of the qmail-queue used to pass the message on
- spam-level
- spamassassin's spam-level
Simscan configuration
- --enable-spam-passthru=y
- --enable-spam=y
- value of spam-hits variable
- --enable-spam-hits=NUM
- per-domain spam_hits value
REJECT SPAM
State that shows that spam has been rejected.
ACTIONINFO
REJECT SPAM:spam-level
- spam-level
- spamassassin's spam-level for the message
Simscan configuration
- --enable-spam-passthru=n
and
- --enable-spam-passthru=n
or
- --enable-spam-passthru=y
- value of spam-hits variable < spam-level
- --enable-spam-hits=NUM
- per-domain spam_hits value
and NOT
- --enable-quarantinedir=
REJECT VIRUS
the message contained a virus.
ACTIONINFO
REJECT VIRUS:scanner:virusname
- scanner
- which scanner found the virus (clamav/trophie so far)
- virusname
- the name of the virus
Simscan configuration
one of
- --enable-clamav=y
- --enable-trophie-socket=y
and NOT
- --enable-quarantinedir=
REJECT ATTACH
The message contained a forbidden attachment and was blocked
ACTIONINFO
REJECT ATTACH:attachment-type:filename
- attachment-type
- the attachment-type entry that matched and caused the message to be blocked
- filename
- the filename in the message that was blocked
Simscan configuration
- --enable-attach=y
- and attachment in /etc/qmail/ssattach.cdb
or
- --enable-attach=y
- --enable-per-domain=y
- and attach= in /etc/qmail/simcontrol.cdb
REJECT REGEX
The mail was blocked because it matched a regular expression
ACTIONINFO
REJECT REGEX:regex-num:regex
- regex-num
- the regex-number that matched
- regex
- the matching regex itself
Simscan configuration
- --enable-regex=y
- --enable-per-domain=y
- and regex= in /etc/qmail/simcontrol.cdb
QUARANTINE ...
I need to look into the quarantining before deciding on the states
ACTIONINFO
Simscan configuration
DROP VIRUS
The email contained a virus and was silently dropped (BAD!)
ACTIONINFO
Analog to state: REJECT VIRUS
Simscan configuration
analog to state: REJECT VIRUS and
- --enable-dropmsg=y
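To check that the proposed format is actually "easy to process for statistics", here is a parser for it written as an added example; it is not part of simscan or of this wiki page. It splits the fixed part (PID, REMOTEIP, RCPTS, TTP, MODULES, ACTION) on ":", undoes the "," substitution in IPv6 addresses, parses the modulename(tts[,version][,info]) list, and then splits ACTIONINFO according to the action-specific field lists above, so that a subject line or a regex that itself contains ":" survives. The log lines, the field names in ACTIONINFO_FIELDS and the summarize() statistics are constructed for the example (the syslog prefix is omitted); the positional reading of version and info is an assumption, since the proposal does not say how a missing version is told apart from a present info.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from statistics import mean

# Constructed sample lines in the proposed format (not real simscan output;
# the syslog prefix is omitted).  The PASS SPAM subject and the REJECT REGEX
# pattern deliberately contain ':' to show that ACTIONINFO must be split per
# action and not on every colon.
SAMPLE_LOG = """\
simscan[1234]:192.0.2.10:alice@example.org:0.4321:clamav(0.1234,0.94.2),spamassassin(0.2345,3.2.5,alice@example.org):PASS:1235
simscan[1236]:2001,db8,,1:bob@example.org,carol@example.org:1.0123:spamassassin(0.9876,3.2.5,bob@example.org):PASS SPAM:1237:7.3:Re: cheap meds: now
simscan[1238]:198.51.100.7:dave@example.org:0.0456:clamav(0.0400,0.94.2):REJECT VIRUS:clamav:Eicar-Test-Signature
simscan[1240]:(null):erin@example.org:0.0100:attach(0.0050):REJECT ATTACH:.exe:invoice.exe
simscan[1242]:203.0.113.5:frank@example.org:0.0200:regex(0.0100):REJECT REGEX:3:^Subject:.*lottery
simscan[1244]:192.0.2.11:grace@example.org:0.6000:spamassassin(0.5000,3.2.5,grace@example.org):REJECT SPAM:12.1
"""

# ACTIONINFO layout per ACTION, taken from the proposal; the last field may
# contain ':' (subject text, regex text).  Field names are our own.
ACTIONINFO_FIELDS = {
    "PASS": ["pid"],
    "PASS SPAM": ["pid", "spam_level", "subject"],
    "REJECT SPAM": ["spam_level"],
    "REJECT VIRUS": ["scanner", "virusname"],
    "DROP VIRUS": ["scanner", "virusname"],        # "analog to REJECT VIRUS"
    "REJECT ATTACH": ["attachment_type", "filename"],
    "REJECT REGEX": ["regex_num", "regex"],
}

# modulename(tts[,version][,info]) entries; a comma-split would break on the
# commas inside the parentheses, so match each parenthesised group instead.
MODULE_RE = re.compile(r"([^,()]+)\(([^)]*)\)")


@dataclass
class Module:
    name: str
    tts: float
    version: str | None = None
    info: str | None = None


@dataclass
class Record:
    pid: int
    remote_ip: str
    rcpts: list[str]
    ttp: float
    modules: list[Module]
    action: str
    actioninfo: dict[str, str] = field(default_factory=dict)


def parse_modules(text: str) -> list[Module]:
    """Parse the MODULES field.  Assumption: the optional fields are positional
    (second = version, third = info), as the proposal lists them."""
    out = []
    for name, inner in MODULE_RE.findall(text):
        parts = inner.split(",")
        out.append(Module(name.strip(), float(parts[0]), *parts[1:3]))
    return out


def parse_line(line: str) -> Record:
    """Split the fixed part on ':' (at most 6 times) and hand the remainder to
    the action-specific field list."""
    parts = line.rstrip("\n").split(":", 6)
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
    head, ip, rcpts, ttp, modules, action, info = parts
    m = re.fullmatch(r"simscan\[(\d+)\]", head)
    if not m:
        raise ValueError(f"not a simscan line: {line!r}")
    names = ACTIONINFO_FIELDS.get(action)
    if names is None:
        raise ValueError(f"unknown action {action!r}")
    values = info.split(":", len(names) - 1)   # last field keeps its colons
    if len(values) != len(names):
        raise ValueError(f"{action}: expected {len(names)} ACTIONINFO fields, got {len(values)}")
    return Record(
        pid=int(m.group(1)),
        remote_ip=ip.replace(",", ":"),   # undo the IPv6 ':' -> ',' substitution; "(null)" is unchanged
        rcpts=rcpts.split(","),
        ttp=float(ttp),
        modules=parse_modules(modules),
        action=action,
        actioninfo=dict(zip(names, values)),
    )


def summarize(lines) -> dict:
    """Wishlist-style statistics: messages per action, mean TTP, mean scan time per module."""
    records = [parse_line(ln) for ln in lines if ln.startswith("simscan[")]
    per_action: dict[str, int] = {}
    per_module: dict[str, list[float]] = {}
    for r in records:
        per_action[r.action] = per_action.get(r.action, 0) + 1
        for mod in r.modules:
            per_module.setdefault(mod.name, []).append(mod.tts)
    return {
        "messages": len(records),
        "per_action": per_action,
        "mean_ttp": round(mean(r.ttp for r in records), 4) if records else 0.0,
        "mean_module_time": {k: round(mean(v), 4) for k, v in per_module.items()},
    }


if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LOG.splitlines()):
        print(rec.pid, rec.remote_ip, rec.action, rec.actioninfo)
    print(summarize(SAMPLE_LOG.splitlines()))
```

Because the parser rejects lines with an unknown ACTION or the wrong number of ACTIONINFO fields, it doubles as a check that the proposal's per-action layouts are consistent; the QUARANTINE states, which are still undecided above, would simply need an entry in ACTIONINFO_FIELDS once their ACTIONINFO is fixed.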