Mark Martinec wrote:

Matt,

I'm using amavis-stats to get a nice graph of all mails....
Probably it isn't able to distinguish like that...
That's why I'd love to get rid of the banned logs if a virus is found.
Or in other words: if the virus check doesn't find anything, THEN do
banned checks.. That would be the best for me.. But I guess it isn't
possible to 'reorder' those things easily?
I don't really know to what you are referring.

Here is an example from my log (2.3.3)
for a message, that was both infected and had a banned content:

amavis[3635]: (03635-07) Blocked INFECTED (W32/Netsky-Q),
[...] [...] <...> -> <...>, quarantine: virus/5/59g3j+78tdeQ,
Message-ID: <[EMAIL PROTECTED]>, mail_id: 59g3j+78tdeQ,
It only says INFECTED, it doesn't mention banned (although at higher log level
it is evident that banned was triggered too). Fix the log analyzer.
Well it depends on the virus of course.... For example mytob uses a scheme which triggers banning as well....

Dec 8 23:08:27 www.mindblow.ch /usr/sbin/amavisd[3599]: (03599-06) p.path BANNED:1 [EMAIL PROTECTED]: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/octet-stream,T=zip,N=readme.zip | P=p004,L=1/2/1,T=exe,N=readme.doc .scr", matching_key="(?i-xsm:\\.[^./]*[A-Za-z][^./]*\\.(exe|vbs|pif|lnk|scr|bat|cmd|com|cpl|dll)\\.?$)"
Dec 8 23:08:27 www.mindblow.ch /usr/sbin/amavisd[3599]: (03599-06) Blocked INFECTED (Worm.Mytob.CV), [x.x.x.x] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, quarantine: virus/virus-20051208-230827-03599-06.gz, Message-ID: <[EMAIL PROTECTED]>, mail_id: ZegWCdHVJFHZ, Hits: -, 425 ms

I noticed there seem to be two different kinds of BANNED...
p.path BANNED
Blocked BANNED

Might it be that p.path suggests this is like a supplemental result that was encountered on the final path or something like that? It appears the p.path BANNED only appears when a virus was triggered afterwards... ?

Thanks for your help

Matt
I'm now also trying to lower my log level from 2 to 1, maybe that helps too.. I'll see.
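As an added illustration (not part of this thread, amavis-stats or amavisd itself), here is a small summariser that groups amavisd lines by task id and counts only the final "Blocked"/"Passed" verdict per message, recording a preceding "p.path BANNED" line as supplemental rather than as a second verdict. The sample lines are constructed after the format quoted above; hosts, addresses and ids are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log modelled on the amavisd 2.3.x lines quoted in the
# thread. Task 03599-06 is both banned (p.path) and infected, 03599-07 is
# banned only, 03599-08 is clean. All identifiers are placeholders.
SAMPLE_LOG = r"""
Dec 8 23:08:27 mx.example.invalid /usr/sbin/amavisd[3599]: (03599-06) p.path BANNED:1 user@example.invalid: "P=p003,L=1,M=multipart/mixed | P=p004,L=1/2/1,T=exe,N=readme.doc .scr", matching_key="(?i-xsm:\\.[^./]*[A-Za-z][^./]*\\.(exe|scr)\\.?$)"
Dec 8 23:08:27 mx.example.invalid /usr/sbin/amavisd[3599]: (03599-06) Blocked INFECTED (Worm.Mytob.CV), [192.0.2.10] <a@example.invalid> -> <b@example.invalid>, quarantine: virus/virus-20051208-230827-03599-06.gz, mail_id: ZegWCdHVJFHZ, Hits: -, 425 ms
Dec 8 23:09:01 mx.example.invalid /usr/sbin/amavisd[3599]: (03599-07) p.path BANNED:1 user@example.invalid: "P=p002,L=1/2,M=application/octet-stream,T=exe,N=setup.exe", matching_key="(?i-xsm:\\.exe$)"
Dec 8 23:09:01 mx.example.invalid /usr/sbin/amavisd[3599]: (03599-07) Blocked BANNED (application/octet-stream,.exe,setup.exe), [192.0.2.11] <c@example.invalid> -> <d@example.invalid>, mail_id: AbCdEfGhIjKl, Hits: -, 310 ms
Dec 8 23:09:30 mx.example.invalid /usr/sbin/amavisd[3599]: (03599-08) Passed CLEAN, [192.0.2.12] <e@example.invalid> -> <f@example.invalid>, mail_id: MnOpQrStUvWx, Hits: 0.1, 120 ms
"""

TASK_RE = re.compile(r"\((\d+-\d+)\) (.*)$")            # "(03599-06) rest"
PPATH_RE = re.compile(r"^p\.path BANNED:\d+ ")           # supplemental result
VERDICT_RE = re.compile(r"^(Blocked|Passed) (INFECTED|BANNED|SPAM|CLEAN)\b")
MAIL_ID_RE = re.compile(r"mail_id: (\S+),")

def summarize(log_text):
    """Map task id -> final verdict, mail_id and whether p.path BANNED fired."""
    tasks = defaultdict(lambda: {"verdict": None, "mail_id": None,
                                 "supplemental_banned": False})
    for line in log_text.splitlines():
        m = TASK_RE.search(line)
        if not m:
            continue                       # not an amavisd task line
        task_id, rest = m.groups()
        entry = tasks[task_id]
        if PPATH_RE.match(rest):
            entry["supplemental_banned"] = True   # note it, do not count it
            continue
        v = VERDICT_RE.match(rest)
        if v:                              # one final verdict per task
            entry["verdict"] = v.group(2)
            mid = MAIL_ID_RE.search(rest)
            entry["mail_id"] = mid.group(1) if mid else None
    return dict(tasks)

def count_by_verdict(summary):
    """Per-verdict message counts, as a stats graph would want them."""
    counts = defaultdict(int)
    for entry in summary.values():
        if entry["verdict"]:
            counts[entry["verdict"]] += 1
    return dict(counts)

def masked_banned(summary):
    """Task ids where a banned part was found but the verdict was INFECTED."""
    return sorted(t for t, e in summary.items()
                  if e["supplemental_banned"] and e["verdict"] == "INFECTED")
```

Run over a real log, masked_banned() lists exactly the messages the thread is about: banned hits that a counter keyed on "BANNED" alone would double-count against the INFECTED verdict.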


_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
