Matt,

> > amavis[3635]: (03635-07) Blocked INFECTED (W32/Netsky-Q),
> > It only says INFECTED, it doesn't mention banned (although at higher log
> > level it is evident that banned was triggered too). Fix the log analyzer.


> Well it depends on the virus of course.... For example mytob uses a
> scheme which triggers banning as well....
>
> Dec  8 23:08:27 www.mindblow.ch /usr/sbin/amavisd[3599]: (03599-06)
> p.path BANNED:1 [EMAIL PROTECTED]: "P=p003,L=1,M=multipart/mixed |
> P=p002,L=1/2,M=application/octet-stream,T=zip,N=readme.zip |
> P=p004,L=1/2/1,T=exe,N=readme.doc.scr",
> matching_key="(?i-xsm:\\.[^./]*[A-Za-z][^./]*\\.(exe|vbs|pif|lnk|scr|bat|cmd|com|cpl|dll)\\.?$)"
>
> Dec  8 23:08:27 www.mindblow.ch /usr/sbin/amavisd[3599]: (03599-06)
> Blocked INFECTED (Worm.Mytob.CV),
> [x.x.x.x] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, quarantine:
> virus/virus-20051208-230827-03599-06.gz, Message-ID:
> <[EMAIL PROTECTED]>, mail_id: ZegWCdHVJFHZ,
> Hits: -, 425 ms
>
> I noticed there seem to be two different kinds of BANNED...
> p.path BANNED
> Blocked BANNED
>
> might it be that p.path suggests this is like a supplemental result that
> was encountered on the final path or something like that?

Exactly, it is a supplemental result, a debugging log entry.
At arbitrarily high log level you may encounter all sorts
of log messages, and the only promise I make about these
is that they won't start with Passed XXX or Blocked XXX. 
If a log parser is sloppy and uses low level debug log entries
for counting, you are counting the same message multiple times.

The ONLY dependable message that should be used by a log parser
for counting and classification is the one which is always issued
at log level 0, i.e. the Passed XXX or Blocked XXX.
It will always indicate the final verdict on mail contents.

> I'm now also trying to lower my log level from 2 to 1, maybe that helps
> too... I'll see.

It will probably help, but ultimately the log parser needs to be fixed.

  Mark
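The counting rule Mark describes, as an added example that is not part of the thread or of amavisd's own code: it counts only the level-0 `Passed XXX` / `Blocked XXX` verdict lines, identified by the `(pid-seq)` task id, and contrasts that with a sloppy substring count that also picks up the `p.path BANNED` debug entry. The sample log lines are constructed, modelled on the ones quoted above, with placeholder hosts, addresses and ids.

```python
import re
from collections import Counter

# Constructed sample, modelled on the amavisd entries quoted in the thread
# (placeholder hosts, addresses and ids). Task 03599-06 logs a debug
# 'p.path BANNED:1' line *and* its final 'Blocked INFECTED' verdict.
SAMPLE_LOG = r"""Dec  8 23:08:27 mx.example.invalid /usr/sbin/amavisd[3599]: (03599-06) p.path BANNED:1 sender@example.invalid: "P=p003,L=1,M=multipart/mixed | P=p004,L=1/2/1,T=exe,N=readme.doc.scr", matching_key="(?i-xsm:\\.[^./]*[A-Za-z][^./]*\\.(exe|vbs|pif|lnk|scr|bat|cmd|com|cpl|dll)\\.?$)"
Dec  8 23:08:27 mx.example.invalid /usr/sbin/amavisd[3599]: (03599-06) Blocked INFECTED (Worm.Mytob.CV), [192.0.2.10] <sender@example.invalid> -> <user@example.invalid>, quarantine: virus/virus-20051208-230827-03599-06.gz, mail_id: AAAAAAAAAAAA, Hits: -, 425 ms
Dec  8 23:09:01 mx.example.invalid amavis[3635]: (03635-07) Blocked INFECTED (W32/Netsky-Q), [192.0.2.11] <a@example.invalid> -> <b@example.invalid>, mail_id: BBBBBBBBBBBB, Hits: -, 300 ms
Dec  8 23:10:15 mx.example.invalid amavis[3635]: (03635-08) Blocked BANNED (.exe,setup.exe), [192.0.2.12] <c@example.invalid> -> <d@example.invalid>, mail_id: CCCCCCCCCCCC, Hits: -, 120 ms
Dec  8 23:11:40 mx.example.invalid amavis[3635]: (03635-09) Passed CLEAN, [192.0.2.13] <e@example.invalid> -> <f@example.invalid>, mail_id: DDDDDDDDDDDD, Hits: 0.1, 80 ms
"""

# The only dependable entry: '(pid-seq) Passed XXX' / 'Blocked XXX', logged at level 0.
VERDICT_RE = re.compile(
    r"amavisd?\[\d+\]: \((?P<task>\d+-\d+)\) (?P<action>Passed|Blocked) (?P<verdict>[A-Z-]+)"
)
# What a sloppy analyzer effectively does: grep for a verdict word anywhere.
SLOPPY_RE = re.compile(r"\b(INFECTED|BANNED|SPAM|CLEAN)\b")


def count_verdicts(log_text):
    """Count final verdicts only; debug lines such as 'p.path BANNED:1' are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = VERDICT_RE.search(line)
        if m is None:
            continue  # not a level-0 verdict line, so not a message to count
        counts["%s %s" % (m.group("action"), m.group("verdict"))] += 1
    return counts


def count_sloppy(log_text):
    """Substring counting: counts a task twice when it also emits a debug entry."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SLOPPY_RE.search(line)
        if m is not None:
            counts[m.group(1)] += 1
    return counts


if __name__ == "__main__":
    print("final verdicts:", dict(count_verdicts(SAMPLE_LOG)))  # 4 messages
    print("sloppy count:  ", dict(count_sloppy(SAMPLE_LOG)))    # 5 hits for 4 messages
```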


_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/