I have Amavis set up to do A/V scanning as a prequeue filter.
It's configured to DISCARD virus-tagged content.
It works, detecting + discarding as intended.
I want to run fail2ban over the logs to identify the IP of the virus sender,
and set a firewall block for a while.
But if you look at the log for the amavis rejection message sent to postfix, it
does NOT have the IP address.
Apr 11 04:24:08 mail01 postfix/postscreen[7312]: CONNECT from [104.44.131.209]:1024 to [192.0.1.17]:25
Apr 11 04:24:14 mail01 postfix/postscreen[7312]: PASS NEW [104.44.131.209]:1024
Apr 11 04:24:14 mail01 postfix/psint/smtpd[7319]: connect from ldoquy20.cloudapp.net[104.44.131.209]
Apr 11 04:24:15 mail01 postfix/psint/smtpd[7319]: NOQUEUE: client=ldoquy20.cloudapp.net[104.44.131.209]
Apr 11 04:24:15 mail01 postfix/amavis/smtpd[7326]: connect from localhost[127.0.0.1]
Apr 11 04:24:15 mail01 postfix/amavis/smtpd[7326]: 4ql0LCJHvGz3J39: client=localhost[127.0.0.1]
Apr 11 04:24:15 mail01 postfix/cleanup[7327]: 4ql0LCJHvGz3J39: message-id=<[email protected]>
Apr 11 04:24:16 mail01 postfix/qmgr[20856]: 4ql0LCJHvGz3J39: from=<[email protected]>, size=3301, nrcpt=1 (queue active)
>> Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: proxy-accept: END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06097-01 - INFECTED: Porcupine.Malware.36603.UNOFFICIAL; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<ldoquy20.cloudapp.net>
Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: disconnect from ldoquy20.cloudapp.net[104.44.131.209] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
How do I add the virus sender's IP into that "... INFECTED: ..." Amavisd message?
Jason
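One way to recover the client IP from exactly these log lines, given as an added example that is not part of Jason's post or of the Postfix/Amavis code: the "proxy-accept: ... INFECTED:" line is written by the same smtpd process (service name plus pid, here psint/smtpd[7319]) that earlier logged "connect from host[ip]" for the external client, so keying the client address on that process and looking it up when the INFECTED result arrives yields the sender IP, while the amavis/smtpd[7326] re-injection (connect from localhost) is never consulted. The log lines below are the ones quoted above with the syslog wrapping undone; the regexes, function names, the "proxy-reject" handling and the fail2ban-style output format are this example's own assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Log excerpt from the post above, unwrapped to one syslog record per line.
# (The obfuscated "[email protected]" addresses are kept as they appear on the page.)
LOG_LINES = [
    "Apr 11 04:24:08 mail01 postfix/postscreen[7312]: CONNECT from [104.44.131.209]:1024 to [192.0.1.17]:25",
    "Apr 11 04:24:14 mail01 postfix/postscreen[7312]: PASS NEW [104.44.131.209]:1024",
    "Apr 11 04:24:14 mail01 postfix/psint/smtpd[7319]: connect from ldoquy20.cloudapp.net[104.44.131.209]",
    "Apr 11 04:24:15 mail01 postfix/psint/smtpd[7319]: NOQUEUE: client=ldoquy20.cloudapp.net[104.44.131.209]",
    "Apr 11 04:24:15 mail01 postfix/amavis/smtpd[7326]: connect from localhost[127.0.0.1]",
    "Apr 11 04:24:15 mail01 postfix/amavis/smtpd[7326]: 4ql0LCJHvGz3J39: client=localhost[127.0.0.1]",
    "Apr 11 04:24:15 mail01 postfix/cleanup[7327]: 4ql0LCJHvGz3J39: message-id=<[email protected]>",
    "Apr 11 04:24:16 mail01 postfix/qmgr[20856]: 4ql0LCJHvGz3J39: from=<[email protected]>, size=3301, nrcpt=1 (queue active)",
    "Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: proxy-accept: END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06097-01 - INFECTED: Porcupine.Malware.36603.UNOFFICIAL; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<ldoquy20.cloudapp.net>",
    "Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: disconnect from ldoquy20.cloudapp.net[104.44.131.209] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5",
]

# Any smtpd record: optional service prefix (psint/, amavis/ ...), pid, and the rest of the message.
SMTPD = re.compile(r" postfix/(?P<svc>[\w.-]+/)?smtpd\[(?P<pid>\d+)\]: (?P<rest>.*)$")
CONNECT = re.compile(r"^connect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]")
DISCONNECT = re.compile(r"^disconnect from ")
# Amavis result relayed through the proxy filter. "proxy-reject" is an assumption covering a
# REJECT (rather than DISCARD) policy; the post only shows "proxy-accept".
INFECTED = re.compile(
    r"^proxy-(?:accept|reject): END-OF-MESSAGE: .*INFECTED: (?P<sig>[^;]+);.*from=<(?P<sender>[^>]*)>"
)


def find_infected_senders(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, signature, envelope_sender) for every INFECTED proxy result.

    The client address is remembered per smtpd process ("psint/smtpd[7319]") from its
    'connect from' record and forgotten again on 'disconnect from', so a pid that the
    kernel later reuses cannot inherit a stale address.
    """
    clients: Dict[str, str] = {}
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = SMTPD.search(line)
        if not m:
            continue  # postscreen, cleanup, qmgr etc. carry no per-session client state we need
        proc = f"{m['svc'] or ''}smtpd[{m['pid']}]"
        rest = m["rest"]
        c = CONNECT.match(rest)
        if c:
            clients[proc] = c["ip"]
            continue
        if DISCONNECT.match(rest):
            clients.pop(proc, None)
            continue
        i = INFECTED.match(rest)
        if i:
            ip = clients.get(proc)
            if ip is None:
                continue  # connect record not seen (e.g. it fell before a log rotation)
            hits.append((ip, i["sig"], i["sender"]))
    return hits


def fail2ban_line(ip: str, sig: str, sender: str) -> str:
    """Synthetic one-line record carrying the IP, in a shape a simple fail2ban
    failregex such as r'client=\\[<HOST>\\]$' could match (assumed format)."""
    return f"amavis-virus: INFECTED {sig} from=<{sender}> client=[{ip}]"


if __name__ == "__main__":
    for ip, sig, sender in find_infected_senders(LOG_LINES):
        print(fail2ban_line(ip, sig, sender))
```

Run against the excerpt, the script emits a single line naming 104.44.131.209 and the Porcupine signature; the localhost connection from the re-injection smtpd is never reported because that process logs no proxy result. Feeding such correlated lines to a separate log (or a fail2ban action) sidesteps the fact that the original INFECTED record itself has no address.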