On Tue, 2009-11-24 at 08:06 -0500, Ken Campney wrote:
> G.W. Haywood wrote:
> > Hi there,
> >
> > On Tue, 24 Nov 2009 Ken Campney wrote:
> >
> >> What I'm trying to do is log message virus statistics either to a
> >> database or log file ...
> >>
> >
> > Grab syslog-ng, it can do anything you need of that nature.
> >
> >> I can't use the maillog because the destination isn't logged
> >>
> >
> > Er, what MTA are you using? I don't know of one that can't log what
> > you need.
> >
> The MTA is Sendmail, and mail logging works just fine except for
> messages where an infection is found.
>
> I'm thinking the logging issue is due to clamav-milter which is why I'm
> posting to this list.
>
> Running cat /var/log/maillog | grep Infected I get:
> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add:
> header: X-Virus-Status: Infected (Phishing.Heuristics.Email.SSL-Spoof)
>
> Running cat /var/log/maillog | grep nAOAg8uf022365 I get:
> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365:
> from=<u...@somedomain.com>, size=27436, class=0,
> nrcpts=1,msgid=<de.8c.15584.978bb...@prs>, bodytype=8BITMIME,
> proto=ESMTP, daemon=MTA, relay=somedomain.net [xxx.xxx.xx.xxx]
> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add:
> header: X-Virus-Scanned: clamav-milter 0.95.3 at myserver
> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add:
> header: X-Virus-Status: Infected (Phishing.Heuristics.Email.SSL-Spoof)
> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter: data,
> discard
> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: discarded
>
> Clamav-milter.log has:
> Message from <u...@somedomain.com> to <JoeK> infected by
> Phishing.Heuristics.Email.SSL-Spoof
>
> As you can see there is no destination logged when an infection is
> processed.
> My guess is this is because it's not being delivered. Which would explain
> why the clamav-milter.log has the intended "local" delivery address.
> Unfortunately I'm needing the Envelope Recipient
>
> Ken
> >
> > --
> >
> > 73,
> > Ged.
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> > http://www.clamav.net/support/ml
> >

That's unlucky. Using Postfix with the clam-av milter it obliges with:
Nov 23 08:41:02 inbound/cleanup[15078]: 305E0AD108: milter-reject: END-OF-MESSAGE from 93-41-51-175.ip80.fastwebnet.it[93.41.51.175]: 5.7.1 Virus Found; from=<alighting...@rancon.com> to=<....@....com> proto=ESMTP helo=<93-41-51-175.ip80.fastwebnet.it>

All that is missing, is the year :-) {trivial to add....}
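
The grep-by-queue-ID correlation from the quoted Sendmail message, written as an added Python example that is not from any poster in this thread: it groups maillog lines by queue ID, keeps the messages that received an Infected header, and joins the clamav-milter.log line on sender and signature name. That join key is an assumption (the milter log line shown carries no queue ID), the function names are this example's own, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the excerpts in the thread
# (addresses, hosts and the second message are placeholders, not original values).
MAILLOG = """\
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: from=<sender@example.com>, size=27436, class=0, nrcpts=1, msgid=<1@example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add: header: X-Virus-Scanned: clamav-milter 0.95.3 at myserver
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add: header: X-Virus-Status: Infected (Phishing.Heuristics.Email.SSL-Spoof)
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: discarded
Nov 24 05:43:00 myserver sm-mta[22370]: nAOAh0aa022370: from=<ok@example.org>, size=900, class=0, nrcpts=1, relay=mx.example.org [192.0.2.20]
Nov 24 05:43:00 myserver sm-mta[22370]: nAOAh0aa022370: Milter add: header: X-Virus-Status: Clean
"""
MILTERLOG = "Message from <sender@example.com> to <JoeK> infected by Phishing.Heuristics.Email.SSL-Spoof\n"

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ sm-mta\[\d+\]: (\w+): (.*)$")
INFECTED = re.compile(r"X-Virus-Status: Infected \((.+)\)")
FROM = re.compile(r"from=<([^>]*)>.*relay=(.+)$")
MILTER = re.compile(r"Message from <([^>]*)> to <([^>]*)> infected by (\S+)")

def infected_records(maillog, milterlog):
    """Group sendmail lines by queue ID; return the messages flagged Infected."""
    msgs = {}
    for line in maillog.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when, qid, rest = m.groups()
        rec = msgs.setdefault(qid, {"qid": qid, "time": when})
        if (f := FROM.search(rest)):
            rec["from"], rec["relay"] = f.groups()
        elif (v := INFECTED.search(rest)):
            rec["virus"] = v.group(1)
    # Assumption: clamav-milter.log has no queue ID, so join on (sender, signature).
    rcpts = {(s, v): r for s, r, v in MILTER.findall(milterlog)}
    out = [r for r in msgs.values() if "virus" in r]
    for r in out:
        r["rcpt"] = rcpts.get((r.get("from"), r["virus"]))  # None when unmatched
    return out

def virus_counts(records):
    """Per-signature totals, ready to write to a database or log file."""
    return Counter(r["virus"] for r in records)

if __name__ == "__main__":
    for r in infected_records(MAILLOG, MILTERLOG):
        print(r)
```

The `rcpt` value is whatever clamav-milter logged, which in the thread is the local delivery address rather than the envelope recipient.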