lists wrote:
On Tue, 2009-11-24 at 08:06 -0500, Ken Campney wrote:
G.W. Haywood wrote:
Hi there,

On Tue, 24 Nov 2009 Ken Campney wrote:

What I'm trying to do is log message virus statistics either to a
database or log file ...
Grab syslog-ng, it can do anything you need of that nature.

I can't use the maillog because the destination isn't logged
Er, what MTA are you using?  I don't know of one that can't log what
you need.
The MTA is Sendmail, and mail logging works just fine except for messages where an infection is found.

I'm thinking the logging issue is due to clamav-milter which is why I'm posting to this list.

Running cat /var/log/maillog | grep Infected I get:
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add: header: X-Virus-Status: Infected (Phishing.Heuristics.Email.SSL-Spoof)

Running cat /var/log/maillog | grep nAOAg8uf022365 I get:
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: from=<u...@somedomain.com>, size=27436, class=0, nrcpts=1,msgid=<de.8c.15584.978bb...@prs>, bodytype=8BITMIME,
proto=ESMTP, daemon=MTA, relay=somedomain.net [xxx.xxx.xx.xxx]
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add: header: X-Virus-Scanned: clamav-milter 0.95.3 at myserver
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add: header: X-Virus-Status: Infected (Phishing.Heuristics.Email.SSL-Spoof)
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter: data, discard
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: discarded

Clamav-milter.log has:
Message from <u...@somedomain.com> to <JoeK> infected by Phishing.Heuristics.Email.SSL-Spoof

As you can see there is no destination logged when an infection is processed. My guess is this is because it's not being delivered, which would explain why the clamav-milter.log has the intended "local" delivery address.
Unfortunately I'm needing the Envelope Recipient.

Ken


--

73,
Ged.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

That's unlucky. Using Postfix with the clam-av milter it obliges with:

Nov 23 08:41:02 inbound/cleanup[15078]: 305E0AD108: milter-reject:
END-OF-MESSAGE from 93-41-51-175.ip80.fastwebnet.it[93.41.51.175]: 5.7.1
Virus Found; from=<alighting...@rancon.com> to=<....@....com> proto=ESMTP
helo=<93-41-51-175.ip80.fastwebnet.it>

All that is missing, is the year :-) {trivial to add....}

Annoying is more like it heh
Actually using the OnInfected setting of "Reject" rather than Blackhole or Quarantine does provide the envelope recipient (to=<....@...com>) in the maillog (though clamav-milter.log still records local names regardless).

The missing information in maillog now definitely appears to be directly related to using Blackhole or Quarantine. Bug??

Ken
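For anyone wanting to pull the statistics Ken describes out of the log lines quoted in this thread, here is a small Python script. It is an added example, not code from the thread, from clamav-milter or from sendmail. It correlates maillog lines by queue ID, picks up the sender and relay from the `from=` line, the ClamAV signature from the `X-Virus-Status` header the milter adds, the envelope recipient from a `to=` line when one exists, and the final disposition. It also understands the Postfix `milter-reject` line shown in the reply, so it goes a little beyond the sendmail case. The sample log text is constructed (addresses, host names and the second queue ID are placeholders modelled on the quoted lines), and the field names in the returned records are my own.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the maillog lines quoted in the thread.
# Addresses, hosts and IPs are placeholders; the second queue ID and the
# Postfix line are made up to show a clean delivery and a milter reject.
SAMPLE_MAILLOG = """\
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: from=<user@somedomain.com>, size=27436, class=0, nrcpts=1, msgid=<de.8c.15584.978bb@prs>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=somedomain.net [192.0.2.10]
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add: header: X-Virus-Scanned: clamav-milter 0.95.3 at myserver
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add: header: X-Virus-Status: Infected (Phishing.Heuristics.Email.SSL-Spoof)
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter: data, discard
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: discarded
Nov 24 05:43:00 myserver sm-mta[22370]: nAOAh0xy022370: from=<other@example.net>, size=1200, class=0, nrcpts=1, msgid=<abc@example.net>, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.20]
Nov 24 05:43:00 myserver sm-mta[22370]: nAOAh0xy022370: Milter add: header: X-Virus-Status: Clean
Nov 24 05:43:01 myserver sm-mta[22371]: nAOAh0xy022370: to=<joe@myserver.example>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=31200, dsn=2.0.0, stat=Sent
Nov 23 08:41:02 gw postfix/cleanup[15078]: 305E0AD108: milter-reject: END-OF-MESSAGE from mx.example.org[192.0.2.30]: 5.7.1 Virus Found; from=<alighting@example.com> to=<joe@example.com> proto=ESMTP helo=<mx.example.org>
"""

# Generic syslog prefix: timestamp, host, program[pid]: queue-id: rest
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[\w/-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$'
)
# sendmail envelope sender line; relay is the last field
FROM_RE = re.compile(r'^from=<(?P<sender>[^>]*)>.*?relay=(?P<relay>.+)$')
# sendmail per-recipient delivery line
TO_RE = re.compile(r'^to=<(?P<rcpt>[^>]*)>.*?stat=(?P<stat>.+)$')
# header added by clamav-milter on an infected message
INFECTED_RE = re.compile(r'X-Virus-Status: Infected \((?P<sig>[^)]+)\)')
# Postfix cleanup line when the milter rejects at end of message
PF_REJECT_RE = re.compile(
    r'^milter-reject: .*?: (?P<reason>[^;]+); '
    r'from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>'
)


def correlate(log_text):
    """Group log lines by queue ID and collect the fields useful for virus
    reporting. Returns an ordered dict of qid -> record."""
    records = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a line we know how to read; ignore
        rec = records.setdefault(m['qid'], {
            'qid': m['qid'], 'first_seen': m['ts'], 'sender': None,
            'relay': None, 'recipient': None, 'signature': None,
            'reason': None, 'disposition': None,
        })
        rest = m['rest']
        fm = FROM_RE.match(rest)
        if fm:
            rec['sender'] = fm['sender']
            rec['relay'] = fm['relay'].strip()
            continue
        tm = TO_RE.match(rest)
        if tm:
            rec['recipient'] = tm['rcpt']
            rec['disposition'] = tm['stat']
            continue
        im = INFECTED_RE.search(rest)
        if im:
            rec['signature'] = im['sig']
            continue
        pm = PF_REJECT_RE.match(rest)
        if pm:
            rec['sender'] = pm['sender']
            rec['recipient'] = pm['rcpt']
            rec['reason'] = pm['reason']
            rec['disposition'] = 'milter-reject'
            continue
        if rest == 'discarded':
            rec['disposition'] = 'discarded'
    return records


def infected_report(log_text):
    """Only the messages the milter flagged, in log order."""
    return [r for r in correlate(log_text).values()
            if r['signature'] or r['disposition'] == 'milter-reject']


def format_record(rec):
    """One line per flagged message; says plainly when the recipient never
    reached the log (the discard case from the thread)."""
    rcpt = rec['recipient'] or 'unknown (no to= line; message %s)' % (
        rec['disposition'] or 'not delivered')
    return '%s qid=%s from=%s relay=%s rcpt=%s detect=%s result=%s' % (
        rec['first_seen'], rec['qid'], rec['sender'], rec['relay'], rcpt,
        rec['signature'] or rec['reason'], rec['disposition'])


if __name__ == '__main__':
    for r in infected_report(SAMPLE_MAILLOG):
        print(format_record(r))
```

Running it over the sample shows exactly the gap Ken is hitting: the sendmail discard has sender, relay and signature but no recipient, while the Postfix reject has `to=` on the same line. To feed a database, `correlate()` can be run on a daily maillog and each record written as a row, with a null recipient column wherever the message was discarded or quarantined before any `to=` line was logged.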
