tags 336558 pending
thanks

On 11 Nov 2005, at 22:14, Russ Allbery wrote:
> Here's some additional information on the spamd rules and a try at a more restrictive rule. It's hard to get a good restrictive rule written, since on the spam detection rules, spamd puts basically arbitrary key=value pairs into the log.
>
> <snip>
>
> and the patch is attached.
Thanks for the patch, I've gone through all the messages in this bug and come up with some rules which match all of them.. at least until they get changed all over again. The rules for spamd are now:
[violations.ignore.d/logcheck-spamd]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: Cannot open bayes databases /home/[_[:alnum:]-]+/.spamassassin/bayes_\* R/W: lock failed: File exists$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: failed sanity check, [0-9]+ bytes claimed, [0-9-]+ bytes seen$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?(checking|processing) message <[^[:space:]]+> for [._[:alnum:]-]+: [0-9]+(\.)?$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?result: (.|Y|N) [ [:digit:]-]+ - [._[:alnum:],]+ scantime=[0-9.]+,size=[0-9]+,(user=[a-z]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[._[:alnum:]-]+,raddr=[0-9.]+,rport=[0-9]+,)?mid=<[^[:space:]]+>,(bayes=(0|1),)?autolearn=(ham|spam|no)$

[ignore.d.server/spamd]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?connection from [._[:alnum:]-]+ \[[\.[:digit:]]+\] at port [0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?(info: )?setuid to [[:alnum:]-]+ succeeded$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?clean message \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?identified spam \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: child states: I+$
The modifications will be included in the next release, which should be within the next 1-2 weeks.
Thanks,

--
-Jamie L. Penman-Smithson <[EMAIL PROTECTED]>
t: +44 1273 424795; f: +44 1273 424795
PGP: C0A7 955E EED6 A309 23D7 863B C76A 26A3 F0DC FCA8
never send mail to: [EMAIL PROTECTED]
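Added example, not part of the original message or of logcheck itself: a small shell check that runs four of the rules above over constructed spamd log lines and prints whatever no rule matches, which is what would still be reported. It assumes GNU grep (for `\w` in `-E` mode) and that the spaces introduced by mail line-wrapping are removed from the rules; the host name, user, message-id and the function names are invented for the test.

```shell
#!/bin/sh
# Four of the ignore rules from the message, one extended regex per line.
rules() {
cat <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?connection from [._[:alnum:]-]+ \[[\.[:digit:]]+\] at port [0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?result: (.|Y|N) [ [:digit:]-]+ - [._[:alnum:],]+ scantime=[0-9.]+,size=[0-9]+,(user=[a-z]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[._[:alnum:]-]+,raddr=[0-9.]+,rport=[0-9]+,)?mid=<[^[:space:]]+>,(bayes=(0|1),)?autolearn=(ham|spam|no)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?clean message \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: child states: I+$
EOF
}

# Constructed sample log (not captured from a real system).
# Lines 5 and 6 deviate on purpose: a busy child state and a fractional bayes value.
sample_log() {
cat <<'EOF'
Nov 11 22:14:01 mail spamd[2345]: spamd: connection from localhost [127.0.0.1] at port 40123
Nov 11 22:14:03 mail spamd[2345]: spamd: result: . -2 - BAYES_00,HTML_MESSAGE scantime=1.8,size=3120,user=alice,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40123,mid=<abc@example.org>,bayes=0,autolearn=ham
Nov 11 22:14:03 mail spamd[2345]: spamd: clean message (-2.6/5.0) for alice:1001 in 1.8 seconds, 3120 bytes.
Nov 11 22:14:04 mail spamd[2301]: prefork: child states: II
Nov 11 22:14:05 mail spamd[2301]: prefork: child states: IB
Nov 11 22:14:09 mail spamd[2345]: spamd: result: . 1 - HTML_MESSAGE scantime=0.9,size=811,user=alice,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40124,mid=<def@example.org>,bayes=0.5000,autolearn=no
EOF
}

# Print the sample lines that no rule matches (these would still be reported).
reported() {
    tmp=$(mktemp) || return 1
    rules > "$tmp"
    # grep -v exits 1 when every line is ignored; that is not an error here.
    sample_log | grep -E -v -f "$tmp" || true
    rm -f "$tmp"
}

reported
```

Because every rule is anchored with `^` and `$`, a new or differently formatted key=value pair makes the whole line fall through to the report rather than being silently ignored.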