I did a little hacking in the qmail-scanner-queue.pl file.
I've now got Q-S creating the quarantine.log file inserting the source
IP of an email between the date and sender info. See the $report= line
in the write_quarantine_report sub for the exact format.
Maybe this is what we're looking for, maybe not. It doesn't correlate
the tcpserver log with Q-S but it does pull that info from the headers,
and in my situation where the tcpserver log that I'd need is on a
different server, this seems to work pretty well.
Maybe someone has some feedback on this, or could maybe clean up what
I've written. My knowledge of perl is pretty limited and the regex I'm
using for extracting the ip is pretty weak. Maybe someone who knows Q-S
better could offer some more insight to clean this hack up a bit.
The 3 changes I made in our setup were as follows:
Line ~337:
my (%rcvdheaders );
my (%headers );
Line ~511:
} elsif ($hdr =~
         /^(from|x-mail|User-Agent|Organi|Received|Message-ID|Subject)/i &&
         $headers{tolower($hdr)}) {
    # Make sure any multiples of these headers are remembered, so that
    # perlscanner checks can see all instances - just wrap em up
    # into one long line
    $headers{tolower($hdr)} .= " $value";
    # added: also keep the most recently seen value of this header on its own
    $rcvdheaders{tolower($hdr)} = $value;
} else {
Line ~1209:
sub write_quarantine_report {
    my ($temp,$desc,$report,$subj,$received,$item);
    $subj=$headers{'subject'};
    $subj=~s/\t/ /g;
    $desc=$quarantine_description;
    $desc=~s/\n\t/ /g;
    # added: take the remembered Received: header and pull out the
    # first dotted quad found in it as the source IP
    $received=$rcvdheaders{'received'};
    my @ip = $received =~ m/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/g;
    $report =
      "$nowtime\t$ip[0]\t$returnpath\t$recips\t$subj\t$desc\t$SCANINFO\n";
    print "$report\n";
    open(QUARANTINELOG,">>$scandir/$quarantinelog");
    print QUARANTINELOG $report;
    close QUARANTINELOG;
    &debug("w_v_r: writing quarantine log report of: $report");
}
The output of a diff:
[EMAIL PROTECTED] bin]# diff qmail-scanner-queue.pl qmail-scanner-queue.pl.orig
337d336
< my (%rcvdheaders );
511d509
< $rcvdheaders{tolower($hdr)}=$value;
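Review bot: this assignment sits in the `elsif` branch that is guarded by `$headers{tolower($hdr)}`, so it only runs for the second and later occurrences of a header; a message carrying exactly one Received: line (the one qmail-smtpd prepends) never populates `$rcvdheaders{'received'}`, and `$received` is then undefined in write_quarantine_report. It also overwrites on every occurrence, so what survives is the bottom-most, oldest Received: header, the one written by the originating host and the easiest for a sender to forge; the hop that actually connected to this server is the first Received: header seen. Suggest setting it where the first occurrence is handled and keeping only that, e.g. `$rcvdheaders{tolower($hdr)} = $value unless exists $rcvdheaders{tolower($hdr)};`.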
1204c1202
< my ($temp,$desc,$report,$subj,$received,$item);
---
> my ($temp,$desc,$report,$subj,$received);
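Review bot: `$item` is added to the `my` list but never used in the sub (neither here nor in the 1209,1212 hunk), so it is a dead declaration; drop it to keep the change minimal.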
1209,1212c1207,1208
< $received=$rcvdheaders{'received'};
< my @ip = $received =~ m/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/g;
< $report =
"$nowtime\t$ip[0]\t$returnpath\t$recips\t$subj\t$desc\t$SCANINFO\n";
< print "$report\n";
---
> $received=$headers{'Received'};
> $report =
"$nowtime\t$received\t$returnpath\t$recips\t$subj\t$desc\t$SCANINFO\n";
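Review bot: `$ip[0]` is undefined whenever the pattern finds no dotted quad (or when `$received` itself is undefined, see the 511 hunk), which interpolates as an empty field and, with warnings on, logs "Use of uninitialized value" for every such message; capture and test the match first, e.g. `my ($ip) = $received =~ /[\[(](?:\S*@)?(\d{1,3}(?:\.\d{1,3}){3})[\])]/; $ip = '' unless defined $ip;`, which anchors on the parenthesised or bracketed address after the HELO instead of the first run of digits anywhere in the header (the current pattern also accepts octets above 255 and version-like strings such as 2.0.16.1). Separately, `print "$report\n"` writes the report to STDOUT, which in a qmail-queue replacement is not a terminal; if it was a debugging aid, the `&debug` call already in the sub covers it.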
Cheers
/jon
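An added, stand-alone example, not part of Jon's patch or of qmail-scanner, showing the same idea with the weak spots closed: it keeps the first Received: header (the one qmail-smtpd itself prepends with the peer address) rather than the last, accepts only a bracketed or parenthesised address with octets in range, falls back to an empty field when nothing usable is present, and writes the same tab-separated layout as the $report line. The message, timestamp and scanner strings are constructed sample data.

```perl
#!/usr/bin/perl
# Added example, not qmail-scanner code: derive the connecting peer's IP
# from the top Received: header and build a quarantine.log style record.
use strict;
use warnings;

# First Received: header in the block (newest hop), continuation lines
# unfolded. Returns undef when the message has none.
sub first_received_header {
    my ($raw) = @_;
    my ($hdrs) = split /\r?\n\r?\n/, $raw, 2;   # header block only
    $hdrs =~ s/\r?\n[ \t]+/ /g;                  # unfold RFC 2822 folding
    for my $line (split /\r?\n/, $hdrs) {
        return $1 if $line =~ /^Received:\s*(.*)$/i;
    }
    return;
}

# Address in "(1.2.3.4)", "(user@1.2.3.4)" (qmail-smtpd style) or "[1.2.3.4]"
# (most other MTAs). Octets must be 0-255, so version strings like 2.0.16.1
# or junk like 999.1.1.1 are rejected. Returns '' when nothing usable is found.
sub peer_ip_from_received {
    my ($received) = @_;
    return '' unless defined $received;
    if ($received =~ /[\[(](?:[^\s\[\]()@]+@)?(\d{1,3}(?:\.\d{1,3}){3})[\])]/) {
        my $ip = $1;
        return $ip unless grep { $_ > 255 } split /\./, $ip;
    }
    return '';
}

# One record per line: tabs and newlines inside any field are squashed.
sub quarantine_log_line {
    my @f = @_;   # nowtime, ip, returnpath, recips, subject, desc, scaninfo
    s/[\t\r\n]+/ /g for @f;
    return join("\t", @f) . "\n";
}

# Constructed sample: qmail-smtpd's own line is on top, the sender's
# self-reported hop (a private address) underneath it.
my $msg = "Received: from unknown (HELO pc1) (192.0.2.45)\n"
        . "  by mail.example.net with SMTP; 30 Sep 2003 14:07:53 -0000\n"
        . "Received: from [10.0.0.7] by pc1 with ESMTP; 30 Sep 2003 14:07:50 -0000\n"
        . "Subject: test\tmessage\n\nbody\n";

my $ip = peer_ip_from_received(first_received_header($msg));
print quarantine_log_line('30/09/2003 14:07:53', $ip, 'sender@example.org',
    'user@example.net', "test\tmessage", 'Virus: EICAR-Test', 'clamscan 0.60');
```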
> On Tue, Sep 30, 2003 at 02:07:53PM -0400, Jesse Guardiani wrote:
>> Yeah, great. I know it came from a local network. But what IP address?
>> What user? I can't answer those questions without an IP address/host
>> name.
>
> Why are you making this Q-S problem???
>
> You can do what you want right now! Look at your Qmail logs - they
> have ALWAYS logged such detail.
Perhaps you could walk me through the backtracing process then? I seem
to have difficulty correlating messages in the Q-S logs with messages in
the tcpserver log because Qmail doesn't use any sort of unique message
identifier.
Maybe you know something I don't?
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605 423-559-LINK (v) 423-559-5145
(f) http://www.wingnet.net
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general