Simscan/Logging

From Qmailwiki

Contents 1 Current Logging in Simscan 1.1 STATE 1.2 SUBJECT 1.3 SENDERIP 2 Wishlist 3 Future logging proposal 3.1 ACTIONS 3.1.1 PASS 3.1.1.1 ACTIONINFO 3.1.1.2 Simscan configuration 3.1.2 PASS SPAM 3.1.2.1 ACTIONINFO 3.1.2.2 Simscan configuration 3.1.3 REJECT SPAM 3.1.3.1 ACTIONINFO 3.1.3.2 Simscan configuration 3.1.4 REJECT VIRUS 3.1.4.1 ACTIONINFO 3.1.4.2 Simscan configuration 3.1.5 REJECT ATTACH 3.1.5.1 ACTIONINFO 3.1.5.2 Simscan configuration 3.1.6 REJECT REGEX 3.1.6.1 ACTIONINFO 3.1.6.2 Simscan configuration 3.1.7 QUARANTINE ... 3.1.7.1 ACTIONINFO 3.1.7.2 Simscan configuration 3.1.8 DROP VIRUS 3.1.8.1 ACTIONINFO 3.1.8.2 Simscan configuration 3.1.9 ACTION TMPL 3.1.9.1 ACTIONINFO 3.1.9.2 Simscan configuration

[edit] Current Logging in Simscan

Logging in simscan is to be defined here. Currently most logging lines look like this

 simscan:[PID]:STATE:SUBJECT:SENDERIP:SENDERADDR:RCPTTOADDR

[edit] STATE

• VIRUS: virus
• VIRUS DROPPED: virus sliently dropped
• CLEAN: message passed spamassassin
• SPAM PASS: spam-level too low to bounce
• SPAM REJECT: spam-level high enough to bounce
• SPAM PASSTHRU: spam-level message but configured to pass through to user
• SPAM DROPPED: spam-level message sliently dropped
• REGEX: message matched a regex expression
• ATTACH: message matched an extension

[edit] SUBJECT

• State VIRUS, VIRUS DROPPED: Virus-Name
• State CLEAN, SPAM PASS, SPAM REJECT, SPAM PASSTHRU, SPAM DROPPED: Email subject
• State ATTACH: Attachment name
• State REGEX: Regex pattern number

[edit] SENDERIP

• IP of sender
• With IPv6 addresses the format is broken because : are used for the address

[edit] Wishlist

• Spam-Points on SPAM PASS or SPAM REJECT
• for virus, the scanner should be logged (trophie/sophie/clamav)
• More statistics
  • Processing time?
  • bytes?
• easy processing for statistics-generating...

please comment...

[edit] Future logging proposal

 simscan[PID]:REMOTEIP:RCPTS:TTP:MODULES:ACTION:ACTIONINFO

The idea is the have the first part (up to ACTION) stay the same and make the ACTIONINFO part dependent on the chosen action.

PID 

The pid is the pid of the simscan proccess

REMOTEIP 

The remoteip is the IP of the sender. Colons ":" get replaced by "," (ipv6). If this information is not available it is set to "(null)"

RCPTS 

the recipients of the mail, seperated by commas.

TTP 

TimeToProcess, is the time is seconds that simscan needed to process the message. 1.1234 is the format.

MODULES 

lists the modules used to scan this message, separated by commas. Looks like: modulename(tts[,version][,info])

• modulename is the name of the scanning module
• tts is the time this module took to scan in seconds. 1.1234 is the format.
• version is the version of the module. only if available (--enable-received)
• info is additional info. for example the user for spamassassin

[edit] ACTIONS

[edit] PASS

We are in this state when the message passed through simscan without any problems

[edit] ACTIONINFO

 PASS:pid

pid 

pid of the qmail-queue used to pass the message on

[edit] Simscan configuration

used in all configurations

[edit] PASS SPAM

This state is entered when a message is considered spam by spamassassin, but we pass it on because spam_hits is set to a higher value.

[edit] ACTIONINFO

 PASS SPAM:pid:spam-level:subject

pid 

pid of the qmail-queue used to pass the message on

spam-level 

spamassassins spam-level

[edit] Simscan configuration

• --enable-spam-passthru=y
• --enable-spam=y
• value of spam-hits variable
  • --enable-spam-hits=NUM
  • per-domain spam_hits value

[edit] REJECT SPAM

state that shows that spam has been rejected.

[edit] ACTIONINFO

 REJECT SPAM:spam-level

spam-level 

spamassassins spam-level for the message

[edit] Simscan configuration

• --enable-spam-passthru=n

and

• --enable-spam-passthru=n

or

• --enable-spam-passthru=y
• value of spam-hits variable < spam-level
  • --enable-spam-hits=NUM
  • per-domain spam_hits value

and NOT

• --enable-quarantinedir=

[edit] REJECT VIRUS

the message contained a virus.

[edit] ACTIONINFO

 REJECT VIRUS:scanner:virusname

scanner 

which scanner found the virus (clamav/trophie so far)

virusname 

the name of the virus

[edit] Simscan configuration

one of

• --enable-clamav=y
• --enable-trophie-socket=y

and NOT

• --enable-quarantinedir=

[edit] REJECT ATTACH

The message contained a forbidden attachment and was blocked

[edit] ACTIONINFO

 REJECT ATTACH:attachment-type:filename

attachment-type 

the match becaus it was blocked

filename 

the filename in the message that was blocked

[edit] Simscan configuration

• --enable-attach=y
• and attachment in /etc/qmail/ssattach.cdb

or

• --enable-attach=y
• --enable-per-domain=y
• and attach= in /etc/qmail/simcontrol.cdb

[edit] REJECT REGEX

The mail was blocked because it matched a regular expression

[edit] ACTIONINFO

 REJECT REGEX:regex-num:regex

regex-num 

the regex-number that matched

regex 

the matching regex itself

[edit] Simscan configuration

• --enable-regex=y
• --enable-per-domain=y
• and regex= in /etc/qmail/simcontrol.cdb

[edit] QUARANTINE ...

I need to look into the quarantining before deciding on the states

[edit] ACTIONINFO

[edit] Simscan configuration

[edit] DROP VIRUS

The email contained a virus and was silently dropped (BAD!)

[edit] ACTIONINFO

Analog to state: REJECT VIRUS

[edit] Simscan configuration

analog to state: REJECT VIRUS and

• --enable-dropmsg=y

[edit] ACTION TMPL

[edit] ACTIONINFO

[edit] Simscan configuration