how to keep/add sender IP in Amavisd antivirus "INFECTED" discard notice?

jasonsu at mail-central.com
Wed Apr 13 15:44:34 CEST 2016


I have Amavis set up to do A/V scanning as a prequeue filter.

It's configured to DISCARD virus-tagged content.

It works, detecting + discarding as intended.

I want to run fail2ban over the logs to identify the IP of the virus sender, and set a firewall block for a while.

But if you look at the log for the amavis rejection message sent to postfix, it does NOT have the IP address.

	Apr 11 04:24:08 mail01 postfix/postscreen[7312]: CONNECT from [104.44.131.209]:1024 to [192.0.1.17]:25
	Apr 11 04:24:14 mail01 postfix/postscreen[7312]: PASS NEW [104.44.131.209]:1024
	Apr 11 04:24:14 mail01 postfix/psint/smtpd[7319]: connect from ldoquy20.cloudapp.net[104.44.131.209]
	Apr 11 04:24:15 mail01 postfix/psint/smtpd[7319]: NOQUEUE: client=ldoquy20.cloudapp.net[104.44.131.209]
	Apr 11 04:24:15 mail01 postfix/amavis/smtpd[7326]: connect from localhost[127.0.0.1]
	Apr 11 04:24:15 mail01 postfix/amavis/smtpd[7326]: 4ql0LCJHvGz3J39: client=localhost[127.0.0.1]
	Apr 11 04:24:15 mail01 postfix/cleanup[7327]: 4ql0LCJHvGz3J39: message-id=<XACREbkS52aLiD at mail01.example.com>
	Apr 11 04:24:16 mail01 postfix/qmgr[20856]: 4ql0LCJHvGz3J39: from=<postmaster at mail01.example.com>, size=3301, nrcpt=1 (queue active)
>> 	Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: proxy-accept: END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06097-01 - INFECTED: Porcupine.Malware.36603.UNOFFICIAL; from=<www-data at ldoquy20.cloudapp.net> to=<exampleme at example.com> proto=ESMTP helo=<ldoquy20.cloudapp.net>
	Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: disconnect from ldoquy20.cloudapp.net[104.44.131.209] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

How do I add the virus sender's IP into that "... INFECTED: ..." Amavisd message?

Jason
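The excerpt above already contains the information needed to tie the verdict to the sender: the `proxy-accept ... INFECTED` line and the earlier `client=ldoquy20.cloudapp.net[104.44.131.209]` line are both written by the same pre-queue smtpd process, `postfix/psint/smtpd[7319]`, so the process name and PID are a join key for that SMTP session. The following is an added example, not code from Jason's post nor part of amavisd, Postfix or fail2ban; it assumes only the standard Postfix syslog line layout shown in the excerpt and uses the posted log lines themselves as sample input (quote markers removed, addresses left in the archive's "at" form). Keying on the process name as well as the PID keeps the amavis re-injection smtpd, whose client is always `localhost[127.0.0.1]`, from being mistaken for the internet-facing one.

```python
import re
from typing import Dict, List, Tuple

# Postfix syslog prefix: "Mon DD HH:MM:SS host postfix/<name>[<pid>]: <message>"
PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"postfix/(?P<proc>[\w/]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# Client address as smtpd logs it: "host[1.2.3.4]" after "connect from " or "client=".
# The \b keeps "disconnect from" from matching as a connect line.
CLIENT_RE = re.compile(r"(?:\bconnect from |client=)\S*?\[(?P<ip>[0-9a-fA-F.:]+)\]")
# The amavisd verdict relayed in the proxy smtpd's END-OF-MESSAGE line.
INFECTED_RE = re.compile(r"INFECTED:\s*(?P<sig>[^;]+);")

# Sample input: the log excerpt from the post above (tabs and the ">>" marker removed).
SAMPLE_LOG = """\
Apr 11 04:24:08 mail01 postfix/postscreen[7312]: CONNECT from [104.44.131.209]:1024 to [192.0.1.17]:25
Apr 11 04:24:14 mail01 postfix/postscreen[7312]: PASS NEW [104.44.131.209]:1024
Apr 11 04:24:14 mail01 postfix/psint/smtpd[7319]: connect from ldoquy20.cloudapp.net[104.44.131.209]
Apr 11 04:24:15 mail01 postfix/psint/smtpd[7319]: NOQUEUE: client=ldoquy20.cloudapp.net[104.44.131.209]
Apr 11 04:24:15 mail01 postfix/amavis/smtpd[7326]: connect from localhost[127.0.0.1]
Apr 11 04:24:15 mail01 postfix/amavis/smtpd[7326]: 4ql0LCJHvGz3J39: client=localhost[127.0.0.1]
Apr 11 04:24:15 mail01 postfix/cleanup[7327]: 4ql0LCJHvGz3J39: message-id=<XACREbkS52aLiD at mail01.example.com>
Apr 11 04:24:16 mail01 postfix/qmgr[20856]: 4ql0LCJHvGz3J39: from=<postmaster at mail01.example.com>, size=3301, nrcpt=1 (queue active)
Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: proxy-accept: END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06097-01 - INFECTED: Porcupine.Malware.36603.UNOFFICIAL; from=<www-data at ldoquy20.cloudapp.net> to=<exampleme at example.com> proto=ESMTP helo=<ldoquy20.cloudapp.net>
Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: disconnect from ldoquy20.cloudapp.net[104.44.131.209] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
""".splitlines()


def infected_senders(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, detection_name) for every INFECTED verdict.

    The verdict line itself carries no client address, but the same smtpd
    process (same 'postfix/<name>[<pid>]') logged 'client=host[ip]' earlier
    in the session, so (process name, PID) is the join key.
    """
    session_client: Dict[Tuple[str, str], str] = {}
    hits: List[Tuple[str, str, str]] = []
    for raw in lines:
        m = PREFIX_RE.match(raw.strip().lstrip("> ").strip())  # tolerate quote markers
        if not m:
            continue
        key = (m["proc"], m["pid"])
        msg = m["msg"]
        if msg.startswith("disconnect from "):
            session_client.pop(key, None)  # session over; the PID may be reused later
            continue
        c = CLIENT_RE.search(msg)
        if c:
            session_client[key] = c["ip"]
            continue
        v = INFECTED_RE.search(msg)
        if v and key in session_client:
            hits.append((m["ts"], session_client[key], v["sig"].strip()))
    return hits


if __name__ == "__main__":
    for ts, ip, sig in infected_senders(SAMPLE_LOG):
        print(f"{ts} INFECTED from {ip}: {sig}")
```

fail2ban evaluates its `failregex` against one log line at a time by default, so a regex written against the INFECTED line alone has no IP to extract. One workable arrangement is to run a correlator like this over the Postfix log and write its one-line-per-verdict output (which does carry the IP) to a separate file that a fail2ban jail watches; the same PID join also explains why the `localhost[127.0.0.1]` client of the amavis re-injection path must never be the address that gets banned.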

