how to keep/add sender IP in Amavisd antivirus "INFECTED" discard notice?
Mark Martinec
Mark.Martinec+amavis at ijs.si
Wed Apr 27 02:02:09 CEST 2016
Jason,
> I have Amavis set up to do A/V scanning as a prequeue filter.
>
> It's configured to DISCARD virus-tagged content.
>
> It works, detecting + discarding as intended.
>
> I want to run fail2ban over the logs to identify the IP of the Virus
> sender, and set a firewall block for a while.
>
> But if you look at the log for the amavis rejection message sent to
> postfix, it does NOT have the IP address.
>
> Apr 11 04:24:08 mail01 postfix/postscreen[7312]: CONNECT from
> [104.44.131.209]:1024 to [192.0.1.17]:25
> Apr 11 04:24:14 mail01 postfix/postscreen[7312]: PASS NEW
> [104.44.131.209]:1024
> Apr 11 04:24:14 mail01 postfix/psint/smtpd[7319]: connect from
> ldoquy20.cloudapp.net[104.44.131.209]
> Apr 11 04:24:15 mail01 postfix/psint/smtpd[7319]: NOQUEUE:
> client=ldoquy20.cloudapp.net[104.44.131.209]
> Apr 11 04:24:15 mail01 postfix/amavis/smtpd[7326]: connect from
> localhost[127.0.0.1]
> Apr 11 04:24:15 mail01 postfix/amavis/smtpd[7326]: 4ql0LCJHvGz3J39:
> client=localhost[127.0.0.1]
> Apr 11 04:24:15 mail01 postfix/cleanup[7327]: 4ql0LCJHvGz3J39:
> message-id=<XACREbkS52aLiD at mail01.example.com>
> Apr 11 04:24:16 mail01 postfix/qmgr[20856]: 4ql0LCJHvGz3J39:
> from=<postmaster at mail01.example.com>, size=3301, nrcpt=1 (queue
> active)
>>> Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: proxy-accept:
>>> END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06097-01 - INFECTED:
>>> Porcupine.Malware.36603.UNOFFICIAL;
>>> from=<www-data at ldoquy20.cloudapp.net> to=<exampleme at example.com>
>>> proto=ESMTP helo=<ldoquy20.cloudapp.net>
> Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: disconnect from
> ldoquy20.cloudapp.net[104.44.131.209] ehlo=1 mail=1 rcpt=1 data=1
> quit=1 commands=5
>
> How do I add the virus sender's IP into that " ... INFECTED: ..."
> Amavisd message?
Try:
$smtp_reason_by_ccat{&CC_VIRUS} = 'id=%n, [:ip_trace_public] - INFECTED: %V';
$smtp_reason_by_ccat{&CC_SPAM} = 'id=%n, [:ip_trace_public] - spam';
or:
$smtp_reason_by_ccat{&CC_VIRUS} = 'id=%n, %a - INFECTED: %V';
$smtp_reason_by_ccat{&CC_SPAM} = 'id=%n, %a - spam';
See README.customize for what macros like %a or ip_trace_public provide.
If you are happy with the result, consider changing the entire
%smtp_reason_by_ccat.
Its default is:
%smtp_reason_by_ccat = (
# currently only used for blocked messages only, status 5xx
# a multiline message will produce a valid multiline SMTP response
CC_VIRUS, 'id=%n - INFECTED: %V',
CC_BANNED, 'id=%n - BANNED: %F',
CC_UNCHECKED.',1', 'id=%n - UNCHECKED: encrypted',
CC_UNCHECKED.',2', 'id=%n - UNCHECKED: over limits',
CC_UNCHECKED, 'id=%n - UNCHECKED',
CC_SPAM, 'id=%n - spam',
CC_SPAMMY.',1', 'id=%n - spammy (tag3)',
CC_SPAMMY, 'id=%n - spammy',
CC_BADH.',1', 'id=%n - BAD HEADER: MIME error',
CC_BADH.',2', 'id=%n - BAD HEADER: nonencoded 8-bit character',
CC_BADH.',3', 'id=%n - BAD HEADER: contains invalid control character',
CC_BADH.',4', 'id=%n - BAD HEADER: line made up entirely of whitespace',
CC_BADH.',5', 'id=%n - BAD HEADER: line longer than RFC 5322 limit',
CC_BADH.',6', 'id=%n - BAD HEADER: syntax error',
CC_BADH.',7', 'id=%n - BAD HEADER: missing required header field',
CC_BADH.',8', 'id=%n - BAD HEADER: duplicate header field',
CC_BADH, 'id=%n - BAD HEADER',
CC_OVERSIZED, 'id=%n - Message size exceeds recipient\'s size limit',
CC_MTA.',1', 'id=%n - Temporary MTA failure on relaying',
CC_MTA.',2', 'id=%n - Rejected by next-hop MTA on relaying',
CC_MTA, 'id=%n - Unable to relay message back to MTA',
CC_CLEAN, 'id=%n - CLEAN',
CC_CATCHALL, 'id=%n - OTHER', # should not happen
);
Mark
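Once the reason string carries the client IP, the fail2ban side still needs a filter that matches it. The following is an added example, not code from this thread or from the amavis project: a Python sketch of such a fail2ban-style failregex run over constructed log lines, assuming the '%a' variant above renders as the bare client IP (verify against a real log line; README.customize documents the exact rendering of %a and [:ip_trace_public]).

```python
import re

# Constructed sample log (not from the thread): what the postfix/psint/smtpd
# "proxy-accept" lines look like once amavisd uses
#   $smtp_reason_by_ccat{&CC_VIRUS} = 'id=%n, %a - INFECTED: %V';
# Assumption: %a renders as the bare client IP handed over by XFORWARD.
SAMPLE_LOG = """\
Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: proxy-accept: END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06097-01, 104.44.131.209 - INFECTED: Porcupine.Malware.36603.UNOFFICIAL; from=<www-data@ldoquy20.cloudapp.net> to=<exampleme@example.com> proto=ESMTP helo=<ldoquy20.cloudapp.net>
Apr 11 04:25:02 mail01 postfix/psint/smtpd[7319]: proxy-accept: END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06098-01, 104.44.131.209 - INFECTED: Porcupine.Malware.36603.UNOFFICIAL; from=<www-data@ldoquy20.cloudapp.net> to=<exampleme@example.com> proto=ESMTP helo=<ldoquy20.cloudapp.net>
Apr 11 04:26:40 mail01 postfix/psint/smtpd[7330]: proxy-accept: END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06099-01, 127.0.0.1 - INFECTED: Eicar-Test-Signature; from=<root@mail01.example.com> to=<exampleme@example.com> proto=ESMTP helo=<mail01.example.com>
Apr 11 04:27:13 mail01 postfix/psint/smtpd[7330]: proxy-accept: END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06100-01, 198.51.100.7 - spam; from=<news@example.net> to=<exampleme@example.com> proto=ESMTP helo=<example.net>
Apr 11 04:27:14 mail01 postfix/psint/smtpd[7330]: disconnect from mx.example.net[198.51.100.7] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

# fail2ban-style failregex. fail2ban substitutes <HOST> itself; here it is
# expanded by hand into the named group fail2ban expects.
FAILREGEX = (r"postfix/\S+/smtpd\[\d+\]: proxy-accept: END-OF-MESSAGE: "
             r"250 2\.7\.0 Ok, discarded, id=(?P<id>[\w-]+), <HOST> - "
             r"INFECTED: (?P<virus>[^;]+);")
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))


def find_infected_senders(log_text, ignore=("127.0.0.1",)):
    """Map client IP -> [(amavis id, virus name), ...] for INFECTED
    discards. Loopback is skipped so a locally submitted message can
    never get the relay itself banned."""
    hits = {}
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m and m.group("host") not in ignore:
            hits.setdefault(m.group("host"), []).append(
                (m.group("id"), m.group("virus")))
    return hits


def ban_candidates(log_text, maxretry=2):
    """IPs reaching fail2ban's maxretry threshold (findtime not modelled)."""
    return sorted(ip for ip, h in find_infected_senders(log_text).items()
                  if len(h) >= maxretry)


if __name__ == "__main__":
    for ip, events in find_infected_senders(SAMPLE_LOG).items():
        print(ip, events)
    print("ban:", ban_candidates(SAMPLE_LOG))
```

The spam discard and the loopback INFECTED line are deliberately left unmatched, so a filter built this way only bans remote hosts that actually delivered malware.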