From f0831fa2dfbde8c3e0cfcd201014e1e10fe79bf1 Mon Sep 17 00:00:00 2001
From: Darold Gilles
Date: Sun, 10 Mar 2013 18:05:00 +0100
Subject: [PATCH] Fix case where amavis spam details was not collected. Thanks to grufo for the report.
---
 sendmailanalyzer | 111 ++++++++++++++++++++++++++++++++++-------------
 1 file changed, 82 insertions(+), 29 deletions(-)
diff --git a/sendmailanalyzer b/sendmailanalyzer
index 19a1c61..610a758 100644
--- a/sendmailanalyzer
+++ b/sendmailanalyzer
@@ -1162,22 +1162,35 @@ sub parse_amavis
 {
 my ($date,$time,$host,$str) = @_;
- if ($str =~ /\(([^\)]+)\) (Passed|Blocked) SPAM.* <([^>]*)> -> <([^>]*)>(.*) Message-ID: <([^>]*)>, /) {
+ if ($str =~ /\(([^\)]+)\) (Passed|Blocked) SPAM(.*) [<]*([^\s>]*)[>]* -> [<]*([^,>]*)[>]*,(.*) Message-ID: [<]*([^,>]+)[>]*, /) {
 my $pid = $1;
 my $status = $2;
- my $id = $6;
- my $queueid = $5;
- my $sender = &edecode($3);
- my $to = &edecode($4);
+ my $relay = $3;
+ my $id = $7;
+ my $queueid = $6;
+ my $sender = &edecode($4);
+ my $to = &edecode($5);
 if ($queueid =~ /Queue-ID: ([^,]+)/) {
 $id = $1;
+ } elsif ($str =~ /mail_id: ([^,]+)/) {
+ # Quarantine id
+ $id = $1;
 }
- $SPAM{$host}{$id}{from} = $FROM{$host}{$id}{from} || &edecode($sender);
- $SPAM{$host}{$id}{to} = $TO{$host}{$id}{queue_to}[0] || &edecode($to);
- delete $TO{$host}{$id}{queue_date};
- delete $TO{$host}{$id}{queue_to};
+ $SPAM{$host}{$id}{from} = $sender;
+ $SPAM{$host}{$id}{to} = $to;
 $SPAM{$host}{$id}{spam} = "Amavis $status Spam";
 $SPAM{$host}{$id}{date} = $date . $time;
+ if (!exists $FROM{$host}{$id}{from}) {
+ $FROM{$host}{$id}{from} = $sender;
+ $FROM{$host}{$id}{date} = $date . $time;
+ push(@{$TO{$host}{$id}{queue_date}}, $date . $time);
+ push(@{$TO{$host}{$id}{queue_to}}, $to);
+ if ($str =~ /size: (\d+)/) {
+ $FROM{$host}{$id}{size} = $1;
+ }
+ $FROM{$host}{$id}{nrcpts} = 1;
+ $FROM{$host}{$id}{relay} = &clean_relay($relay);
+ }
 if ($CONFIG{SPAM_DETAIL}) {
 if (exists $SPAMDETAIL{$host}{$pid}) {
 foreach (keys %{$SPAM{$host}{$id}}) {
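Review bot: `$FROM{$host}{$id}{nrcpts} = 1;` at the end of the added `if (!exists $FROM…)` block is hard-coded, but the new recipient capture `[<]*([^,>]*)[>]*,` stops at the first `,` or `>`, so when amavis lists several recipients on one line (`<a@x>,<b@y>`) the remaining addresses are swallowed by the following `(.*)` and the message is recorded as having a single recipient. The key fallback chain `Queue-ID` → `mail_id` → Message-ID also deserves a comment: when neither id is present, `$id` is the Message-ID, which the remote sender chooses freely, so two messages carrying the same Message-ID collide in `%SPAM`/`%FROM` and the later one silently overwrites the earlier; a note such as `# fallback key is the sender-supplied Message-ID; duplicates overwrite` on the `elsif` would make that visible to the next maintainer. The rest of parse_amavis continues past the end of this hunk.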
@@ -1185,37 +1198,73 @@ sub parse_amavis
 }
 }
 }
- } elsif ($str =~ /(Passed|Blocked) INFECTED \(([^\)]*)\), .* <([^>]*)> -> <([^>]*)>.* Message-ID: <([^>]*)>, /) {
- my $id = $5;
+ } elsif ($str =~ /(Passed|Blocked) INFECTED \(([^\)]*)\), (.*) [<]*([^\s>]*)[>]* -> [<]*([^,>]*)[>]*,(.*) Message-ID: [<]*([^,>]+)[>]*, /) {
+ my $virus = $2;
+ my $relay = $3;
+ my $from = $4;
+ my $to = &edecode($5);
+ my $id = &edecode($7);
+ my $queue_id = $6;
+ if ($queue_id =~ /Queue-ID: ([^,]+),/) {
+ $id = $1;
+ }
+print STDERR "AAAAAAAAAAAAAAAAAA $id => $virus : $from -> $to\n";
 $VIRUS{$host}{$id}{file} = 'Inline';
- $VIRUS{$host}{$id}{virus} = $2;
- $VIRUS{$host}{$id}{from} = $3;
- $VIRUS{$host}{$id}{to} = $4;
+ $VIRUS{$host}{$id}{virus} = $virus;
+ $VIRUS{$host}{$id}{from} = $from;
+ $VIRUS{$host}{$id}{to} = $to;
 $VIRUS{$host}{$id}{date} = $date . $time;
+ if (!exists $FROM{$host}{$id}{from}) {
+ $FROM{$host}{$id}{from} = $from;
+ $FROM{$host}{$id}{date} = $date . $time;
+ push(@{$TO{$host}{$id}{queue_date}}, $date . $time);
+ push(@{$TO{$host}{$id}{queue_to}}, $to);
+ if ($str =~ /size: (\d+)/) {
+ $FROM{$host}{$id}{size} = $1;
+ }
+ $FROM{$host}{$id}{nrcpts} = 1;
+ $FROM{$host}{$id}{relay} = &clean_relay($relay);
+ }
 }
+
 if ($CONFIG{SPAM_DETAIL}) {
- if ($str =~ /\(([^\)]+)\) SPAM, .*, Yes, score=([^\s]+).* tests=(.*), autolearn=([^,]+)/) {
+
+ if ($str =~ /\(([^\)]+)\) SPAM, (.*), Yes, score=([^\s]+) .* tests=(.*) autolearn=([^,]+)/) {
+ my $id = $1;
+ my $from_to = $2;
+ my $score = $3;
+ my $spam = $4;
+ my $autolearn = $5;
+ if ($str =~ /autolearn=spam, quarantine ([^\s,]+)/) {
+ $id = $1;
+ }
+ $SPAMDETAIL{$host}{$id}{date} = $date . $time;
+ $SPAMDETAIL{$host}{$id}{type} = 'amavis';
+ $SPAMDETAIL{$host}{$id}{score} = $score;
+ $SPAMDETAIL{$host}{$id}{spam} = $spam;
+ $SPAMDETAIL{$host}{$id}{autolearn} = $autolearn;
+ ($SPAMDETAIL{$host}{$id}{from}, $SPAMDETAIL{$host}{$id}{to}) = split(/ -> /, $from_to);
+print STDERR "BBBBBBBBBBBB $id => $SPAMDETAIL{$host}{$id}{from}, $SPAMDETAIL{$host}{$id}{to}\n";
+ } elsif ($str =~ /\(([^\)]+)\) SPAM, (.*), Yes, score=([^\s]+).* tests=(.*)/) {
+ my $from_to = $2;
 $SPAMDETAIL{$host}{$1}{date} = $date . $time;
 $SPAMDETAIL{$host}{$1}{type} = 'amavis';
- $SPAMDETAIL{$host}{$1}{score} = $2;
- $SPAMDETAIL{$host}{$1}{spam} = $3;
- $SPAMDETAIL{$host}{$1}{autolearn} = $4;
- } elsif ($str =~ /\(([^\)]+)\) SPAM, .*, Yes, score=([^\s]+).* tests=(.*)/) {
- $SPAMDETAIL{$host}{$1}{date} = $date . $time;
- $SPAMDETAIL{$host}{$1}{type} = 'amavis';
- $SPAMDETAIL{$host}{$1}{score} = $2;
- $SPAMDETAIL{$host}{$1}{spam} = $3;
+ $SPAMDETAIL{$host}{$1}{score} = $3;
+ $SPAMDETAIL{$host}{$1}{spam} = $4;
+ ($SPAMDETAIL{$host}{$1}{from}, $SPAMDETAIL{$host}{$1}{to}) = split(/ -> /, $from_to);
 } elsif ($str =~ /\(([^\)]+)\) spam_scan: score=([^\s]+) autolearn=([^\s]+) tests=(.*),/) {
 $SPAMDETAIL{$host}{$1}{date} = $date . $time;
 $SPAMDETAIL{$host}{$1}{type} = 'amavis';
 $SPAMDETAIL{$host}{$1}{score} = $2;
 $SPAMDETAIL{$host}{$1}{autolearn} = $3;
 $SPAMDETAIL{$host}{$1}{spam} = $4;
- } elsif ($str =~ /\(([^\)]+)\) SPAM, .*, Yes, hits=([^\s]+) .*tests=(.*), quarantine/) {
+ } elsif ($str =~ /\(([^\)]+)\) SPAM, (.*), Yes, hits=([^\s]+) .*tests=(.*), quarantine/) {
+ my $from_to = $2;
 $SPAMDETAIL{$host}{$1}{date} = $date . $time;
 $SPAMDETAIL{$host}{$1}{type} = 'amavis';
- $SPAMDETAIL{$host}{$1}{score} = $2;
- $SPAMDETAIL{$host}{$1}{spam} = $3;
+ $SPAMDETAIL{$host}{$1}{score} = $3;
+ $SPAMDETAIL{$host}{$1}{spam} = $4;
+ ($SPAMDETAIL{$host}{$1}{from}, $SPAMDETAIL{$host}{$1}{to}) = split(/ -> /, $from_to);
 }
 }
 }
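Review bot: The two column-0 lines `print STDERR "AAAAAAAAAAAAAAAAAA …"` and `print STDERR "BBBBBBBBBBBB …"` look like leftover debugging and should be removed before this ships: they write every parsed Message-ID and sender/recipient address to stderr on each run, which for a log parser normally driven from cron ends up in cron mail. The INFECTED branch also decodes inconsistently with the SPAM branch just above it — `my $from = $4;` is stored raw while `$to` and `$id` go through `&edecode`, and in the SPAM branch it is the sender that is decoded and the id that is not; `my $from = &edecode($4);` would at least make the two records comparable. `split(/ -> /, $from_to)` hands `from` everything the greedy `(.*)` captured between `SPAM, ` and `, Yes,`, which presumably includes the relay brackets, so a one-line comment stating that this is intended (or a narrower capture) would help. parse_amavis begins before this hunk; its closing braces are the hunk's last context lines.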
@@ -1365,10 +1414,14 @@ sub clean_relay
 } elsif ($relay =~ m#localhost|127\.0\.0\.1#) {
 return 'localhost';
 } elsif ($relay =~ /^(.*[^\d])(\d+\.\d+\.\d+\.\d+)/) {
- if (lc($1) eq 'unknown') {
- return $2;
+ my $fqdn = $1;
+ my $ip = $2;
+ if (lc($fqdn) eq 'unknown') {
+ return $ip;
+ } elsif ($fqdn =~ /[\s,]/) {
+ return $ip;
 } else {
- return $1;
+ return $fqdn;
 }
 }
 $relay =~ s#^\s+##;
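Review bot: The new `elsif ($fqdn =~ /[\s,]/)` test runs on a capture that, because `(.*[^\d])` is greedy, still carries whatever separator precedes the address — for a relay such as `host.example [1.2.3.4]` the capture is `host.example [`, so that input now yields the IP where the old code returned the string with its trailing ` [`. If the intent is to prefer the address whenever the name part is not a bare hostname, a comment saying so would help; it is a defensible choice, since the name here is ultimately the peer's reverse DNS, which the peer controls, while the IP is what the MTA actually saw. `\d+\.\d+\.\d+\.\d+` is also unanchored and does not bound the octets, so it will pull an "address" out of any dotted digit run; `(\d{1,3}(?:\.\d{1,3}){3})` would tighten it without changing the accepted real addresses. clean_relay starts before this hunk and continues after its last line.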