I've recently switched to using spamassassin via a sendmail milter, rather than using procmail to invoke it. This means that I get a number of messages appearing in my maillog, and then being reported by logwatch as unmatched entries.
An example of such a message is:
Feb 27 04:33:09 quail sendmail[24780]: p1R4X46P024780[2]: URIBL blacklist\n\t* [URIs: tablettoxicspillsrx.ru]\n\t* 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist\n\t* [URIs: tablettoxicspillsrx.ru]\n\t* 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist\n\t* [URIs: tablettoxicspillsrx.ru]\n\t* 1.5 URIBL_SBL Contains an URL listed in the SBL blocklist\n\t* [URIs: tablettoxicspillsrx.ru]\n\t* 0.3 DRUGS_ERECTILE Refers to an erectile drug to \n\t* 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%\n\t* [score: 1.0000]\n\t* 0.3 DRUG_ED_CAPS BODY: Mentions an E.D. drug\n\t* 1.6 DRUG_ED_GENERIC BODY: Mentions Generic Viagra\n\t* 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net\n\t* [Blocked - see http://www.spamcop.net/bl.shtml?93.159.243.52]\n\t* 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL\n\t* [93.159.243.52 listed in zen.spamhaus.org]\n\t* 3.0 RCVD_IN_XBL RBL: Received via a ...
Is there a "best" approach to dealing with this, for instance stopping spamassassin reporting these to the maillog, or changing logwatch to recognise the messages? And how do I change it?
Thanks
Steve
On 28/02/2011, at 10:19 PM, Steve Searle wrote:
> I've recently switched to using spamassassin via a sendmail milter, rather than using procmail to invoke it. This means that I get a number of messages appearing in my maillog, and then being reported by logwatch as unmatched entries.
> An example of such a message is:
It's being reported by sendmail, not by spamassassin, it seems. Or perhaps it is just passing through to the logs what spamassassin is outputting.
Assumably you're calling out to spamass-milter. Are you passing any debug (-d) flags?
As to whether to prevent it being logged, or to ignore it in the logs, you would need to consider whether or not you want it in your logs... it could total to a fairly large amount and could in itself become a vector for a disk-filling attack.
> Feb 27 04:33:09 quail sendmail[24780]: p1R4X46P024780[2]: URIBL blacklist
To filter it in logcheck, you could act just on this part:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sendmail\[[0-9]+\]: [a-zA-Z0-9]+\[[0-9]+\]: URIBL blacklist
(This has not been tested; the first part comes from a standard Ubuntu install of logcheck, which is likely to also be the case in CentOS.)
Sorry, I can't help you with the sendmail part of it.
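
A way to test the ignore rule before installing it, as an added example that is not part of the original thread: logcheck applies its rules with egrep, so `grep -E -v` over sample lines shows what would still be reported. The rule is written here with the literal brackets escaped and a queue ID of any length; the second and third log lines and the example.invalid addresses are constructed.

```shell
#!/bin/sh
# Added example: check a logcheck-style ignore rule against sample maillog lines.
# Lines that match the rule are dropped from the report; everything else is kept.

# Ignore rule under test: syslog prefix, sendmail[pid], queue ID with the
# "[n]" suffix seen in the thread's log line, then the fixed text.
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sendmail\[[0-9]+\]: [a-zA-Z0-9]+\[[0-9]+\]: URIBL blacklist'

# Sample input. Line 1 reuses the prefix of the line quoted in the thread
# (the literal \n\t sequences are how the text appears in maillog).
# Lines 2 and 3 are constructed and must NOT be suppressed by the rule.
sample_lines() {
cat <<'EOF'
Feb 27 04:33:09 quail sendmail[24780]: p1R4X46P024780[2]: URIBL blacklist\n\t* [URIs: example.invalid]\n\t* 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
Feb 27 04:33:10 quail sendmail[24780]: p1R4X46P024780: Milter add: header: X-Spam-Flag: YES
Feb 27 04:35:41 quail sendmail[24802]: p1R4ZfQx024802: ruleset=check_rcpt, arg1=<a@example.invalid>, reject=550 5.7.1 Relaying denied
EOF
}

# Lines the rule would hide from the report.
ignored_count() {
    sample_lines | grep -E -c -e "$RULE"
}

# Lines that would still be reported.
still_reported() {
    sample_lines | grep -E -v -e "$RULE"
}

reported_count() {
    still_reported | grep -c ''
}

echo "ignored: $(ignored_count), still reported: $(reported_count)"
still_reported
```

Replacing `sample_lines` with `cat /var/log/maillog` runs the same check against real data before the rule is deployed.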