Hey there,

Background: Sendmail with spamd running on a different box, spamc called from global procmail file.

I'm doing some nightly log-combing to look for interesting patterns, including against other network traffic (like erroneous DNS lookups, I think I might be on to something).

However, one of the annoying things about spamassassin's logging is that it fails to log the remote connecting ip, even though it places it in special places in the logs:

Take, for example:

Dec 26 08:41:51 quark spamd[87490]: spamd: connection from prime.gushi.org [72.9.101.130] at port 62430
Dec 26 08:41:51 quark spamd[87490]: spamd: processing message <ca65a2f0912260536l2d0edcdy28f748beb74ea...@mail.gmail.com> for danm:58
Dec 26 08:41:53 quark spamd[87490]: FuzzyOcr: Scan canceled, message has less than -5 points (-6.601).
Dec 26 08:41:53 quark spamd[87490]: spamd: clean message (-6.6/5.0) for danm:58 in 1.9 seconds, 3788 bytes.
Dec 26 08:41:53 quark spamd[87490]: spamd: result: . -6 - AWL,BAYES_00,RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS scantime=1.9,size=3788,user=danm,uid=58,required_score=5.0,rhost=prime.gushi.org,raddr=72.9.101.130,rport=62430,mid=<ca65a2f0912260536l2d0edcdy28f748beb74ea...@mail.gmail.com>,bayes=0.000000,autolearn=ham,shortcircuit=no

From those logs, there's nothing at all that tells me what the relaying IP is, even though it's "special" to spamd, used to determine the ASN, etc.

The sendmail logs (grepped for that messageid) are more useful:

Dec 26 08:38:23 <mail.info> prime sm-mta[27423]: nBQDcLck027423: from=<asterisk-users-boun...@lists.digium.com>, size=2735, class=0, nrcpts=1, msgid=<ca65a2f0912260536l2d0edcdy28f748beb74ea...@mail.gmail.com>, proto=ESMTP, daemon=MTA, relay=lists.digium.com [216.207.245.17]

But again, those give me half the picture (and are on two different machines), and I'd need the long msgid line to correlate them.

Is the logging output configurable so that I could add the value of the "relay=" line into the output? Or perhaps the value of "X-Envelope-To"?

Also, does spamc have any concept of the "short" (ESMTP) messageid, as defined by sendmail's queues? (nBQDcLck027423). In terms of parsing logs, this is a much more useful correlation point, since it's that identifier that every other milter uses, and every other thing that writes to maillog uses. (But I understand if it's not possible since the API is different).

For example, grepping for that self-same messageid, other than spamc, gives me the whole story. Sender, recipient, every milter it's been through.

Dec 26 08:38:23 <mail.info> prime sm-mta[27423]: nBQDcLck027423: from=<asterisk-users-boun...@lists.digium.com>, size=2735, class=0, nrcpts=1, msgid=<ca65a2f0912260536l2d0edcdy28f748beb74ea...@mail.gmail.com>, proto=ESMTP, daemon=MTA, relay=lists.digium.com [216.207.245.17]
Dec 26 08:38:23 <mail.info> prime sm-mta[27423]: nBQDcLck027423: Milter insert (1): header: X-DomainKeys: Sendmail DomainKeys Filter v1.0.2 prime.gushi.org nBQDcLck027423
Dec 26 08:38:23 <mail.info> prime sm-mta[27423]: nBQDcLck027423: Milter insert (1): header: Authentication-Results: prime.gushi.org; dkim=none (no signature)\n\theader.i=unknown; x-dkim-adsp=none
Dec 26 08:38:23 <mail.info> prime sm-mta[27423]: nBQDcLck027423: Milter insert (1): header: X-DKIM: Sendmail DKIM Filter v2.8.3 prime.gushi.org nBQDcLck027423
Dec 26 08:38:23 <mail.info> prime sm-mta[27423]: nBQDcLck027423: Milter insert (1): header: Authentication-Results: prime.gushi.org; sender-id=pass header.sender=asterisk-users-boun...@lists.digium.com; spf=pass smtp.mfrom=asterisk-users-boun...@lists.digium.com
Dec 26 08:38:23 <mail.info> prime sm-mta[27423]: nBQDcLck027423: Milter insert (1): header: X-SenderID: Sendmail Sender-ID Filter v1.0.0 prime.gushi.org nBQDcLck027423
Dec 26 08:38:24 <mail.info> prime sm-mta[27423]: nBQDcLck027423: Milter add: header: X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-4.0.1 (prime.gushi.org [72.9.101.130]); Sat, 26 Dec 2009 08:41:49 -0500 (EST)
Dec 26 08:38:28 <mail.info> prime sm-mta[27436]: nBQDcLck027423: to=<d...@prime.gushi.org>, delay=00:00:05, xdelay=00:00:03, mailer=local, pri=33624, dsn=2.0.0, stat=Sent

Thoughts?

-Dan Mahoney

--

"When I'm lost, and confused, and trying to make a U-turn, nothing annoys
me more than someone telling me to watch out for the tombstone!"

"How often does that happen, Fab?"

-David Feld & Tom Fabry, sometime in High School.

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------

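The correlation the post asks for can be done offline from the two logs as they are: spamd's "result:" line already carries the message-id as mid=, and sendmail's "from=" line carries the same id as msgid= next to relay= and the queue id. The script below is an added example, not part of the original post or of SpamAssassin; it joins the two log formats on message-id and reports the relay IPs behind messages spamd scored as spam. The sample log lines are constructed (queue ids, message-ids, hosts and addresses are made up) in the formats quoted above.

```python
import re

# Constructed sample lines in the two formats quoted in the post; queue ids,
# message-ids, hosts and addresses are made up for this example.
SPAMD_LOG = """\
Dec 26 08:41:53 quark spamd[87490]: spamd: result: . -6 - AWL,BAYES_00,SPF_PASS scantime=1.9,size=3788,user=danm,uid=58,required_score=5.0,rhost=prime.example.org,raddr=192.0.2.10,rport=62430,mid=<abc123@mail.example.net>,bayes=0.000000,autolearn=ham,shortcircuit=no
Dec 26 08:44:02 quark spamd[87491]: spamd: result: Y 14 - BAYES_99,URIBL_BLACK scantime=2.3,size=5120,user=danm,uid=58,required_score=5.0,rhost=prime.example.org,raddr=192.0.2.10,rport=62451,mid=<def456@spam.example.com>,bayes=1.000000,autolearn=spam,shortcircuit=no
"""
SENDMAIL_LOG = """\
Dec 26 08:38:23 <mail.info> prime sm-mta[27423]: nBQDcLck027423: from=<list-bounces@lists.example.com>, size=2735, class=0, nrcpts=1, msgid=<abc123@mail.example.net>, proto=ESMTP, daemon=MTA, relay=lists.example.com [203.0.113.17]
Dec 26 08:43:58 <mail.info> prime sm-mta[27501]: nBQDhwXY027501: from=<bulk@spam.example.com>, size=5001, class=0, nrcpts=1, msgid=<def456@spam.example.com>, proto=ESMTP, daemon=MTA, relay=[198.51.100.77]
Dec 26 08:38:28 <mail.info> prime sm-mta[27436]: nBQDcLck027423: to=<dan@prime.example.org>, delay=00:00:05, xdelay=00:00:03, mailer=local, pri=33624, dsn=2.0.0, stat=Sent
"""

# spamd "result:" line: verdict ('.' ham / 'Y' spam), integer score, test list, key=value list.
SPAMD_RESULT = re.compile(
    r"spamd\[\d+\]: spamd: result: (?P<verdict>[.Y]) (?P<score>-?\d+) - (?P<tests>\S+) (?P<kv>\S+)$")
# sendmail "from=" line: queue id, envelope sender, msgid and the relay that handed us the message.
SENDMAIL_FROM = re.compile(
    r"sm-mta\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*?msgid=<(?P<mid>[^>]+)>.*?relay=(?P<relay>.+)$")
RELAY_IP = re.compile(r"\[([0-9a-fA-F.:]+)\]")

def parse_spamd(text):
    """Map message-id -> spamd verdict fields taken from 'spamd: result:' lines."""
    out = {}
    for line in text.splitlines():
        m = SPAMD_RESULT.search(line)
        if not m:
            continue
        kv = dict(p.split("=", 1) for p in m["kv"].split(","))
        out[kv["mid"].strip("<>")] = {"spam": m["verdict"] == "Y", "score": int(m["score"]),
                                      "tests": m["tests"].split(","), "user": kv.get("user")}
    return out

def parse_sendmail(text):
    """Map message-id -> queue id, envelope sender and relay from sendmail 'from=' lines."""
    out = {}
    for m in filter(None, map(SENDMAIL_FROM.search, text.splitlines())):
        ip = RELAY_IP.search(m["relay"])  # relay may be 'host [ip]' or just '[ip]'
        out[m["mid"]] = {"qid": m["qid"], "sender": m["sender"], "relay": m["relay"],
                         "relay_ip": ip.group(1) if ip else None}
    return out

def correlate(spamd_text, sendmail_text):
    """Join both logs on message-id; returns {mid: merged record} for ids present in both."""
    sd, sm = parse_spamd(spamd_text), parse_sendmail(sendmail_text)
    return {mid: {**sm[mid], **sd[mid]} for mid in sd.keys() & sm.keys()}

def spam_relay_ips(spamd_text, sendmail_text):
    """Relay IPs of messages spamd marked as spam, sorted, for a nightly report."""
    recs = correlate(spamd_text, sendmail_text).values()
    return sorted({r["relay_ip"] for r in recs if r["spam"] and r["relay_ip"]})
```

Run it over the real files (e.g. spamd's syslog from one box and maillog from the other) by reading them into the two text arguments; the queue id in each merged record is the key that the rest of the maillog uses.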