Mailing List Archive: ClamAV: users

Capturing message header data


bitfuzzy at campbus

Nov 23, 2009, 7:46 AM

Post #1 of 7 (869 views)
Permalink
Capturing message header data

I've got an issue I'm trying to resolve and to be honest I'm at a loss.

What I'm trying to do is log message virus statistics either to a
database or log file to be parsed for inclusion into a database.
The information we are interested in is the detected malware/virus, and
the destination email address (envelope recipient).

Using Clamav-milter (0.95.3) I've noticed that when a virus is found the
destination address is resolved to the local user or forward destination
via (more than likely) the virtusertable

I can't use the maillog because the destination isn't logged

So my question is this.

Is it possible to get clamav to log the "envelope recipient"?

If not

Is the message data accessible after clamav detects a virus for further
processing? (to capture virus name and other desired information through
script or other)
If so, what is the best method/mechanism for achieving this

Any insight is greatly appreciated

Ken



_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


ged at jubileegroup

Nov 24, 2009, 4:16 AM

Post #2 of 7 (827 views)
Permalink
Re: Capturing message header data [In reply to]

Hi there,

On Tue, 24 Nov 2009 Ken Campney wrote:

> What I'm trying to do is log message virus statistics either to a
> database or log file ...

Grab syslog-ng, it can do anything you need of that nature.

> I can't use the maillog because the destination isn't logged

Er, what MTA are you using? I don't know of one that can't log what
you need.

--

73,
Ged.


bitfuzzy at campbus

Nov 24, 2009, 5:06 AM

Post #3 of 7 (821 views)
Permalink
Re: Capturing message header data [In reply to]

G.W. Haywood wrote:
> Hi there,
>
> On Tue, 24 Nov 2009 Ken Campney wrote:
>
>
>> What I'm trying to do is log message virus statistics either to a
>> database or log file ...
>>
>
> Grab syslog-ng, it can do anything you need of that nature.
>
>
>> I can't use the maillog because the destination isn't logged
>>
>
> Er, what MTA are you using? I don't know of one that can't log what
> you need.
>
The MTA is Sendmail, and mail logging works just fine except for
messages where an infection is found.

I'm thinking the logging issue is due to clamav-milter, which is why I'm
posting to this list.

Running cat /var/log/maillog | grep Infected I get:
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add:
header: X-Virus-Status: Infected (Phishing.Heuristics.Email.SSL-Spoof)

Running cat /var/log/maillog | grep nAOAg8uf022365 I get:
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365:
from=<user [at] somedomain>, size=27436, class=0,
nrcpts=1,msgid=<DE.8C.15584.978BB0B4 [at] pr>, bodytype=8BITMIME,
proto=ESMTP, daemon=MTA, relay=somedomain.net [xxx.xxx.xx.xxx]
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add:
header: X-Virus-Scanned: clamav-milter 0.95.3 at myserver
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add:
header: X-Virus-Status: Infected (Phishing.Heuristics.Email.SSL-Spoof)
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter: data,
discard
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: discarded

Clamav-milter.log has:
Message from <user [at] somedomain> to <JoeK> infected by
Phishing.Heuristics.Email.SSL-Spoof

As you can see there is no destination logged when an infection is
processed.
My guess is this is because it's not being delivered, which would explain
why the clamav-milter.log has the intended "local" delivery address.
Unfortunately I need the envelope recipient.

Ken


> --
>
> 73,
> Ged.


--
---------------------------------------------------------------------------
Campney Business Solutions
http://www.campney.net
Phone: (585)663-5616 [9am-5pm M-F EST]

Email:
support [at] campney
service [at] campney
---------------------------------------------------------------------------



lists at retrochoons

Nov 24, 2009, 8:20 AM

Post #4 of 7 (820 views)
Permalink
Re: Capturing message header data [In reply to]

On Tue, 2009-11-24 at 08:06 -0500, Ken Campney wrote:
> G.W. Haywood wrote:
> > Hi there,
> >
> > On Tue, 24 Nov 2009 Ken Campney wrote:
> >
> >
> >> What I'm trying to do is log message virus statistics either to a
> >> database or log file ...
> >>
> >
> > Grab syslog-ng, it can do anything you need of that nature.
> >
> >
> >> I can't use the maillog because the destination isn't logged
> >>
> >
> > Er, what MTA are you using? I don't know of one that can't log what
> > you need.
> >
> The MTA is Sendmail, and mail logging works just fine except for
> messages where an infection is found.
>
> I'm thinking the logging issue is due to clamav-milter, which is why I'm
> posting to this list.
>
> Running cat /var/log/maillog | grep Infected I get:
> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add:
> header: X-Virus-Status: Infected (Phishing.Heuristics.Email.SSL-Spoof)
>
> Running cat /var/log/maillog | grep nAOAg8uf022365 I get:
> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365:
> from=<user [at] somedomain>, size=27436, class=0,
> nrcpts=1,msgid=<DE.8C.15584.978BB0B4 [at] pr>, bodytype=8BITMIME,
> proto=ESMTP, daemon=MTA, relay=somedomain.net [xxx.xxx.xx.xxx]
> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add:
> header: X-Virus-Scanned: clamav-milter 0.95.3 at myserver
> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add:
> header: X-Virus-Status: Infected (Phishing.Heuristics.Email.SSL-Spoof)
> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter: data,
> discard
> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: discarded
>
> Clamav-milter.log has:
> Message from <user [at] somedomain> to <JoeK> infected by
> Phishing.Heuristics.Email.SSL-Spoof
>
> As you can see there is no destination logged when an infection is
> processed.
> My guess is this is because it's not being delivered, which would explain
> why the clamav-milter.log has the intended "local" delivery address.
> Unfortunately I need the envelope recipient.
>
> Ken
>
>
> > --
> >
> > 73,
> > Ged.
That's unlucky. Using Postfix with the clam-av milter it obliges with:

Nov 23 08:41:02 inbound/cleanup[15078]: 305E0AD108: milter-reject:
END-OF-MESSAGE from 93-41-51-175.ip80.fastwebnet.it[93.41.51.175]: 5.7.1
Virus Found; from=<alightingzo9 [at] rancon> to=<...@....com> proto=ESMTP
helo=<93-41-51-175.ip80.fastwebnet.it>

All that is missing, is the year :-) {trivial to add....}



bitfuzzy at campbus

Nov 24, 2009, 7:35 PM

Post #5 of 7 (814 views)
Permalink
Re: Capturing message header data [In reply to]

lists wrote:
> On Tue, 2009-11-24 at 08:06 -0500, Ken Campney wrote:
>
>> G.W. Haywood wrote:
>>
>>> Hi there,
>>>
>>> On Tue, 24 Nov 2009 Ken Campney wrote:
>>>
>>>
>>>
>>>> What I'm trying to do is log message virus statistics either to a
>>>> database or log file ...
>>>>
>>>>
>>> Grab syslog-ng, it can do anything you need of that nature.
>>>
>>>
>>>
>>>> I can't use the maillog because the destination isn't logged
>>>>
>>>>
>>> Er, what MTA are you using? I don't know of one that can't log what
>>> you need.
>>>
>>>
>> The MTA is Sendmail, and mail logging works just fine except for
>> messages where an infection is found.
>>
>> I'm thinking the logging issue is due to clamav-milter, which is why I'm
>> posting to this list.
>>
>> Running cat /var/log/maillog | grep Infected I get:
>> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add:
>> header: X-Virus-Status: Infected (Phishing.Heuristics.Email.SSL-Spoof)
>>
>> Running cat /var/log/maillog | grep nAOAg8uf022365 I get:
>> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365:
>> from=<user [at] somedomain>, size=27436, class=0,
>> nrcpts=1,msgid=<DE.8C.15584.978BB0B4 [at] pr>, bodytype=8BITMIME,
>> proto=ESMTP, daemon=MTA, relay=somedomain.net [xxx.xxx.xx.xxx]
>> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add:
>> header: X-Virus-Scanned: clamav-milter 0.95.3 at myserver
>> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add:
>> header: X-Virus-Status: Infected (Phishing.Heuristics.Email.SSL-Spoof)
>> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter: data,
>> discard
>> Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: discarded
>>
>> Clamav-milter.log has:
>> Message from <user [at] somedomain> to <JoeK> infected by
>> Phishing.Heuristics.Email.SSL-Spoof
>>
>> As you can see there is no destination logged when an infection is
>> processed.
>> My guess is this is because it's not being delivered, which would explain
>> why the clamav-milter.log has the intended "local" delivery address.
>> Unfortunately I need the envelope recipient.
>>
>> Ken
>>
>>
>>
>>> --
>>>
>>> 73,
>>> Ged.
> That's unlucky. Using Postfix with the clam-av milter it obliges with:
>
> Nov 23 08:41:02 inbound/cleanup[15078]: 305E0AD108: milter-reject:
> END-OF-MESSAGE from 93-41-51-175.ip80.fastwebnet.it[93.41.51.175]: 5.7.1
> Virus Found; from=<alightingzo9 [at] rancon> to=<...@....com> proto=ESMTP
> helo=<93-41-51-175.ip80.fastwebnet.it>
>
> All that is missing, is the year :-) {trivial to add....}
>

Annoying is more like it heh
Actually, using the OnInfected setting of "Reject" rather than Blackhole
or Quarantine does provide the envelope recipient (to=<....@...com>) in
the maillog (though clamav-milter.log still records local names regardless).

The missing information in maillog now definitely appears to be directly
related to using Blackhole or Quarantine. Bug??

Ken


a_s_y at sama

Nov 25, 2009, 3:46 AM

Post #6 of 7 (813 views)
Permalink
Re: Capturing message header data [In reply to]

On Monday 23 November 2009, Ken Campney wrote:

> Is it possible to get clamav to log the "envelope recipient"?

mailfromd can do it.

--
Regards,
Sergey


ged at jubileegroup

Nov 25, 2009, 5:12 AM

Post #7 of 7 (804 views)
Permalink
Re: Capturing message header data [In reply to]

Hi there,

On Wed, 25 Nov 2009 Ken Campney wrote:

> ... there is no destination logged when an infection is processed.
> My guess is this is because it's not being delivered, which would explain
> why the clamav-milter.log has the intended "local" delivery address.

Can you change the verbosity of Sendmail's logging? Here's an edited
extract from my logs, the lines may wrap in your mail client but they
all begin with the date ("Nov 2"), time and mailserver name ("mail3").
It would be easy to grab the envelope recipient from this log:

Nov 2 07:54:50 mail3 sm-mta[20703]: NOQUEUE: connect from ha20.Scsend.net [64.50.150.20]
Nov 2 07:55:53 mail3 sm-mta[20703]: nA27somI020703: --- 220-mail3.jubileegroup.co.uk ESMTP You will be billed fifty US dollars for each and e
Nov 2 07:55:53 mail3 sm-mta[20703]: nA27somI020703: --- 220 server ready
Nov 2 07:55:54 mail3 sm-mta[20703]: nA27somI020703: <-- EHLO ha20.Scsend.net
Nov 2 07:55:54 mail3 sm-mta[20703]: nA27somI020703: --- 250-mail3.jubileegroup.co.uk Hello ha20.Scsend.net [64.50.150.20], pleased to meet yo
Nov 2 07:55:54 mail3 sm-mta[20703]: nA27somI020703: --- 250 [snip, snip]
Nov 2 07:55:54 mail3 sm-mta[20703]: nA27somI020703: <-- MAIL FROM:<b1 [at] bounce> SIZE=4927
Nov 2 07:55:54 mail3 sm-mta[20703]: nA27somI020703: --- 250 2.1.0 <b1 [at] bounce>... Sender ok
Nov 2 07:55:54 mail3 sm-mta[20703]: nA27somI020703: <-- RCPT TO:<sales [at] jubileegroup>
Nov 2 07:55:54 mail3 sm-mta[20703]: nA27somI020703: --- 050 /home/sales/.forward: line 1: forwarding to [snip]
Nov 2 07:55:54 mail3 sm-mta[20703]: nA27somI020703: forward <sales [at] jubileegroup> => [snip]
Nov 2 07:55:55 mail3 sm-mta[20703]: nA27somI020703: --- 250 2.1.5 <sales [at] jubileegroup>... Recipient ok
Nov 2 07:55:55 mail3 sm-mta[20703]: nA27somI020703: <-- DATA
Nov 2 07:55:55 mail3 sm-mta[20703]: nA27somI020703: --- 354 Enter mail, end with "." on a line by itself
Nov 2 07:55:55 mail3 sm-mta[20703]: nA27somI020703: from=<b1 [at] bounce>, size=4810, class=0, nrcpts=3, msgid=<20091102075451.8C47717A
Nov 2 07:55:55 mail3 sm-mta[20703]: nA27somI020703: Milter insert (0): header: Received-SPF: pass (mail3.jubileegroup.co.uk: domain of b1 [at] bo
Nov 2 07:55:57 mail3 sm-mta[20703]: nA27somI020703: Milter add: header: X-Greylist: Recipient e-mail whitelisted, not delayed by milter-greyl
Nov 2 07:55:57 mail3 sm-mta[20703]: nA27somI020703: Milter insert (1): header: X-Virus-Status: Infected (Sanesecurity.Jurlbl.8643.UNOFFICIAL)
Nov 2 07:55:57 mail3 sm-mta[20703]: nA27somI020703: Milter: data, reject=554 5.7.1 Command rejected
Nov 2 07:55:57 mail3 sm-mta[20703]: nA27somI020703: to=[snip], delay=00:00:02, pri=94810, stat=Command rejected
Nov 2 07:55:57 mail3 sm-mta[20703]: nA27somI020703: --- 554 5.7.1 Command rejected (held)
Nov 2 07:55:57 mail3 sm-mta[20703]: nA27somJ020703: <-- QUIT
Nov 2 07:55:57 mail3 sm-mta[20703]: nA27somJ020703: --- 221 2.0.0 mail3.jubileegroup.co.uk closing connection

You'll need to start Sendmail with LogLevel 9 or above to get this
information. In my local copy of the "Bat Book" (ISBN 1-56592-222-0,
"Sendmail", 2nd edition 1997 from one of the O'Reilly Networking CDs)
this is in the "Logging and Statistics" chapter, section 26.1.3. All
administrators running Sendmail need access to a copy of the Bat Book.
You can find it online if you look hard enough.

--

73,
Ged.
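The three log shapes discussed in this thread (Ken's discard-mode maillog with no to= line, the reject-mode maillog that does carry to=<...>, and Ged's LogLevel 9+ extract with the SMTP-time RCPT TO) can be correlated on the Sendmail queue ID to produce the "signature plus envelope recipient" records Ken wants. The script below is an added example written for this page, not code from the thread or from the ClamAV project. The log lines it parses are constructed to mimic the formats quoted above (addresses, hostnames, queue IDs and the sample@example.* mailboxes are made up), and the field names of the records it emits are this example's own choice. It prefers the RCPT TO line (the true envelope recipient, only present at LogLevel 9 or higher) and falls back to the to=<...> of a delivery or reject line; a message that the milter discarded at a lower log level ends up with an empty recipient list, which is exactly the gap Ken ran into.

```python
import re
from collections import OrderedDict

# Constructed sample maillog, modelled on the Sendmail lines quoted in this thread.
# Four messages: discard with RCPT TO logged, a clean delivery, a reject, and a
# discard logged below LogLevel 9 (no RCPT TO and no to= line at all).
SAMPLE_MAILLOG = """\
Nov 24 05:42:08 myserver sm-mta[22365]: NOQUEUE: connect from somedomain.example [192.0.2.10]
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: <-- RCPT TO:<joek@example.com>
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: from=<user@somedomain.example>, size=27436, class=0, nrcpts=1, msgid=<abc@pr>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=somedomain.example [192.0.2.10]
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add: header: X-Virus-Scanned: clamav-milter 0.95.3 at myserver
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add: header: X-Virus-Status: Infected (Phishing.Heuristics.Email.SSL-Spoof)
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter: data, discard
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: discarded
Nov 24 06:10:11 myserver sm-mta[22401]: nAOBAB4c022401: from=<other@example.net>, size=1024, class=0, nrcpts=1, msgid=<def@x>, proto=ESMTP, daemon=MTA, relay=mx.example.net [192.0.2.20]
Nov 24 06:10:11 myserver sm-mta[22401]: nAOBAB4c022401: Milter add: header: X-Virus-Status: Clean
Nov 24 06:10:12 myserver sm-mta[22401]: nAOBAB4c022401: to=<bob@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=31024, dsn=2.0.0, stat=Sent
Nov 24 06:15:00 myserver sm-mta[22450]: nAOBF0Qd022450: from=<spam@example.org>, size=4810, class=0, nrcpts=1, msgid=<ghi@y>, proto=ESMTP, daemon=MTA, relay=relay.example.org [192.0.2.30]
Nov 24 06:15:01 myserver sm-mta[22450]: nAOBF0Qd022450: Milter insert (1): header: X-Virus-Status: Infected (Sanesecurity.Jurlbl.8643.UNOFFICIAL)
Nov 24 06:15:01 myserver sm-mta[22450]: nAOBF0Qd022450: Milter: data, reject=554 5.7.1 Command rejected
Nov 24 06:15:01 myserver sm-mta[22450]: nAOBF0Qd022450: to=<alice@example.com>, delay=00:00:01, pri=94810, stat=Command rejected
Nov 24 06:20:00 myserver sm-mta[22500]: nAOBK0Xy022500: from=<bad@example.org>, size=2048, class=0, nrcpts=1, msgid=<jkl@z>, proto=ESMTP, daemon=MTA, relay=relay.example.org [192.0.2.30]
Nov 24 06:20:00 myserver sm-mta[22500]: nAOBK0Xy022500: Milter add: header: X-Virus-Status: Infected (Eicar-Test-Signature)
Nov 24 06:20:00 myserver sm-mta[22500]: nAOBK0Xy022500: Milter: data, discard
Nov 24 06:20:00 myserver sm-mta[22500]: nAOBK0Xy022500: discarded
"""

# One Sendmail log line: timestamp, host, "sm-mta[pid]: <queue id>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sm-mta\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)
RCPT_RE = re.compile(r"<-- RCPT TO:<([^>]*)>", re.IGNORECASE)   # LogLevel 9+ only
TO_RE = re.compile(r"\bto=<([^>]*)>")                             # delivery / reject line
FROM_RE = re.compile(r"\bfrom=<([^>]*)>")
INFECTED_RE = re.compile(r"X-Virus-Status: Infected \(([^)]+)\)")
DISPOSITION_RE = re.compile(r"Milter: data, (discard|reject=\d{3})")


def parse_maillog(text):
    """Group Sendmail log lines by queue ID and collect the fields of interest."""
    records = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("qid") == "NOQUEUE":
            continue  # connection-level lines carry no queue ID to correlate on
        rec = records.setdefault(m.group("qid"), {
            "qid": m.group("qid"), "timestamp": m.group("ts"), "sender": None,
            "envelope_rcpts": [], "delivery_rcpts": [],
            "signature": None, "disposition": None,
        })
        rest = m.group("rest")
        r = RCPT_RE.search(rest)
        if r:
            rec["envelope_rcpts"].append(r.group(1))
            continue
        f = FROM_RE.search(rest)
        if f:
            rec["sender"] = f.group(1)
        t = TO_RE.search(rest)
        if t:
            rec["delivery_rcpts"].append(t.group(1))
        i = INFECTED_RE.search(rest)
        if i:
            rec["signature"] = i.group(1)
        d = DISPOSITION_RE.search(rest)
        if d:
            rec["disposition"] = d.group(1)
    return records


def infected_records(text):
    """Return one flat record per infected message, ready for a DB or log file."""
    out = []
    for rec in parse_maillog(text).values():
        if rec["signature"] is None:
            continue
        # Prefer the SMTP-time RCPT TO (true envelope recipient); fall back to the
        # to=<> of a delivery/reject line, which Sendmail does not write for a
        # message the milter discarded. Empty list == the gap described in the thread.
        rcpts = rec["envelope_rcpts"] or rec["delivery_rcpts"]
        out.append({
            "timestamp": rec["timestamp"], "qid": rec["qid"], "sender": rec["sender"],
            "recipients": rcpts, "signature": rec["signature"],
            "disposition": rec["disposition"] or "unknown",
        })
    return out


def to_log_line(rec):
    """Tab-separated line for a flat file that can later be loaded into a database."""
    return "\t".join([rec["timestamp"], rec["qid"], rec["sender"] or "",
                      ",".join(rec["recipients"]), rec["signature"], rec["disposition"]])


if __name__ == "__main__":
    for rec in infected_records(SAMPLE_MAILLOG):
        print(to_log_line(rec))
```

Run against a real /var/log/maillog the same grouping applies; only the sample text is constructed. A record whose recipients column is empty is a message logged below LogLevel 9 in Blackhole or Quarantine mode, so the script doubles as a quick check of whether the logging level is high enough to capture what you need.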
