Mailing List Archive: SpamAssassin: users

log sender IP

Index | Next | Previous | View Threaded

dharmaChris at gmail

May 17, 2012, 4:35 PM

Post #1 of 6 (491 views)
Permalink

log sender IP

I'm hoping to track scores by sender IP. Do any gurus know how I can
get the original sender's IP address into this log line?

May 17 04:08:19 mail01 spamd[20409]: spamd: result: . 2 -
AWL,BAYES_50,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_RATIO_02,HTML_MESSAGE,SPF_HELO_PASS,URIBL_WS_SURBL
scantime=0.9,size=9109,user=happydog [at] willapabay,uid=105,required_score=5.0,rhost=mail01-01.reachone.com,raddr=127.0.0.1,rport=36534,mid=<16780360.84780 [at] patriotupdate>,bayes=0.500889,autolearn=no

Please note that since it's a Postfix milter, the spamd daemon sees
[remoteaddr] as 127.0.0.1:

May 17 16:27:38 mail1spamd[2187]: spamd: [...] [127.0.0.1] for
drsmooth [at] olynet:104 in 2.2 seconds, 2373 bytes.

I'm hoping custom spamassassin plugin is not the answer :)

TIA,
Chris

bgardnermailinglists at gmail

May 17, 2012, 4:51 PM

Post #2 of 6 (468 views)
Permalink

Re: log sender IP [In reply to]

On 05/17/2012 04:35 PM, Chris Hunt wrote:
> I'm hoping to track scores by sender IP. Do any gurus know how I can
> get the original sender's IP address into this log line?
>
> May 17 04:08:19 mail01 spamd[20409]: spamd: result: . 2 -
> AWL,BAYES_50,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_RATIO_02,HTML_MESSAGE,SPF_HELO_PASS,URIBL_WS_SURBL
> scantime=0.9,size=9109,user=happydog [at] willapabay,uid=105,required_score=5.0,rhost=mail01-01.reachone.com,raddr=127.0.0.1,rport=36534,mid=<16780360.84780 [at] patriotupdate>,bayes=0.500889,autolearn=no
>
> Please note that since it's a Postfix milter, the spamd daemon sees
> [remoteaddr] as 127.0.0.1:
>
> May 17 16:27:38 mail1spamd[2187]: spamd: [...] [127.0.0.1] for
> drsmooth [at] olynet:104 in 2.2 seconds, 2373 bytes.
>
> I'm hoping custom spamassassin plugin is not the answer :)
>
> TIA,
> Chris
>
>
>
>
Can you get what you need from Postfix logs? Using Qmail here, and for
each message Qmail is logging a line that contains the score, subject,
sender IP & email addresses, recipient address.

Brent Gardner

jhardin at impsec

May 17, 2012, 4:59 PM

Post #3 of 6 (466 views)
Permalink

Re: log sender IP [In reply to]

On Thu, 17 May 2012, Chris Hunt wrote:

> I'm hoping to track scores by sender IP. Do any gurus know how I can
> get the original sender's IP address into this log line?
>
> May 17 04:08:19 mail01 spamd[20409]: spamd: result: . 2 -
> AWL,BAYES_50,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_RATIO_02,HTML_MESSAGE,SPF_HELO_PASS,URIBL_WS_SURBL
> scantime=0.9,size=9109,user=happydog [at] willapabay,uid=105,required_score=5.0,rhost=mail01-01.reachone.com,raddr=127.0.0.1,rport=36534,mid=<16780360.84780 [at] patriotupdate>,bayes=0.500889,autolearn=no
>
> Please note that since it's a Postfix milter, the spamd daemon sees
> [remoteaddr] as 127.0.0.1:
>
> May 17 16:27:38 mail1spamd[2187]: spamd: [...] [127.0.0.1] for
> drsmooth [at] olynet:104 in 2.2 seconds, 2373 bytes.
>
> I'm hoping custom spamassassin plugin is not the answer :)

I know this doesn't directly answer the question you're asking, but how
about looking up the mid (msgid) in the Postfix log lines to get the
source IP? That should be fairly simple to do in a perl logfile parser.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The real opiate of the masses isn't religion; it's the belief that
somewhere there is a benefit that can be delivered without a
corresponding cost. -- Tom of "Radio Free NJ"
-----------------------------------------------------------------------
2 days until SpaceX Dragon first mission to ISS

lucio at lambrate

May 18, 2012, 5:49 AM

Post #4 of 6 (465 views)
Permalink

Re: log sender IP [In reply to]

On Thu, 17 May 2012, Brent Gardner wrote:

>> I'm hoping to track scores by sender IP. Do any gurus know how I can
>> get the original sender's IP address into this log line?

> Can you get what you need from Postfix logs?

I use sendmail, and spamassassin/amavis as milter, and I run all sort of
statistics from /var/log/mail, which is where sendmail logs everything.
E.g. I identify messages flagged as spam via the string "Blocked SPAM" in
the log) and extract the score/hits from there.

For other statistics on rules I use the quarantine folder (we store all
quarantined spam in a single daily mail folder for all users).

Of course this has to be highly customized for local usage.

dharmachris at gmail

May 18, 2012, 4:02 PM

Post #5 of 6 (461 views)
Permalink

Re: log sender IP [In reply to]

On Thu, May 17, 2012 at 4:35 PM, Chris Hunt <dharmaChris [at] gmail> wrote:
> I'm hoping to track scores by sender IP. �Do any gurus know how I can
> get the original sender's IP address into this log line?
>
> May 17 04:08:19 mail01 spamd[20409]: spamd: result: . 2 -
> AWL,BAYES_50,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_RATIO_02,HTML_MESSAGE,SPF_HELO_PASS,URIBL_WS_SURBL
> scantime=0.9,size=9109,user=happydog [at] willapabay,uid=105,required_score=5.0,rhost=mail01-01.reachone.com,raddr=127.0.0.1,rport=36534,mid=<16780360.84780 [at] patriotupdate>,bayes=0.500889,autolearn=no
>
> Please note that since it's a Postfix milter, the spamd daemon sees
> [remoteaddr] as 127.0.0.1:
>
> May 17 16:27:38 mail1spamd[2187]: spamd: [...] [127.0.0.1] for
> drsmooth [at] olynet:104 in 2.2 seconds, 2373 bytes.
>
> I'm hoping custom spamassassin plugin is not the answer :)
>
> TIA,
> Chris
>
>
>
>

For anyone who cares, this is what I came up with. Please note my
Perl skills are really weak, so if anyone has any optimizations, I'd
welcome them :

--- spamd.orig 2012-05-17 21:52:27.000000000 -0700
+++ spamd 2012-05-18 15:56:06.000000000 -0700
@@ -1630,9 +1630,29 @@

my $scantime = sprintf( "%.1f", time - $start_time );

- info("spamd: $was_it_spam ($msg_score/$msg_threshold) for
$current_user:$> in"
- . " $scantime seconds, $actual_length bytes." );
+##########################################################################################
+##
+## Hack added by to add relay server addresses to base report for
fail2ban etc.
+## 2012-05-18: First Draft
+##
+
+ my @from_addrs = $mail->get_pristine_header("Received");
+ my $nums = @from_addrs;
+ my $line;
+ my @raddrs;
+ foreach $line (@from_addrs){
+ if($line=~/(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/) {
+ if($1 == 127 && $2 == 0 && $3 == 0 && $4 == 1) {
+ }else{
+ push(@raddrs, "$1.$2.$3.$4");
+ }
+ } # end if
+ } # end foreach
+ my $from_addrs2 = join(",",@raddrs);
+ info("spamd: result: $was_it_spam ($msg_score/$msg_threshold) in
$nums relays from $from_addrs2 for $current_user:$> in $scantime
seconds, $actual_length bytes." );

+
+############################################################################################
# add a summary "result:" line, based on mass-check format
my @extra;
push(@extra, "scantime=".$scantime, "size=$actual_length",

pegpe at irt

May 20, 2012, 1:47 PM

Post #6 of 6 (459 views)
Permalink

Re: log sender IP [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just as a note to everyone who will stumble upon similair problems.
The easiest way I know of to print certain fields in the mailheaders to
the logs is to use header_checks in postfix to print out the matching
field to the syslog which later on can be parsed in a "standardized" way.
x-originating-ip is a nice example to compare against an expected pattern.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPuVhKAAoJEOVOmoKjmKMk2ygH/3dlsIOl/+ISdXXjQg9HZms2
2lO6xA/LkNquGCLFF4LY+9Ym19p28pYdzp1mOL5sMRsSKBAYpaU16722TTX1LWIi
EXdSzCVhAhgQkiEl6Kc9oBTdq/ioJ3NOQK4hJHeZoizJX/8omjIpPhwsftLbxPrT
Pgmfvl0N9MiWzwryF9XO2sH3JOiLYHSIC7U10hV3Q+LfAp/vjUUl0uOl5NT3Ib42
jLjYZfiFdZMDu/s1PUnX6RxinNph5OP0fSgWmALQtA2nzrbk7AA9tVkQu5Jte/Nv
mPWdLccGrJDIKwi7Aornq1FdJeqr1ER53ncQ00wKRkvffdBPVXG493lRUxkw+Ck=
=b16w
-----END PGP SIGNATURE-----

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads