OSEC

From: Michael Tokarev (mjttls.msk.ru)
Date: Thu May 02 2002 - 07:52:32 CDT


    [Note the Cc set to postfix-users]

    Ralf Hildebrandt wrote:
    >
    > Can avcheck report the IP address of the client in the log?
    > I don't even know if Postfix's pipe transport can provide the info to
    > the avcheck binary, but it's surely useful.

    No, postfix does not *store* client's IP address in queue file.

    Here is a code fragment from my honeypot handler:

    IP=`sed -n \
         -e 's/^Received: from.* \[\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\])$/\1/p' \
         -e '/^Received: /q' \
        $MAIL`

    This matches the following (from your message as seen here):

    [Return-Path or some other header(s) may be here]
    Received: from mail.corpit.ru (mail.corpit.ru [217.23.134.198])
            by mail.tls.msk.ru (Postfix) with ESMTP id 86E878C2D
            for <mjtpaltus.tls.msk.ru>; Thu, 2 May 2002 12:05:26 +0400 (MSD)
            (envelope-from avcheck-adminlist.corpit.ru)

    This will not work with locally generated mails (e.g. sent by
    /usr/sbin/sendmail). And this *may* work with qmqpd-submitted
    mails, or may not.

    Here are more variants. Double bounce:

    Received: by mail.corpit.ru (Postfix)
            id 2B6AA380E; Thu, 2 May 2002 16:40:42 +0400 (MSD)

    Locally-submitted mail (/usr/sbin/sendmail interface, Received
    by pickup):

    Received: by mail.tls.msk.ru (Postfix, from userid 101)
            id DB2DB8C2D; Thu, 2 May 2002 16:45:09 +0400 (MSD)

    The following command may work:

    FROM=`sed -n \
         -e 's/^Received: from.* \[\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\])$/ from IP \1/p' \
         -e 's/^Received: by.* (Postfix)$/ from internal/p' \
         -e 's/^Received: by.* (Postfix,\( from userid [0-9]*\))$/\1/p' \
         -e '/^Received: /q' \
        $MAIL`

    (note extra spaces). qmqpd case still missing.

    > Why:
    >
    > * recent viruses forge sender addresses, one can only rely on the
    > client's IP address.
    >
    > * it's tedious to find the client's IP in the log

    With the above, one may use "$FROM" in the log line. Like:

     logger .. "infected by $MSG;$FROM from=$SENDER to=$*"

    Regards,
     Michael.
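As an added example (not code from the post, from avcheck or from Postfix), the same first-Received-header logic in Python: it unfolds continuation lines and ignores every Received: header below the topmost one, since those were supplied by the client and may be forged. The sample messages are constructed from the header shapes quoted above; the hostnames ending in example.invalid and the virus name are placeholders.

```python
import re

# Constructed samples modelled on the three Received: shapes quoted in the post. The first
# one also carries a client-supplied Received: (192.0.2.7) below the one our own Postfix
# added; only the topmost header is ours, so that forged line must never be reported.
REMOTE_MAIL = ("Return-Path: <sender@example.invalid>\n"
               "Received: from mail.corpit.ru (mail.corpit.ru [217.23.134.198])\n"
               "\tby mail.tls.msk.ru (Postfix) with ESMTP id 86E878C2D\n"
               "\tfor <user@example.invalid>; Thu, 2 May 2002 12:05:26 +0400 (MSD)\n"
               "Received: from forged.example.invalid (forged.example.invalid [192.0.2.7])\n"
               "\tby relay.example.invalid (Postfix) with ESMTP id 0123456789\n"
               "Subject: test\n\nbody\n")
BOUNCE_MAIL = ("Received: by mail.corpit.ru (Postfix)\n"
               "\tid 2B6AA380E; Thu, 2 May 2002 16:40:42 +0400 (MSD)\n\nbody\n")
PICKUP_MAIL = ("Received: by mail.tls.msk.ru (Postfix, from userid 101)\n"
               "\tid DB2DB8C2D; Thu, 2 May 2002 16:45:09 +0400 (MSD)\n\nbody\n")
# (regex on the unfolded header value, label template), same three cases as the post's sed
RULES = [
    (re.compile(r"^from \S+ \([^)]*\[(\d{1,3}(?:\.\d{1,3}){3})\]\) by "), "from IP %s"),
    (re.compile(r"^by \S+ \(Postfix, from userid (\d+)\)"), "from userid %s"),
    (re.compile(r"^by \S+ \(Postfix\)"), "from internal"),
]

def first_received(raw):
    """Return the unfolded value of the topmost Received: header, or None."""
    headers = []
    for line in raw.splitlines():
        if line == "":
            break                                  # blank line ends the header block
        if line[0] in " \t" and headers:
            headers[-1] += " " + line.strip()      # join a folded continuation line
        else:
            headers.append(line)
    for h in headers:
        name, sep, value = h.partition(":")
        if sep and name.strip().lower() == "received":
            return value.strip()                   # topmost only; lower ones may be forged
    return None

def origin(raw):
    """Classify where the message entered Postfix, like the post's $FROM variable."""
    value = first_received(raw)
    for pattern, label in RULES:
        m = pattern.match(value or "")
        if m:
            return label % m.groups()              # "label % ()" is fine for the plain label
    return "unknown"

def log_line(raw, virus, sender, recipients):
    # Syslog text in the shape the post suggests, with the origin filled in
    return "infected by %s; %s from=%s to=%s" % (virus, origin(raw), sender, " ".join(recipients))
```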