suppress some more suspicious words in email adresses of postfix and amavisd-new. Relax postfix verification failed filter. Add another dyndns smtp refusal.

3 files changed, 8 insertions, 8 deletions

diff --git a/logcheck/violations.ignore.d/amavisd-new b/logcheck/violations.ignore.d/amavisd-new
index df555c2..8d492e7 100644
--- a/logcheck/violations.ignore.d/amavisd-new
+++ b/logcheck/violations.ignore.d/amavisd-new
@@ -6,4 +6,4 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) NOTICE: UNABLE TO SEND DSN to <[^[:space:]]*>: 550 5\.1\.0 <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) mail_via_smtp: 550 5\.1\.0 <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table$
 # Suspicious words within email addresses are ok
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: .*<[^[:space:]]*(attack|debug|deny|error|expn|refused)[^[:space:]]*>.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: .*<[^>[:space:]]*(attack|debug|deny|error|expn|promisc|refused)[^>[:space:]]*>.*$
diff --git a/logcheck/violations.ignore.d/local b/logcheck/violations.ignore.d/local
index 7f9281a..67f4052 100644
--- a/logcheck/violations.ignore.d/local
+++ b/logcheck/violations.ignore.d/local
@@ -13,7 +13,7 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) NOTICE: DSN contains BAD HEADER & SPAM; bounce is not bouncable, mail intentionally dropped$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) NOTICE: UNABLE TO SEND DSN to <[^[:space:]]*>: 550 5\.1\.0 <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) mail_via_smtp: 550 5\.1\.0 <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: .*<[^[:space:]]*(attack|debug|deny|error|expn|refused)[^[:space:]]*>.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: .*<[^>[:space:]]*(attack|debug|deny|error|expn|promisc|refused)[^>[:space:]]*>.*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dccproc\[[0-9]+\]: continue not asking DCC [0-9]+ seconds after failure$
@@ -56,7 +56,7 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: certificate verification failed for [^[:space:]]+:( num=10:)?certificate has expired$
 
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: (Connection refused|server refused mail service) +\(port 25\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server refused to talk to me: [^[:space:]]+ +)?550 (<[^[:space:]]+>: Client host rejected: Blocked|ERROR: Mail Refused - [\.0-9]+ - See [^[:space:]]+|Host [\.0-9]+ is reject as in dynamic reject list \(dynamic\.reject\)) +\(port 25\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server refused to talk to me: [^[:space:]]+ +)?550 (<[^[:space:]]+>: Client host rejected: Blocked|[\.0-9]+, Sorry access denied to you|ERROR: Mail Refused - [\.0-9]+ - See [^[:space:]]+|Host [\.0-9]+ is reject as in dynamic reject list \(dynamic\.reject\)) +\(port 25\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server refused to talk to me: [^[:space:]]+ +)?554 (<[^[:space:]]+>: Client host rejected: Reject Dynamic ip|#5\.5\.4 Relaying denied\. IP name lookup failed) +\(port 25\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [^[:space:]]+: to=<[^>]*>, relay=none, delay=[0-9]+, status=deferred \(delivery temporarily suspended: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: ([^[:space:]]+ 550 ERROR: Mail Refused - [\.0-9]+ - See http://security.rr.com/mail_blocks.htm\)|550 Host [\.0-9]+ is reject as in dynamic reject list \(dynamic.reject\))$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [^[:space:]]+: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: ([^[:space:]]+ 550 ERROR: Mail Refused - [\.0-9]+ - See http://security.rr.com/mail_blocks.htm|550 Host [\.0-9]+ is reject as in dynamic reject list \(dynamic.reject\)|554 <[^[:space:]]+\[[\.0-9]+\]>: Client host rejected: No mail accepted from you)$
@@ -68,9 +68,9 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: MAIL from [^[:space:]]+\[[\.0-9]+\]: 552 Message size exceeds fixed limit; proto=ESMTP helo=<[^>]*>$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^[:space:]]+\[[\.0-9]+\]: 452 Insufficient system storage; from=<[^>]*> to=<[^>]*>$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]]+\[[\.0-9]+\] in RCPT command: .*
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: smtpd_peer_init: [\.0-9]+: hostname [^[:space:]]+ verification failed: (Name or service not known|Temporary failure in name resolution)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning:( smtpd_peer_init:)? [\.0-9]+: hostname [^[:space:]]+ verification failed: (Name or service not known|Temporary failure in name resolution)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [^[:space:]]+: reject: (DATA|RCPT) from [^[:space:]]+\[[\.0-9]+\]: [45][0-9]{2}( [^;]+;){1,3} from=<[^>]*>( to=<[^>]*>)? proto=E?SMTP( helo=<[^>]*>)?$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]:.* (from|message\-id|to)=<[^>]*(attack|debug|deny|error|expn|refused)[^>]*>.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]:.* (from|helo|message\-id|to)=<[^>[:space:]]*(attack|debug|deny|error|expn|refused)[^>[:space:]]*>.*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: warning: no MX host for [^[:space:]]*(attack|debug|deny|error|expn|refused)[^[:space:]]* has a valid A record$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER anonymous \(Login failed\): Can't find user\.$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]:   read(_socket)?_data: (read|recv) failure for [[:digit:]]+\. Error = (No route to host|Connection (reset by peer|timed out)) ?$
diff --git a/logcheck/violations.ignore.d/postfix b/logcheck/violations.ignore.d/postfix
index 5563f7e..af3d90e 100644
--- a/logcheck/violations.ignore.d/postfix
+++ b/logcheck/violations.ignore.d/postfix
@@ -15,7 +15,7 @@
 
 # Too much spam refuse to eat their own shit
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: (Connection refused|server refused mail service) +\(port 25\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server refused to talk to me: [^[:space:]]+ +)?550 (<[^[:space:]]+>: Client host rejected: Blocked|ERROR: Mail Refused - [\.0-9]+ - See [^[:space:]]+|Host [\.0-9]+ is reject as in dynamic reject list \(dynamic\.reject\)) +\(port 25\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server refused to talk to me: [^[:space:]]+ +)?550 (<[^[:space:]]+>: Client host rejected: Blocked|[\.0-9]+, Sorry access denied to you|ERROR: Mail Refused - [\.0-9]+ - See [^[:space:]]+|Host [\.0-9]+ is reject as in dynamic reject list \(dynamic\.reject\)) +\(port 25\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server refused to talk to me: [^[:space:]]+ +)?554 (<[^[:space:]]+>: Client host rejected: Reject Dynamic ip|#5\.5\.4 Relaying denied\. IP name lookup failed) +\(port 25\)$
 # Ignore blacklisting due to being dynamic - or without explaining/hinting at all
 ## Grr - could've been a single rule if only logcheck supported custom classes
@@ -29,8 +29,8 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: MAIL from [^[:space:]]+\[[\.0-9]+\]: 552 Message size exceeds fixed limit; proto=ESMTP helo=<[^>]*>$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^[:space:]]+\[[\.0-9]+\]: 452 Insufficient system storage; from=<[^>]*> to=<[^>]*>$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]]+\[[\.0-9]+\] in RCPT command: .*
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: smtpd_peer_init: [\.0-9]+: hostname [^[:space:]]+ verification failed: (Name or service not known|Temporary failure in name resolution)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning:( smtpd_peer_init:)? [\.0-9]+: hostname [^[:space:]]+ verification failed: (Name or service not known|Temporary failure in name resolution)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [^[:space:]]+: reject: (DATA|RCPT) from [^[:space:]]+\[[\.0-9]+\]: [45][0-9]{2}( [^;]+;){1,3} from=<[^>]*>( to=<[^>]*>)? proto=E?SMTP( helo=<[^>]*>)?$
 # Suspicious words within email addresses are ok
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]:.* (from|message\-id|to)=<[^>]*(attack|debug|deny|error|expn|refused)[^>]*>.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]:.* (from|helo|message\-id|to)=<[^>[:space:]]*(attack|debug|deny|error|expn|refused)[^>[:space:]]*>.*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: warning: no MX host for [^[:space:]]*(attack|debug|deny|error|expn|refused)[^[:space:]]* has a valid A record$