From a20d9a455a3e57d1e6ec30e9d8fca40fae7fd72c Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard <dr@jones.dk>
Date: Sat, 5 Aug 2006 08:27:56 +0000
Subject: Ignore more authentication failures. Ignore more spam filtering.

---
 logcheck/violations.ignore.d/amavisd-new |  6 ++----
 logcheck/violations.ignore.d/local       | 15 ++++++++-------
 logcheck/violations.ignore.d/postfix     |  6 +++---
 logcheck/violations.ignore.d/temp        |  4 +++-
 4 files changed, 16 insertions(+), 15 deletions(-)

(limited to 'logcheck')

diff --git a/logcheck/violations.ignore.d/amavisd-new b/logcheck/violations.ignore.d/amavisd-new
index 702f4ba..0a48dc1 100644
--- a/logcheck/violations.ignore.d/amavisd-new
+++ b/logcheck/violations.ignore.d/amavisd-new
@@ -5,8 +5,6 @@
 #^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) NOTICE: DSN contains BAD HEADER & SPAM; bounce is not bouncable, mail intentionally dropped$
 #^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) NOTICE: UNABLE TO SEND DSN to <[^[:space:]]*>: 550 5\.1\.0 <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table$
 #^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) mail_via_smtp: 550 5\.1\.0 <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) Blocked SPAM, [0-9-]+ <[^[:space:]]*> -> <[^[:space:]]*>, quarantine: [^[:space:]]+, Message-ID: [^[:space:]]+, mail_id: [^[:space:]]+, Hits: [-\.0-9]+, [0-9]+ ms$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) INFO: unfolded [0-9]+ illegal all-whitespace continuation lines$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) Passed BAD-HEADER,( \[[\.0-9]+\])? <[^[:space:]]*> -> <[^[:space:]]*>, Message-ID: [^[:space:]]+, mail_id: [^[:space:]]+, Hits: [-\.0-9]+, [0-9]+ ms$
-# Suspicious words within email addresses are ok
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: .*<[^>[:space:]]*(attack|BAD|debug|deny|error|expn|promisc|refused)[^>[:space:]]*>.*$
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) (Passed BAD-HEADER|Blocked SPAM), \[[0-9-]+\] <[^[:space:]]*> -> <[^[:space:]]*>(, (quarantine|Message-ID|mail_id|Hits|queued_as): [^[:space:]]+)+, [0-9]+ ms$
diff --git a/logcheck/violations.ignore.d/local b/logcheck/violations.ignore.d/local
index 8cfa811..5a1597c 100644
--- a/logcheck/violations.ignore.d/local
+++ b/logcheck/violations.ignore.d/local
@@ -1,7 +1,6 @@
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) Blocked SPAM, [0-9-]+ <[^[:space:]]*> -> <[^[:space:]]*>, quarantine: [^[:space:]]+, Message-ID: [^[:space:]]+, mail_id: [^[:space:]]+, Hits: [-\.0-9]+, [0-9]+ ms$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) INFO: unfolded [0-9]+ illegal all-whitespace continuation lines$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) Passed BAD-HEADER,( \[[\.0-9]+\])? <[^[:space:]]*> -> <[^[:space:]]*>, Message-ID: [^[:space:]]+, mail_id: [^[:space:]]+, Hits: [-\.0-9]+, [0-9]+ ms$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: .*<[^>[:space:]]*(attack|BAD|debug|deny|error|expn|promisc|refused)[^>[:space:]]*>.*$
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) (Passed BAD-HEADER|Blocked SPAM), \[[0-9-]+\] <[^[:space:]]*> -> <[^[:space:]]*>(, (quarantine|Message-ID|mail_id|Hits|queued_as): [^[:space:]]+)+, [0-9]+ ms$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dccproc\[[0-9]+\]: continue not asking DCC [0-9]+ seconds after failure$
@@ -44,11 +43,11 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: certificate peer name verification failed for [^[:space:]]+: (CommonName mis-match:.*|[0-9]+ dNSNames in certificate found, but none matches)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: certificate verification failed for [^[:space:]]+:( num=7:certificate signature failure|( num=10:)?certificate has expired| num=24:invalid CA certificate)$
 
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [[:xdigit:]]+: (to|relay|delay|delays|dsn)=([^[:space:]]+, )status=deferred \(delivery temporarily suspended: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [[:xdigit:]]+: ((to|relay|delay|delays|dsn)=[^[:space:]]+, )status=deferred \(delivery temporarily suspended: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: .*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:xdigit:]]+: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: .*$
 
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: [[:xdigit:]]+: ([^[:space:]]+=[^[:space:]]+, )*(from|helo|message\-id|to)=<[^>]*(attack|BAD|debug|denied|deny|error|expn|refused)[^>]*>.*$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: warning: no MX host for [^[:space:]]*(attack|BAD|debug|denied|deny|error|expn|refused)[^[:space:]]* has a valid A record$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: [[:xdigit:]]+: ([^[:space:]]+=[^[:space:]]+, )*(from|helo|message-id|to)=<[^>]*(attack|BAD|debug|denied|deny|error|expn|promisc|refused)[^>]*>.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: warning: no MX host for [^[:space:]]*(attack|BAD|debug|denied|deny|error|expn|promisc|refused)[^[:space:]]* has a valid A record$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER anonymous \(Login failed\): Can't find user\.$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]:   read(_socket)?_data: (read|recv) failure for [[:digit:]]+\. Error = (No route to host|Connection (reset by peer|timed out)) ?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]:   write_socket_data: write failure\. Error = Connection reset by peer ?$
@@ -81,5 +80,7 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED [^[:space:]]+ to [^[:space:]]+:143 as [^[:space:]]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=[^[:space:]]*)?( auth=[^[:space:]]*)? host=([^[:space:]]* )?\[[^[:space:]]+\]$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mod_auth_shadow: VALIDATE: user: [^[:space:]]+, Authentication failure$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: SASL LOGIN authentication failed: authentication failure$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: SASL authentication failure: Password verification failed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: SASL (LOGIN|PLAIN) authentication failed: authentication failure$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in\.imapproxyd\[[0-9]+\]: LOGIN: '[^[:space:]]+' \([:\.0-9]+\) failed: non-OK server response to LOGIN command$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) do_executable/do_unzip failed, ignoring: format error: bad signature: 0x00905a4d at offset 0 in file /var/lib/amavis/amavis-[0-9T-]+/parts/part-[0-9]+$
diff --git a/logcheck/violations.ignore.d/postfix b/logcheck/violations.ignore.d/postfix
index 4f9cc32..2f7bebc 100644
--- a/logcheck/violations.ignore.d/postfix
+++ b/logcheck/violations.ignore.d/postfix
@@ -13,9 +13,9 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: certificate verification failed for [^[:space:]]+:( num=7:certificate signature failure|( num=10:)?certificate has expired| num=24:invalid CA certificate)$
 
 # Remote hosts refusing to talk is not a security thread
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [[:xdigit:]]+: (to|relay|delay|delays|dsn)=([^[:space:]]+, )status=deferred \(delivery temporarily suspended: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [[:xdigit:]]+: ((to|relay|delay|delays|dsn)=[^[:space:]]+, )status=deferred \(delivery temporarily suspended: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: .*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:xdigit:]]+: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: .*$
 
 # Suspiciously worded hostname or email address is not a security thread
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: [[:xdigit:]]+: ([^[:space:]]+=[^[:space:]]+, )*(from|helo|message\-id|to)=<[^>]*(attack|BAD|debug|denied|deny|error|expn|refused)[^>]*>.*$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: warning: no MX host for [^[:space:]]*(attack|BAD|debug|denied|deny|error|expn|refused)[^[:space:]]* has a valid A record$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: [[:xdigit:]]+: ([^[:space:]]+=[^[:space:]]+, )*(from|helo|message-id|to)=<[^>]*(attack|BAD|debug|denied|deny|error|expn|promisc|refused)[^>]*>.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: warning: no MX host for [^[:space:]]*(attack|BAD|debug|denied|deny|error|expn|promisc|refused)[^[:space:]]* has a valid A record$
diff --git a/logcheck/violations.ignore.d/temp b/logcheck/violations.ignore.d/temp
index cda4242..45baa84 100644
--- a/logcheck/violations.ignore.d/temp
+++ b/logcheck/violations.ignore.d/temp
@@ -26,7 +26,9 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED [^[:space:]]+ to [^[:space:]]+:143 as [^[:space:]]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=[^[:space:]]*)?( auth=[^[:space:]]*)? host=([^[:space:]]* )?\[[^[:space:]]+\]$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mod_auth_shadow: VALIDATE: user: [^[:space:]]+, Authentication failure$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: SASL LOGIN authentication failed: authentication failure$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: SASL authentication failure: Password verification failed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: SASL (LOGIN|PLAIN) authentication failed: authentication failure$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in\.imapproxyd\[[0-9]+\]: LOGIN: '[^[:space:]]+' \([:\.0-9]+\) failed: non-OK server response to LOGIN command$
 # sm@xayide.jones.dk tries aggressively to auto-login
 #^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_unix\) (authentication failure|2 more authentication failures); logname= uid=0 euid=0 tty=ssh ruser= rhost=81.19.251.(69|74)  user=sm$
 #^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: error: PAM: Authentication failure for sm from 81.19.251.(69|74)$
-- 
cgit v1.2.3