Bug#319547: [Logcheck-devel] Bug#319547: Legitime email addresses causes (false) "Security Events"
Rainer Zocholl
UseNet-Posting-Nospam-74308- at zocki.toppoint.de
Sun Jul 24 11:11:00 UTC 2005
debian at sternwelten.at(maximilian attems) 23.07.05 17:48
>On Sat, 23 Jul 2005, Rainer Zocholl wrote:
>>> From time to time I get such (false) "Security Event".
>>
>> Seems to become common practice :-(
>>
>> Again a "security event", I assume "promiscuous" in msgid
>> triggered.
>>
>> Jul 23 14:46:26 host sm-mta[25759]: j6NCkQTS025759:
>> from=<maldivedahomeyretort at mauimail.com>, size=16186, class=0,
>> nrcpts=1, msgid=<perchance4123456.benz at promiscuous.17.parlance.net>,
>> proto=ESMTP, daemon=MTA, relay=...
>what's that strange sm-mta thing?
That's a normal sendmail...
sm-mta: "Send Mail - Mail Transport Agent"
/etc/logcheck/ignore.d.server/sendmail:
...
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*: from=
...
(rule not truncated!)
>it doesn't appear to be a debian package:
>apt-cache search sm-mta doesn't return anything nor
>packages.debian.org
it's part of sendmail.
Package: sendmail
Version: 8.13.4-3
>sorry in that case you have to craft your own rules in local-sm-mta
>inside of violations.ignore.d.
>guess we can close that "bug" unless other evidence appears.
No, most other such messages are suppressed (see rule above).
Only if the addresses, message IDs etc. contain
"violation trigger words" is a -false- security event generated.
That would allow a third party to generate any amount of false
security events or annoy the postmaster with false positives.
I assume that will be a possible problem with exim, postfix MTA too,
as long as logcheck scans these logs.
Maybe it should be assigned as a sendmail bug?
The current (local) sendmail rules
:/etc/logcheck/violations.ignore.d# cat sendmail
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: could not find auxprop plugin, was searching for 'saslauthd'
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: could not find auxprop plugin, was searching for 'sasldb'
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: could not find auxprop plugin, was searching for sasldb
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: alias database .* rebuilt
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*stat=(Refused|Deferred)
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: gethostbyaddr\(.*\) failed:
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: rejecting connections on daemon
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: DIGEST-MD5: failed .* later in exchange
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*reject=450 4\.7\.1 <[^>]+>... Relaying temporarily denied. Cannot resolve PTR record for [0-9\.]+$
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*reject=451 4\.1\.8 Domain of sender address [^ ]+ does not resolve$
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*reject=550 5\.7\.1 Access denied$
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*reject=550 5\.7\.1 <[^>]+>... Relaying denied. Proper authentication required.$
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*reject=550 5\.7\.1 <[^>]+>... Relaying denied. IP name lookup failed \[[0-9\.]+\]$
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*reject=550 5\.7\.1 <[^>]+>... Relaying denied. IP name lookup possibly forged \[[0-9\.]+\]$
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*reject=553 5\.1\.8 <[^>]+>... Relaying temporarily denied. Cannot resolve PTR record for [0-9\.]+$
Rainer
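A small model of logcheck's rule layering, added here as an example (it is neither from the thread nor from the logcheck package): it shows why the from= line above is reported as a security event although ignore.d.server would have dropped it, and how a local violations.ignore.d rule scoped to the shape of sendmail's from= record suppresses the false positive. The violation keywords, the local rule and the sample log lines are constructed; the other regexes are the ones quoted in the thread.

```python
import re

# Simplified model of logcheck's rule layers (constructed, not the real rule files):
#  1. violations.d       -> "Security Events" unless excused by violations.ignore.d
#  2. ignore.d.server    -> dropped from the report
#  3. everything else    -> "System Events"
VIOLATIONS = [re.compile(p) for p in (r"promisc", r"denied", r"refused")]

# Exceptions from the violations.ignore.d/sendmail listing in the thread.
VIOLATIONS_IGNORE = [re.compile(p) for p in (
    r"(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*stat=(Refused|Deferred)",
    r"(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*reject=550 5\.7\.1 Access denied$",
)]

# The ignore.d.server/sendmail rule quoted in the thread: it never runs for
# a line that the violations layer has already promoted to a security event.
IGNORE = [re.compile(p) for p in (
    r"(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*: from=",
)]

# Hypothetical local rule (local-sm-mta in violations.ignore.d): excuse only
# lines that have the full shape of a sendmail from= record, so that words an
# outsider can place in the sender address or msgid do not raise an event.
LOCAL_RULES = [re.compile(
    r"(sendmail|sm-(mta|msp|que))\[[0-9]+\]: [A-Za-z0-9]+: from=<[^>]*>, "
    r"size=[0-9]+, class=[0-9-]+, nrcpts=[0-9]+, msgid=<[^>]*>, proto="
)]

def classify(line, local_rules=()):
    """Return 'security event', 'ignored' or 'system event' for one log line."""
    excused = list(VIOLATIONS_IGNORE) + list(local_rules)
    if any(p.search(line) for p in VIOLATIONS):
        if not any(p.search(line) for p in excused):
            return "security event"
    if any(p.search(line) for p in IGNORE):
        return "ignored"
    return "system event"

# Constructed sample lines (the first mirrors the one quoted in the thread).
FROM_LINE = ("Jul 23 14:46:26 host sm-mta[25759]: j6NCkQTS025759: "
             "from=<maldivedahomeyretort@mauimail.com>, size=16186, class=0, "
             "nrcpts=1, msgid=<perchance4123456.benz@promiscuous.17.parlance.net>, "
             "proto=ESMTP, daemon=MTA, relay=[192.0.2.10]")
KERNEL_LINE = "Jul 23 14:50:01 host kernel: device eth0 entered promiscuous mode"

if __name__ == "__main__":
    for line in (FROM_LINE, KERNEL_LINE):
        print(classify(line), "->", classify(line, LOCAL_RULES))
```

The kernel line stays a security event with the local rule in place, which is the check to run before adopting any exception: it must excuse the one record format and nothing else.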