[Avcheck] Can avcheck report the IP address of the client?
Michael Tokarev
mjt@tls.msk.ru
Thu, 02 May 2002 16:52:32 +0400
[Note the Cc set to postfix-users]
Ralf Hildebrandt wrote:
>
> Can avcheck report the IP address of the client in the log?
> I don't even know if Postfix's pipe transport can provide the info to
> the avcheck binary, but it's surely useful.
No, Postfix does not *store* the client's IP address in the queue file.
Here is a code fragment from my honeypot handler:
# Skip everything that is not a Received: header (b); on the first
# Received: header print the client address if the line carries one,
# then quit (q) so the earlier hops, which the sender controls, are
# never looked at.
IP=$(sed -n \
    -e '/^Received: /!b' \
    -e 's/^Received: from.* \[\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\])$/\1/p' \
    -e q \
    "$MAIL")
This matches the following (from your message as seen here):
[Return-Path or some other header(s) may be here]
Received: from mail.corpit.ru (mail.corpit.ru [217.23.134.198])
    by mail.tls.msk.ru (Postfix) with ESMTP id 86E878C2D
    for <mjt@paltus.tls.msk.ru>; Thu, 2 May 2002 12:05:26 +0400 (MSD)
    (envelope-from avcheck-admin@list.corpit.ru)
This will not work with locally generated mail (e.g. sent by
/usr/sbin/sendmail). And this *may* work with qmqpd-submitted
mail, or may not.
Here are more variants. Double bounce:
Received: by mail.corpit.ru (Postfix)
    id 2B6AA380E; Thu, 2 May 2002 16:40:42 +0400 (MSD)
Locally-submitted mail (/usr/sbin/sendmail interface, Received
by pickup):
Received: by mail.tls.msk.ru (Postfix, from userid 101)
    id DB2DB8C2D; Thu, 2 May 2002 16:45:09 +0400 (MSD)
The following command may work:
# Same skip/quit logic as above: only the first Received: header is
# examined, and sed quits after it whether or not a pattern matched.
FROM=$(sed -n \
    -e '/^Received: /!b' \
    -e 's/^Received: from.* \[\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\])$/ from IP \1/p' \
    -e 's/^Received: by.* (Postfix)$/ from internal/p' \
    -e 's/^Received: by.* (Postfix,\( from userid [0-9]*\))$/\1/p' \
    -e q \
    "$MAIL")
(note the extra spaces). The qmqpd case is still missing.
> Why:
>
> * recent viruses forge sender addresses, one can only rely on the
> client's IP address.
>
> * it's tedious to find the client's IP in the log
With the above, one may use "$FROM" in the log line. Like:
logger .. "infected by $MSG;$FROM from=$SENDER to=$*"
Regards,
Michael.
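As an added example (not avcheck's own code and not from anyone in this thread), the same first-Received: classification as the sed fragments above, written as a shell function that first unfolds folded headers and stops at the blank line that ends the header block, so a "Received:" line in the message body cannot be mistaken for a header. It covers the SMTP, double-bounce and pickup variants discussed above and falls through to " from unknown" for any other shape, including whatever the qmqpd case turns out to write. The sample messages, host names and addresses it runs on are constructed here in Postfix's header layout and are not real traffic.

```shell
#!/bin/sh
# Added example, not avcheck's own code.  Classifies the FIRST Received:
# header of a message, as the post does, after unfolding folded headers.
# The first Received: header is the one our own Postfix prepended; every
# earlier hop is text the sender controls and is deliberately ignored.
#
# mail_origin FILE prints one of:
#   " from IP a.b.c.d"   SMTP client; the address Postfix put in "[...]"
#   " from internal"     Received: by host (Postfix)            (bounces etc.)
#   " from userid N"     Received: by host (Postfix, from userid N)  (pickup)
#   " from unknown"      no Received: header, or one of an unknown shape

mail_origin() {
    # awk: keep only the header block (everything before the first empty
    # line) and unfold it: a line starting with whitespace continues the
    # previous header.  END still runs after "exit", so the last header is
    # printed too.
    # sed: skip anything that is not a Received: header (b); on the first
    # Received: header try the three shapes and quit (q) either way.  The
    # address is taken from the "(name [addr])" group Postfix itself writes
    # after the client-supplied HELO word; the greedy ".*" before it means
    # the last such group on the line wins, never the HELO text.
    tag=$(
        awk '
            /^$/     { exit }
            /^[ \t]/ { sub(/^[ \t]+/, " "); hdr = hdr $0; next }
                     { if (hdr != "") print hdr; hdr = $0 }
            END      { if (hdr != "") print hdr }
        ' "$1" |
        sed -n '
            /^Received: /!b
            s/^Received: from .* ([^ ]* \[\([0-9A-Za-z:.]*\)]) .*by .*/ from IP \1/p
            s/^Received: by [^ ]* (Postfix) .*/ from internal/p
            s/^Received: by [^ ]* (Postfix,\( from userid [0-9]*\)) .*/\1/p
            q
        '
    )
    [ -n "$tag" ] || tag=" from unknown"
    printf '%s\n' "$tag"
}

# Constructed sample messages in Postfix's header layout (not real traffic).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# SMTP client.  The HELO word is a bracketed literal chosen by the client;
# the real address is in the parenthesised part Postfix generated.  A TLS
# comment is folded in before "by", a second (earlier-hop) Received: header
# follows, and the body carries a fake Received: line; all three must be
# ignored.
cat > "$SAMPLES/smtp.eml" <<'EOF'
Return-Path: <avcheck-admin@list.corpit.ru>
Received: from [10.1.2.3] (mail.corpit.ru [217.23.134.198])
    (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits))
    by mail.tls.msk.ru (Postfix) with ESMTPS id 86E878C2D
    for <mjt@paltus.tls.msk.ru>; Thu, 2 May 2002 12:05:26 +0400 (MSD)
    (envelope-from avcheck-admin@list.corpit.ru)
Received: from earlier-hop.example (earlier-hop.example [198.51.100.7])
    by mail.corpit.ru (Postfix) with ESMTP id 1234ABCD
Subject: test

Received: from attacker (attacker [192.0.2.99]) by nowhere (Postfix) id 1
EOF

# Double bounce / internally generated mail.
cat > "$SAMPLES/bounce.eml" <<'EOF'
Received: by mail.corpit.ru (Postfix)
    id 2B6AA380E; Thu, 2 May 2002 16:40:42 +0400 (MSD)
Subject: Undelivered Mail Returned to Sender

body
EOF

# Submitted through /usr/sbin/sendmail and picked up by pickup(8).
cat > "$SAMPLES/pickup.eml" <<'EOF'
Received: by mail.tls.msk.ru (Postfix, from userid 101)
    id DB2DB8C2D; Thu, 2 May 2002 16:45:09 +0400 (MSD)
Subject: cron output

body
EOF

# No Received: header at all.
printf 'Subject: no trace\n\nbody\n' > "$SAMPLES/none.eml"

for f in smtp bounce pickup none; do
    printf '%s:%s\n' "$f" "$(mail_origin "$SAMPLES/$f.eml")"
done
```

The output of mail_origin keeps the leading space of the post's "$FROM" convention, so it drops straight into a logger line such as the one above. Note that the original one-line patterns anchored on "])$" and would miss a Received: header whose "by" part or a TLS comment is folded onto the next line; unfolding first is what makes the same patterns work on modern Postfix output.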