[Avcheck] Can avcheck report the IP address of the client?
Ralf Hildebrandt
Ralf.Hildebrandt@charite.de
Thu, 2 May 2002 14:54:53 +0200
On Thu, May 02, 2002 at 04:52:32PM +0400, Michael Tokarev wrote:
> No, postfix does not *store* client's IP address in queue file.
I noticed. "man pipe" is my friend.
> Here is a code fragment from my honeypot handler:
>
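> # Look only at the first Received: header, then quit whether or not it matched.
> IP=`sed -n \
> -e '/^Received: /{' \
> -e 's/^Received: from.* \[\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\])$/\1/p' \
> -e 'q' \
> -e '}' \
> "$MAIL"`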
>
> This matches the following (from your message as seen here):
>
> [Return-Path or some other header(s) may be here]
> Received: from mail.corpit.ru (mail.corpit.ru [217.23.134.198])
>     by mail.tls.msk.ru (Postfix) with ESMTP id 86E878C2D
>     for <mjt@paltus.tls.msk.ru>; Thu, 2 May 2002 12:05:26 +0400 (MSD)
>     (envelope-from avcheck-admin@list.corpit.ru)
This is totally sufficient.
> With the above, one may use "$FROM" in log line. Like:
>
> logger .. "infected by $MSG;$FROM from=$SENDER to=$*"
Yep.
--
Ralf Hildebrandt (Im Auftrag des Referat V A) Ralf.Hildebrandt@charite.de
Charite Campus Virchow-Klinikum Tel. +49 (0)30-450 570-155
Referat V A - Kommunikationsnetze - Fax. +49 (0)30-450 570-916
May's Law: The quality of correlation is inversely proportional to the
density of control. (The fewer data points, the smoother the curves.)
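
As an added example (not part of the original thread), here is a variant of the quoted sed fragment wrapped in a shell function: it stops after the topmost Received: header whether or not that header matched, and range-checks the octets before the address is logged. The function name `top_received_ip` and all sample messages and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; all addresses and messages are constructed.

# top_received_ip FILE
# Print the IPv4 address the receiving MTA recorded in the topmost Received:
# header of FILE. Return 1 if that header carries no valid address.
top_received_ip() {
    # The braces make sed quit after the first Received: line whether or not
    # the substitution matched, so older, sender-supplied headers are never
    # read. /^$/q stops at the end of the header block.
    ip=$(sed -n \
        -e '/^$/q' \
        -e '/^Received: /{' \
        -e 's/^Received: from.* \[\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)\])$/\1/p' \
        -e 'q' \
        -e '}' \
        "$1")
    [ -n "$ip" ] || return 1
    # Range-check each octet before the value reaches a log line.
    for octet in $(printf '%s' "$ip" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$ip"
}

SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# Two hops: only the top header was written by our own MTA.
printf '%s\n' 'Return-Path: <a@example.net>' \
    'Received: from relay.example.net (relay.example.net [192.0.2.10])' \
    '    by mx.example.org (Postfix) with ESMTP id 0000000000' \
    'Received: from forged (forged [198.51.100.7])' \
    '' 'body' > "$SAMPLES/two-hops"

# Client-chosen HELO in brackets; the MTA-recorded address is the last pair.
printf '%s\n' 'Received: from [203.0.113.5] (unknown [192.0.2.44])' \
    '' 'body' > "$SAMPLES/helo-literal"

# Locally submitted mail: the top header has no client address at all.
printf '%s\n' 'Received: by mx.example.org (Postfix, from userid 1000)' \
    'Received: from old (old [198.51.100.7])' '' > "$SAMPLES/local"

for f in two-hops helo-literal local; do
    printf '%s: %s\n' "$f" "$(top_received_ip "$SAMPLES/$f" || echo none)"
done
```

An empty result means the top header carried no usable client address, so the log line should record that rather than fall back to a lower Received: header.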