[Avcheck] Can avcheck report the IP address of the client?

Ralf Hildebrandt Ralf.Hildebrandt@charite.de
Thu, 2 May 2002 14:54:53 +0200


On Thu, May 02, 2002 at 04:52:32PM +0400, Michael Tokarev wrote:

> No, Postfix does not *store* the client's IP address in the queue file.

I noticed. "man pipe" is my friend.

> Here is a code fragment from my honeypot handler:
> 
> # Print the bracketed IP from the first Received: line, then stop reading.
> IP=`sed -n \
>      -e 's/^Received: from.* \[\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\])$/\1/p' \
>      -e '/^Received: /q' \
>     "$MAIL"`
> 
> This matches the following (from your message as seen here):
> 
> [Return-Path or some other header(s) may be here]
> Received: from mail.corpit.ru (mail.corpit.ru [217.23.134.198])
>         by mail.tls.msk.ru (Postfix) with ESMTP id 86E878C2D
>         for <mjt@paltus.tls.msk.ru>; Thu,  2 May 2002 12:05:26 +0400 (MSD)
>         (envelope-from avcheck-admin@list.corpit.ru)

This is totally sufficient.

> With the above, one may use "$FROM" in the log line.  Like:
> 
>  logger .. "infected by $MSG;$FROM from=$SENDER to=$*"

Yep.

-- 
Ralf Hildebrandt (Im Auftrag des Referat V A)   Ralf.Hildebrandt@charite.de
Charite Campus Virchow-Klinikum                 Tel.  +49 (0)30-450 570-155
Referat V A - Kommunikationsnetze -             Fax.  +49 (0)30-450 570-916
May's Law: The quality of correlation is inversely proportional to the
density of control. (The fewer data points, the smoother the curves.)
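
Added example, not part of the original message or of avcheck: the same first-Received-line extraction as a shell function that also stops at the end of the headers and rejects out-of-range octets. It assumes the header layout shown in the quoted message (client address as "[a.b.c.d])" at the end of the first Received: line); the function names, file names and sample messages are constructed for illustration.

```shell
#!/bin/sh
# client_ip FILE: print the IPv4 address from the topmost Received: line,
# or nothing when that line carries no "[a.b.c.d])" suffix.
client_ip() {
    awk '
        /^$/ { exit }    # end of headers: never scan the body
        /^Received: / {
            # Only this first line was written by the local MTA; Received:
            # lines further down come from the sender and can be forged.
            if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]\)$/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 3)
                n = split(ip, o, ".")
                for (i = 1; i <= n; i++) if (o[i] + 0 > 255) exit
                print ip
            }
            exit
        }
    ' "$1"
}

# Constructed sample messages; hosts and addresses are documentation values.
make_samples() {
    cat > "$1/relayed.eml" <<'EOF'
Return-Path: <sender@example.org>
Received: from [203.0.113.9] (mx.example.org [192.0.2.25])
        by mail.example.net (Postfix) with ESMTP id 0123456789
Received: from inner (inner.example.org [198.51.100.7])
Subject: relayed

body
EOF
    cat > "$1/local.eml" <<'EOF'
Received: by mail.example.net (Postfix, from userid 1000)
Received: from forged (forged.example.org [198.51.100.7])
Subject: local submission, forged lower header

body
EOF
    cat > "$1/nohdr.eml" <<'EOF'
Subject: no Received header at all

Received: from body (body.example.org [198.51.100.8])
EOF
}

if [ $# -eq 1 ]; then client_ip "$1"; fi
```

An empty result means the topmost Received: line recorded no client address, so the log line should say so rather than fall back to a lower header.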