csf v6.44
Since the update, script alerts with a sample of the first 10 emails seem to carry false positives.
2014-02-20 07:15:03 cwd=/ 2 args: /usr/sbin/exim -bpu
2014-02-20 07:15:04 1WGDXq-002WrH-7F => user1 <senderATdomain> R=localuser T=local_delivery
2014-02-20 07:15:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WGDXs-002XAv-Ap
2014-02-20 07:15:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WGDXs-002XBM-G6
2014-02-20 07:15:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WGDXs-002XBR-HY
2014-02-20 07:15:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WGDXs-002XBb-KX
2014-02-20 07:15:04 1WGDXs-002XBv-QI <= emailATdomain U=user2 P=local S=4676 id=1392840904-senderATdomain T="Final Clearance Items! 18th Feb to 22nd Feb" for recipientATdomain
2014-02-20 07:15:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WGDXs-002XBv-QI
2014-02-20 07:15:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WGDXs-002XC5-Ru
2014-02-20 07:15:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WGDXt-002XCK-6e
Some alerts have no actual email messages amongst them, only the exim lines.
We've set the new RESTRICT_SYSLOG to 3 and restarted but that hasn't affected these alerts as the behaviour was the same before and after.
What's happening here? Are they bounced messages being retried? This bulk sender regularly operates with this email list and script but this is the first time we're seeing these alerts.
Since update: False positive Sample of the first 10 emails
-
Pioneer Hosting
- Junior Member
- Posts: 4
- Joined: 19 Feb 2014, 19:52
- Location: Australia
- Contact:
-
ForumAdmin
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: Since update: False positive Sample of the first 10 emai
Nothing at all has changed with the LF_SCRIPT_ALERT for a long time. What do you get (including any trailing spaces) for:
as the results you've posted suggest something odd in on of those settings.
Code: Select all
grep HOME /etc/wwwacct.conf-
Pioneer Hosting
- Junior Member
- Posts: 4
- Joined: 19 Feb 2014, 19:52
- Location: Australia
- Contact:
Re: Since update: False positive Sample of the first 10 emai
Thanks for your reply.
root@servername [~]# grep HOME /etc/wwwacct.conf
HOMEDIR /home
HOMEMATCH home
root@servername [~]#
root@servername [~]# grep HOME /etc/wwwacct.conf
HOMEDIR /home
HOMEMATCH home
root@servername [~]#
-
ForumAdmin
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: Since update: False positive Sample of the first 10 emai
I am unable to fathom how you could be seeing that from the LF_SCRIPT_ALERT code. If you could forward a copy of the complete alert email (without any obfuscation or changes) to sales@waytotheweb.com it might help.
-
ForumAdmin
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: Since update: False positive Sample of the first 10 emai
Thank you for the emails. I've tracked down where the problem lies and will work on a fix, hopefully for tomorrow. In the meantime, the path that is reported is correct in the emails, it is the 10 lines of evidence that are clearly dubious. Looks like it's a long standing issue.