Since update: False positive Sample of the first 10 emails

Posted: 19 Feb 2014, 21:13
by Pioneer Hosting
csf v6.44

Since the update, script alerts with a sample of the first 10 emails seem to carry false positives.

2014-02-20 07:15:03 cwd=/ 2 args: /usr/sbin/exim -bpu
2014-02-20 07:15:04 1WGDXq-002WrH-7F => user1 <senderATdomain> R=localuser T=local_delivery
2014-02-20 07:15:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WGDXs-002XAv-Ap
2014-02-20 07:15:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WGDXs-002XBM-G6
2014-02-20 07:15:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WGDXs-002XBR-HY
2014-02-20 07:15:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WGDXs-002XBb-KX
2014-02-20 07:15:04 1WGDXs-002XBv-QI <= emailATdomain U=user2 P=local S=4676 id=1392840904-senderATdomain T="Final Clearance Items! 18th Feb to 22nd Feb" for recipientATdomain
2014-02-20 07:15:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WGDXs-002XBv-QI
2014-02-20 07:15:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WGDXs-002XC5-Ru
2014-02-20 07:15:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WGDXt-002XCK-6e

Some alerts have no actual email messages amongst them, only the exim lines.

We've set the new RESTRICT_SYSLOG to 3 and restarted but that hasn't affected these alerts as the behaviour was the same before and after.

What's happening here? Are they bounced messages being retried? This bulk sender regularly operates with this email list and script but this is the first time we're seeing these alerts.

Re: Since update: False positive Sample of the first 10 emails

Posted: 19 Feb 2014, 21:42
by ForumAdmin
Nothing at all has changed with the LF_SCRIPT_ALERT for a long time. What do you get (including any trailing spaces) for:

grep HOME /etc/wwwacct.conf
as the results you've posted suggest something odd in one of those settings.

Re: Since update: False positive Sample of the first 10 emails

Posted: 19 Feb 2014, 21:47
by Pioneer Hosting
Thanks for your reply.

root@servername [~]# grep HOME /etc/wwwacct.conf
HOMEDIR /home
HOMEMATCH home
root@servername [~]#

Re: Since update: False positive Sample of the first 10 emails

Posted: 19 Feb 2014, 22:03
by ForumAdmin
I am unable to fathom how you could be seeing that from the LF_SCRIPT_ALERT code. If you could forward a copy of the complete alert email (without any obfuscation or changes) to sales@waytotheweb.com it might help.

Re: Since update: False positive Sample of the first 10 emails

Posted: 19 Feb 2014, 22:20
by ForumAdmin
Thank you for the emails. I've tracked down where the problem lies and will work on a fix, hopefully for tomorrow. In the meantime, the path that is reported is correct in the emails, it is the 10 lines of evidence that are clearly dubious. Looks like it's a long standing issue.
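The point ForumAdmin makes in the last reply is that the script path in the alert is right but the ten "evidence" lines are not: `cwd=/` and `cwd=/var/spool/exim` invocations of `exim -bpu` / `exim -Mc` are exim's own queue runs and deliveries, not a web script handing mail to sendmail, so they should never be sampled as evidence for a script under HOMEDIR. The following is an added example, written for this thread and not csf's own LF_SCRIPT_ALERT code, of how such a check should classify exim_mainlog lines: it keeps only `cwd=` lines whose directory sits under HOMEDIR (`/home`, as shown by the `grep HOME /etc/wwwacct.conf` output above), discards exim-internal directories, counts invocations per script directory and caps the evidence at the first 10 lines. The first three sample lines are taken from the original post; the `sendmail -t -i` lines, the script directory names and the threshold of 3 are constructed assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical re-implementation of a "mail sent from a script" check over
exim_mainlog lines (added example, not csf's LF_SCRIPT_ALERT code)."""
import re
from collections import defaultdict

# HOMEDIR as reported by /etc/wwwacct.conf in the thread; the alert samples
# the first 10 matching lines. The threshold is an assumption for the demo.
HOMEDIR = "/home"
EVIDENCE_SAMPLE = 10
SCRIPT_THRESHOLD = 3

# "cwd=<dir> N args: <argv>" lines are what exim writes with
# log_selector +arguments enabled.
CWD_RE = re.compile(r"^(?P<ts>\S+ \S+) cwd=(?P<cwd>\S+) \d+ args: (?P<argv>.*)$")

# Directories exim itself runs in: queue listings (-bpu) and deliveries (-Mc)
# start here, so they are never evidence of a user script sending mail.
EXIM_INTERNAL_DIRS = ("/", "/var/spool/exim")


def classify(line):
    """Classify one exim_mainlog line.

    Returns ('script', cwd) for an invocation from a directory under HOMEDIR,
    ('exim', cwd) for exim's own invocations, ('message', None) for
    '<=' / '=>' message lines, and ('other', cwd-or-None) otherwise."""
    m = CWD_RE.match(line)
    if m:
        cwd = m.group("cwd")
        if cwd in EXIM_INTERNAL_DIRS or cwd.startswith("/var/spool/exim/"):
            return "exim", cwd
        if cwd == HOMEDIR or cwd.startswith(HOMEDIR + "/"):
            return "script", cwd
        # e.g. a cron job in /root: not under HOMEDIR, so not a hosted script
        return "other", cwd
    if " <= " in line or " => " in line:
        return "message", None
    return "other", None


def script_dirs_over_threshold(lines, threshold=SCRIPT_THRESHOLD):
    """Count script invocations per directory and return
    {directory: first EVIDENCE_SAMPLE matching lines} for every directory
    that reached the threshold. Exim-internal and message lines are ignored."""
    evidence = defaultdict(list)
    for raw in lines:
        line = raw.rstrip("\n")
        kind, cwd = classify(line)
        if kind == "script":
            evidence[cwd].append(line)
    return {d: ls[:EVIDENCE_SAMPLE]
            for d, ls in evidence.items() if len(ls) >= threshold}


# Sample log: the first three lines are from the thread; the sendmail lines
# are constructed to show what a script invocation looks like.
SAMPLE_LOG = """\
2014-02-20 07:15:03 cwd=/ 2 args: /usr/sbin/exim -bpu
2014-02-20 07:15:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WGDXs-002XAv-Ap
2014-02-20 07:15:04 1WGDXs-002XBv-QI <= emailATdomain U=user2 P=local S=4676 id=1392840904-senderATdomain T="Final Clearance Items! 18th Feb to 22nd Feb" for recipientATdomain
2014-02-20 07:15:05 cwd=/home/user2/public_html/mailer 3 args: /usr/sbin/sendmail -t -i
2014-02-20 07:15:05 cwd=/home/user2/public_html/mailer 3 args: /usr/sbin/sendmail -t -i
2014-02-20 07:15:06 cwd=/home/user2/public_html/mailer 3 args: /usr/sbin/sendmail -t -i
2014-02-20 07:15:06 cwd=/home/user1/cron 3 args: /usr/sbin/sendmail -t -i
"""

if __name__ == "__main__":
    for d, lines in script_dirs_over_threshold(SAMPLE_LOG.splitlines()).items():
        print(f"{len(lines)} emails sent from script in {d}")
        for line in lines:
            print("  " + line)
```

Run against the sample, only `/home/user2/public_html/mailer` is reported, with exactly its three `sendmail` lines as evidence; the `exim -bpu` / `exim -Mc` lines and the `<=` receipt line from the original post are classified as `exim` and `message` and never appear in the sample, which is the behaviour the dubious alert lacked.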