Re: [cobalt-users] RaQ4 - list.cobalt.com relaying through our server?
- Subject: Re: [cobalt-users] RaQ4 - list.cobalt.com relaying through our server?
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Fri Dec 20 21:27:01 2002
- Organization: Befriend Internet Services LLC
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
"Greg O'Lone" <greg@xxxxxxxxxxxxxxxx> wrote:
> Recently been getting relay warnings from my box about
> list.cobalt.com....but if I block it I can't subscribe to the list. Any
> ideas?
>
> Here is what logsentry sent me:
>
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Dec 20 19:47:12 www sendmail[12125]: gBL0lC012125:
> from=<cobalt-users-admin@xxxxxxxxxxxxxxx>, size=4751, class=-60,
> nrcpts=1, msgid=<>, proto=ESMTP,
> daemon=MTA, relay=list.cobalt.com [12.40.201.23]
Greg, it appeared in your LogSentry report because it matched the string
"bad" ("badboy" in msgid). Meaningless matches are quite common since
LogSentry simply checks for text patterns that match those listed in a
couple of files (logcheck.hacking and logcheck.violations), ignoring
patterns listed in the 2 *.ignore files.

[root logsentry-1.1.1]# grep -i "bad" logcheck.violations
BAD

So this pattern will report a login by a user "sinbad" and a msgid with
string "badboy" as well as legitimate error codes with the word "bad" in
them. Read the LogSentry docs (INSTALL, README.* files in source distro.)
and inspect the 4 files I mentioned above and you'll understand what's being
reported to you, why and how you can change what is or isn't reported. If
you haven't modified these files and you look at your LogSentry reports
closely you'll probably notice that a good chunk of each report is filled
with log records that have little to do with security and do nothing but
make the report longer and more time-consuming to read through. That's not
a swipe at LogSentry, just a sign that LogSentry and many other programs
need to be tweaked to meet your needs.
HTH,
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
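
The keyword-then-ignore matching described in the message above, modelled with grep as an added example (not part of the original post and not LogSentry's own script). The log lines, example.org names, 192.0.2.x addresses and ignore patterns are constructed assumptions; only the BAD keyword comes from the grep output in the message.

```shell
#!/bin/sh
# Added illustration, not LogSentry's own script. Every log line and
# pattern file below is a constructed sample.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two harmless lines that merely contain "bad", and one real error.
cat > "$WORK/messages" <<'EOF'
Dec 20 19:47:12 www sendmail[12125]: gBL0lC012125: from=<list-admin@example.org>, msgid=<badboy.0001@example.org>, relay=lists.example.org [192.0.2.23]
Dec 20 19:50:03 www sshd[12200]: Accepted password for sinbad from 192.0.2.10 port 4022
Dec 20 19:52:41 www sshd[12231]: Bad protocol version identification from 192.0.2.77
EOF

# Keyword file holding the one pattern the grep output in the message shows.
printf 'BAD\n' > "$WORK/violations"

# Narrow ignore patterns: each describes the full shape of a known-harmless
# record instead of suppressing the keyword everywhere.
cat > "$WORK/violations.ignore" <<'EOF'
msgid=<[^>]*bad[^>]*>
Accepted password for sinbad from
EOF

# An over-broad ignore pattern, kept only to show what it costs.
printf 'sshd\n' > "$WORK/too_broad.ignore"

# Case-insensitive substring match against the keyword file.
match_keywords() { grep -E -i -f "$WORK/violations" "$WORK/messages"; }

# Drop reported lines that match any pattern in ignore file $1.
apply_ignore() { grep -E -v -f "$1"; }

count() { wc -l | tr -d ' '; }

untuned_count() { match_keywords | count; }
tuned_report()  { match_keywords | apply_ignore "$WORK/violations.ignore"; }
broad_report()  { match_keywords | apply_ignore "$WORK/too_broad.ignore"; }

echo "untuned: $(untuned_count) lines reported"
echo "tuned:";     tuned_report
echo "too broad:"; broad_report
```

The narrow ignore patterns leave only the sshd error in the report, while the over-broad one keeps the msgid false positive and silently drops the real error.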