From c953a3b73d5f4967ccd60241cd47851cb7a08f73 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Hendrik=20J=C3=A4ger?=
Date: Wed, 3 May 2023 23:38:34 +0200
Subject: [PATCH] add rules
---
 files/etc/logcheck/ignore.d.server/local-exim | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 files/etc/logcheck/ignore.d.server/local-exim
diff --git a/files/etc/logcheck/ignore.d.server/local-exim b/files/etc/logcheck/ignore.d.server/local-exim
new file mode 100644
index 0000000..472f1e1
--- /dev/null
+++ b/files/etc/logcheck/ignore.d.server/local-exim
@@ -0,0 +1,44 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} Antispam_Scoring: Rejected message from [^[:space:]]+ to [^[:space:]]+ via \[[[:xdigit:].:]+\]: rspamd-score is: -![[:digit:].]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} Antispam_Scoring: Summarized score is -?[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} Antispam_Tarpit: Delaying connection after DATA for [^[:space:]]+ in MAIL FROM [^[:space:]]+ for -?[[:digit:]]s due to domain score factor: [[:digit:]-]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} Antispam_Tarpit: Delaying connection after DATA for [^[:space:]]+ in MAIL FROM [^[:space:]]+ for -?[[:digit:]]s due to inconsistent setup: [[:digit:]-]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} Antispam_Tarpit: Delaying connection after DATA for [^[:space:]]+ in MAIL FROM [^[:space:]]+ for -?[[:digit:]]s due to IP DNSBL score: [[:digit:]-]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} Antispam_Tarpit: Delaying connection after DATA for [^[:space:]]+ in MAIL FROM [^[:space:]]+ for -?[[:digit:]]s due to rspamd score: [[:digit:]-]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} Antispam_Tarpit: Delaying connection after DATA for [^[:space:]]+ in MAIL FROM [^[:space:]]+ for -?[[:digit:]]s due to spamassassin score: [[:digit:]-]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} Completed$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} <= [^[:digit:]]+ H=[^[:digit:]]+ \[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ P=esmtps X=[^[:space:]]+ CV=no S=[[:digit:]]+ DKIM=[^[:space:]]+ id=[^[:space:]]+ from <[^[:space:]]+> for [^[:space:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} <= [^[:space:]]+ H=[^[:space:]]+ \[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ P=esmtp S=[[:digit:]]+ id=[^[:space:]]+ from <[^[:space:]]+> for [^[:space:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} X-hnjs-domain-score: [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} X-hnjs-inconsistency-score: [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} X-hnjs-ip-score: [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} X-hnjs-rSpam_bar: [/+-]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} X-hnjs-rSpam_report: .*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} X-hnjs-rSpam_score: -?[[:digit:].]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} X-hnjs-rSpam_score_int: -?[[:digit:].]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} X-hnjs-Spam_bar: [/+-]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} X-hnjs-Spam_score: -?[[:digit:].]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2} X-hnjs-Spam_score_int: -?[[:digit:].]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? Antispam_Blacklists: IP \[[[:xdigit:].:]+\] is blacklisted at .*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? Antispam_Check: reverse DNS host lookup failed$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? Antispam_Tarpit: Delaying connection after connect from IP \[[[:xdigit:].:]+\] for [[:digit:]]+s due to inconsistent setup: [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? Antispam_Tarpit: Delaying connection after connect from IP \[[[:xdigit:].:]+\] for [[:digit:]]+s due to IP DNSBL score: [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? Antispam_Tarpit: Delaying connection after HELO [^[:space:]]+ from IP \[[[:xdigit:].:]+\] for [[:digit:]]+s due to inconsistent setup: [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? Antispam_Tarpit: Delaying connection after HELO [^[:space:]]+ from IP \[[[:xdigit:].:]+\] for [[:digit:]]+s due to IP DNSBL score: [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? Antispam_Tarpit: Delaying connection after MAIL FROM [^[:space:]]+ for [[:digit:]]+s due to domain score factor: [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? Antispam_Tarpit: Delaying connection after MAIL FROM [^[:space:]]+ for [[:digit:]]+s due to inconsistent setup: [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? Antispam_Tarpit: Delaying connection after MAIL FROM [^[:space:]]+ for [[:digit:]]+s due to IP DNSBL score: [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? Antispam_Tarpit: Delaying connection after RCPT TO [^[:space:]]+ for MAIL FROM [^[:space:]]+ for [[:digit:]-]s due to domain score factor: [[:digit:]-]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? Antispam_Tarpit: Delaying connection after RCPT TO [^[:space:]]+ for MAIL FROM [^[:space:]]+ for [[:digit:]-]s due to inconsistent setup: [[:digit:]-]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? Antispam_Tarpit: Delaying connection after RCPT TO [^[:space:]]+ for MAIL FROM [^[:space:]]+ for [[:digit:]-]s due to IP DNSBL score: [[:digit:]-]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? Antispam_Whitelists: IP \[[[:xdigit:].:]+\] is whitelisted at .*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? Connection closed without quit after message from [^[:space:]]+ to @ via \[[[:xdigit:].:]+\]: connection-lost$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? End queue run: pid=[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? exim [[:digit:].]+ daemon started: pid=[[:digit:].]+, -q30m, listening for SMTP on port 25 \(IPv6 and IPv4\) port 587 \(IPv6 and IPv4\) and for SMTPS on port 465 \(IPv6 and IPv4\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? no host name found for IP address [[:xdigit:].:]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? no MAIL in SMTP connection from [^[:space:]]+ ([^[:space:]]+) \[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ D=[[:digit:]]+s( X=[^[:space:]]+ CV=no)?( C=(EHLO,STARTTLS,)?EHLO,QUIT)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? no MAIL in SMTP connection from \[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ D=[[:digit:]]+s$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? SMTP connection from [^[:space:]]+ \([^[:space:]]+\) \[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ closed by QUIT$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? SMTP connection from \[[[:xdigit:].:-]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ lost D=[[:digit:]]+s$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? SMTP connection from \[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ \(TCP/IP connection count = [[:digit:]]+\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1/[[:digit:]]\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} \[[[:digit:]]+\])? Start queue run: pid=[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ exim\[[[:digit:]]+\]: \[[2-9]/[[:digit:]]+\] .*$
-- 2.39.2
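Review bot: The first rule ends in `rspamd-score is: -![[:digit:].]$`, which only matches a literal `-!` followed by exactly one digit or dot; unless exim really logs `-!` there, this looks like a typo for the `-?[[:digit:].]+$` form the X-hnjs-*score rules use, and the rule is currently dead (fail-safe for logcheck, which then keeps reporting those rejections, but it does not do what the commit intends). The three `RCPT TO` tarpit rules use `for [[:digit:]-]s` (a single character, which also accepts `-s` with no digit) while the connect/HELO/MAIL FROM rules use `for [[:digit:]]+s`, so RCPT-stage delays of 10 s or more keep being reported; if that is deliberate it deserves a leading `#` comment, otherwise `[[:digit:]-]+s` matches the siblings. The final rule `exim\[[[:digit:]]+\]: \[[2-9]/[[:digit:]]+\] .*$` suppresses every continuation line of any multi-line exim entry regardless of content, including the detail of messages whose `[1/N]` line is not ignored, so the report will show such entries truncated to their first line; consider limiting it to the continuation text of the message kinds already ignored above, or at least record that trade-off in a comment at the top of the file. Minor: the `no MAIL in SMTP connection from [^[:space:]]+ ([^[:space:]]+)` rule leaves its parentheses unescaped, unlike the sibling `SMTP connection from [^[:space:]]+ \([^[:space:]]+\)` rule; it still matches because `[^[:space:]]+` absorbs the literal parens, but `\(`/`\)` would make the intent explicit and the two rules consistent.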