#!/usr/bin/perl 
##########################################################################
# $Id: mailscanner,v 1.4 2004/06/21 14:59:05 kirk Exp $
##########################################################################

########################################################
# This was written and is maintained by:
#    Mike Tremaine <mgt \@\ stellarcore.net>
#
# Sophos Support and other improvments by Mark W. Nienberg
#
########################################################

while (defined($ThisLine = <STDIN>)) {
   ($QueueID) = ($ThisLine =~ m/^([a-zA-Z0-9]+): / );
   $ThisLine =~ s/^[a-zA-Z0-9]+: //;
   if ( ( $ThisLine =~ m/^Saved infected/ ) or
         ( $ThisLine =~ m/^Expanding TNEF archive/ ) or
         ( $ThisLine =~ m/^Warned about/ ) or
         ( $ThisLine =~ m/^Sender Warnings:/ ) or
         ( $ThisLine =~ m/X-Spam/ ) or
         ( $ThisLine =~ m/Using locktype = flock/ ) or
         ( $ThisLine =~ m/New Batch: Found/ ) or
         ( $ThisLine =~ m/Attempting to disinfect/ ) or
         ( $ThisLine =~ m/Rescan found/ ) or
         ( $ThisLine =~ m/Virus Re-scanning:/ ) or
         ( $ThisLine =~ m/Content Checks: Fixed awkward MIME boundary for Cyrus IMAP/ ) or
         ( $ThisLine =~ m/Delete bayes lockfile/ ) or
         ( $ThisLine =~ m/MailScanner E-Mail Virus Scanner version/ ) or
         ( $ThisLine =~ m/MailScanner child dying of old age/ ) or
         ( $ThisLine =~ m/MailScanner child caught a SIGHUP/ ) or
         ( $ThisLine =~ m/Virus and Content Scanning/ ) or
         ( $ThisLine =~ m/Virus Scanning: [\w]+ found/ ) or
         ( $ThisLine =~ m/Message .+ is spam, Spam/ ) or
         ( $ThisLine =~ m/Saved entire message to/ ) or
         ( $ThisLine =~ m/Spam Checks: Starting/ ) or
         ( $ThisLine =~ m/Spam Actions: message .+ actions are .*deliver/ ) or
         ( $ThisLine =~ m/SophosSAVI .+ recognizing [0-9]+ viruses/ ) or
         ( $ThisLine =~ m/SophosSAVI using [0-9]+ IDE files/ ) or
         ( $ThisLine =~ m/Sophos SAVI library has been updated/ ) or
         ( $ThisLine =~ m/Sophos update of .* detected, resetting SAVI/ ) or
         ( $ThisLine =~ m/Content Checks: Detected and will convert HTML/ ) ) {
      # We don't care about these
   } elsif ( $ThisLine =~ m/New Batch: Scanning ([0-9]+) messages, ([0-9]+) bytes/i) {
      $MailScan_Received = $MailScan_Received + $1;
      $MailScan_bytes = $MailScan_bytes + $2;
   } elsif ( $ThisLine =~ m/New Batch: Forwarding ([0-9]+) unscanned messages, ([0-9]+) bytes/i) {
      $MailScan_Received = $MailScan_Received + $1;
      $MailScan_Unscanned = $MailScan_Unscanned + $1;
      $MailScan_bytes = $MailScan_bytes + $2;
   } elsif ( $ThisLine =~ m/Delivered ([0-9]+)( cleaned)? messages/) {
      $MailScan_Delivered = $MailScan_Delivered + $1;
   } elsif ( $ThisLine =~ m/Spam Checks: Found ([0-9]+) spam messages/) {
      $MailScan_Spam = $MailScan_Spam + $1;
   } elsif ( $ThisLine =~ m/Virus Scanning: Found ([0-9]+) viruses/) {
      $MailScan_Virus = $MailScan_Virus + $1;
   } elsif ( $ThisLine =~ m/infected message .+ came from (.*)/i) {
      $MailScan_VirualHost = $MailScan_VirualHost + 1;
      $Hostlist{$1}++;
   } elsif ( $ThisLine =~ m/Content Checks: Found ([0-9]+) problems/) {
      $MailScan_Content = $MailScan_Content + $1;
   } elsif ( $ThisLine =~ m/Other Checks: Found ([0-9]+) problems/) {
      $MailScan_Other = $MailScan_Other + $1;
   } elsif ($ThisLine =~ m/^\/var\/spool\/MailScanner\/incoming\/.+: ([\w\_\-\.\/]+) FOUND/i) {
      $VirusType_ClamAv{$1}++;
      $MailScan_Virus_ClamAv++;
   } elsif ($ThisLine =~ m/>>> Virus \'(.+)\' found/) {
      $VirusType_Sophos{$1}++;
      $MailScan_Virus_Sophos++;
   } elsif ($ThisLine =~ m/INFECTED:: (.+)::/) {
      $VirusType_SophosSavi{$1}++;
      $MailScan_Virus_SophosSavi++;
   } elsif ($ThisLine =~ m/Content Checks: Detected (.+) in [\w]+/i) {
      $ContentType{$1}++;
   } elsif ($ThisLine =~ m/Filename Checks: (.+)/i) {
      #filter sendmail tag
      my $temp_fc = $1;
      $temp_fc =~ s/\([a-z0-9]{14}\s/\(/i;
      $FilenameType{$temp_fc}++;
   } elsif ($ThisLine =~ m/(Password\-protected archive \(.+\)) in \w+/i) {
      $MailScan_Other = $MailScan_Other + 1;
      $FilenameType{$1}++;
   } elsif ($ThisLine =~ /Spam Actions: .+ actions are .*delete/) {
      $MailScan_Spam_Deleted++;
   } elsif ($ThisLine =~ /SpamAssassin timed out and was killed/) {
      $SA_timeout++;
   } elsif ( $ThisLine =~ m/Message .+ from (.+ \(.+\)) to .+ is spam \(blacklisted\)/ ) {
      $MailScan_Blacklisted++;
      $Blacklisted_Host{$1}++;
   } else {
      chomp($ThisLine);
      # Report any unmatched entries...
      $OtherList{$ThisLine}++; 
   }
}

if ($MailScan_Received > 0) {
   print "\nMailScanner Status:";
   print "\n\t" . $MailScan_Received . ' messages Scanned by MailScanner';
   print "\n\t" . $MailScan_bytes . ' Total Bytes';
}

if ($MailScan_Spam > 0) {
   print "\n\t" . $MailScan_Spam . ' Spam messages detected by MailScanner';
}

if ($MailScan_Unscanned > 0) {
   print "\n\t" . $MailScan_Unscanned . ' Messages forwarded unscanned by MailScanner';
}

if ($MailScan_Spam_Deleted > 0) {
   print "\n\t" . $MailScan_Spam_Deleted . ' Spam messages deleted by Mailscanner';
}

if ($MailScan_Virus > 0) {
   print "\n\t" . $MailScan_Virus . ' Viruses found by MailScanner';
}

if ($MailScan_Other > 0) {
   print "\n\t" . $MailScan_Other . ' Banned attachments found by MailScanner';
}

if ($MailScan_Content > 0) {
   print "\n\t" . $MailScan_Content . ' Content Problems found by MailScanner';
}

if ($MailScan_Delivered > 0) {
   print "\n\t" . $MailScan_Delivered . " Messages delivered by MailScanner\n";
}

if ($SA_timeout > 0) {
   print "\n\t" . $SA_timeout . " SpamAssassin timeout(s)\n";
}

if (keys %VirusType_ClamAv) {
   print "\nVirus Report: (Total Seen = $MailScan_Virus_ClamAv)\n";
   foreach $ThisOne (sort keys %VirusType_ClamAv) {
      print '    ' . $ThisOne . ': ' . $VirusType_ClamAv{$ThisOne} . " Times(s)\n";
   }
}

if (keys %VirusType_Sophos) {
   print "\nSophos Virus Report: (Total Seen = $MailScan_Virus_Sophos)\n";
   foreach $ThisOne (sort keys %VirusType_Sophos) {
      print '    ' . $ThisOne . ': ' . $VirusType_Sophos{$ThisOne} . " Times(s)\n";
   }
}

if (keys %VirusType_SophosSavi) {
   print "\nSophosSavi Virus Report: (Total Seen = $MailScan_Virus_SophosSavi)\n";
   foreach $ThisOne (sort keys %VirusType_SophosSavi) {
   print '    ' . $ThisOne . ': ' . $VirusType_SophosSavi{$ThisOne} . " Times(s)\n";
   }
}

if (keys %Hostlist) {
   print "\nVirus Sender Report: (Total Seen = $MailScan_VirualHost)\n";
   foreach $ThisOne (sort keys %Hostlist) {
      print '    ' . $ThisOne . ': ' . $Hostlist{$ThisOne} . " Times(s)\n";
   }
}

if (keys %Blacklisted_Host) {
   print "\nSpam Blacklisted Host Report: (Total Seen = $MailScan_Blacklisted)\n";
   foreach $ThisOne (sort keys %Blacklisted_Host) {
      print '    ' . $ThisOne . ': ' . $Blacklisted_Host{$ThisOne} . " Times(s)\n";
   }
}

if (keys %ContentType) {
   print "\nContent Report: (Total Seen = $MailScan_Content)\n";
   foreach $ThisOne (sort keys %ContentType) {
      print '    ' . $ThisOne . ': ' . $ContentType{$ThisOne} . " Times(s)\n";
   }
}

if (keys %FilenameType) {
   print "\nFilename Report: (Total Seen = $MailScan_Other)\n";
   foreach $ThisOne (sort keys %FilenameType) {
      print '    ' . $ThisOne . ': ' . $FilenameType{$ThisOne} . " Times(s)\n";
   }
}

if (keys %OtherList) {
   print "\n**Unmatched Entries**\n";
   foreach $line (sort {$OtherList{$b}<=>$OtherList{$a} } keys %OtherList) {
      print "   $line: $OtherList{$line} Time(s)\n";
   }
}

exit(0);

# vi: shiftwidth=3 tabstop=3 et
