# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for the Secure Computing IronMail spam ("SPAMQ") log.
#
# The log is a per-message trace: each message is logged as several lines that
# share a numeric Message ID. Parsing therefore uses Sawmill "collected entries"
# keyed on that ID: every line updates the collected entry for its message, and
# the entry is only emitted into the database when the verdict line
# ("This message is spam. Detected by ESP.") is seen.
#
# SECURITY NOTE(review): the source_ip field is populated from IronMail's
# "External IP(s) retrieved from received headers" line, i.e. from SMTP
# Received: headers. Received: headers added before the first trusted hop are
# written by the sender and can be forged by a spammer, so source_ip (and the
# location report derived from it) reflect a *claimed* origin, not a verified
# one. Treat them as advisory; do not feed them into blocklists or alerting
# without corroboration from the connecting-peer address.
ironmail_spam = {

  plugin_version = "2.0.1"

  # 2006-04-11: v2.0: added support for a new variant; added esp_total_points; added source_ip; added message_id -GMF
  # 13:23 15/12/2006: v2.0.1: gas: added support for getting IP from RBL lines where External IP lines are not available

  # The name of the log format
  log.format.format_label = "Ironmail Spam Log Format"
  log.miscellaneous.log_data_type = "SPAM"
  log.miscellaneous.log_format_type = "mail_server"

  # e.g. Channel127::1153513:03282006 00:00:16:Sub feature list for the Message ID: <1153513> is [10, 11, 9, 1, 2, 3, 5, 6]

  # The log is in this format if any of the first ten lines match this regular expression.
  # Two shapes are recognised: the spin-run banner ("SPAMQ:... Starting Spin Run #N")
  # and the per-message trace line ("<channel>:<something>:<msgid>:MMDDYYYY HH:MM:SS:...").
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, "^SPAMQ:[0-9]* [0-9:]*Starting Spin Run #[0-9]*$") or
    # e.g. Channel127::1153513:03282006 00:00:16:Sub feature list for the Message ID: <1153513> is [10, 11, 9, 1, 2, 3, 5, 6]
    matches_regular_expression(volatile.log_data_line, "^[^:]*:[^:]*:[0-9]*:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]:");
  `

  # Accept collected entries after they're not used for 1000 lines.
  # NOTE(review): with discard_expired_entries = false, an entry for a message
  # that never produced a verdict line is not dropped when it expires; confirm
  # against the Sawmill docs whether it is then written out with type/spam_messages
  # unset, since that affects how "type = ''" rows should be read in reports.
  log.format.collected_entry_lifespan = 1000
  log.format.discard_expired_entries = false

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # The format of dates and times in this log (e.g. 03282006 = 28 March 2006)
  log.format.date_format = "mmddyyyy"

  # Log fields
  log.fields = {
    date = ""
    time = ""
    # "spam" once the verdict line has been seen; otherwise left empty
    type = ""
    # Declared as a host so Sawmill can resolve/geolocate it. The value is
    # whatever text the regexes below capture from the log line; it is not
    # validated here as a well-formed IP address.
    source_ip.type = "host"
    # IronMail's numeric Message ID; also the collected-entry key
    message_id = ""
    spam_messages = ""
    # ESP (spam engine) score reported on the "ESP total points" line
    esp_total_points = ""
  } # log.fields

  #
  # Log Parsing Filters
  #
  # Each physical line is first split into (message id, date, time, message
  # text); the message text is then matched against the per-message lines of
  # interest. v.key persists across lines, so a line that matches neither
  # header shape leaves v.message empty and no collected field is touched.
  log.parsing_filters.parse = `
    v.message = "";

    # Primary line shape: <n>:<msgid>:<n>[-:]<MMDDYYYY> <HH:MM:SS>:<message>
    if (matches_regular_expression(current_log_line(), '^[0-9]*:([0-9]*):[0-9]*[-:]([0-9]*) ([0-9]*:[0-9]*:[0-9]*):*(.*)$')) then (
      v.key = $1;
      set_collected_field(v.key, 'message_id', v.key);
      set_collected_field(v.key, 'date', $2);
      set_collected_field(v.key, 'time', $3);
      v.message = $4;
    );

    # Handle alternate format, e.g.:
    # Channel127::1153513:03282006 00:00:21:** Part scan begin for part <0>
    else if (matches_regular_expression(current_log_line(), '^[^:]*:[^:]*:([0-9]*):([0-9]*) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]):(.*)$')) then (
      v.key = $1;
      set_collected_field(v.key, 'message_id', v.key);
      set_collected_field(v.key, 'date', $2);
      set_collected_field(v.key, 'time', $3);
      v.message = $4;
    );

    # Handle ESP total points lines, e.g.:
    # Channel136::1156926:03282006 11:54:46:ESP total points: 35 for Message ID: <1156926>.
    if (matches_regular_expression(v.message, '^ESP total points: ([0-9]+) ')) then (
      set_collected_field(v.key, 'esp_total_points', $1);
    );

    # Handle external IP lines, e.g.:
    # Channel138::1153514:03282006 00:01:05:External IP(s) retrieved from received headers for Message ID: <1113513> are <'53.53.32.169'>.
    #
    # SECURITY NOTE(review): this address comes from Received: headers, which the
    # sender controls up to the first trusted hop; it is a claimed origin.
    # NOTE(review): the capture is [^>]* (everything up to the closing '>'), so if
    # IronMail ever lists more than one address inside <...>, the whole quoted
    # list lands in source_ip rather than a single address — confirm the
    # multi-address format before relying on host resolution of this field.
    else if (matches_regular_expression(v.message, "External IP\\\\(s\\\\) retrieved from received headers for Message ID: <[0-9]+> are <'([^>]*)'>.")) then (
      set_collected_field(v.key, 'source_ip', $1);
    );

    # add: v2.0.1: gas
    # Handle RBL lookup lines to get IP, where External IP lines are not available, e.g.:
    # Channel75::4103073:12072006 00:13:13:RBL: ipaddress 76.19.153.157 is in rbl list maintained by bl.spamcop.net
    #
    # NOTE(review): the set is unconditional. The "else if" only orders the
    # checks for a single physical line; when a message has both an External IP
    # line and a later RBL line, the RBL address overwrites the earlier value.
    # If "External IP wins" is the intent stated above, guard this with a check
    # that source_ip is still unset for v.key.
    else if (matches_regular_expression(v.message, "RBL: ipaddress ([^ ]+) is")) then (
      set_collected_field(v.key, 'source_ip', $1);
    );

    # Handle "this message is spam" lines: record the verdict and emit the
    # collected entry for this message (the second argument, false, keeps the
    # entry's collected fields rather than resetting them on acceptance —
    # confirm against the Sawmill docs for accept_collected_entry).
    else if (matches_regular_expression(v.message, '^This message is spam\\\\. Detected by ESP\\\\.')) then (
      set_collected_field(v.key, 'type', 'spam');
      set_collected_field(v.key, 'spam_messages', 1);
      accept_collected_entry(v.key, false);
    );
  `

  # Database fields
  database.fields = {
    date_time = ""
    hour_of_day = ""
    day_of_week = ""
    type = ""
    # See the security note at the top of this file: header-derived, spoofable
    source_ip = ""
    location = ""
    message_id = ""
    esp_total_points = ""
  } # database.fields

  database.numerical_fields = {
    # commented out because messages is redundant, because all messages are spam messages -GMF
    # messages = {
    #   default = true
    #   requires_log_field = false
    #   entries_field = true
    # } # messages
    spam_messages = ""
  } # database.numerical_fields

  # Commented out because commented out messages, above
  # log.filters = {
  #
  #   mark_entry = {
  #     label = '$lang_admin.log_filters.mark_entry_label'
  #     comment = '$lang_admin.log_filters.mark_entry_comment'
  #     value = 'messages = 1;'
  #   } # mark_entry
  #
  # } # log.filters

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      type = ""
      source_ip = ""
      location = ""
      message_id = ""
    } # report_groups

  } # create_profile_wizard_options

} # ironmail_spam