On Fri, 24 Nov 2006, Mark Martinec wrote:
> - somehow determine the SMTP client's IP address following SA mechanisms
> on trusted/internal etc settings and parsed Received header fields.
> (can't help there, ask on SA list if necessary)
> This should be an IP address of the remote host which connected
> to our MX host on which p0f and p0f-analyzer.pl must be running.
>
> - query p0f-analyzer.pl process by using my example code in:
> http://marc.theaimsgroup.com/?l=postfix-users&m=116312480114045
> http://marc.theaimsgroup.com/?l=spamassassin-users&m=116406420110311
>
A crude p0f SA plugin, untested :)
package P0f;
use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Logger;
use IO::Socket::INET;
use Time::HiRes;
use strict;
use warnings;
use bytes;
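# Inherit from the SpamAssassin plugin base class.  'our' replaces the
# obsolete 'use vars' declaration of the package global.
our @ISA = qw(Mail::SpamAssassin::Plugin);

# Where the p0f-analyzer.pl listener is reachable; handed unchanged to
# _p0f_init().  The 'inet:host:port' form follows Mark's example code --
# replace mx_host with the MX host that actually runs p0f and p0f-analyzer.pl.
my $p0f_service = q{inet:mx_host:2345};

# Fingerprint lines (as returned by p0f) that make p0f_lookup() fire.
my $p0f_regexp = qr{^Windows\b};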
# Plugin constructor, invoked by SpamAssassin for the 'loadplugin P0f' line.
# Accepts either a class name or an existing instance as invocant, builds the
# object through the base class, and registers p0f_lookup() so rules files can
# use it as eval:p0f_lookup().
sub new {
    my ($invocant, $mailsaobject) = @_;
    my $class = ref($invocant) || $invocant;

    my $self = bless $class->SUPER::new($mailsaobject), $class;
    $self->register_eval_rule('p0f_lookup');

    return $self;
}
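# Eval rule body behind WINDOWS_SMTP_CLIENT (see p0f.cf).
#
# Queries p0f-analyzer.pl for the OS fingerprint of the SMTP client that
# connected to our MX and returns 1 when that fingerprint matches
# $p0f_regexp, 0 in every other case (no untrusted relay, unusable IP,
# analyzer not reachable, empty or non-matching answer).
#
# The client IP is taken from SA's parsed Received headers: relays_untrusted->[0]
# is the most recent untrusted relay, i.e. the host that handed the message
# to our trusted network, so the result is only as good as the site's
# trusted_networks/internal_networks settings.  The original version wrapped
# the nonce comment onto two lines ("good" / "enough"), which left a bare
# word in the code and also returned undef instead of 0 when the outer guard
# failed; both are fixed here.
sub p0f_lookup {
    my ($self, $pms) = @_;

    # Nothing configured -> rule can never fire.
    return 0 unless defined $p0f_service && defined $p0f_regexp;

    # We can only match this if we have at least 1 untrusted header.
    my $n_untrusted = $pms->{num_relays_untrusted};
    return 0 unless defined $n_untrusted && $n_untrusted > 0;

    my $lastunt = $pms->{relays_untrusted}->[0];
    my $cl_ip = defined $lastunt ? $lastunt->{ip} : undef;

    # Skip addresses p0f cannot have seen (unknown, unspecified v4/v6).
    return 0 if !defined $cl_ip
        || $cl_ip eq ''
        || $cl_ip eq '0.0.0.0'
        || $cl_ip eq '::';

    # Nonce pairing our query with the analyzer's reply; not too clever, but
    # good enough.
    my $nonce = int(rand(1000000000));

    # 0.050: presumably the per-query timeout in seconds -- confirm against
    # Mark's _p0f_init().
    my $os_fingerprint_obj = $self->_p0f_init($pms, $p0f_service, 0.050, $cl_ip, $nonce);
    return 0 unless defined $os_fingerprint_obj;

    my $os_fingerprint = $self->_p0f_collect_response($pms, $os_fingerprint_obj);
    return 0 unless defined $os_fingerprint && $os_fingerprint ne '';

    # >95% of mail from remote Windows hosts is spam coming from zombized
    # machines, so it is worth to greylist.
    return $os_fingerprint =~ /$p0f_regexp/ ? 1 : 0;
}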
.....
...
Just copy and paste Mark's subs p0f_init and p0f_collect_response (called here as _p0f_init and _p0f_collect_response), with some minor
changes
.....
__END__
p0f.cf:
loadplugin P0f /etc/mail/spamassassin/P0f.pm
header WINDOWS_SMTP_CLIENT eval:p0f_lookup()
describe WINDOWS_SMTP_CLIENT The last untrusted SMTP client to connect to our MX host is Windows
score WINDOWS_SMTP_CLIENT 0.1
> - the result will contain one line as returned by p0f. Plugin may
> insert this information into a header, or supply it as scoring rules.
>
> Mark
>
Vincent Li http://pingpongit.homelinux.com
Opensource .Implementation. .Consulting.
Platform .Fedora. .Debian. .Mac OS X.
Blog http://bl0g.blogdns.com