On Mon, 2012-11-19 at 19:16 -0500, Sam Varshavchik wrote:
> cour...@devloop.de writes:
> 
> > Hi,
> > I guess I have some understanding problems of the -block option. I want to  
> > use
> > a standard DNSBL to drop spam. But I also want to count the hits by the  
> > DNSBL.
> > My idea was to use maildroprc to run an external program and then block the
> > mail.
> 
> Why all that work?
> 
> Just block the email, and run a script that greps your /var/log/maillog, and  
> adds everything up. The error messages should be trivial to identify, by  
> DNSBL.

I was going to say that, Sam, but this answer is so simple I thought I
must be missing something :P

What I do here is as follows:

in esmtpd, I have:

        BLACKLISTS="-block=cbl.abuseat.org,BLOCK2 -block=dnsbl.njabl.org,BLOCK3 -block etc.."

The .mailfilters/rcptfilter file for every virtual mail account contains
an include for a per-domain file, domainspampolicy, which in turn
contains an include for /etc/courier/globalspampolicy.  globalspampolicy
contains a series of stanzas such as:

        import BLOCK2
        if ( "$BLOCK2" ne "" )
        {
                echo "$BLOCK2 (BL-2)"
                EXITCODE=1
                exit
        }
        
        import BLOCK3
        if ( "$BLOCK3" ne "" )
        {
                echo "$BLOCK3 (BL-3)"
                EXITCODE=1
                exit
        }
        
        etc...

So every log entry for blocked emails has a (BL-?) tag in it identifying
the BL in which the originating address was found.  This helps identify
the advisory blacklist for each entry in the final report.

Every day, for every user who wants a report on blocked email, root runs
a cron job as follows:

        zcat /var/log/mail.log.1.gz | cat - /var/log/mail.log \
            | grep 'error,relay' | grep ' 511 ' | grep domain.org \
            | /usr/local/sbin/prettylog.pl \
            | mailx -s "Blocked Email Summary from FMP" ad...@domain.org

"domain.org" and "ad...@domain.org" are creative redactions from a real
example :)

prettylog.pl is a perl script, as follows:

        #!/usr/bin/perl
        use strict;
        use warnings;

        # Default to yesterday's syslog date ("Nov 19"); a date given as $ARGV[0] overrides it.
        my ($sec, $min, $hour, $mday, $mon, $year) = localtime(time - (60 * 60 * 24));
        my $month = (qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec))[$mon];
        my $day = sprintf("%s %2.2s", $month, $mday);   # syslog pads the day to width 2
        $day = $ARGV[0] if $ARGV[0];
        $year += 1900;
        my $format = "%-16s %-5s %-16s %-57.55s %-30s %s\n";
        # indented here-doc (Perl 5.26+) so the terminator can stay indented
        print <<~EOF;
        The following emails were refused blah, blah, (something semi-intelligent
        about the following report).

        BLOCKED EMAIL SUMMARY - $day, $year

        EOF

        printf($format, "DATE", "LIST", "SERVER IP", "FROM", "TO", "REASON");
        printf($format, "----", "----", "---------", "----", "--", "------");
        my $count = 0;
        while (<STDIN>) {
                next unless /$day/;
                # skip lines that do not match, so captures from a previous line are never reused
                next unless /(... .. ..:..:..) .*? courieresmtpd: error,relay=(.*?),.*?from=<(.*?)>.*?,to=<(.*?)>: 511 (.*?)(?: \(BL-(.)\)){0,1}$/;
                my ($mdate, $ip, $from, $to, $reason, $bl) = ($1, $2, $3, $4, $5, $6);
                $bl = "" unless defined $bl;   # refusals without a (BL-n) tag
                printf($format, $mdate, $bl, $ip, $from, $to, $reason);
                $count++;
        }
        printf("\nA total of %s probable spam emails were blocked during the last 24 hours.\n", $count);

So each user who wants one gets a report of their blocked emails,
identifying which BL service tagged it followed by a total of blocked
emails.

You can morph the script to do pretty much anything you want to, such as
listing and summarizing only DNSBL hits, or just sending the system
admin a DNSBL hit count.

Ain't Unix wonderful? ;)

-- 
Lindsay Haisley       | "We have met the enemy and he is us."
FMP Computer Services |
512-259-1190          |          -- Pogo
http://www.fmp.com    |
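An added example, not part of the message above nor of Courier itself: a Python version of the same log tally that answers the original question (count hits per DNSBL) straight from the courieresmtpd lines, without a separate program in maildroprc. The log-line layout is assumed to be the one the Perl regex in the post matches (syslog timestamp, host, "courieresmtpd: error,relay=IP,from=<..>,to=<..>: 511 reason (BL-n)"), the "(BL-n)" tag being the one the rcptfilter stanzas echo; the sample lines are constructed, and the 511 refusal without a tag shows why a non-matching line must be skipped rather than printed with stale fields.

```python
import re
from collections import Counter

# Assumed log layout, taken from the regex in the post: traditional syslog timestamp,
# hostname, then "courieresmtpd: error,relay=IP,from=<..>,to=<..>: 511 reason (BL-n)".
# The "(BL-n)" tag is optional: refusals for other reasons carry none.
LOG_RE = re.compile(
    r'^(?P<date>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ courieresmtpd: '
    r'error,relay=(?P<ip>[^,]*),.*?from=<(?P<from>[^>]*)>.*?,to=<(?P<to>[^>]*)>: '
    r'511 (?P<reason>.*?)(?: \(BL-(?P<bl>[^)]+)\))?$'
)

# Constructed sample lines (not real log data): two hits on BL-2, one on BL-3,
# one 511 refusal without a blacklist tag, and one unrelated courieresmtpd line.
SAMPLE_LOG = """\
Nov 19 03:12:44 mx1 courieresmtpd: error,relay=::ffff:192.0.2.10,from=<a@example.net>,to=<user@domain.org>: 511 Listed in cbl.abuseat.org (BL-2)
Nov 19 03:15:01 mx1 courieresmtpd: error,relay=::ffff:198.51.100.7,from=<b@example.org>,to=<user@domain.org>: 511 Listed in dnsbl.njabl.org (BL-3)
Nov 19 03:20:17 mx1 courieresmtpd: started,ip=[::ffff:203.0.113.5]
Nov 19 04:02:59 mx1 courieresmtpd: error,relay=::ffff:192.0.2.11,from=<c@example.net>,to=<other@domain.org>: 511 Listed in cbl.abuseat.org (BL-2)
Nov 19 05:30:00 mx1 courieresmtpd: error,relay=::ffff:203.0.113.9,from=<d@example.com>,to=<user@domain.org>: 511 Sender address rejected by local policy
"""


def parse_refusals(lines, day=None):
    """Return the parsed 511 refusals, optionally restricted to one syslog day ("Nov 19")."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:  # not a 511 refusal: skip it instead of reusing captures from an earlier line
            continue
        if day is not None and not m.group("date").startswith(day):
            continue
        entries.append(m.groupdict())
    return entries


def count_by_blacklist(entries):
    """Tally refusals per (BL-n) tag; untagged 511 refusals go under 'untagged'."""
    return Counter(e["bl"] or "untagged" for e in entries)


def count_by_recipient(entries):
    """Per-recipient totals, the figure each user's daily report ends with."""
    return Counter(e["to"] for e in entries)


if __name__ == "__main__":
    import sys
    # Feed the real log on stdin (e.g. the zcat/grep pipeline from the post); the
    # constructed sample is used when run interactively without input.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines(keepends=True)
    parsed = parse_refusals(src)
    for e in parsed:
        print(f'{e["date"]:16} {e["bl"] or "-":5} {e["ip"]:16} {e["from"]:30} {e["to"]:30} {e["reason"]}')
    print()
    for bl, n in sorted(count_by_blacklist(parsed).items()):
        print(f"BL-{bl}: {n}" if bl != "untagged" else f"untagged: {n}")
    print(f"\nA total of {len(parsed)} refused emails in the input.")
```

Piping the same `grep 'error,relay' | grep ' 511 '` output into this script gives the per-list counts directly; the untagged bucket separates local-policy refusals from DNSBL hits, which the grep-only count lumps together.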


_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
