At the moment all spamd greylisting cares about is, "does it retry
connecting?" Unfortunately a lot of spammers do a spamrun and
simply try sending a spam message or 10 and then move on to the
next smtp server on their list, and that gets them whitelisted in
a matter of seconds.

Not really a problem. I use postfix and with a few smart
configuration statements it can fend for itself pretty well. You
can make it check for various things like being on an RBL, not
having a reverse DNS, not posting with a real HELO, etc. etc. And
all result in an entry in the logfiles which contains NOQUEUE.

So I wrote the little script below which checks the spamdb output and
the postfix logfile output:

So far I am only bothered with one spam group. And they have been
sending spam with the same silly pattern for over five years now:

  g[a-z][0-9]{5}@mydomain.com

I don't make it up, it's that simple.

Anyway. Wouldn't it be nice if spamd would do the checks that
postfix does so the mailserver protecting code can be separated
from the real functionality?

So spamd would use the stuttering time to figure out if the ip is
not on an rbl, if the dnsname is reverse resolvable, if the helo
is valid, if the sender is not matching silly pattern, etc etc and
then decide what to do with the attempt, either blacklist or
whitelist the ip. Wouldn't it be nice if spamdb could feed its
data to a rbldnsd so other mailservers in the domain could use the
same information?

I think it would result in a much faster and fairer decision on
whether a message is spam or ham.



#!/bin/sh
# greytoblack: move greylisted spam-run senders, and whitelisted hosts
# that postfix rejected (NOQUEUE), onto the spamd trap list.

LOG=/var/log/greytoblack

# Snapshot the spamdb output once; the temp file is removed on any exit.
SPAMDB=$(mktemp) || exit 1
trap 'rm -f "$SPAMDB"' EXIT
spamdb > "$SPAMDB"

# trapped IP: succeeds if the address is already on the trap list
trapped()
{
    grep -F "|$1|" "$SPAMDB" | grep -q TRAPPED
}

# Trap IP: add the address to the trap list
Trap()
{
    spamdb -t -a "$1"
}

# match RCPT IP: trap the sender of a greylisted message to RCPT
match()
{
    if ! trapped "$2"; then
        echo "$(date) $2 is sending email to $1; lets trap him." >> "$LOG"
        Trap "$2"
    fi
}

# Build "recipient<TAB>ip" pairs from the GREY entries (field 5 = to,
# field 2 = ip), stripping the angle brackets around the address.
# Word splitting on the unquoted $(...) is intentional here.
set -- $(awk -F'|' '/^GREY/ {print $5"\t"$2}' "$SPAMDB" | sed -e 's|[<>]||g')
while [ $# -gt 0 ]; do
    case $1 in
        *[0-9]@mydomain.com)
            match "$1" "$2"
            ;;
        # The second address pattern was obfuscated by the mail archive
        # ("[email protected]"); put the real glob here as another branch.
    esac
    shift 2
done


# Kick spammers who got through back to the blacklist: every client IP
# that postfix rejected (NOQUEUE) while spamd still had it whitelisted.
for i in $(awk '/NOQUEUE/ {print $10}' /var/log/maillog | sed -e 's|.*\[\(.*\)].*|\1|' | sort | uniq); do
    if grep -qF "WHITE|$i|" "$SPAMDB"; then
        Trap "$i"
        echo "$(date) $i got through! Gotcha bastard!!" >> "$LOG"
    fi
done



# Han
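As an added example (not Han's script above and not part of spamd), here is a POSIX sh sketch of the decision the post proposes spamd could make during the stutter, using only the fields spamd already records for a GREY entry (ip, helo, from, to): the recipient pattern quoted in the post, a HELO plausibility check, and, when a network is available, a reverse DNS lookup and a DNSBL query. DOMAIN and RBL_ZONE are placeholders, the DNS checks run only when GREYCHECK_DNS=1, and the spamdb lines at the bottom are constructed sample data, so the script runs offline as shown.

```sh
#!/bin/sh
# Added example, not the script from the post and not part of spamd(8):
# make the decision the post wants spamd to make during the stutter, from
# the fields spamd already records (ip, helo, from, to). Assumptions:
# DOMAIN and RBL_ZONE are placeholders; the recipient regex is the pattern
# quoted in the post; DNS-based checks use host(1) and only run when
# GREYCHECK_DNS=1, so the offline run below uses the local checks only.

DOMAIN="mydomain.com"                 # placeholder local domain
RBL_ZONE="rbl.example"                # placeholder DNSBL zone
DOMAIN_RE=$(printf '%s' "$DOMAIN" | sed 's/\./\\./g')
SILLY_PATTERN="^g[a-z][0-9]{5}@${DOMAIN_RE}\$"

# silly_rcpt TO: succeeds when the recipient matches the spam-run pattern
silly_rcpt() {
    printf '%s\n' "$1" | grep -Eq "$SILLY_PATTERN"
}

# bad_helo HELO: succeeds when the HELO is not a plausible FQDN
# (empty, no dot, a bare dotted quad, or a forged claim to be our domain)
bad_helo() {
    case "$1" in
        ""|*.) return 0 ;;
        *.*.*.*)
            if printf '%s\n' "$1" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
                return 0
            fi ;;
    esac
    case "$1" in
        *.*) ;;
        *) return 0 ;;
    esac
    case "$1" in
        "$DOMAIN"|*."$DOMAIN") return 0 ;;
    esac
    return 1
}

# no_rdns IP: succeeds when the address has no PTR record (network needed)
no_rdns() {
    [ "${GREYCHECK_DNS:-0}" = 1 ] || return 1   # offline: assume it resolves
    if host "$1" >/dev/null 2>&1; then return 1; fi
    return 0
}

# on_rbl IP: succeeds when reversed-octets.RBL_ZONE has a record
on_rbl() {
    [ "${GREYCHECK_DNS:-0}" = 1 ] || return 1   # offline: assume not listed
    rev=$(printf '%s\n' "$1" | awk -F. '{print $4"."$3"."$2"."$1}')
    host "$rev.$RBL_ZONE" >/dev/null 2>&1
}

# verdict "GREY|ip|helo|from|to|...": prints "TRAP ip reason" or "WHITE ip"
verdict() {
    ip=$(printf '%s\n' "$1" | cut -d'|' -f2)
    helo=$(printf '%s\n' "$1" | cut -d'|' -f3)
    to=$(printf '%s\n' "$1" | cut -d'|' -f5 | sed 's/[<>]//g')
    reason=""
    if silly_rcpt "$to"; then reason="pattern"
    elif bad_helo "$helo"; then reason="helo"
    elif no_rdns "$ip"; then reason="rdns"
    elif on_rbl "$ip"; then reason="rbl"
    fi
    if [ -n "$reason" ]; then
        printf 'TRAP %s %s\n' "$ip" "$reason"   # candidate for: spamdb -t -a "$ip"
    else
        printf 'WHITE %s\n' "$ip"
    fi
}

# review: read spamdb(8) output on stdin and print one verdict per GREY entry
review() {
    while IFS= read -r line; do
        case "$line" in
            "GREY|"*) verdict "$line" ;;
        esac
    done
}

# Constructed sample of spamdb output (not real data) for an offline run
SAMPLE='GREY|192.0.2.10|mail.example.net|<alice@example.net>|<bob@mydomain.com>|1|2|3|4|5
GREY|192.0.2.11|localhost|<x@bad.example>|<ga12345@mydomain.com>|1|2|3|4|5
GREY|192.0.2.12|192.0.2.12|<y@bad.example>|<bob@mydomain.com>|1|2|3|4|5
WHITE|192.0.2.13||||1|2|3'

printf '%s\n' "$SAMPLE" | review
```

Run as "spamdb | GREYCHECK_DNS=1 sh greycheck.sh" on a real host to include the DNS checks; the checks are ordered cheapest first so the local pattern and HELO tests decide most entries without a lookup, and a TRAP verdict is only printed, never applied, so the output can be reviewed before feeding it to spamdb -t -a.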
