Posted to users@spamassassin.apache.org by sa-russian <sa...@yandex.ru> on 2006/10/31 17:29:37 UTC
Simple script that rejects mail from spammers
Hi to all!
I made a simple script that scans sendmail log files, finds IP from which several spam messages were received, and blocks them in sendmail access file.
The background is as follows: Once I found that our MX was nearly down. Running top exposed a lot of spamd instances, consuming almost all CPU time. Examining maillog showed that one of our subscribers sent about 4000 messages within approximately 15 minutes, and all of them were spam. I manually banned that subscriber in /etc/mail/access and informed their personnel about a possible zombie infection.
Now I have a script that runs from cron and instantly blocks hosts that have sent us more than some maximum number of spam messages within the last hour (or any duration of your choice).
The script is available from http://sa-russian.narod.ru/block_spammers.bash
Understanding of some fundamentals of BASH scripting is expected. The only MTA supported is sendmail. Look at the comments inside the script to tailor it to your installation.
Best regards,
Alan M. Makoev
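The approach described in this post (count spam rejections per sending IP inside a time window, then emit sendmail access-file entries), as an added example that is not the script linked above. The log format, the `spam_senders` function and its allow-list parameter are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; NOT the block_spammers.bash script from the post.
# Assumption: a spam verdict is logged as a sendmail "Milter: ... reject="
# line sharing its queue ID with the message's "from=... relay=host [IP]" line.

# Constructed sample log (documentation-range addresses, made-up queue IDs).
SAMPLE_LOG='Oct 31 16:10:01 mx sendmail[900]: k9VGA1aa000900: from=<x@b.example.net>, size=2100, nrcpts=1, relay=b.example.net [198.51.100.7]
Oct 31 16:10:02 mx sendmail[900]: k9VGA1aa000900: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
Oct 31 16:40:11 mx sendmail[911]: k9VGe1ab000911: from=<y@a.example.org>, size=1800, nrcpts=1, relay=a.example.org [192.0.2.10]
Oct 31 16:40:12 mx sendmail[911]: k9VGe1ab000911: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
Oct 31 16:41:05 mx sendmail[912]: k9VGf5ac000912: from=<y@a.example.org>, size=1900, nrcpts=1, relay=a.example.org [192.0.2.10]
Oct 31 16:41:06 mx sendmail[912]: k9VGf5ac000912: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
Oct 31 16:45:00 mx sendmail[913]: k9VGj0ad000913: from=<x@b.example.net>, size=2000, nrcpts=1, relay=b.example.net [198.51.100.7]
Oct 31 16:45:01 mx sendmail[913]: k9VGj0ad000913: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
Oct 31 16:50:00 mx sendmail[914]: k9VGo0ae000914: from=<x@b.example.net>, size=900, nrcpts=1, relay=b.example.net [198.51.100.7]
Oct 31 16:50:01 mx sendmail[915]: k9VGo0ae000914: to=<u@example.com>, delay=00:00:01, relay=local, dsn=2.0.0, stat=Sent
Oct 31 16:52:00 mx sendmail[916]: k9VGq0af000916: from=<z@example.com>, size=1500, nrcpts=1, relay=mx2.example.com [203.0.113.5]
Oct 31 16:52:01 mx sendmail[916]: k9VGq0af000916: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
Oct 31 16:53:00 mx sendmail[917]: k9VGr0ag000917: from=<z@example.com>, size=1500, nrcpts=1, relay=mx2.example.com [203.0.113.5]
Oct 31 16:53:01 mx sendmail[917]: k9VGr0ag000917: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin'

# spam_senders LOGTEXT DAY SINCE MAX [ALLOW_REGEX]
# Prints one sendmail access-file line per relay IP that had more than MAX
# spam rejections on DAY ("Oct 31") at or after SINCE ("HH:MM:SS").
# ALLOW_REGEX names addresses that must never be blocked (default: loopback).
spam_senders() {
  printf '%s\n' "$1" |
  awk -v day="$2" -v since="$3" -v max="$4" -v allow="${5:-^127[.]}" '
    ($1 " " $2) != day || $3 < since { next }   # outside the time window
    { qid = $6; sub(/:$/, "", qid) }            # queue ID ties lines together
    / from=.* relay=/ && match($0, /\[[0-9.]+\]$/) {
      ip[qid] = substr($0, RSTART + 1, RLENGTH - 2)
    }
    /Milter: .*reject=/ && (qid in ip) { hits[ip[qid]]++ }
    END {
      for (a in hits)
        if (hits[a] > max && a !~ allow) printf "Connect:%s\tREJECT\n", a
    }' | sort
}

# Window starting 16:30:00 with a threshold of more than one rejection.
spam_senders "$SAMPLE_LOG" "Oct 31" "16:30:00" 1
```

The window test only compares times within one calendar day, so a cron job spanning midnight needs a real timestamp comparison. Lines appended to /etc/mail/access take effect after the map is rebuilt with `makemap hash /etc/mail/access < /etc/mail/access`.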
Re: Simple script that rejects mail from spammers
Posted by ds...@e2000.es.
> Evan Platt wrote:
>> At 09:36 AM 10/31/2006, you wrote:
>>
>>> Here's something similar:
>>>
>>> http://fut.patch.com/
>>
>> I'd be interested in something for postfix / ipfw... :)
>
>
> "Currently analyzes log files based on behavior of OpenSSH v4.2, Postfix
> v2.2.4, and ProFTPD v1.2 as
> packaged for Debian systems."
>
The same for Qmail:
http://inter7.com/?page=tcpblocker
From Inter7 guys
Re: Simple script that rejects mail from spammers
Posted by Stuart Johnston <st...@ebby.com>.
Evan Platt wrote:
> At 09:36 AM 10/31/2006, you wrote:
>
>> Here's something similar:
>>
>> http://fut.patch.com/
>
> I'd be interested in something for postfix / ipfw... :)
"Currently analyzes log files based on behavior of OpenSSH v4.2, Postfix v2.2.4, and ProFTPD v1.2 as
packaged for Debian systems."
RE: Simple script that rejects mail from spammers
Posted by "Suhas (QualiSpace)" <su...@qualispace.com>.
Even I'd be interested in something for postfix and iptables.
Warm Regards,
Suhas
System Admin
QualiSpace - A QuantumPages Enterprise
===========================
Tel India: +91 (22) 6792 - 1480
Tel US: +1 (614) 827 - 1224
Fax India: +91 (22) 2530 - 3166
URL: http://www.qualispace.com
===========================
For Any Technical Query Please Use: http://helpdesk.qualispace.com
QualiSpace Community Discussion forum: http://forum.qualispace.com
-----Original Message-----
From: Evan Platt [mailto:evan@espphotography.com]
Sent: Tuesday, October 31, 2006 11:15 PM
To: users@spamassassin.apache.org
Subject: Re: Simple script that rejects mail from spammers
At 09:36 AM 10/31/2006, you wrote:
>Here's something similar:
>
>http://fut.patch.com/
I'd be interested in something for postfix / ipfw... :)
Re: Simple script that rejects mail from spammers
Posted by Evan Platt <ev...@espphotography.com>.
At 09:36 AM 10/31/2006, you wrote:
>Here's something similar:
>
>http://fut.patch.com/
I'd be interested in something for postfix / ipfw... :)
Re: Simple script that rejects mail from spammers
Posted by Stuart Johnston <st...@ebby.com>.
sa-russian wrote:
> Hi to all!
>
> I made a simple script that scans sendmail log files, finds IP from which several spam messages were received, and blocks them in sendmail access file.
>
> The background is as follows: Once I found that our MX was nearly down. Running top exposed a lot of spamd instances, consuming almost all CPU time. Examining maillog showed that one of our subscribers sent about 4000 messages within approximately 15 minutes, and all of them were spam. I manually banned that subscriber in /etc/mail/access and informed their personnel about a possible zombie infection.
> Now I have a script that runs from cron and instantly blocks hosts that have sent us more than some maximum number of spam messages within the last hour (or any duration of your choice).
>
> The script is available from http://sa-russian.narod.ru/block_spammers.bash
>
> Understanding of some fundamentals of BASH scripting is expected. The only MTA supported is sendmail. Look at the comments inside the script to tailor it to your installation.
>
> Best regards,
> Alan M. Makoev
Here's something similar:
http://fut.patch.com/
Re: Simple script that rejects mail from spammers
Posted by Chris Purves <ch...@northfolk.ca>.
sa-russian wrote:
> Hi to all!
>
> I made a simple script that scans sendmail log files, finds IP from which several spam messages were received, and blocks them in sendmail access file.
>
> The background is as follows: Once I found that our MX was nearly down. Running top exposed a lot of spamd instances, consuming almost all CPU time. Examining maillog showed that one of our subscribers sent about 4000 messages within approximately 15 minutes, and all of them were spam. I manually banned that subscriber in /etc/mail/access and informed their personnel about a possible zombie infection.
> Now I have a script that runs from cron and instantly blocks hosts that have sent us more than some maximum number of spam messages within the last hour (or any duration of your choice).
>
> The script is available from http://sa-russian.narod.ru/block_spammers.bash
>
> Understanding of some fundamentals of BASH scripting is expected. The only MTA supported is sendmail. Look at the comments inside the script to tailor it to your installation.
>
> Best regards,
> Alan M. Makoev
>
Have a look at fail2ban. I believe it can do the same thing (as well as
more):
http://fail2ban.sourceforge.net/wiki/index.php/Main_Page
--
Chris
Re: Simple script that rejects mail from spammers
Posted by The Doctor <do...@doctor.nl2k.ab.ca>.
On Tue, Oct 31, 2006 at 08:48:16AM -0800, John D. Hardin wrote:
> On Tue, 31 Oct 2006, sa-russian wrote:
>
> > Hi to all!
> >
> > I made a simple script that scans sendmail log files, finds IP
> > from which several spam messages were received, and blocks them in
> > sendmail access file.
>
> I just set up something similar to block at the firewall (Linux
> iptables, sendmail logfile). If they keep hitting SBL-XBL why let them
> try at all?
>
> I'll publish it if anyone's interested.
>
Please do.
> --
> John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
> jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
> key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> ...the Fates notice those who buy chainsaws...
> -- www.darwinawards.com
> -----------------------------------------------------------------------
> Today: Halloween
>
--
Member - Liberal International
This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God Queen and country! Beware Anti-Christ rising!
Beware Linux the Microsoft of Unixes
Re: Simple script that rejects mail from spammers
Posted by "John D. Hardin" <jh...@impsec.org>.
On Tue, 31 Oct 2006, sa-russian wrote:
> Hi to all!
>
> I made a simple script that scans sendmail log files, finds IP
> from which several spam messages were received, and blocks them in
> sendmail access file.
I just set up something similar to block at the firewall (Linux
iptables, sendmail logfile). If they keep hitting SBL-XBL why let them
try at all?
I'll publish it if anyone's interested.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
Today: Halloween
Re: Simple script that rejects mail from spammers
Posted by Frank Bures <li...@chem.toronto.edu>.
On Tue, 31 Oct 2006 19:29:37 +0300 (MSK), sa-russian wrote:
>Hi to all!
>
>I made a simple script that scans sendmail log files, finds IP from which
>several spam messages were received, and blocks them in sendmail access file.
>
>The background is as follows: Once I found that our MX was nearly down.
>Running top exposed a lot of spamd instances, consuming almost all CPU time.
>Examining maillog showed that one of our subscribers sent about 4000
>messages within approximately 15 minutes, and all of them were spam. I manually
>banned that subscriber in /etc/mail/access and informed their personnel about
>a possible zombie infection.
>Now I have a script that runs from cron and instantly blocks hosts that have
>sent us more than some maximum number of spam messages within the last hour (or
>any duration of your choice).
>
>The script is available from http://sa-russian.narod.ru/block_spammers.bash
>
>Understanding of some fundamentals of BASH scripting is expected. The only
>MTA supported is sendmail. Look at the comments inside the script to tailor
>it to your installation.
>
>Best regards,
>Alan M. Makoev
You just reinvented the wheel.
http://www.spamshield.org/
Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
fbures@chem.toronto.edu
http://www.chem.utoronto.ca
PGP public key: http://pgp.mit.edu:11371/pks/lookup?op=index&search=Frank+Bures