http://www.blogt.nl/images/juli2003/raareffect.jpg
… but it’s not.
Many thanks to those who emailed me about spamslam. The script has been slightly updated and slightly improved.
It’s a little tidier and should work well for almost all versions of perl on almost all versions of Linux.
This is not a cron job script: it runs continuously. Take a look at the basic program flow. All it does is tail the maillog and count the instances of 554 messages per client address.
You’ll also notice some commented-out IPTABLES lines in there… these are the beginnings of a basic teergrubing effort. I haven’t been able to get it to work yet, so if you are an IPTABLES wiz, let me know how to get it working!
I’m still looking for someone to help with expiring the entries… any takers?
#!/usr/bin/perl -w
use strict;
use File::Tail;
use POSIX qw(strftime);

my $IPTABLES = '/sbin/iptables';
die "ERROR: Can't find $IPTABLES\n" unless (-f $IPTABLES);

# how many times the spam host can try before they are blocked
my $thresh = 2;
# check the maillog every x seconds
my $interval = 5;
# record lockouts
my $logfile = '/tmp/spamslam.txt';

# set a few default locations for the mail log
my @default_maillog = qw(
    /var/log/maillog
    /var/log/mail
);

# find the first existing mail log...
my $maillog = '';
logloop:
foreach my $tmplog (@default_maillog) {
    if (-f $tmplog) {
        $maillog = $tmplog;
        last logloop;
    }
}
# ... or audibly die.
die "ERROR: Can't find maillog in " . join(', ', @default_maillog) . "\n"
    unless ($maillog);

# Tail from the mail log
my $file = File::Tail->new(
    name        => $maillog,
    maxinterval => $interval,
);

my $line;
my @slamlist = ();
while (defined($line = $file->read)) {
    # only count 554 rejections that carry a client IP address
    next unless $line =~ m/554 Service unavailable/o
             && $line =~ m/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/o;
    my $ip = $1;
    push @slamlist, $ip;

    # find multiple denials for the same address (exact comparison, so that
    # 10.0.0.1 does not also pick up the hits for 10.0.0.10)...
    my $attempts = grep { $_ eq $ip } @slamlist;
    print "$ip: $attempts\n";
    next unless $attempts >= $thresh;

    # ... and lock them out with iptables
    # iptables -I INPUT inserts the rules at the top of the INPUT ruleset
    system("$IPTABLES -I INPUT -p TCP --dport 25 -s $ip -j DROP");
    # system("$IPTABLES -I OUTPUT -d $ip -p ICMP -j DROP");
    # system("$IPTABLES -I INPUT -s $ip -p TCP --dport 25 -j ACCEPT");
    # system("$IPTABLES -I OUTPUT -d $ip -p TCP --syn ! --sport 25 -j REJECT");
    my $now = strftime("%Y-%m-%d %H:%M:%S", localtime(time));
    print "$now - $ip firewalled.\n";
    my $ok = open(OUTPUT, ">> $logfile");
    if ($ok) {
        print OUTPUT "$now - $ip firewalled.\n";
        close OUTPUT;
    } else {
        print "WARNING: Can't write to $logfile - $!";
    }
    # forget the host now that it has been blocked
    @slamlist = grep { $_ ne $ip } @slamlist;
}
exit(0);

__END__

# Add pod here

=pod

=head1 NAME

spammer_iplockout.pl - Adjust firewall to lock out persistent spammers

=head1 SYNOPSIS

spammer_iplockout.pl

=head1 VERSION

$Revision: 1.0 $

=head1 DESCRIPTION

Monitor /var/log/maillog for persistent 554 errors and feed results to
iptables to firewall out persistent offenders.

=head1 USAGE

Usage: spammer_iplockout.pl

=head1 DEPENDENCIES

File::Tail

=head1 BUGS

None known.

=head1 TO DO

Fix bugs

=head1 AUTHOR

Jason Jordan

=head1 SEE ALSO

perl(1).

=cut
Once again, you may stead.
Trish is hanging out to start investing and renovating. We’ve got quite a bit of equity stored up in our home, so the cash flow from the job should mean we can rapidly expand our portfolio.
I’ve also resolved to start going back to the gym and once again improve my diet. I reckon I’ve put about 4kgs back on by letting my diet slip back into those old bad habits of refined flour and sugar.
GotMyVote.com is now up to 350 votes. It was featured in some local Community papers as well as The West this weekend. I’ve also been approached to do a radio interview about it on Wednesday.
And finally, not that I’m a Big Brother Fan, but GO DAN! From what I’ve seen he’s a very talented young man who should go far.
Spammers really annoy me.
It’s become a bit of a hobby for me. I recently installed amavisd-new which has been quite excellent. My major concern is that spammers are still connecting to my mail server and wasting my resources – even if they do get rejected or bounced.
Even worse – they’re ignoring the 5xx rejection messages generated by Postfix and its RBL list. I’ve had spammers over the last few weeks connecting once a minute even though they receive a permanent error!
So, I put my Hat of Thought on and came up with a better solution.
Why not monitor the Linux maillog for the “554 Service Unavailable” messages and firewall hosts that keep on trying?
I’m not much of a coder, but I’ve hacked together a little perl script that does just that. What I’d REALLY like now, is for someone with more coding capability than me to polish it up a bit, maybe remove the system call, add a logging mechanism and make the entries such that they expire after a definable period.
Please let me know if you use the script as I’d love to talk to other spam warriors.
#!/usr/bin/perl
use strict;
use warnings;
use File::Tail;

my $thresh   = 2;                   # how many times the spam host can try before they are blocked
my $interval = 1;                   # check the maillog every x seconds
my $logfile  = "/tmp/spamslam.txt"; # record lockouts here

my $file = File::Tail->new( name => '/var/log/maillog', maxinterval => $interval );
my @slamlist;
while ( defined( my $line = $file->read ) ) {
    # only count 554 rejections that carry a client IP address
    next unless $line =~ m/554 Service unavailable/
             && $line =~ m/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/;
    my $ip = $1;
    push @slamlist, $ip;
    # count how often this exact address has been refused so far
    my $attempts = grep { $_ eq $ip } @slamlist;
    print "$ip: $attempts\n";
    if ( $attempts == $thresh ) {
        # iptables -I INPUT inserts the rules at the top of the INPUT ruleset
        system("/sbin/iptables -I INPUT -s $ip -j DROP");
        my ($sec, $min, $hour, $mday, $mon, $year) = localtime(time);
        my $now = sprintf "%4d-%02d-%02d %02d:%02d:%02d", $year+1900, $mon+1, $mday, $hour, $min, $sec;
        print "$now - $ip firewalled.\n";
        open OUTPUT, ">> $logfile" or die "Unable to open $logfile: $!\n";
        print OUTPUT "$now - $ip firewalled.\n";
        close OUTPUT;
        # forget the host now that it has been blocked
        @slamlist = grep { $_ ne $ip } @slamlist;
    }
}
Good Luck!
Download file
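Both spamslam posts above describe the same detection logic: count "554 Service unavailable" rejections per client address in the maillog and firewall the host once a threshold is reached. The original post also asks for entries that expire after a definable period and for the system call to go. The following is an added example, not the blog's script, written in Python rather than Perl so it can run and be checked stand-alone. It keeps a sliding window of rejections per address, blocks on the threshold, ages blocks out after a TTL, compares addresses exactly (so 192.0.2.10 and 192.0.2.100 are never confused), and returns the iptables commands as strings instead of executing them. The log lines are constructed, and the LINE_RE pattern is an assumption about Postfix's "reject: RCPT from host[ip]: 554 Service unavailable" line shape.

```python
"""Threshold blocking of repeat 554 offenders, with expiring entries.

Added example modelled on the spamslam idea; not the blog's own script.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Postfix smtpd lines, not captured traffic. 192.0.2.10 is refused
# twice a minute apart; 192.0.2.100 is refused twice but 38 minutes apart; the
# "connect from" line carries an IP but no 554 and must be ignored.
SAMPLE_LOG = """\
Jul 12 10:00:01 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using sbl-xbl.spamhaus.org; from=<a@example.net> to=<me@example.org> proto=ESMTP helo=<x>
Jul 12 10:00:30 mail postfix/smtpd[1234]: connect from mx.example.com[198.51.100.7]
Jul 12 10:01:02 mail postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using sbl-xbl.spamhaus.org; from=<b@example.net> to=<me@example.org> proto=ESMTP helo=<x>
Jul 12 10:02:00 mail postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[192.0.2.100]: 554 Service unavailable; Client host [192.0.2.100] blocked using sbl-xbl.spamhaus.org; from=<c@example.net> to=<me@example.org> proto=ESMTP helo=<y>
Jul 12 10:40:00 mail postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[192.0.2.100]: 554 Service unavailable; Client host [192.0.2.100] blocked using sbl-xbl.spamhaus.org; from=<d@example.net> to=<me@example.org> proto=ESMTP helo=<y>
"""

# Assumed line shape: syslog timestamp (no year), then "from host[ip]" and the
# 554 text. Requiring the bracketed IP means no rule is ever built from junk.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r".*?\bfrom \S*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r".*?\b554 Service unavailable"
)


class SpamSlam:
    """Counts 554 rejections per client IP and decides when to block and unblock.

    Commands are returned as strings rather than executed, so the decision
    logic can be tested without touching a firewall."""

    def __init__(self, thresh=2, window=timedelta(minutes=10),
                 block_ttl=timedelta(hours=1), year=2003, iptables="/sbin/iptables"):
        self.thresh = thresh        # rejections within `window` before blocking
        self.window = window        # how long one rejection counts against a host
        self.block_ttl = block_ttl  # how long a block stays in place
        self.year = year            # syslog lines carry no year
        self.iptables = iptables
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent 554s
        self.blocked = {}                   # ip -> time the block expires

    def _rule(self, action, ip):
        # Same rule shape as the script: inbound SMTP from the host is dropped.
        return f"{self.iptables} {action} INPUT -p tcp --dport 25 -s {ip} -j DROP"

    def feed(self, line):
        """Process one maillog line; return the iptables commands it triggers."""
        m = LINE_RE.search(line)
        if not m:
            return []
        now = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        cmds = self.expire(now)
        if ip in self.blocked:          # already firewalled, nothing more to do
            return cmds
        hits = self.attempts[ip]
        hits.append(now)
        while hits and now - hits[0] > self.window:  # drop rejections outside the window
            hits.popleft()
        if len(hits) >= self.thresh:
            self.blocked[ip] = now + self.block_ttl
            del self.attempts[ip]
            cmds.append(self._rule("-I", ip))
        return cmds

    def expire(self, now):
        """Return -D commands for blocks whose TTL has passed, and forget them."""
        cmds = []
        for ip, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                cmds.append(self._rule("-D", ip))
        return cmds


def run(log_text, **kw):
    """Feed every line of a log; return the tracker and the commands in order."""
    slam = SpamSlam(**kw)
    cmds = []
    for line in log_text.splitlines():
        cmds.extend(slam.feed(line))
    return slam, cmds


def demo():
    """Run the constructed log, then age blocks out an hour and a few minutes later."""
    slam, blocks = run(SAMPLE_LOG)
    unblocks = slam.expire(datetime(2003, 7, 12, 11, 5))
    pending = {ip: len(hits) for ip, hits in slam.attempts.items()}
    return blocks, unblocks, sorted(slam.blocked), pending


if __name__ == "__main__":
    blocks, unblocks, _, _ = demo()
    print("\n".join(blocks + unblocks))
```

Only 192.0.2.10 is blocked: its two rejections fall inside the ten-minute window, while 192.0.2.100's two rejections are 38 minutes apart, so the first has aged out by the time the second arrives. In a long-running deployment `expire()` would also be called from a timer, since here it only runs when a new rejection line arrives, and the returned command strings would be passed to subprocess as an argument list rather than through a shell.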
I’ve got my own private war going on with spammers.
I use Postfix on Linux with multiple Realtime Black Lists (RBLs) to reject spammers as soon as they connect. That way they use minimal system resources and I don’t have to have their rubbish getting onto my system.
Six months ago, some spam started slipping through.
I implemented TMDA (Tagged Mail Delivery Agent). It’s a great system but can cause pain to all email senders, not just spammers. It works by challenging first-time email senders to my system. Once they respond correctly, they get whitelisted and don’t ever see a challenge again.
Of course this means spam can make it on to my mailhost and I still have to filter it.
That’s the same issue I have with Spamassassin. I installed it about 3 months ago and it identifies spam very, very well. But the spam still makes it onto my system.
I wanted a way to reject it BEFORE it makes it onto my box. Just like the RBLs do.
Yesterday I found it!
Amavisd-new integrates nicely with most MTAs. The Postfix install was extremely simple. It passes inbound emails off to Spamassassin and F-Prot (anti-virus) and has the ability to reject before accepting if the email is identified as spam or a virus.
I think it’s fantastic. In the last 24 hours, only one spam made it through – and that was completely in Spanish.
For a free product that can be installed on a Pentium 133 PC with 64 MB of RAM, we’re talking about something that provides a service of inestimable value for pennies.
Ah Perl… is there anything it can’t do?
