Hello all.

I was wondering if an auto-blacklist, generated weekly, based on SA's result, and taken directly from the mail log, is a good idea or not. This is basically to catch the repeat offenders...ones who manage to get in the front door, but still get nailed by SA 15 or so times in a given week (10 due to lazy coding below). I mean, SA is still catching them, but IMO it shouldn't even have to deal with them if I can avoid it. ISTM that postfix checking a hash file at the door is far more efficient than SA being called a hundred times a week or so to score 20 points or better. KIM, this is a small home server with 8 users...I'm barely taking on 20,000 connections per month so it's not really a big issue, just me toying. If it proves useful, then it _could_ move further along.

Here is a very rough (and VERY UNTESTED...basic logic is tested...some) example:
=======================================
#!/bin/bash
# Begin /etc/fcron.weekly/14-auto-blacklist
# Simple script to add repeat offenders to the auto blacklist

tempfile=`mktemp`
tempfile2=`mktemp`
tempfile3=`mktemp`

# Get a list of senders that have been denied by SA
grep "is spam" /var/log/mail.log | \
   egrep -o "[^\"()[EMAIL PROTECTED]"()?*]*" > \
   "${tempfile}"

# Get a count of each sender
for sender in `cat "${tempfile}"`
do
   echo -n "${sender}          " >> "${tempfile2}" &&
   grep -c "${sender}" "${tempfile}" >> "${tempfile2}" &&
   sed -i "s/$sender//g" "${tempfile}"
done

# sed out any who have less than 10 offenses for the month
# and duplicates who have 0 offenses because of sloppy logic above
sed -i "/ [0-9]$/d" "${tempfile2}"

# create a file to cat to the existing list
egrep -o "[^\"()[EMAIL PROTECTED]"()?*]*" "${tempfile2}" > "${tempfile3}"

# apply the changes to the map
for sender in `cat "${tempfile3}"`
do
   echo -e "${sender}\tREJECT" >> /etc/postfix/blacklist
done
#### TODO: insert some cleanup of the current list here too...
postmap /etc/postfix/blacklist
/usr/sbin/postfix reload

# remove the temporary work files
rm -f "${tempfile}" "${tempfile2}" "${tempfile3}"

# End /etc/fcron.weekly/14-auto-blacklist
========================================

Good idea or bad?

Thanks.

-- DJ Lucas
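
An added example, not part of the original post: one way to do the counting step in a single pass, reading sender addresses that have already been extracted from the log (one per line) on stdin. The function names, the protected-domain argument and the sample addresses are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not the poster's script).
# Usage: build_blacklist THRESHOLD EXISTING_MAP [PROTECTED_DOMAIN...]
# stdin:  one sender address per line, already extracted from the mail log
# stdout: "address<TAB>REJECT" lines for new repeat offenders only
build_blacklist() {
    threshold=$1; existing=$2; shift 2
    protected=" $* "
    # Lower-case, then count every distinct address in one pass.
    tr 'A-Z' 'a-z' | sort | uniq -c |
    while read -r count addr; do
        [ "$count" -ge "$threshold" ] || continue
        # Envelope senders are chosen by the remote side: accept only a
        # conservative address shape so nothing odd reaches the map file.
        printf '%s\n' "$addr" |
            grep -Eq '^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$' || continue
        # Spam forged "from" a local domain must not lock out real users.
        case $protected in *" ${addr#*@} "*) continue ;; esac
        # Skip addresses that are already a key in the existing map.
        awk -v a="$addr" 'tolower($1) == a { found = 1 } END { exit !found }' \
            "$existing" 2>/dev/null && continue
        printf '%s\tREJECT\n' "$addr"
    done
}

# Constructed sample input: what a week of extracted senders might look like.
sample_senders() {
    for n in 1 2 3 4 5 6 7 8 9 10 11 12; do
        echo 'Bulk@Spam.Example.Net'          # 12 hits, mixed case
        if [ "$n" -le 10 ]; then
            echo 'user@example.org'           # forged local sender, 10 hits
            echo '<>'                         # null sender, not an address
        fi
        if [ "$n" -le 3 ]; then
            echo 'rare@spam.example.net'      # below the threshold
        fi
    done
}

# Threshold 10, empty existing map, example.org treated as a local domain.
sample_senders | build_blacklist 10 /dev/null example.org
```

The output lines can be appended to /etc/postfix/blacklist before running postmap, in place of the two loops in the script above.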



