Well, it's good in some cases. I have my script for ipfw, offend back the attackers, but sometimes it is an understanding...so, make your script better to choose who is really bad. Should be better.
----
Banyan He
Mail&Web Security
Mobile: +86 13641777622
MSN: [EMAIL PROTECTED]
Skype: banyan.he
Email: [EMAIL PROTECTED]
AntiSpam Test: [EMAIL PROTECTED]
AntiVirus Test: [EMAIL PROTECTED]
Webmaster Mail: [EMAIL PROTECTED]
Website: http://www.rootong.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DJ Lucas
Sent: Sunday, August 10, 2008 12:02 PM
To: Postfix Users
Subject: Auto blacklist for repeat offenders

Hello all. I was wondering if an auto-blacklist, generated weekly, based on SA's result, and taken directly from the mail log, is a good idea or not. This is basically to catch the repeat offenders..ones who manage to get in the front door, but still get nailed by SA 15 or so times in a given week (10 due to lazy coding below). I mean, SA is still catching them, but IMO it shouldn't even have to deal with them if I can avoid it. ISTM that postfix checking a hash file at the door is far more efficient than SA being called a hundred times a week or so to score 20 points or better.

KIM, this is a small home server with 8 users...I'm barely taking on 20,000 connections per month so it's not really a big issue, just me toying. If it proves useful, then it _could_ move further along.

Here is a very rough (and VERY UNTESTED..basic logic is tested...some) example:

=======================================
#!/bin/bash
# Begin /etc/fcron.weekly/14-auto-blacklist
# Simple script to add repeat offenders to the auto blacklist

tempfile=`mktemp`
tempfile2=`mktemp`
tempfile3=`mktemp`

# Get a list of senders that have been denied by SA
grep "is spam" /var/log/mail.log | \
    egrep -o "[^\"()[EMAIL PROTECTED]"()?*]*" > \
    "${tempfile}"

# Get a count of each recipient
for sender in `cat "${tempfile}"`
do
    echo -n "${sender} " >> "${tempfile2}" &&
    grep -c "${sender}" "${tempfile}" >> "${tempfile2}" &&
    sed -i "s/$sender//g" "${tempfile}"
done

# sed out any who have less than 10 offenses for the month
# and duplicates who have 0 offenses because of sloppy logic above
sed -i "/ [0-9]$/d" "${tempfile2}"

# create a file to cat to the existing list
egrep -o "[^\"()[EMAIL PROTECTED]"()?*]*" "${tempfile2}" > "${tempfile3}"

# apply the changes to the map
for sender in `cat "${tempfile3}"`
do
    echo -e "${sender}\tREJECT" >> /etc/postfix/blacklist
done

#### TODO: insert some cleanup of the current list here too...

postmap /etc/postfix/blacklist
/usr/sbin/postfix reload

# End /etc/fcron.weekly/14-auto-blacklist
========================================

Good idea or bad? Thanks.

-- DJ Lucas
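
The counting step discussed in this thread, done in a single awk pass, as an added example that is not part of either message and not DJ Lucas's script. It assumes log lines of the constructed form `... from IP (sender@domain) to domain is spam, ...`; the function names `repeat_offenders` and `demo` and all sample addresses are hypothetical.

```shell
#!/bin/bash
# Added example (not the poster's script). Assumed log line shape, constructed:
#   "... from 192.0.2.10 (sender@domain) to example.org is spam, ..."

# repeat_offenders LOG THRESHOLD [EXISTING_MAP]
# Prints "sender<TAB>REJECT" for every sender flagged at least THRESHOLD
# times that is not already a key in EXISTING_MAP. One pass, no temp files.
repeat_offenders() {
    local log=$1 threshold=$2 existing=${3:-/dev/null}
    awk -v min="$threshold" '
        # First operand: keys already present in the access map.
        FILENAME == ARGV[1] { if ($1 != "" && $1 !~ /^#/) listed[tolower($1)] = 1; next }
        # Second operand: count the parenthesised sender on "is spam" lines.
        / is spam/ && match($0, /\([^()"<> ]+@[^()"<> ]+\)/) {
            count[tolower(substr($0, RSTART + 1, RLENGTH - 2))]++
        }
        END {
            for (s in count)
                if (count[s] >= min && !(s in listed))
                    printf "%s\tREJECT\n", s
        }
    ' "$existing" "$log" | sort
}

# demo: run the function over constructed sample data with a threshold of 3.
demo() {
    local dir; dir=$(mktemp -d) || return 1
    {
        for i in 1 2 3 4; do
            echo "Aug 10 03:1$i:00 mail scanner[100]: Message A$i from 192.0.2.10 (Bulk@spam.example) to example.org is spam, SpamAssassin (score=22.1)"
        done
        for i in 1 2 3; do
            echo "Aug 10 04:1$i:00 mail scanner[100]: Message B$i from 192.0.2.20 (old@listed.example) to example.org is spam, SpamAssassin (score=25.0)"
        done
        echo "Aug 10 05:00:00 mail scanner[100]: Message C1 from 198.51.100.5 (once@rare.example) to example.org is spam, SpamAssassin (score=15.3)"
        echo "Aug 10 05:01:00 mail scanner[100]: Message C2 from 198.51.100.7 (friend@ok.example) to example.org is not spam, SpamAssassin (score=0.1)"
    } > "$dir/mail.log"
    printf 'old@listed.example\tREJECT\n' > "$dir/blacklist"
    repeat_offenders "$dir/mail.log" 3 "$dir/blacklist"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Passing the current /etc/postfix/blacklist as the third argument keeps senders that are already listed from being added again on later weekly runs.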