This may or may not be of use to people. I don't have access to the RBLs due to firewall configuration. The firewall doesn't give any lookups in the received line, so I have to extract the IPs and then count them up. This script will spit out a set of rules for the "largest" offenders. Some notes:
1. Change PATTERN to match your mailer's Received line. Also change the first awk print line which produces the spamassassin regex.
2. Change SPAMDIR to the location of your spam folders (or rewrite to find the separate files if they are not in the same directory).
3. Change OUTPUT to a temporary location for your etc/mail/spamassassin files.
4. Always run spamassassin --lint to test!
5. Change the ipnum[net] > 40 line to your liking. This line tells the script to only generate rules for /16 nets that generate more than 40 spams. Also change the scores to your liking. I rate each a 3.0 due to a lot of potential false-positives, but you may like a higher or lower score.
6. You can rerun this script over time; it will keep appending to TMPFILE. If you want to start from scratch, delete TMPFILE and run this script with "build" as the only option.
7. I am not liable for any bugs or shortcomings.
8. You could alter this code to check for /8 or even /0 (host) entries. It's easy with only a few minor changes.

#!/bin/sh
#
# Takes input of IPs; counts /16 network counts and generates spamassassin
# rules for the highest offenders.
#
SPAMDIR=/var/mail/spamdump.dir
PATTERN='^Received.*by.myfirewall.example.com;'
TMPFILE=/var/tmp/badhosts.txt
OUTPUT=/etc/mail/spamassassin/temp-badhosts.cf

if [ "$1" = "build" ] ; then
    echo "Appending to $TMPFILE"
    cd "$SPAMDIR" || exit 1
    # Pull the bracketed IP out of each matching Received line and
    # split it into space-separated octets.
    /usr/bin/egrep "$PATTERN" * | /usr/bin/cut -f2 -d\[ | cut -f1 -d\] | \
        /usr/bin/tr "." " " >> "$TMPFILE"
else
    echo "No build option, will use existing $TMPFILE"
fi

echo "Writing to $OUTPUT"
# Backslashes are doubled inside the awk strings so that every awk prints
# a single literal backslash into the generated regex.
cat "$TMPFILE" | /usr/bin/awk '
{ net = $1 "_" $2; ipnum[net]++ }    # count hits per /16 (first two octets)
END {
    for (net in ipnum)
        if (ipnum[net] > 40) {
            split(net, a, "_")
            print "header SUSP_IP_RBL_" net " Received =~ /from..\\(\\[" a[1] "\\." a[2] "\\.\\d{1,3}\\.\\d{1,3}\\]\\).by.myfirewall.example.com;/"
            print "describe SUSP_IP_RBL_" net " IP address is from spamful network"
            print "score SUSP_IP_RBL_" net " 3.0"
        }
}
' > "$OUTPUT"
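
An added example, not part of the original post: one way to carry out the change mentioned in note 8, grouping on one to four leading octets, and skipping malformed lines so they never become rules. The function names gen_rules and sample_octets, the argument order and the sample addresses are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not the poster's script. gen_rules reads "a b c d" octet
# lines (the TMPFILE format) on stdin.
#   $1 = leading octets to group on: 1 (/8), 2 (/16), 3 (/24), 4 (host)
#   $2 = emit a rule only when a group has MORE than this many hits
#   $3 = regex fragment that follows the bracketed IP in your Received line
gen_rules() {
    TAIL="$3" awk -v n="$1" -v min="$2" '
    # Accept only lines made of exactly four octets in the range 0..255.
    function valid(   i) {
        if (NF != 4) return 0
        for (i = 1; i <= 4; i++)
            if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) return 0
        return 1
    }
    valid() {
        key = $1
        for (i = 2; i <= n; i++) key = key "_" $i
        count[key]++
    }
    END {
        for (key in count) if (count[key] > min) {
            m = split(key, a, "_")
            re = a[1]
            # Fixed octets are literal; the rest match any 1-3 digit octet.
            for (i = 2; i <= 4; i++)
                re = re "\\." (i <= m ? a[i] : "\\d{1,3}")
            name = "SUSP_IP_RBL_" key
            print "header " name " Received =~ /from..\\(\\[" re "\\]\\)." ENVIRON["TAIL"] "/"
            print "describe " name " IP address is from spamful network"
            print "score " name " 3.0"
        }
    }'
}

# Constructed sample data (documentation address ranges), plus two bad lines.
sample_octets() {
    printf '%s\n' '192 0 2 10' '192 0 2 11' '192 0 2 12' \
        '198 51 100 7' '198 51 100 8' '203 0 113 5' \
        '999 1 1 1' '192 0 2'
}

# /16 grouping, more than 2 hits: only 192.0.x.x qualifies.
sample_octets | gen_rules 2 2 'by.myfirewall.example.com;'
```

The narrower the grouping, the fewer unrelated senders each rule catches, at the cost of more rules; run spamassassin --lint on the result as in note 4.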