Hi,

Use Postfix? Use spamd? Have a small mail log? Ever wonder which hosts are sending the most spam into your system? Wonder no longer - spamsources.sh is here to answer all your questions about who is spamming you. Maybe.
http://www.cynistar.net/~apthorpe/code/sa-contrib/spamsources.sh

This 'simple' shell script makes four passes through your mail log:

- gathering the PID of every spamd process that identified a message as spam
- finding the message-id of each identified spam
- finding the Postfix ID from each message-id
- finding the connecting host and IP address for each Postfix ID

then sorts the list of hosts and arranges them in order of spamminess.

Sample output:

    273 shared-austin.bos.hosting.com[64.55.166.99]
     32 lists.sourceforge.net[66.35.250.206]
      9 daedalus.apache.org[208.185.179.12]
      6 cherry.ease.lsoft.com[209.119.0.109]
      5 sloth.good-day.net[220.218.54.194]
      3 lina.cynistar.net[66.143.181.11]
      3 dsl.80.119.networkiowa.com[209.234.80.119]
      2 xuxa.iecc.com[208.31.42.42]
      1 rrcs-central-24-92-133-152.biz.rr.com[24.92.133.152]
      1 pop1-357.catv.wtnet.de[213.209.65.102]
      1 pc-200-74-21-128.pvaldivia2.pc.metropolis-inter.com[200.74.21.128]
      1 mta08bw.bigpond.com[144.135.24.137]
      1 mta07bw.bigpond.com[144.135.24.134]
      1 maiden.genestate.com[212.21.116.19]
      1 gnu-designs.com[65.172.152.98]
      1 fl-atlnfl-u3-c4b-228.atlsfl.adelphia.net[67.22.99.228]
      1 dyn-81-167-219-125.ppp.tiscali.fr[81.167.219.125]
      1 bellevue.puremagic.com[209.189.198.108]
      1 adsl-dc-20d8b.adsl.wanadoo.nl[81.70.43.139]
      1 adsl-69-104-60-150.dsl.pltn13.pacbell.net[69.104.60.150]
      1 D40A2138.rev.stofanet.dk[212.10.33.56]
      1 73.254.39-62.rev.gaoland.net[62.39.254.73]

(note: there are FPs in here[1])

Consider this to be proof-of-concept code. It's specific to Postfix but can be easily modified to work with other MTAs. It makes four passes through the log file; this could be reduced by writing it in perl, naively storing all the message-ids and MTA IDs and stitching them all together at the end. This eats more memory both by using perl and by naive parsing but avoids race conditions if the logs rotate while the script is running.
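As an added example (not Bob's spamsources.sh and not code from this post), here are the four passes above written in plain sh over a constructed log. The spamd "identified spam" / "result: ... mid=<...>" lines and the Postfix cleanup "message-id=" and smtpd "client=" lines are assumed line shapes approximating syslog output of the time, and every host, IP and message-id in the sample log is made up.

```shell
#!/bin/sh
# Added example (not Bob's spamsources.sh): the four passes from the post,
# run over a constructed log. The spamd and Postfix line shapes are an
# assumption approximating syslog output of that era; adjust to your log.

spamsources() {
    log="$1"
    # Pass 1: PIDs of spamd children that flagged a message as spam.
    # (Caveat: PIDs get reused, so a busy spamd can pull in a ham mid too.)
    sed -n 's/.*spamd\[\([0-9]*\)\]: identified spam .*/\1/p' "$log" | sort -u |
    while read -r pid; do
        # Pass 2: message-id from that child's "result:" line (mid=<...>).
        sed -n "s/.*spamd\[$pid\]: result: .*mid=<\([^>]*\)>.*/\1/p" "$log"
    done | sort -u |
    while read -r mid; do
        # Pass 3: Postfix queue ID that cleanup logged for this message-id.
        sed -n "s/.*postfix\/cleanup\[[0-9]*\]: \([A-F0-9]*\): message-id=<$mid>.*/\1/p" "$log"
    done | sort -u |
    while read -r qid; do
        # Pass 4: connecting host[IP] that smtpd recorded for that queue ID.
        sed -n "s/.*postfix\/smtpd\[[0-9]*\]: $qid: client=\(.*\)/\1/p" "$log"
    done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed log: two spams from one dynamic host, one from another, one ham.
LOG="${TMPDIR:-/tmp}/spamsources-demo.$$"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Feb  1 10:00:01 mx postfix/smtpd[2001]: A1B2C3: client=dyn-1-2-3-4.example.net[192.0.2.4]
Feb  1 10:00:01 mx postfix/cleanup[2002]: A1B2C3: message-id=<aaa@spam.example>
Feb  1 10:00:02 mx spamd[1001]: identified spam (12.3/5.0) for bob:1000 in 1.2 seconds, 2100 bytes.
Feb  1 10:00:02 mx spamd[1001]: result: Y 12 - RULE_A,RULE_B scantime=1.2,size=2100,mid=<aaa@spam.example>,autolearn=no
Feb  1 10:05:00 mx postfix/smtpd[2001]: D4E5F6: client=dyn-1-2-3-4.example.net[192.0.2.4]
Feb  1 10:05:00 mx postfix/cleanup[2002]: D4E5F6: message-id=<bbb@spam.example>
Feb  1 10:05:01 mx spamd[1002]: identified spam (9.1/5.0) for bob:1000 in 0.9 seconds, 1500 bytes.
Feb  1 10:05:01 mx spamd[1002]: result: Y 9 - RULE_A scantime=0.9,size=1500,mid=<bbb@spam.example>,autolearn=no
Feb  1 10:06:00 mx postfix/smtpd[2001]: 0A1B2C: client=lists.example.org[198.51.100.7]
Feb  1 10:06:00 mx postfix/cleanup[2002]: 0A1B2C: message-id=<ccc@ham.example>
Feb  1 10:06:01 mx spamd[1003]: clean message (1.0/5.0) for bob:1000 in 0.8 seconds, 900 bytes.
Feb  1 10:06:01 mx spamd[1003]: result: . 1 - RULE_C scantime=0.8,size=900,mid=<ccc@ham.example>,autolearn=no
Feb  1 10:07:00 mx postfix/smtpd[2001]: 7F8E9D: client=mailer.example.com[203.0.113.9]
Feb  1 10:07:00 mx postfix/cleanup[2002]: 7F8E9D: message-id=<ddd@spam.example>
Feb  1 10:07:01 mx spamd[1004]: identified spam (7.5/5.0) for bob:1000 in 1.0 seconds, 1800 bytes.
Feb  1 10:07:01 mx spamd[1004]: result: Y 7 - RULE_B scantime=1.0,size=1800,mid=<ddd@spam.example>,autolearn=no
EOF

spamsources "$LOG"
```

The ham message (mid ccc@ham.example) never reaches pass 2, so lists.example.org does not appear in the output; only the two spamming clients are counted.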
A more robust variant could conceivably watch for spam/ham ratios, watch for anomalies (sudden statistically-significant increases in spam/ham ratios), and temporarily add firewall blocks or MTA rules (like dynamically updating an MTA access.db).

Have fun!

-- Bob

[1] shared-austin.bos.hosting.com[64.55.166.99] forwards most of the mail directed to my ancient soon-to-be-retired address <[EMAIL PROTECTED]>; lina.cynistar.net is my backup MX; good-day.net runs the Sylpheed list; lsoft.com hosts SPAM-L; iecc.com hosts the spamtools list; puremagic.com hosts the greylisting list; gnu-designs.com hosts the Jpilot lists and loses DNS periodically. Aside from Apache and Sourceforge, the rest is mostly consumer dialup and broadband space, hence my irritating rants about ISPs needing to redirect their dynamic customers' outbound port 25 traffic to internal servers by default. This doesn't show the number of connections blocked for having no/broken rDNS or broken HELO, or being listed on xbl.spamhaus.org, sbl.spamhaus.org, dnsbl.njabl.org, dnsbl.sorbs.net, rhsbl.sorbs.net, opm.blitzed.org, relays.ordb.org, bogusmx.rfc-ignorant.org, or list.dsbl.org. The biggest source of crap entering (or trying to enter) my mail system is dynamically-allocated consumer space. YMMV but I doubt it.

_______________________________________________
Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk