Just a thought -- it might be easier to automatically expire the entries if you created one entry per IP using spamdyke's configuration directory feature. Then you could use the timestamps on the files to measure their age and automatically delete them when they get too old. The hardest part of the whole process is parsing the maildir to get the IP addresses and it sounds like you've already got that figured out. :)
-- Sam Clippinger

On Mar 26, 2013, at 11:20 AM, Gary Gendel wrote:

> Denny,
>
> Sure, but I'll probably embarrass myself. I wrote it a long time ago,
> pre-spamdyke, when I had a homebrew spam solution. It consists of a few
> small programs written in C and some scripts. From what I remember...
>
> A cron job runs a script called blacklist.csh that calls a program called
> extractSpam for each new mail from the honeypot's inbox. The script expects
> maildir format, but it can take an mbox file instead. It then calls a
> program called mergeSpam to merge this info into the blacklist file as well
> as expire any old records. This is the blacklist file that spamdyke uses.
>
> extractSpam takes -x options to specify special ip addresses you want it to
> ignore such as your own address in the event of a bounced email to the
> honeypot. See blacklist.csh for examples. The only argument is the file you
> want to append the ip addresses to. Note that mergeSpam has this file
> hard-coded in so it better match that. I used this feature to test the
> program on various emails without disturbing the production setup.
>
> mergeSpam takes two arguments, the first is the expiration time and the
> second is a comment to put at the head of the file.
>
> I use jam instead of make but it should be easy to figure out what needs to
> be done from the included Jamfile.
>
> Feel free to use it, modify it, or throw it away as needed. :)
>
> Gary
>
> On 03/26/2013 11:05 AM, Denny Jones wrote:
>> Interesting concept. Care to share your script?
>>
>> -----Original Message-----
>> From: Gary Gendel <[email protected]>
>> To: spamdyke users <[email protected]>
>> Sent: Tue, Mar 26, 2013 9:41 am
>> Subject: Re: [spamdyke-users] Timer for objects in blacklist
>>
>> I do something similar for my ip blacklist. I have a honeypot that, if it
>> receives email, it adds the sender's ip to the blacklist with a timestamp in
>> a preceding comment. If I get another email from that server, it just
>> updates the comment so the expiration gets extended. I run a nightly cron
>> job to clear away ip addresses that have been inactive for >= 30 days. So
>> the entries in the file look like this:
>>
>> # 2013-03-18
>> 72.30.239.144
>>
>> Gary
>>
>> On 03/26/2013 10:28 AM, David wrote:
>>> Is there a way we could get a configuration for a timer to be set on
>>> blacklist items in any blacklist?
>>> For instance when I configure firewall rules and use address lists I always
>>> use a timer on these lists
>>> to be removed from the list after a certain amount of time but the rule is
>>> always there so if the address
>>> gets caught by the rule it gets re-added to the list again.
>>>
>>> I was thinking if there was an easier way to manage these lists better and
>>> the timer came up.
>>>
>>> If I was able to place a timer on the items in the list say for 30 days or
>>> less to be emptied out would be great.
>>> Something else to consider is dumping them into another list to be watched
>>> and if they show up again then re-add
>>> them back to the current list and drop the others in the old list after a
>>> few days.
>>>
>>> This may help with my pain of these lists growing out of control.
>>>
>>> Thanks
>>> Dave
>
> <blacklist.tar.gz>
_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
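
A sketch of the merge-and-expire step for the blacklist file format quoted in the thread (a `# YYYY-MM-DD` comment directly above each address, entries dropped once inactive for >= 30 days). This is an added example, not Gary's mergeSpam or extractSpam and not part of spamdyke; the function names, the header text and every address other than the one quoted above are constructed for illustration.

```python
import ipaddress
from datetime import date

def parse_blacklist(text, default):
    """Map each entry to its last-seen date, read from the '# YYYY-MM-DD' line above it."""
    entries, stamp = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            try:
                stamp = date.fromisoformat(line[1:].strip())
            except ValueError:
                stamp = None  # file header or free-form comment, not a timestamp
            continue
        seen = stamp or default  # undated entries start aging from 'default'
        entries[line] = max(seen, entries.get(line, seen))
        stamp = None  # a date applies only to the entry directly below it
    return entries

def merge_blacklist(text, sightings, today, max_age_days=30, ignore=(),
                    header="honeypot blacklist"):
    """Refresh entries seen again, add new ones, drop entries inactive >= max_age_days."""
    entries = parse_blacklist(text, default=today)
    for candidate in sightings:
        try:
            ip = str(ipaddress.ip_address(candidate.strip()))
        except ValueError:
            continue  # never write unvalidated header text into the blacklist
        if ip not in ignore:  # e.g. your own server, for bounces to the honeypot
            entries[ip] = today  # new or repeat sender: restart the clock
    kept = {ip: seen for ip, seen in entries.items()
            if (today - seen).days < max_age_days}
    lines = [f"# {header}"]
    for ip, seen in sorted(kept.items(), key=lambda kv: (kv[1], kv[0])):
        lines += [f"# {seen.isoformat()}", ip]
    return "\n".join(lines) + "\n"

# Constructed sample file: the first entry is the one quoted in the thread,
# the second is a made-up entry old enough to expire.
SAMPLE = "# honeypot blacklist\n# 2013-03-18\n72.30.239.144\n# 2013-02-01\n192.0.2.10\n"

if __name__ == "__main__":
    print(merge_blacklist(SAMPLE, ["198.51.100.7", "72.30.239.144"],
                          date(2013, 3, 26), ignore={"203.0.113.1"}), end="")
```

In a cron job, write the result to a temporary file and rename it over the live blacklist so spamdyke never reads a half-written file.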
