Hello all, I have made a bash script for scanning outgoing mail from all the Squirrelmail users on my server using procmail. It is based upon a script I got from Andrzej Adam Filip from the spamassassin mailing list.
It is possible to modify it to take care of all mails sent by the sendmail binary, and some of you might know how to intercept messages sent from a mail client program as well. I am currently sending all the squirrelmail outgoing mails to a specially designed procmail filter, which will run a new script for actually sending the mail, or block the mail/punish the user who sent the spam. The filter is pointed to either by ./config/config.php (in the squirrelmail folder) or by /usr/sbin/sendmail, followed by my outgoing procmail filter, which works with spamassassin and YAVR from <http://agriroot.aua.gr/~nikant/nkvir/>. The block sender script is virtually identical to the acceptedmailtodeliver.sh script, except that it extracts the username and ip of the person who sent the mail, locks the user account with passwd -l $spammingaccount, and puts the ip in a quarantine file which will block the ip if a second spam is attempted within a *short* time from the same ip. The script must be viewed as a beta, and I would like some feedback from others who are interested in such a script, have improvements to the code, or know of better ways to accomplish what I am trying to do. My own longer term idea is to make it a more general filter for being able to automatically enforce outgoing mail policies.

Best regards,
Kenneth Andresen
#!/bin/sh
# /usr/local/bin/outgoingspamtester.sh
# use chown and chmod with --reference=/usr/sbin/sendmail
# Outgoing mailfilter by Kenneth Andresen
# Version 0.0.3 22-feb-2005
#
# Installed in place of sendmail. A message from SquirrelMail is stored under its
# Message-ID, and a copy with all recipients replaced by $TESTACCOUNT is handed to
# the real sendmail, so that the procmail filter of the test account decides what
# happens to the stored original. Everything else goes straight to the real
# sendmail. This relies on the caller passing -t (SquirrelMail does), so that the
# recipients of the test copy come from the rewritten header; a caller that names
# recipients on the command line would deliver the test copy to them as well.

TMPDIR=/var/spool/spamtestquarantine    # temporary directory - must be created, writable by the web server user
                                        # and by the test account, and the same as in acceptedmailtodeliver.sh
TMPFILE="spamtester.`/bin/date +%s`.$$" # temporary working file name - unix time and process ID
TMPPATH="$TMPDIR/$TMPFILE"              # temporary working file full path
SENDMAIL=/etc/alternatives/mta          # "true" sendmail path
TESTACCOUNT='[EMAIL PROTECTED]'         # create a valid recipient for the testing account
AGENT="User-Agent: SquirrelMail"        # the agent line in Squirrelmail
MESSAGEID="Message-ID"                  # other programs might write "Message-Id", so it is matched case-insensitively
TO_TAG="To:"
CC_TAG="Cc:"
BCC_TAG="Bcc:"
# the original sendmail arguments (normally "-i -t" from SquirrelMail)
MAILADDR="$@"

# remove temporary file in case of problems
trap "rm -f $TMPPATH" 0 1 2 3 15        # deletes tempfile if program is interrupted

# copy input to temporary file
cat - > "$TMPPATH"

SQUIRRELMAIL="`grep -m1 -h "^$AGENT" "$TMPPATH"`"
if [ -n "$SQUIRRELMAIL" ] ; then
    # the local part of the Message-ID names the stored files; everything that is not a plain
    # filename character is dropped so that a crafted Message-ID cannot point outside $TMPDIR
    FILE_ID="`grep -i -m1 -h "^$MESSAGEID:" "$TMPPATH" | cut -d '<' -f2 | cut -d '@' -f1 | tr -cd 'A-Za-z0-9._-'`"
    # the first empty line ends the header
    HEADERSTOPLINE="`grep -n -m1 -h '^$' "$TMPPATH" | cut -d: -f1`"
    if [ -n "$FILE_ID" ] && [ -n "$HEADERSTOPLINE" ] ; then
        cat "$TMPPATH" > "$TMPDIR/$FILE_ID"
        # the header file includes the empty line; the body starts on the line after it,
        # so HEADERSTOPLINE must not be incremented before the second sed
        sed -n "1,${HEADERSTOPLINE}p" "$TMPDIR/$FILE_ID" > "$TMPDIR/$FILE_ID.header"
        sed "1,${HEADERSTOPLINE}d" "$TMPDIR/$FILE_ID" > "$TMPDIR/$FILE_ID.content"
        TEMPFILESWRITTEN=1
        # This main part has declared the following variables:
        # $HEADERSTOPLINE <- set to the line number of the empty line that ends the header
        # $TEMPFILESWRITTEN <- set to 1 to continue execution with PHASE TWO
        # $TMPDIR/$FILE_ID.header <- file containing current header
        # $TMPDIR/$FILE_ID.content <- file containing current message body
    fi
fi

if [ -z "$TEMPFILESWRITTEN" ] ; then
    # everything else sent from the server (and a SquirrelMail message we could not split,
    # which must not be silently lost) goes un-filtered
    $SENDMAIL $MAILADDR < "$TMPPATH"
    exit $?
fi

# PHASE TWO - we now have the e-mail split into header and content parts, and will now remove
# all recipients from the header.
# The header has been separated into its own file to ensure fast processing even of 2MB mails.
HDR="$TMPDIR/$FILE_ID.header"
# Drop every To:, Cc: and Bcc: header (case-insensitively) together with its folded
# continuation lines (leading space or tab), wherever they appear in the header, and put a
# single "To: $TESTACCOUNT" in front of the empty line that ends the header.
awk -v to="$TO_TAG" -v cc="$CC_TAG" -v bcc="$BCC_TAG" -v acct="$TESTACCOUNT" '
    BEGIN { rcpt = "^(" tolower(to) "|" tolower(cc) "|" tolower(bcc) ")" }
    /^[ \t]/ { if (skip) next }            # continuation line of a dropped header
    { skip = 0 }
    tolower($0) ~ rcpt { skip = 1; next }  # a recipient header: drop it
    /^$/ { print to " " acct }             # end of header: add the test recipient
    { print }
' "$HDR" > "$HDR.2"
cat "$HDR.2" "$TMPDIR/$FILE_ID.content" > "$TMPDIR/$FILE_ID.spamtester"

# store the original sendmail arguments before the test copy is sent, so that
# acceptedmailtodeliver.sh finds them even if the test copy is delivered at once
echo "$MAILADDR" > "$TMPDIR/$FILE_ID.mailaddr"
$SENDMAIL $MAILADDR < "$TMPDIR/$FILE_ID.spamtester"
EXITCODE=$?
rm -f "$HDR" "$HDR.2" "$TMPDIR/$FILE_ID.content" "$TMPDIR/$FILE_ID.spamtester"
if [ $EXITCODE -ne 0 ] ; then
    # nobody will pick up the stored original if the test copy could not be sent
    rm -f "$TMPDIR/$FILE_ID" "$TMPDIR/$FILE_ID.mailaddr"
fi
exit $EXITCODE
#!/bin/bash
# /usr/local/bin/acceptedmailtodeliver.sh
# accepted mail to deliver by Kenneth Andresen
# Version 0.0.1 21-feb-2005
#
# Run by the procmail filter of the test account when the test copy was not flagged.
# Looks up the stored original by Message-ID and hands it to the real sendmail with
# the arguments the original sendmail call had.

TMPDIR=/var/spool/spamtestquarantine    # temporary directory - must be the same as in outgoingspamtester.sh
TMPFILE="spamtester.`/bin/date +%s`.$$" # temporary working file name - unix time and process ID
TMPPATH="$TMPDIR/$TMPFILE"              # temporary working file full path
SENDMAIL=/etc/alternatives/mta          # "true" sendmail path
MESSAGEID="Message-ID"
SENDEREXT=".mailaddr"

trap "rm -f $TMPPATH" 0 1 2 3 15
cat - > "$TMPPATH"

# same extraction and sanitising of the Message-ID as in outgoingspamtester.sh
FILE_ID="`grep -i -m1 -h "^$MESSAGEID:" "$TMPPATH" | cut -d '<' -f2 | cut -d '@' -f1 | tr -cd 'A-Za-z0-9._-'`"
if [ -n "$FILE_ID" ] && [ -f "$TMPDIR/$FILE_ID$SENDEREXT" ] && [ -f "$TMPDIR/$FILE_ID" ] ; then
    # the stored arguments are normally "-i -t"; the word splitting of $MAILCOMMAND is intended
    MAILCOMMAND="`cat "$TMPDIR/$FILE_ID$SENDEREXT"`"
    $SENDMAIL $MAILCOMMAND < "$TMPDIR/$FILE_ID"
    EXITCODE=$?
    rm -f "$TMPDIR/$FILE_ID$SENDEREXT" "$TMPDIR/$FILE_ID"
    exit $EXITCODE
fi
# a message without a stored original (i.e. not produced by our filter) ends here
# Outgoing procmail spam filter
# /etc/procmailfilters/outgoingspamtester.rc

#### Put the following lines on top of /etc/procmailrc and uncomment
# :0
# * [EMAIL PROTECTED]
# {
#   INCLUDERC=/etc/procmailfilters/outgoingspamtester.rc
# }
#### Top of /etc/procmailrc file ends

# nkvir is a great virus and spam filter believed to be helpful for getting rid of our
# outgoing spam problems. All the spam which was reacted to was in fact Nigeria scam
# spam, and nkvir has built-in cool functions against it.
# get the filter from <http://agriroot.aua.gr/~nikant/nkvir/>
# and place it in "/etc/procmailfilters/nkvir-rc"; then set OUTGOINGNKVIR from OFF to ON.

# defaults; each is only assigned when the variable is not already set
:0
* $ ${OUTGOINGNKVIR:+!}
{ OUTGOINGNKVIR=OFF }

:0
* $ ${OUTGOINGSPAMASSASSIN:+!}
{ OUTGOINGSPAMASSASSIN=ON }

:0
* OUTGOINGNKVIR ?? ON
{
  ######### filtering ###############################################################
  ## nkvir filter settings
  # Nigeria scam filter on
  NIGSCAM=ON
  # Porn spam filter
  PORNSPAM=ON
  # no point in testing ips of localhost...
  SPAMHAUSYAVR=OFF
  ###################################################################################
  ######### quarantine ##############################################################
  # ALL quarantines need to be off for the filter to work...
  #Microsoft EXEcutable quarantine :
  YAVRQUARANTEXE=OFF
  #Nigeria scam quarantine
  YAVRQUARANTNIG=OFF
  #Porn Quarantine
  YAVRQUARANTPRN=OFF
  ###################################################################################
  ######### warnings ################################################################
  #Nigeria scam warnings
  YAVRWARNNIG=ON
  #Porn related warnings
  YAVRWARNPRN=ON
  #Spamhaus warnings (not really needed)
  YAVRWARNSPH=ON
  #Macro warnings
  YAVRWARNMAC=ON
  #Executable file warnings
  YAVRWARNEXE=ON
  ###################################################################################
  ######### mail folders ############################################################
  VIRDIR=$MAILDIR/virus
  NIGDIR=$VIRDIR/nigeria-scam
  PORNDIR=$VIRDIR/porn-spam
  ###################################################################################
  # The above should ensure that nkvir is not discarding mail on the way
  # We can now include nkvir (no space after the "=")
  INCLUDERC=/etc/procmailfilters/nkvir-rc
}

:0
* ^Subject: WARNING-NSCAM-SCORE
{ SPAMFOUND=YES }

:0
* OUTGOINGSPAMASSASSIN ?? ON
{
  :0fw: spamc.out.lock
  | spamc
}

# spamc rewrites the subject of spam to "*****SPAM***** ..." (every * escaped here)
:0
* ^Subject:.*\*\*\*\*\*SPAM\*\*\*\*\*
{ SPAMFOUND=YES }

# a copy is piped to blocksender; the c flag keeps the message for the folder recipe below
:0
* SPAMFOUND ?? YES
{
  :0c
  |/usr/local/bin/blocksender
}

:0
* SPAMFOUND ?? YES
spamtester_spamfound

## if not caught by this point, send e-mail out
:0
* $ ${SPAMFOUND+!}
|/usr/local/bin/acceptedmailtodeliver.sh
########################################
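The blocksender script itself is not in the post, only described: it extracts the webmail user and the client ip from the flagged message, locks the account with passwd -l, and records the ip in a quarantine file so that a second spam from the same ip within a short time can be blocked. The script below is an added illustration of those steps and is my example, not Kenneth Andresen's blocksender. It assumes the test copy still carries the folded Received: header that SquirrelMail adds ("Received: from <ip>" followed by "(SquirrelMail authenticated user <name>)"), a quarantine file under /var/spool/spamtestquarantine, a window of 600 seconds, and that the actual firewall block is something the site adds where the script prints its message, since the post does not say how the ip is blocked. The sample message, the user kenneth, the address 192.0.2.10 and the host webmail.example.com are constructed.

```shell
#!/bin/sh
# blocksender illustration (added example, not the script from the post).
# Reads the flagged test copy on stdin when run with --filter, as procmail would
# call it. Assumed header form (what SquirrelMail writes, folded over three lines):
#   Received: from 192.0.2.10
#           (SquirrelMail authenticated user kenneth)
#           by webmail.example.com with HTTP;
# QUARANTINE, WINDOW and the lock policy are assumptions made for this example.

QUARANTINE=${QUARANTINE:-/var/spool/spamtestquarantine/ip.quarantine}
WINDOW=${WINDOW:-600}   # seconds within which a second spam from one ip counts as "short time"
DRY_RUN=${DRY_RUN:-1}   # set to 0 to really run passwd -l

# Constructed sample of a flagged test copy, used by --demo.
SAMPLE='Received: from 192.0.2.10
        (SquirrelMail authenticated user kenneth)
        by webmail.example.com with HTTP;
        Tue, 22 Feb 2005 10:00:00 +0100 (CET)
Message-ID: <1234.192.0.2.10.1109062800.squirrel@webmail.example.com>
Subject: *****SPAM***** urgent business proposal
From: kenneth@example.com
To: [EMAIL PROTECTED]
User-Agent: SquirrelMail/1.4.4

Dear friend, ...'

# Print "user ip" taken from the SquirrelMail Received: header of the message on
# stdin. Folded header lines are joined first so that the three pieces are on one
# line; only the first matching Received: header is used. Prints nothing when the
# message carries no such header.
sender_from_headers() {
    awk '
        /^$/ { exit }                                           # end of the header block
        /^[ \t]/ { sub(/^[ \t]+/, " "); hdr = hdr $0; next }   # folded continuation line
        { if (hdr != "") print hdr; hdr = $0 }
        END { if (hdr != "") print hdr }
    ' | sed -n 's/^Received: from \([0-9.]*\).*(SquirrelMail authenticated user \([^)]*\)).*/\2 \1/p' | head -n 1
}

# Record IP with a timestamp in the quarantine file; succeed (return 0) when the
# same ip was already recorded no more than WINDOW seconds before NOW.
# Usage: ip_repeat_offender IP NOW [FILE]
ip_repeat_offender() {
    ip=$1; now=$2; file=${3:-$QUARANTINE}
    touch "$file"
    repeat=1
    while read -r seen_ip seen_at; do
        [ "$seen_ip" = "$ip" ] || continue
        if [ $((now - seen_at)) -le "$WINDOW" ]; then repeat=0; fi
    done < "$file"
    echo "$ip $now" >> "$file"
    return $repeat
}

# Lock the account named in the header. The name comes from a header that any
# local sendmail caller could forge, so only plain lowercase names are accepted,
# option-looking names are refused and root is never locked.
lock_account() {
    case $1 in
        ''|root|-*|*[!a-z0-9_.-]*) return 2 ;;
    esac
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: passwd -l $1"
    else
        passwd -l "$1"
    fi
}

main() {
    set -- $(sender_from_headers)   # $1 = user, $2 = ip
    [ $# -eq 2 ] || { echo "blocksender: no SquirrelMail sender header found" >&2; return 1; }
    lock_account "$1" || echo "blocksender: refusing to lock '$1'" >&2
    if ip_repeat_offender "$2" "$(date +%s)"; then
        echo "blocksender: second spam from $2 within ${WINDOW}s; block it in the firewall here" >&2
    fi
}

case ${1:-} in
    --filter) main ;;                          # as called from procmail: message on stdin
    --demo)   QUARANTINE=$(mktemp)             # run twice on the sample to show the repeat case
              printf '%s\n' "$SAMPLE" | main
              printf '%s\n' "$SAMPLE" | main
              rm -f "$QUARANTINE" ;;
esac
```

`sh blocksender.sh --demo` prints the dry-run lock twice and, on the second pass, the repeat message for 192.0.2.10; in the procmail rc above it would be piped to as `|/usr/local/bin/blocksender --filter` with DRY_RUN=0 set in the environment once the output looks right. The unfolding step matters because the user name and the ip are on different lines of the folded header, and the whitelist in lock_account is what keeps a forged "authenticated user" value from turning into an argument to passwd.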