Thanks. I made a slight change in Received.pm to log only untrusted
relays, all on one line for each mail (by enabling my own debug channel).
Now I'm going to write an analyzer which will walk through the spamd log
daily and collect these records (only for spam with a defined overscore)
and add some host information (whois).
I know it's a bad idea to feed my blacklist directly, so I will check
and edit the output by hand and after that add it to the RBL. This won't be
too much work as most spam is coming to me from only a few IPs (or IP
ranges) at this time.
Thinline Maillist wrote:
Hi,
I'd like to log IPs from "Received" headers to spamd's log file for
statistics and further analysis (but only from messages marked as
spam).
I tried to modify the code of the spamd program, but unsuccessfully,
since I chose to add it to the parse_headers() subroutine, where only
protocol-specific headers are parsed (as it seems to me).
parse_received_headers() (in Received.pm) is the function that parses
the Received headers. It puts the relays in one of the X-Foo-Relays
meta headers (Trusted, Untrusted, Internal, External).
But if you do what you intend to do, be cautious:
- SA is about heuristics: it doesn't say whether a message is spam or
not. It gives you a score. This may be right. This may be wrong.
- if your trust path is misconfigured, the results may be arbitrary
- you can get spam from "good" relays (mailing lists, subscribed to
newsletters, ... etc).
It is safer to use the results as a "reputation measure" instead of
directly feeding a blacklist.
This is probably not the right piece of source in which to place this
feature.
I'm neither a Perl programmer nor an SA expert, so does anyone with more
experience have some idea how to log spammers' remote IPs? Thanks.
If you don't want to code anything, just configure SA to add its meta
headers (you only need the untrusted relays header), then when you
deliver the message, use an MDA that can log this header (maildrop,
procmail, or even a silly shell script with a 'grep -m 1
"^X-Untrusted-Relays:"' call).
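The two ideas above (log the untrusted-relays header at delivery time, and run a daily analyzer that keeps only spam above some score threshold before anything goes near a blacklist) can be combined in one small script. The following is an added example written for this thread; it is not SpamAssassin's own code and not the poster's Received.pm change. It assumes SA was configured with `add_header all Relays-Untrusted _RELAYSUNTRUSTED_`, which (with the default X-Spam- prefix) yields an X-Spam-Relays-Untrusted header in SA's documented `[ ip=... rdns=... helo=... by=... ]` format, and the usual X-Spam-Status header. The sample messages, the 8.0 "overscore" threshold and the network list are constructed for the example. By default only the first untrusted hop is counted: that is the one host that actually connected to your trusted network, whereas every earlier Received header was written by an untrusted host and can be forged. Private or loopback addresses in the untrusted list, and spam that arrived purely over trusted relays, are reported separately rather than counted, since they point at a trust-path or "good relay" problem rather than a spam source.

```python
import ipaddress
import re
from collections import Counter
from email import message_from_string

# Constructed sample messages (not real mail); public IPs are RFC 5737 test addresses.
SAMPLE_MESSAGES = [
    # spam with two untrusted hops; the header is folded over three lines
    """X-Spam-Status: Yes, score=12.4 required=5.0 tests=BAYES_99,HTML_MESSAGE
X-Spam-Relays-Untrusted: [ ip=203.0.113.5 rdns=dsl-5.example.org helo=mx.example.com
 by=mail.example.net ident= envfrom= intl=0 id=1A2B auth= msa=0 ]
 [ ip=198.51.100.7 rdns= helo=localhost by=dsl-5.example.org ident= envfrom= intl=0 id= auth= msa=0 ]

cheap watches
""",
    # ham: never counted, whatever the relay
    """X-Spam-Status: No, score=1.2 required=5.0 tests=HTML_MESSAGE
X-Spam-Relays-Untrusted: [ ip=192.0.2.10 rdns=mx.example.com helo=mx.example.com by=mail.example.net ident= envfrom= intl=0 id= auth= msa=0 ]

hi
""",
    # spam in the SA 2.x "hits=" format, same source as the first message
    """X-Spam-Status: Yes, hits=9.0 required=5.0 tests=BAYES_99
X-Spam-Relays-Untrusted: [ ip=203.0.113.5 rdns=dsl-5.example.org helo=x by=mail.example.net ident= envfrom= intl=0 id= auth= msa=0 ]

more watches
""",
    # spam, but below the overscore threshold used below
    """X-Spam-Status: Yes, score=7.5 required=5.0 tests=BAYES_80
X-Spam-Relays-Untrusted: [ ip=203.0.113.9 rdns= helo=y by=mail.example.net ident= envfrom= intl=0 id= auth= msa=0 ]

maybe spam
""",
    # spam whose "untrusted" relay is an RFC 1918 address: trusted_networks is wrong
    """X-Spam-Status: Yes, score=15.0 required=5.0 tests=BAYES_99,URIBL_BLACK
X-Spam-Relays-Untrusted: [ ip=10.0.0.3 rdns=lan-gw helo=lan-gw by=mail.example.net ident= envfrom= intl=0 id= auth= msa=0 ]

internal relay
""",
    # spam that came only through trusted relays (e.g. a list server in trusted_networks)
    """X-Spam-Status: Yes, score=10.1 required=5.0 tests=BAYES_99
X-Spam-Relays-Untrusted:

list spam
""",
]

RELAY_IP_RE = re.compile(r"\[\s*ip=([0-9A-Fa-f.:]+)")
SCORE_RE = re.compile(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)")
# Assumed list of networks that must never appear as an untrusted relay.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def header_value(msg, name):
    """Header text with RFC 5322 folding collapsed to single spaces."""
    return " ".join(" ".join(v.split()) for v in (msg.get_all(name) or []))


def spam_score(msg):
    """Score from X-Spam-Status (SA 3 'score=' or SA 2 'hits='), or None."""
    m = SCORE_RE.search(header_value(msg, "X-Spam-Status"))
    return float(m.group(1)) if m else None


def untrusted_relay_ips(msg):
    """Relay IPs from X-Spam-Relays-Untrusted, most recent hop first."""
    return RELAY_IP_RE.findall(header_value(msg, "X-Spam-Relays-Untrusted"))


def is_countable_ip(ip):
    """False for unparsable, loopback, link-local, RFC 1918 and ULA addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def tally_spam_sources(raw_messages, min_score=8.0, first_hop_only=True):
    """Count messages scoring >= min_score per untrusted relay IP.

    Returns (counts, skipped); skipped holds (reason, ip) pairs that deserve a
    human look instead of a blacklist entry.  With first_hop_only, only the hop
    that connected to our trusted network is used: earlier Received headers
    were written by untrusted hosts and may be forged.
    """
    counts, skipped = Counter(), []
    for raw in raw_messages:
        msg = message_from_string(raw)
        score = spam_score(msg)
        if score is None or score < min_score:
            continue
        ips = untrusted_relay_ips(msg)
        if not ips:
            skipped.append(("no untrusted relay (spam via trusted path)", ""))
            continue
        for ip in (ips[:1] if first_hop_only else ips):
            if is_countable_ip(ip):
                counts[ip] += 1
            else:
                skipped.append(("non-public relay, check trusted_networks", ip))
    return counts, skipped


if __name__ == "__main__":
    counts, skipped = tally_spam_sources(SAMPLE_MESSAGES)
    for ip, n in counts.most_common():
        print(f"{n:4d}  {ip}")
    for reason, ip in skipped:
        print(f"skipped: {reason} {ip}".rstrip())
```

Run against a directory of delivered messages (or the header lines an MDA rule has logged) and feed the sorted tally into a manual review plus whois step; the `skipped` list is the place to look when the trust path is misconfigured, because a private address there means SA is treating one of your own hops as untrusted.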