
getting IPs for spamd-setup with User unknown in maillog and relaydb



Here is a way you could get more blacklist entries for spamd.

Set up a user or account that is used only for spam collection
(adduser spammeduser), and have that account run the relaydb port
from procmail so that every message delivered to it feeds a blacklist.

Now the fun part, redirecting tons of spam probing....  Get a list
of false email addresses that spammers try to send to and forward
them to that spam trap user.  HOWEVER, be careful: if you have good
RELAYS (your secondary MXes), they could get blacklisted too and
would have to be unlisted later.  I included a possible script to do
this below.

In this example one sendmail server is the primary MX, and the other
sendmail servers, which are also in the domain's MX records, are
configured to RELAY to it.  Use the sendmail virtusertable feature on
the primary to redirect all the false addresses to the spam trap
user, and use the sendmail access feature on the good relays to have
mail for the false addresses discarded.  (You could reject instead,
but by discarding, spammers think it is a good address and the
primary will get spammed sooner rather than later...)

  Set up the spam trap user to run relaydb from procmail and grab
  the IP addresses of incoming mail.
  Edit the sendmail virtusertable on the primary, and the sendmail
  access table on the relays.
  Update spamd.conf to use the spam trap user's relaydb file, run
  spamd-setup, and then
        netstat -n | grep 127.0.0.1.8025 | wc -l
  and watch the numbers grow......:)

Of note:
The gotcha is that if you are not careful, mail relayed from a
secondary MX server will get that server's IP address blacklisted
too, because the secondary's address is in the Received: headers of
everything it relays.  Then, unless it is whitelisted, your secondary
MX ends up talking to spamd - not good...  You may want spamd.conf to
whitelist the IP addresses of your own servers and good relays
(spamd.conf supports :white: entries, whose addresses spamd-setup
subtracts from the blacklists), and it is worth checking the relaydb
output against that list before publishing it.
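A check for that gotcha, as an added example that is not code from the original post, from relaydb or from spamd-setup: it reads a relaydb-style blacklist and carves out every address in a hand-maintained whitelist of your MX and relay hosts, splitting any CIDR that contains one into the largest blocks that do not, so the published file never covers your own relays. The assumptions are that the blacklist is one IPv4 address or CIDR per line (as the post's relaydb -4lbf command prints it); the sample blacklist and whitelist below are constructed from documentation address ranges, and the function names are my own.

```python
#!/usr/bin/env python3
"""Carve a whitelist of MX/relay addresses out of a relaydb blacklist.

Added example, not code from the original post or from relaydb/spamd.
Assumptions: the blacklist text is one IPv4 address or CIDR per line,
as the post's 'relaydb -4lbf ~trap/.relaydb' command writes it; the
whitelist is a hand-maintained list of this site's MX and relay hosts.
"""
import ipaddress
import sys

# Constructed sample blacklist (documentation ranges, not real spammers)
SAMPLE_BLACKLIST = """\
203.0.113.0/24
198.51.100.7
192.0.2.0/26
"""

# Constructed sample whitelist: primary MX, secondary MX, relay subnet
SAMPLE_WHITELIST = ["192.0.2.10", "203.0.113.5", "198.51.100.0/28"]


def parse_networks(lines):
    """Parse address/CIDR strings, ignoring blank lines and '#' comments."""
    nets = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def subtract_whitelist(black, white):
    """Return (kept, dropped).

    kept: blacklist entries with every whitelisted range carved out,
          split into the largest CIDR blocks that contain no whitelisted
          address (the shape spamd wants to receive).
    dropped: (blacklist_entry, whitelist_entry) pairs that overlapped,
          so the operator can see which relay got itself listed.
    """
    kept = []
    dropped = []
    for net in black:
        pieces = [net]
        for w in white:
            remaining = []
            for p in pieces:
                if w.subnet_of(p):        # relay inside this block: carve it out
                    remaining.extend(p.address_exclude(w))
                    dropped.append((p, w))
                elif p.subnet_of(w):      # block lies inside a whitelisted range
                    dropped.append((p, w))
                else:
                    remaining.append(p)
            pieces = remaining
        kept.extend(pieces)
    return sorted(set(kept)), dropped


def is_listed(nets, addr):
    """True if addr falls inside any network in nets."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def render(nets):
    """One CIDR per line, the format spamd.conf's method=file reads."""
    return "".join(f"{n}\n" for n in nets)


if __name__ == "__main__":
    black = parse_networks(SAMPLE_BLACKLIST.splitlines())
    white = parse_networks(SAMPLE_WHITELIST)
    kept, dropped = subtract_whitelist(black, white)
    for p, w in dropped:
        print(f"# whitelisted {w} found in blacklist entry {p}", file=sys.stderr)
    sys.stdout.write(render(kept))
```

In practice you would pipe the relaydb output into this in the cron job and write its stdout to the file spamd.conf points at; the stderr lines tell you which of your own relays is being recorded by relaydb, which is the moment to fix the forwarding on that relay rather than just mask the symptom.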


----------- here is a script to parse maillog
----------- (it can be improved, edit appropriately :)----

#!/bin/sh
###########################################
## quick script to get email addresses that
## spammers may be dictionary spamming with
## and create text files for inclusion into
## the sendmail access table for the secondary MX
## and the virtusertable for the primary MX
###########################################
DIR=/var/www/spamd-setup           # change appropriately
SPAMTRAPUSER=spammeduser           # change appropriately
DOMAIN1=mydomain1.com              # change appropriately
DOMAIN2=myotherdomain2.com         # change appropriately
DOMAIN3=myotherotherdomain3.com    # change appropriately

# sendmail logs a rejected recipient as "to=<user@domain>, ... stat=User unknown";
# pull out the address between the angle brackets
awk '/User unknown/' /var/log/maillog | \
cut -sf 2 -d '<' | cut -sf 1 -d '>' > $DIR/userunknownnames

# Keep only addresses in the domains these servers accept mail for
# (virtusertable and access entries for any other domain would never match).
# Dots in the domain names are escaped so they match literally.
PATTERN=$(printf '@(%s|%s|%s)$' "$DOMAIN1" "$DOMAIN2" "$DOMAIN3" | sed 's/\./\\./g')
grep -Ei "$PATTERN" $DIR/userunknownnames > $DIR/userunknownnames.filter
sort -u -o $DIR/userunknownnames.cleaned $DIR/userunknownnames.filter
#
# now make two files, one for access - the other for virtusertable.
# For access the RHS is DISCARD, for virtusertable it is the spam trap user.
# The access keys are tagged "To:" so they only match as recipients
# (untagged keys only apply to recipients with FEATURE(blacklist_recipients)).
# Run each file through makemap hash on the server that uses it.
sed "s/\$/               $SPAMTRAPUSER/" $DIR/userunknownnames.cleaned > \
$DIR/userunknownnames.virtusertable
sed 's/^/To:/; s/$/               DISCARD/' $DIR/userunknownnames.cleaned > \
$DIR/userunknownnames.access
#
# -eof-


----------- example of using relaydb for the spam trap user
----------- cat ~spammeduser/.procmailrc ---------------
# Feed a copy of every message to relaydb, which records the relay
# addresses it finds in the headers in the spam trap user's blacklist
# (-b) database; the original message is still delivered normally.
:0c
| /usr/local/bin/relaydb -b
#
# Work around a procmail bug: any output on stderr will cause the "F"
# in "From" to be dropped.  This will re-add it.
:0
* ^^rom[ ]
{
  LOG="*** Dropped F off From_ header! Fixing up. "

  :0 fhw
  | sed -e '1s/^/F/'
}


--------------------------------------------------------------------
-------------------- possible way to use with spamd.conf -----------
--------------------------------------------------------------------
------------- cronjob this, and mirror it or put it in the webserver
------------- path so the other servers can fetch the file (replace
------------- /home/dictspam with the spam trap user's home directory)
/usr/local/bin/relaydb -4lbf /home/dictspam/.relaydb > \
/somedirectory/auto.cidr.txt

---------- and maybe edit spamd.conf with (remember to add spamtrapuser
---------- to the "all" line so spamd-setup actually loads it)
spamtrapuser:\
        :black:\
        :msg="SPAM. Your address %A is in my relaydb list.\nIf this is an error, contact xyz to remedy.":\
        :method=file:\
        :file=/somedirectory/auto.cidr.txt


----------- or edit spamd.conf to do something like this
----------- (I prefer the above in use; with method=exec the command
----------- runs under spamd-setup, so the trap user's .relaydb must
----------- be readable by that account)
relaydb-black:\
        :black:\
        :msg="SPAM. Your address %A is in my relaydb list.":\
        :method=exec:\
        :file=/usr/local/bin/relaydb -4lbf /home/dictspam/.relaydb: