postfix log

LTjake on 2004-01-07T02:31:30

After checking out Andy's log file analyzer, I decided to give it a try.

The first few lines of the output for this month (so far...) follows:

7460 unknown: (lots of ip addresses here)
6616 usgate01.e-mail.com: 204.146.55.141 (6616)
3832 usgate02.e-mail.com: 204.146.55.142 (3832)
3649 m12.itconsult.net: 193.201.42.12 (3649)
2667 usgate04.e-mail.com: 204.146.55.144 (2667)
2424 smtp.everyone.net: 216.200.145.17 (2424)
1763 nmho11u.rohmhaas.com: 136.141.2.13 (1763)
542 defout.telus.net: 199.185.220.240 (542)
526 nysmtp.comforce.com: 167.206.141.29 (526)
442 uran.kharkiv.net: 194.44.156.30 (442)
377 sec.uk.pi.se: 194.177.170.10 (377)

Does that seem rather large to any of you??


that's it??

scrottie on 2005-03-09T23:18:14

wow - must be a virgin system. After about 4 years, attempts to connect are just about soaking up the entire T1. Try running something like this just to tell these bastards to smeg off:
#!/usr/bin/perl

use IO::Handle;
use POSIX;
use Fcntl ':flock';

# process all rejects since the start of the hour that was current 10 minutes ago

my $timestamp = strftime "%b %e %H:", localtime(time() - 600); # eg, "Oct  7 02:"

my $recv;
my $count = 0;
my %spammers;   # client IP => [ reject count, client hostname, client IP ]

open my $spam, '<', '/var/log/maillog' or die $!;

if(-s $spam > 10000*80) {
    # if longer than about 10,000 "lines", seek relative the end
    print "Seeking relative the end - long file\n";
    seek $spam, - 10000*80, 2;
    <$spam>;   # discard the partial line we landed in
}

# skip forward to the first line stamped with the target hour
while(my $log = <$spam>) {
    last if $timestamp eq substr $log, 0, length $timestamp;
}

while(my $log = <$spam>) {

    # Aug 30 11:09:35 straylight postfix/smtpd[17179]: NOQUEUE: reject: RCPT from mail.marvelconsultants.com[66.94.77.249]: 450 <alee@illogics.org>
    #   : Recipient address rejected: User unknown in local recipient table; from=<> to=<alee@illogics.org> proto=ESMTP helo=<marvelconsultants.com>

    next unless $log =~ m/User unknown in local recipient table/;

    (my $rechost, my $recip) = $log =~ m/reject: RCPT from ([a-z0-9.-]+)\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]/i;
    next unless $recip;

    $spammers{$recip}->[0]++;
    $spammers{$recip}->[1] ||= $rechost;
    $spammers{$recip}->[2] ||= $recip;

    $count++;

}

print("processed $count messages\n");

# only IPs with more than two rejects this hour, busiest first
my @spammers = sort { $b->[0] <=> $a->[0] } grep { $_->[0] > 2 } values %spammers;

open my $access, '>>', '/etc/postfix/access' or die $!;
flock $access, LOCK_EX;
foreach my $spammer (@spammers) {
  my $gag = "$spammer->[2] REJECT # $spammer->[0]: $spammer->[1]\n";
  print $gag;
  $access->print($gag);
}

# rebuild the hashed access map so postfix picks up the new entries
system('/usr/local/sbin/postmap', '/etc/postfix/access') if @spammers;

Run that from cron. Of course, this requires

smtpd_delay_reject = no
smtpd_client_restrictions = hash:/etc/postfix/access

... otherwise it won't use the access file and won't wait until they try to rcpt to someone to deny them. But you probably want a lot more things on the smtpd_client_restrictions line:

smtpd_client_restrictions = hash:/etc/postfix/access,
    reject_rbl_client l2.spews.dnsbl.sorbs.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client sbl-xbl.spamhaus.org

That should kill 70% of the incoming connections. I have a long running thread in my journal about my spam wars, if you're curious. Suffice to say there are a hell of a lot of machines out there to be banned - millions of them.

-scott

Re:that's it??

LTjake on 2005-03-14T16:18:12

Hey!

Thanks for the tip! I decided to test the rbl stuff by just entering the rbls in the smtpd_client_restrictions section -- my spam has gone down 10-fold.

If you're curious, you can see some mail stats here

Thanks again.

Re:that's it??

scrottie on 2005-03-14T16:41:52

That's *almost* it. I should mention a few other things - that's an intelligent choice of RBLs. Those collectively look for open proxies, dial-up/DSL/cable lines at major ISPs, and known spammers. However, sooner or later, you're going to stumble on something blacklisted that you actually want mail from - my machine, slowass.net, has been blacklisted forever on SPEWS because someone once did something bad on the netblock years ago so the netblock is considered "spammer owned". If you're running a mail gateway for a company and you have employees working at home who should be able to send mail using the work server (such as to other employees), then the dialup lines black list will bite you. That bit me. In these cases, if you can identify which IP you want to get mail from, you can add a line like 1.2.3.4 OK to the /etc/postfix/access file and run postmap again. This works if people who email you or email through your server also have your cell phone number and can call you when email bounces =)

-scott
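Added example, not scrottie's script or anything else from the thread: the same reject-tallying idea as the cron script above, but it reads the existing access map first, so a hand-added "1.2.3.4 OK" line like the one in the last reply is never followed by a REJECT entry for the same IP. All hostnames, addresses, log lines and the sample access map are constructed; to use it for real, feed it the lines of /var/log/maillog and /etc/postfix/access instead.

```perl
use strict; use warnings;
# Build one constructed postfix/smtpd reject line (sample data, not from a real server).
sub reject_line {
    my ($host, $ip, $to) = @_;
    return sprintf('Mar 14 10:01:02 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from %s[%s]: '
        . '450 <%s>: Recipient address rejected: User unknown in local recipient table; '
        . 'from=<> to=<%s> proto=ESMTP helo=<%s>', $host, $ip, $to, $to, $host);
}

# Tally "User unknown" rejects per client IP, keeping the first hostname seen for it.
sub count_rejects {
    my ($lines) = @_;
    my %seen;
    for my $log (@$lines) {
        next unless $log =~ m/User unknown in local recipient table/;
        my ($host, $ip) = $log =~ m/reject: RCPT from ([a-z0-9.-]+)\[(\d+\.\d+\.\d+\.\d+)\]/i or next;
        $seen{$ip}{count}++;
        $seen{$ip}{host} ||= $host;
    }
    return \%seen;
}

# Parse the current access map into { ip => 'OK' | 'REJECT' } so hand-added entries are honoured.
sub listed_ips {
    my ($lines) = @_;
    my %listed;
    for (@$lines) {
        $listed{$1} = uc $2 if m/^\s*(\d+\.\d+\.\d+\.\d+)\s+(OK|REJECT)\b/i;
    }
    return \%listed;
}

# Access-map lines for IPs at or above $threshold rejects that the map does not list yet.
sub new_bans {
    my ($seen, $listed, $threshold) = @_;
    my @bans;
    for my $ip (sort { $seen->{$b}{count} <=> $seen->{$a}{count} || $a cmp $b } keys %$seen) {
        next if $seen->{$ip}{count} < $threshold;
        next if exists $listed->{$ip};    # already OK or REJECT: never shadow a whitelist entry
        push @bans, sprintf("%s REJECT # %d: %s\n", $ip, $seen->{$ip}{count}, $seen->{$ip}{host});
    }
    return @bans;
}

# Constructed input: 3 rejects from .10, 2 from .11, 3 from .20 (whitelisted in the map).
my @log = (
    (map { reject_line('host-a.example.net', '192.0.2.10', "u$_\@example.org") } 1 .. 3),
    (map { reject_line('host-b.example.net', '192.0.2.11', "u$_\@example.org") } 1 .. 2),
    (map { reject_line('dsl-pool.example.net', '192.0.2.20', "u$_\@example.org") } 1 .. 3),
);
my @access = ('192.0.2.20 OK # employee on a dial-up pool', '198.51.100.5 REJECT # 9: old-spammer');
print new_bans(count_rejects(\@log), listed_ips(\@access), 3);
```

With the embedded data only 192.0.2.10 is emitted: .11 is under the threshold and .20 is skipped because the map already lists it as OK.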