This is release 0.1 of dialin-spammer-blocker
Copyright (C) 2002, Marco Steinacher, Init Seven AG
http://www.init7.net


ABOUT

dialin-spammer-block can be used to detect and block dialin clients that
try to send spam over your mailserver.

A spammer is detected by watching the mailserver logfile and counting the
mails sent by each dialin client. If a client exceeds the limit of mails
that may be sent during a certain amount of time, the client is blocked
from relaying further mail over your mailserver until the RADIUS server
reports that the client has disconnected.

It is a good idea to use it together with port 25 redirection for dialin
customers. See http://www.init7.net/anti-spam for details.


STATUS

Please note that this is BETA software that has NOT been tested on many
systems with different configurations.


COPYRIGHT

Copyright (C) 2002, Marco Steinacher, Init Seven AG
http://www.init7.net

dialin-spammer-block is free software. See the file COPYING for copying
conditions.


CONTACT

Send bug reports, suggestions and comments to msteinacher@init7.net.


REQUIREMENTS

- perl
- the following perl modules from CPAN (www.cpan.org)
  - File::Tail
  - DB_File
- an SMTP daemon that uses DB hash files to restrict relay access and
  writes logfiles similar to sendmail

For RADIUS support:

- a RADIUS server that can execute external programs triggered by an
  accounting-stop message (e.g. freeradius)
- ssh on the RADIUS server and the mailserver


INSTALLATION (with example paths and filenames)

1. Unpack the archive
   - tar -xvzf dialin-spammer-block-1.0.tar.gz

2. Copy the file dialin-spammer-block to a desired location
   - cp dialin-spammer-block /usr/sbin/

3. Copy the init.d script to your init.d directory and create the
   required links
   - cp initd-script /etc/init.d/dialin-spammer-block
   - ln -s /etc/init.d/dialin-spammer-block /etc/init.d/rc3.d/S20dialin-spammer-block
   - ln -s /etc/init.d/dialin-spammer-block /etc/init.d/rc3.d/K20dialin-spammer-block
   Don't forget to set the correct filenames and paths in the script!

   [ If you don't want RADIUS support the installation is done now.
     Please note that without RADIUS support an IP will be blocked until
     the maximum block time limit is reached. If another customer gets
     that IP in the meantime, he is not able to relay mail. ]

4. Copy the unlock-spammer-ip file to a desired location on the RADIUS
   server
   - scp unlock-spammer-ip radius:/etc/raddb/

5. Make sure that the RADIUS user (which should be an UNPRIVILEGED user
   such as nobody!) may execute commands automatically on the mailserver
   using ssh with RSA authentication, i.e. create and exchange the ssh
   key for the UNPRIVILEGED user. Since this key lets the RADIUS host run
   commands on the mailserver, it is advisable to restrict it to the
   unlock command with the command="..." option in authorized_keys.


CONFIGURATION

1. Configuration of dialin-spammer-block

There is a configuration block at the top of the script, where you can
customize the program:

1.1 $debug

Set this option to 1 if you want to get more output. If it is set to 0
only the detected spammers are logged.

1.2 $logfile

The full path of the mailserver logfile where the MAIL FROM and the
RCPT TO log records can be found.

e.g. my $logfile="/var/log/mail";

1.3 $dbfile

The full path to a DB hash file that your mailserver uses to restrict
mail relay.

PLEASE NOTE:
 i)  The file will be overwritten/created by this script!!
 ii) The extension '.db' will be appended automatically and must NOT be
     included here, i.e. if you specify the name 'access' here the file
     'access.db' will be created/overwritten and the file 'access' will
     not be touched if it exists.

There are two possibilities:

 a) You use a new, separate file
    e.g. my $dbfile="/etc/mail/dialin-spammer-block";
    Then you have no problem with existing files but YOU HAVE TO
    CONFIGURE YOUR MAILSERVER so that the DB file will be used to
    restrict relay access (like the sendmail access file).

 b) You use an existing file that is used by the mailserver to restrict
    relay access
    e.g. my $dbfile="/etc/mail/access";
    Then you have to configure this program to include the records from
    the plaintext file in order to join the static entries in the
    textfile with the dynamically created records (see 1.7).

1.4 $mxlimit and $period

Here you define what is considered a spamming attempt, i.e. how many
mails ($mxlimit = RCPT TO mailserver log records) a user may send per
$period seconds before he is blocked.

1.5 $clearperiod

This specifies a timeout in seconds after which all blocked IPs are
deleted from the DB. That means this is the maximum duration that an IP
can be blocked. This timeout is only relevant if you don't have RADIUS
support (see above) or if the communication with the RADIUS server fails
or something similar; it prevents an IP from being blocked 'forever'.

1.6 $mailfrom and $mailto

Who wants to be informed when a spammer is detected?

1.7 $include_accessdb

Specify a plaintext file (sendmail access-file format) that will be
included in the DB hash. This is only relevant if you use an existing DB
file of the mailserver (see 1.3 b).

e.g. if you have your sendmail relay restrictions defined in the file
/etc/mail/access you can use the file /etc/mail/access.db as the DB file
with
    my $dbfile="/etc/mail/access";
and include the records from /etc/mail/access with
    my $include_accessdb="/etc/mail/access";

If you don't need this, set $include_accessdb="";

1.8 $pat1

Here you must define a regex pattern that matches all (and only) the
MAIL FROM records in the mailserver logfile of the clients that should be
checked for spamming and eventually be blocked.

YOU HAVE TO CUSTOMIZE THE PART AFTER relay= TO MATCH YOUR DIALIN-CLIENTS
e.g. set it to 'relay=dial-\d+-\d+\.init7\.net' if your dialin clients
get hostnames like 'dial-136-5.init7.net'.

A pattern for sendmail should look like:

    my $pat1 = '^(... .. ..:..:..) \S+ sendmail\[\d+\]: (\S+): from=(\S+),.* relay=dial-\d+-\d+\.your_domain\.net \[(\d+.\d+.\d+.\d+)\]';

The four capture groups must return, in this order: [a] the time,
[b] the message-id, [c] the from-address and [d] the client IP. Look at
your logfile and choose an appropriate pattern.

1.9 $pat2

The regex pattern that matches all RCPT TO records in the mailserver
logfile. A pattern for sendmail looks like:

    my $pat2 = '^(... .. ..:..:..) \S+ sendmail\[\d+\]: (\S+): to=(\S+),.*';

The three capture groups must return, in this order: [a] the time,
[b] the message-id and [c] the to-address.

1.10 $fi

These parameters control how closely the watcher tries to follow the
logfile, which affects how much resources it consumes and how quickly
the client will be blocked after reaching the $mxlimit. For details see
the documentation of the File::Tail perl module.

2. Configuration of the RADIUS server

2.1 Configure unlock-spammer-ip

Set the variable MAIL_SERVER in the script unlock-spammer-ip to the
hostname or IP address of your mail server.

2.2 Configure radiusd

Configure your RADIUS server so that every stop-accounting message
triggers the execution of unlock-spammer-ip with the Framed-IP-Address
as argument.

e.g. With freeradius you can do this by adding the following to the file
acct_users:

    DEFAULT Acct-Status-Type == Stop
            Exec-Program-Wait := "/etc/raddb/unlock-spammer-ip '%{Framed-IP-Address}'"

Make sure that the files module is activated in the preacct section of
your RADIUS configuration file.

END
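As an added illustration of the detection logic described in sections 1.4, 1.8 and 1.9 (this is example code written for this README, not the dialin-spammer-block script itself): the two sendmail patterns are applied to a constructed batch of log lines, MAIL FROM records map each message-id to the dialin client IP that relayed it, RCPT TO records are counted per client within a sliding $period window, and a client that exceeds $mxlimit is blocked. The in-memory `blocked` dict stands in for the DB hash file, `unlock()` stands in for what the RADIUS accounting-stop hook achieves, and `expire()` implements the $clearperiod safety net. The dialin hostname form `dial-<n>-<n>.example.net`, the sample addresses and the log lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Patterns in the form the README gives for sendmail: group 1 = time, 2 = message-id,
# 3 = from/to address, 4 (PAT1 only) = client IP.  The relay= part is the one an admin
# must customise; here it assumes dialin hosts named dial-<n>-<n>.example.net (assumption).
PAT1 = re.compile(r'^(... .. ..:..:..) \S+ sendmail\[\d+\]: (\S+): from=(\S+),.* '
                  r'relay=dial-\d+-\d+\.example\.net \[(\d+\.\d+\.\d+\.\d+)\]')
PAT2 = re.compile(r'^(... .. ..:..:..) \S+ sendmail\[\d+\]: (\S+): to=(\S+),.*')

# Constructed sample logfile: client 10.1.2.3 relays three messages in 30 seconds,
# client 10.1.2.4 relays one, and a non-dialin relay (198.51.100.7) is ignored by PAT1.
SAMPLE_LOG = """\
Mar  5 10:00:01 mx sendmail[2001]: g25A0101: from=<u1@customer.example>, size=420, class=0, nrcpts=1, msgid=<m1@c>, proto=SMTP, daemon=MTA, relay=dial-136-5.example.net [10.1.2.3]
Mar  5 10:00:02 mx sendmail[2002]: g25A0101: to=<x@example.com>, delay=00:00:01, mailer=esmtp, relay=mail.example.com. [192.0.2.10], dsn=2.0.0, stat=Sent
Mar  5 10:00:10 mx sendmail[2003]: g25A0102: from=<u1@customer.example>, size=420, class=0, nrcpts=1, msgid=<m2@c>, proto=SMTP, daemon=MTA, relay=dial-136-5.example.net [10.1.2.3]
Mar  5 10:00:11 mx sendmail[2004]: g25A0102: to=<y@example.com>, delay=00:00:01, mailer=esmtp, relay=mail.example.com. [192.0.2.10], dsn=2.0.0, stat=Sent
Mar  5 10:00:20 mx sendmail[2005]: g25A0103: from=<u2@customer.example>, size=300, class=0, nrcpts=1, msgid=<m3@c>, proto=SMTP, daemon=MTA, relay=dial-136-7.example.net [10.1.2.4]
Mar  5 10:00:21 mx sendmail[2006]: g25A0103: to=<z@example.com>, delay=00:00:01, mailer=esmtp, relay=mail.example.com. [192.0.2.10], dsn=2.0.0, stat=Sent
Mar  5 10:00:30 mx sendmail[2007]: g25A0104: from=<u1@customer.example>, size=420, class=0, nrcpts=1, msgid=<m4@c>, proto=SMTP, daemon=MTA, relay=dial-136-5.example.net [10.1.2.3]
Mar  5 10:00:31 mx sendmail[2008]: g25A0104: to=<w@example.com>, delay=00:00:01, mailer=esmtp, relay=mail.example.com. [192.0.2.10], dsn=2.0.0, stat=Sent
Mar  5 10:00:40 mx sendmail[2009]: g25A0105: from=<office@corp.example>, size=900, class=0, nrcpts=1, msgid=<m5@c>, proto=ESMTP, daemon=MTA, relay=office.corp.example [198.51.100.7]
Mar  5 10:00:41 mx sendmail[2010]: g25A0105: to=<v@example.com>, delay=00:00:01, mailer=esmtp, relay=mail.example.com. [192.0.2.10], dsn=2.0.0, stat=Sent
"""


def parse_stamp(stamp):
    """Seconds for a syslog stamp like 'Mar  5 10:00:01'; it has no year, so only differences matter."""
    return (datetime.strptime(stamp, "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()


class SpammerWatcher:
    """Count RCPT TO records per dialin client; block a client exceeding mxlimit within period seconds."""

    def __init__(self, mxlimit=20, period=300, clearperiod=3600):
        self.mxlimit, self.period, self.clearperiod = mxlimit, period, clearperiod
        self.msg_ip = {}                  # message-id -> client IP, learned from MAIL FROM records
        self.rcpts = defaultdict(deque)   # client IP -> timestamps of its recent RCPT TO records
        self.blocked = {}                 # client IP -> time blocked; stands in for the DB hash file

    def feed(self, line):
        """Process one logfile line; return the client IP if this line caused a new block."""
        m = PAT1.match(line)
        if m:
            _, msgid, _sender, ip = m.groups()
            self.msg_ip[msgid] = ip       # only clients whose relay= matched the dialin pattern
            return None
        m = PAT2.match(line)
        if not m:
            return None
        stamp, msgid, _rcpt = m.groups()
        ip = self.msg_ip.get(msgid)
        if ip is None:                    # recipient of a message that no dialin client sent
            return None
        now = parse_stamp(stamp)
        window = self.rcpts[ip]
        window.append(now)
        while window and now - window[0] > self.period:
            window.popleft()              # forget RCPT TO records older than period seconds
        if len(window) > self.mxlimit and ip not in self.blocked:
            self.blocked[ip] = now        # the real script writes the REJECT record and mails $mailto
            return ip
        return None

    def unlock(self, ip):
        """Effect of the RADIUS accounting-stop hook: the released IP may relay again."""
        self.blocked.pop(ip, None)
        self.rcpts.pop(ip, None)

    def expire(self, now):
        """$clearperiod safety net: drop blocks older than clearperiod seconds without RADIUS."""
        for ip, since in list(self.blocked.items()):
            if now - since > self.clearperiod:
                del self.blocked[ip]


def run_demo(mxlimit=2):
    """Feed the constructed log through a watcher with a deliberately low $mxlimit."""
    w = SpammerWatcher(mxlimit=mxlimit, period=300, clearperiod=3600)
    newly_blocked = [ip for ip in map(w.feed, SAMPLE_LOG.splitlines()) if ip]
    return w, newly_blocked


if __name__ == "__main__":
    watcher, hits = run_demo()
    print("blocked:", hits)               # ['10.1.2.3'], on its third RCPT TO within 300 s
```

With $mxlimit=2 the third RCPT TO from 10.1.2.3 (at 10:00:31) trips the limit, while 10.1.2.4 with a single message and the office relay that never matched $pat1 stay unblocked; that is why the relay= part of $pat1 must match all and only the dialin clients.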