ONLamp.com
oreilly.comSafari Books Online.Conferences.

advertisement


SpamShield: A Perl-Based Spam Filter for sendmail
Pages: 1, 2

Configuring SpamShield

Note this configuration example is BSD-dependent, in that we use /var/log/maillog for all MAILER-DAEMON messages. Other Unix variants use /var/log/messages. This option is configurable within the syslogd.conf file on most systems. For more help with syslog, see Michael Lucas's ONLamp article on syslog configuration.



Now edit the Perl script, spamshield.pl, using your favorite editor. I suggest you use a "long line" editor, such as vi. Follow these steps:

  • Point the Perl path to the proper location of your perl5 interpreter in the first line. In most cases, this should be /usr/bin/perl. On other systems, this may be /bin/perl. The line should look something like this: #!/usr/bin/perl. (For those of you who have not done any Perl scripting, do not remove the hash mark (#) before the (!). It belongs there, and is not an uncommented line.

    To find the path where Perl resides, enter:

    Command: which perl
  • Set $log to the location of your sendmail logfile: /var/log/maillog in most cases (or /var/log/messages).
  • Set $lastlines to the number of most recent log file lines you want the program to look at. The default is 1500, representing 4-8 hours of mail on a small system.
  • Set $spamthreshold to the number of emails that may be received from any single source IP within the number of lines configured above, before considering the source to be a spamming host.
  • Set $dontblock to a file that has a plain one-by-line list of IP hosts that are never to be blocked. This includes, for example, your own IP number and that of the loopback interface (127.0.0.1). Warnings about spam from the hosts listed will still be mailed out!
  • Look at the $blockactive file to see what blocks are currently active. You should manually edit this file after a spam has been dealt with, so that the program ignores future connections from this host.
  • Set $blockignore to a file that has a plain one-by-line list of IP hosts that Kai's SpamShield will never complain about, or take any action about. This is usually all of your own mailhosts, if they relay mail to each other, and are usually hosts that run SpamShield themselves. This avoids a spammer that creates a spam storm, where mail servers start ignoring each other.
  • Set $securetmp to a directory (the default is /usr/local/spamcontrol/) where temporary files can be created safely; e.g., the directory is owned by the owner of this program, and no one else has permission to write to it.
  • Set $blackhole to an unused IP number on your local subnet, or you will get errors that route is not reachable. This is the route all traffic to undesired hosts is redirected to. Take care not to use this IP number for anything else. Leave undefined (comment out) if you do not wish to use IP blocking.
  • Set $maintainer to contain a comma-separated list of email addresses that are to be notified of any spam activity. Note that @ must be escaped as \@ in perl. Leave undefined (comment out) to not send any mail to anyone.
  • Define the locations of the following programs on your system, defaults:
    $SENDMAIL="/usr/sbin/sendmail"; 
    $TAIL="/usr/bin/tail"; 
    $AWK="/usr/bin/awk"; 
    $GREP="/usr/bin/grep"; 
    $SORT="/usr/bin/sort"; 
    $CAT="/bin/cat"; 
    $DATE="/bin/date"; 
    $ROUTE="/sbin/route"; 
    $WINNUKE="/usr/local/spamcontrol/winnuke"; (optional, used to crash Windows 
               systems that send spam - only use with discretion)

Here is a copy of my customized script:

##################################################### 
# User-defined parts below # 
##################################################### 
$log = "/var/log/maillog";  
# sendmail log location 
$lastlines=1500;  
# how many lines at the end of the log should we look at 
$spamthreshold=200;  
# this is how many mails can be seen from a single IP 
# in the last $lastlines lines in the logfile before 
# considering it spam. Adjust this to accomodate 
# busy systems and events like coming up after a 
# long downtime (when a lot of mail will be delivered 
# from various hosts or from the secondary MX) 
$dontblock="/usr/local/spamcontrol/dontblock";  
# list of IP hosts that 
# are never to be blocked 
$blockactive="/usr/local/spamcontrol/blocked";  
# these hosts are currently 
# blocked by SpamShield 
# for sysadmin review 
$blockignore="/usr/local/spamcontrol/blockignore";  
# be silent about these ones 
$securetmp="/usr/local/spamcontrol";  
# enter directory name that cannot be 
# used by anyone except the uid under 
# which this program is run 
$blackhole="209.204.146.22";  
# this **MUST** be an unused IP number on the 
# local network, or error messages and chaos 
# might ensure. undefine to not add a route, 
# this should only be used on machines with 
# known stable routing engines. 
# who will receive alerts ? undefine to stop mail alerts 
$maintainer="glenn\@networkinformation.com"; 
# define locations of programs below, systems vary 
$SENDMAIL="/usr/sbin/sendmail"; 
$TAIL="/usr/bin/tail"; 
$AWK="/usr/bin/awk"; 
$GREP="/usr/bin/grep"; 
$SORT="/usr/bin/sort"; 
$CAT="/bin/cat"; 
$DATE="/bin/date"; 
$ROUTE="/sbin/route"; 
# $WINNUKE="/usr/local/spamcontrol/winnuke";  
# define if retaliatory action desired -  
# WARNING, use WINNUKE at your own risk! 
##################################################### 
# End of user-defined parts # 
#####################################################

Testing SpamShield For the First Time

Run ./spamshield.pl as root by hand, note any and all errors encountered (usually the result of mis-defined variables), then correct them. Ensure that your variable paths are correct!

After running ./spamshield.pl for the first time, you should have the following files under the directory /usr/local/spamcontrol:

  • blocked - current list of blocked sites, serves as log of past activity.

  • blockignore - list of IPs that are always ignored and never acted upon.

  • dontblock - list of IPs that are never blocked, but will cause spam alarms.

  • spamshield.pl - the program.

  • ss-ipstats - list of how many emails have been received from which IP host (after program has run).

  • ss-mailstats - list of every maillog line condensed into three space-separated parameters: IP number, number of recipients in this batch, and sender address used on From_ line. This makes for easy grepping and sorting for other purposes.

In order to correct any difficult errors, try increasing the DEBUG value.

Running from the Crontab

For optimal performance, run the program automatically every three minutes from cron, and set your system crontab to look something like this:

*/3 * * * /usr/local/spamcontrol/spamshield.pl 

On some Unix systems, you need to redirect the output of cron to /dev/null to avoid receiving emails to root each time the script is run. I typically add the following to the end of each cron line to direct the output from runlevel 2 and 1 to /dev/null:

*/3 * * * /usr/local/spamcontrol/spamshield.pl 2>/dev/null 1>/dev/null 

To Sum Up

SpamShield has taken a sensible approach to filtering spam.

Despite an array of products that claim to block spam mail, I have yet to find one that is 100 percent perfect. Most filters work to a degree, while others add yet another layer of inconvenience to the end user.

Simply put, SpamShield does what it was designed to do. As new versions evolve, I have confidence that this product will become ever more popular.

Read More About SpamShield

Log on to www.spamshield.org/ to read Kai's latest rants -- a little on Spam, a little on the rest of the world. And coming soon, version 2.0.

Glenn Graham has been working with telecommunications since 1977.


Return to ONLamp.com.



Sponsored by: