Logging IP addresses of spammer's SMTP - SpamAssassin



Thread: Logging IP addresses of spammer's SMTP

  1. Logging IP addresses of spammer's SMTP

    Hi,

    I'd like to log IPs from "Received" headers to spamd's log file for
    statistics and further analysis (but only from messages marked as spam).
    I tried to modify the code of the spamd program, but unsuccessfully, since
    I chose to add it to the parse_headers() subroutine, where only
    protocol-specific headers are parsed (as it seems to me). This is probably
    not the right piece of source in which to place this feature.
    I'm not a Perl programmer nor an SA expert, so does anyone with more
    experience have an idea how to log spammers' remote IPs? Thanks.

    Pavel


  2. Re: Logging IP addresses of spammer's SMTP

    Thinline Maillist wrote:
    > Hi,
    >
    > I'd like to log IPs from "Received" headers to spamd's log file for
    > statistics and further analysis (but only from messages marked as spam).
    > I tried to modify the code of spamd program, but unsuccessfully, since I
    > chose to add it to parse_headers() subroutine, where only protocol
    > specific headers are parsed (as it seems to me).


    parse_received_headers() (in Received.pm) is the function that parses
    the Received headers. It puts the relays in one of the X-Foo-Relays meta
    headers (Trusted, Untrusted, Internal, External).

    But if you do what you intend to do, be cautious:
    - SA is about heuristics: it doesn't say whether a message is spam or not,
    it gives you a score. This may be right. This may be wrong.
    - If your trust path is misconfigured, the results may be arbitrary.
    - You can get spam from "good" relays (mailing lists, newsletters you
    subscribed to, etc.).

    It is safer to use the results as a "reputation measure" instead of
    directly feeding a blacklist.


    > This is probably not a
    > right piece of source where to place this feature.
    > I'm not a Perl programmer nor SA expert, so has anyone with more
    > experience some idea, how to log spammers remote IPs? Thanks.


    If you don't want to code anything, just configure SA to add its meta
    headers (you only need the untrusted relays header), then, when you
    deliver the message, use an MDA that can log this header (maildrop,
    procmail, or even a silly shell script with a 'grep -m 1
    "^X-Untrusted-Relays:"' call).


  3. Re: Logging IP addresses of spammer's SMTP

    maillists@thinline.cz (Thinline Maillist) writes:

    > I'd like to log IPs from "Received" headers to spamd's log file for
    > statistics and further analysis (but only from messages marked as
    > spam).
    > I tried to modify the code of spamd program, but unsuccessfully, since
    > I chose to add it to parse_headers() subroutine, where only protocol
    > specific headers are parsed (as it seems to me). This is probably not
    > a right piece of source where to place this feature.
    > I'm not a Perl programmer nor SA expert, so has anyone with more
    > experience some idea, how to log spammers remote IPs? Thanks.


    I add a Relay header using

        add_header all Relay trusted=_RELAYSTRUSTED_, untrusted=_RELAYSUNTRUSTED_

    which adds a header that looks like:

        X-Spam-Relay: trusted=... , untrusted=[ ip=98.136.45.64 ... ] [ ip=69.147.65.154 ... ] [ ip=127.0.0.1 ... ] [ ip=216.203.115.218 ... ]

    I log the X-Spam-Relay header during message delivery in procmail.
    You may be able to do something similar.

    -jeff
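As an added example (my code, not from the thread, SpamAssassin or procmail), here is the logging step the two replies above describe, done in Python instead of a procmail recipe: read a message that SpamAssassin has already tagged, check the X-Spam-Status verdict and score against a threshold of your own choosing, and pull the IPs out of the untrusted= part of the X-Spam-Relay header that the add_header line quoted above produces. Loopback and RFC 1918 hops are skipped, because an untrusted 127.0.0.1 (as in Jeff's sample header) is a sign that trusted_networks is incomplete, not a spam source. The two sample messages, their addresses, ids and rule names are constructed for the example; the relay entry layout ("[ ip=... rdns=... helo=... ]") is modelled on SA's output but only the ip= field is parsed.

```python
import re
import ipaddress
from email import message_from_string

# "X-Spam-Status: Yes, score=15.3 required=5.0 tests=..." as SA writes it.
SPAM_STATUS_RE = re.compile(r"^(Yes|No),\s*score=(-?[\d.]+)\s+required=(-?[\d.]+)", re.I)
# Each relay in _RELAYSUNTRUSTED_ is rendered as "[ ip=... rdns=... helo=... ]";
# only the leading ip= field is used here.
RELAY_IP_RE = re.compile(r"\[\s*ip=([0-9A-Fa-f.:]+)")
# Hops in these ranges cannot be spam sources; seeing them in the untrusted
# list usually means the trust path (trusted_networks) stops too early.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample messages: documentation-range addresses, made-up ids,
# hostnames and rule names. The relay header follows the add_header line above.
SAMPLE_SPAM = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.org with ESMTP id A1B2C3 for <pavel@example.org>
Received: from zzz.example.net (unknown [198.51.100.77])
\tby mx.example.org with SMTP id D4E5F6
X-Spam-Flag: YES
X-Spam-Status: Yes, score=15.3 required=5.0 tests=BAYES_99,RCVD_IN_XBL
X-Spam-Relay: trusted=[ ip=192.0.2.10 rdns=mx.example.org helo=mx.example.org by=mail.example.org ident= envfrom= intl=1 id=A1B2C3 auth= msa=0 ],
\tuntrusted=[ ip=198.51.100.77 rdns= helo=zzz.example.net by=mx.example.org ident= envfrom= intl=0 id=D4E5F6 auth= msa=0 ]
\t[ ip=127.0.0.1 rdns=localhost helo=localhost by=zzz.example.net ident= envfrom= intl=0 id= auth= msa=0 ]
\t[ ip=203.0.113.5 rdns= helo=foo by=localhost ident= envfrom= intl=0 id= auth= msa=0 ]
Subject: cheap stuff

body
"""

SAMPLE_HAM = """\
Received: from lists.example.com (lists.example.com [198.51.100.200])
\tby mail.example.org with ESMTP id G7H8I9 for <pavel@example.org>
X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00
X-Spam-Relay: trusted=, untrusted=[ ip=198.51.100.200 rdns=lists.example.com helo=lists.example.com by=mail.example.org ident= envfrom= intl=0 id=G7H8I9 auth= msa=0 ]
Subject: newsletter

body
"""


def spam_verdict(raw):
    """(is_spam, score, required) from X-Spam-Status; None if the header is
    missing or not in the expected form (e.g. the message never saw SA)."""
    status = message_from_string(raw).get("X-Spam-Status")
    if status is None:
        return None
    m = SPAM_STATUS_RE.match(" ".join(status.split()))  # unfold the header
    if not m:
        return None
    return (m.group(1).lower() == "yes", float(m.group(2)), float(m.group(3)))


def untrusted_relay_ips(raw, header="X-Spam-Relay"):
    """IPs listed in the untrusted= part of the relay header, in the order SA
    lists them, with loopback/private hops dropped."""
    value = message_from_string(raw).get(header)
    if value is None:
        return []
    # Header is "trusted=[...] ..., untrusted=[...] [...]"; keep the tail.
    _, _, untrusted = " ".join(value.split()).partition("untrusted=")
    ips = []
    for ip in RELAY_IP_RE.findall(untrusted):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if any(addr in net for net in INTERNAL_NETS):
            continue
        ips.append(ip)
    return ips


def relay_ips_for_spam(raw, min_score):
    """IPs worth recording for this message, or [] if it is not spam at or
    above min_score. Scores are heuristic, so keep min_score well above
    'required' to keep borderline mail out of the statistics."""
    verdict = spam_verdict(raw)
    if verdict is None or not verdict[0] or verdict[1] < min_score:
        return []
    return untrusted_relay_ips(raw)


def log_record(raw, min_score):
    """One log line per qualifying message (format is my own choice), or None."""
    ips = relay_ips_for_spam(raw, min_score)
    if not ips:
        return None
    return f"spamrelays: score={spam_verdict(raw)[1]:.1f} ips={','.join(ips)}"


if __name__ == "__main__":
    for name, raw in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        print(name, log_record(raw, 10.0))
```

In a real delivery the message comes on stdin from procmail or maildrop and the returned line goes to syslog; the threshold passed to relay_ips_for_spam is the "overscore" the poster mentions later in the thread, deliberately above the required score.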

  4. Re: Logging IP addresses of spammer's SMTP

    Thanks. I did a slight change in Received.pm to log only untrusted
    relays, all on one line for each mail (by enabling my own debug channel).
    Now I'm going to write an analyzer which will walk through the spamd log
    daily and collect these records (only for spam with a defined overscore)
    and add some host information (whois).

    I know it's a bad idea to feed my blacklist directly, so I will check
    and edit the output by hand and after that add it to the RBL. This won't
    be too much work, as most spam is coming to me from only a few IPs (or IP
    ranges) at this time.
    > Thinline Maillist wrote:
    >> Hi,
    >>
    >> I'd like to log IPs from "Received" headers to spamd's log file for
    >> statistics and further analysis (but only from messages marked as
    >> spam).
    >> I tried to modify the code of spamd program, but unsuccessfully,
    >> since I chose to add it to parse_headers() subroutine, where only
    >> protocol specific headers are parsed (as it seems to me).

    >
    > parse_received_headers() (in Received.pm) is the function that parses
    > the Received headers. it puts the relays in one of the X-Foo-Relays
    > meta headers (trusted, Untrusted, Internal, External).
    >
    > but if you do what you intend to do, be cautious:
    > - SA is about heuristics: it doesn't say that a message is spam or
    > not. it gives you a score. this may be right. this may be wrong.
    > - if your trust path is misconfigured, the results may be arbitrary
    > - you can get spam from "good" relays (mailing lists, subscribed to
    > newsletters, ... etc).
    >
    > it is safer to use the results as a "reputation measure" instead of
    > directly feeding a blacklist.
    >
    >
    >> This is probably not a right piece of source where to place this
    >> feature.
    >> I'm not a Perl programmer nor SA expert, so has anyone with more
    >> experience some idea, how to log spammers remote IPs? Thanks.

    >
    > if you don't want to code anything, just configure SA to add its meta
    > headers (you only need the untrusted relays header) then when you
    > deliver the message, use an MDA that can log this header (maildrop,
    > procmail, or even a silly shell script with a 'grep -m 1
    > "^X-Untrusted-Relays:"' call).
    >
    >



  5. Re: Logging IP addresses of spammer's SMTP

    On Wed, 2008-09-03 at 12:01 +0200, Thinline Maillist wrote:
    > Now I'm gonna to write an analyzer, which will walk through spamd log
    > daily and collect these records (only for spam with defined overscore)
    > and add some host information (whois).
    >

    You might consider writing it as an additional logwatch filter. The
    benefit is that logwatch already provides the hooks to prevent a log
    entry from being scanned more than once. Filters are quite easy to write
    and install. I've used gawk, but any scripting or programming language
    should be fine.

    Martin
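As an added example for the daily analyzer Pavel describes and for Martin's point about never scanning a log entry twice (my code, not from the thread, SpamAssassin or logwatch): a Python script that reads only the lines appended to the spamd log since the previous run, keeps the records at or above a score threshold, and tallies hits per IP and per /24 so that ranges stand out for manual review and whois lookup. The thread does not show what Pavel's debug channel prints, so the record format (spamrelays: score=... ips=...) is an assumption, and the sample log lines, addresses and times are constructed; the "processing message" line is filler the parser has to skip.

```python
import os
import re
import json
import tempfile
import ipaddress
from collections import Counter

# Assumed record format (hypothetical; the thread does not show the real one):
#   Sep  3 12:01:07 mx spamd[1234]: spamrelays: score=15.3 ips=198.51.100.77,203.0.113.5
RECORD_RE = re.compile(r"spamrelays: score=(-?[\d.]+) ips=(\S*)")

# Constructed sample log: documentation-range addresses, made-up times.
SAMPLE_LOG = """\
Sep  3 12:01:07 mx spamd[1234]: spamrelays: score=15.3 ips=198.51.100.77,203.0.113.5
Sep  3 12:02:11 mx spamd[1234]: spamrelays: score=4.1 ips=203.0.113.9
Sep  3 12:03:00 mx spamd[1234]: processing message <x1@example.net> for pavel:1000
Sep  3 12:05:43 mx spamd[1234]: spamrelays: score=22.0 ips=203.0.113.17
Sep  3 12:07:02 mx spamd[1234]: spamrelays: score=11.8 ips=203.0.113.5
Sep  3 12:09:30 mx spamd[1234]: spamrelays: score=9.4 ips=198.51.100.77
"""


def parse_record(line):
    """(score, [ips]) for a relay record line, None for any other log line."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    return float(m.group(1)), [ip for ip in m.group(2).split(",") if ip]


def aggregate(lines, min_score):
    """Hits per IP, plus the set of IPs seen per /24 (or /64 for IPv6), counting
    only records at or above min_score (the "overscore" in the thread)."""
    by_ip = Counter()
    hosts_in_net = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec[0] < min_score:
            continue
        for ip in rec[1]:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # garbage in the log is not worth a crash
            prefix = 24 if addr.version == 4 else 64
            net = str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
            by_ip[ip] += 1
            hosts_in_net.setdefault(net, set()).add(ip)
    return by_ip, hosts_in_net


def candidates(by_ip, hosts_in_net, min_hits=2, min_hosts=2):
    """Review list: ranges with several distinct sending hosts, then single IPs
    seen repeatedly. Input for a human plus whois, not a blacklist feed: a
    listed host may be a mailing list or a newsletter sender."""
    out = []
    for net, hosts in sorted(hosts_in_net.items()):
        if len(hosts) >= min_hosts:
            out.append(("net", net, sum(by_ip[h] for h in hosts)))
    for ip, hits in by_ip.most_common():
        if hits >= min_hits:
            out.append(("ip", ip, hits))
    return out


def read_new_lines(path, state):
    """Lines appended since the byte offset saved in state, so no entry is
    counted twice across daily runs. A file shorter than the saved offset has
    been rotated, so reading restarts from the beginning."""
    offset = state.get("offset", 0)
    if os.path.getsize(path) < offset:
        offset = 0
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
        state["offset"] = f.tell()
    return data.decode("utf-8", "replace").splitlines()


def load_state(path):
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}


def save_state(path, state):
    with open(path, "w") as f:
        json.dump(state, f)


def incremental_demo():
    """Two 'daily' runs over a growing log: the second sees only the new line.
    Returns (lines read on run 1, records parsed on run 2)."""
    with tempfile.TemporaryDirectory() as d:
        log, state_file = os.path.join(d, "spamd.log"), os.path.join(d, "state.json")
        with open(log, "w") as f:
            f.write(SAMPLE_LOG)
        state = load_state(state_file)
        first = len(read_new_lines(log, state))
        save_state(state_file, state)
        with open(log, "a") as f:
            f.write("Sep  4 08:00:00 mx spamd[1234]: spamrelays: score=13.0 ips=203.0.113.17\n")
        state = load_state(state_file)
        second = [parse_record(l) for l in read_new_lines(log, state)]
        return first, second
```

A cron job would call load_state, read_new_lines, aggregate, candidates and save_state in that order, merge the counts into a running total and hand the candidate list to whoever reviews it; the /24 grouping is what makes "a few IP ranges" visible when the individual hosts rotate.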

