validrcpt2rbl

USE WITH CAUTION: While this script did block a lot of addresses, I found a few false positives cropped up. A trainable spam filter like dspam might be better.

Sooner or later, some spammer will start bombarding your mail server with Dictionary Spamming or Directory Harvest Attacks. They will flood your server attempting to deliver to randomly or semi-randomly generated email addresses in order to force some spam through and/or discover valid email addresses on your server.

Looking in your SMTP logs, you see dozens, hundreds, maybe even thousands of messages to addresses such as:

TiarankMccracken@yourdomain.com
LorimembraneWalden@yourdomain.com
marisubsidiary@yourdomain.com
marylouantherdow@yourdomain.com

John Simpson's validrcptto.cdb patch is the best place to start with minimizing the impact of these spam attacks on your server. Rather than wasting resources on your server accepting the message and doing virus and spam scans on it before finding out that the user doesn't exist, you can reject the message right in the SMTP connection.
The validrcptto.cdb patch supports a VALIDRCPTTO_LIMIT environment variable which lets you specify how many RCPT commands with nonexistent email addresses will be accepted before the client is hung up on. Unfortunately, most spammers only try one address per SMTP connection so this option is not as effective in practice as it is in theory.
Analysing the information which validrcptto puts into the SMTP log files starts to reveal some interesting information about these dictionary/directory attacks. In some cases the same IP tries repeatedly over the span of a day, week, even months to send mail. In other cases, an IP address only tries once, but there are dozens, hundreds or even thousands of IP addresses doing that.
Once you are using validrcptto on your server, minimal system resources are spent dealing with these connections. But if you have implemented an internal RBL with rbldns, you could add these spammer IPs to your blacklist and waste even less time and resources. Plus, in the event that one of these spammer IPs does hit a legitimate email address on your server, it still won't be accepted!

validrcpt2rbl
The validrcpt2rbl script is my solution to parse SMTP service logs and extract IP addresses of spammers who are trying to use dictionary attacks to find legitimate addresses on my server. At the same time, I also don't want to block legitimate senders who might have misspelled an email address.

How it works
Firstly, the script counts how many times each IP address has triggered validrcptto "errors" with non-existent email addresses. If an IP address has triggered more than 10 times, it will be added to the RBL. It IS possible that the IP could be a legitimate sender; however, they aren't being very careful about making sure that they are properly addressing their message.
Secondly, the script looks at all the non-existent email addresses and determines the likelihood that they are a legitimate typo versus an address forged by a spammer. It determines this by calculating the Levenshtein distance between the non-existent address and the addresses that do exist on the server (pulled from /var/qmail/control/validrcptto.cdb). If the non-existent address has a Levenshtein distance of 5 or less compared to one of the legitimate addresses, then the sender's IP will not be blacklisted. The distance of 5 should be conservative enough to prevent accidentally blacklisting an IP due to an accidental misspelling of an email address.
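The two rules above, worked through as an added example (written here in Python, not the author's Perl script): the log line layout, the sample IPs and the valid-address list are all constructed for the example, so adapt LINE_RE to what your qmail-smtpd actually logs. It assumes the ">10 errors" rule wins regardless of the typo check, and that an IP with fewer errors is only listed when at least one of its rejected addresses is not within 5 edits of any real mailbox.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines; the layout is assumed for this example and is not
# the exact text validrcptto writes to the SMTP log. Adjust LINE_RE as needed.
SAMPLE_LOG = "\n".join(
    ["validrcptto: 203.0.113.5 rejected TiarankMccracken@example.com",
     "validrcptto: 198.51.100.7 rejected jonh@example.com"]
    + ["validrcptto: 192.0.2.9 rejected jhon@example.com"] * 11
)

# Stand-in for the addresses read from /var/qmail/control/validrcptto.cdb.
VALID_ADDRESSES = {"john@example.com", "mary@example.com", "sales@example.com"}

LINE_RE = re.compile(r"validrcptto: (\d{1,3}(?:\.\d{1,3}){3}) rejected (\S+)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), the same measure Text::LevenshteinXS gives."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def plausible_typo(addr: str, valid: set, max_distance: int = 5) -> bool:
    """True if addr is within max_distance edits of some real mailbox."""
    return any(levenshtein(addr.lower(), v) <= max_distance for v in valid)


def select_blacklist(log_text: str, valid: set, threshold: int = 10, max_distance: int = 5) -> dict:
    """Return {ip: reason} for the IPs that should be added to the RBL."""
    errors = Counter()            # validrcptto errors per IP
    forged = defaultdict(bool)    # per IP: sent an address that looks invented?
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, addr = m.groups()
        errors[ip] += 1
        if not plausible_typo(addr, valid, max_distance):
            forged[ip] = True
    result = {}
    for ip, n in errors.items():
        if n > threshold:
            result[ip] = f"{n} validrcptto errors"
        elif forged[ip]:
            result[ip] = "address not within edit distance of any valid mailbox"
    return result
```

Run it with `-v`-style output by printing `select_blacklist(SAMPLE_LOG, VALID_ADDRESSES)`: the one-shot forged sender and the 11-error sender are listed, the single misspelling is not.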

Prerequisites
In order to use this script, there are a few things that your server should have:

  • validrcptto.cdb - probably installed as part of John Simpson's Combined Patch
  • convert-multilog - Another John Simpson work, the convert-multilog script will, among other things, break up your SMTP log into individual daily files. This will allow us to easily use validrcpt2rbl on a daily basis.
  • RBL black and whitelists - This whole exercise is pointless without a blacklist to put the IP addresses into. It's also prudent to have a whitelist in the event that legitimate sender IPs get blacklisted. The rbldns installation instructions on this site explain how to set up white and blacklists.
  • Perl modules - the script requires the Tie::Hash::MultiValue, Text::LevenshteinXS and CDB_File modules for Perl. They can be installed from CPAN.

Installation

cd /usr/local/bin
wget http://www.dwadson.com/files/scripts/validrcpt2rbl.pl
mv validrcpt2rbl.pl validrcpt2rbl
chmod ugo+x validrcpt2rbl

Running the script

Usage: validrcpt2rbl [ -a ] [ -n <number> ] [ -h ] [ -q ] <logfile> [ <logfile2> ... ]
  -a
      Add the files to the RBL, otherwise display results only.
  -n <number>
      Specify the number of validrcptto errors needed to blacklist an IP.
  -h
      Display full help text.
  -v
      Verbose - display the IP addresses being blacklisted.

Credits

Various bits of code, scripts, and procedures were put together with information from John Simpson's qmail.jms1.net website. It's an excellent resource on managing and setting up a Qmail server.
