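#!/bin/perl
#
#
# THIS SCRIPT HAS BEEN REPLACED WITH popauth!
#
#
#---------------------------------------------------------------------
# :TITLE:
# erapers.pl
# Block email harvesters aka email rapers.
#
# :DESCRIPTION:
# People try random usernames on mail servers. This script watches the maillog file
# and adds a block when someone submits an email with over 4 incorrect addresses.
#
# :VERSION:
# .02 added, the (may be forged) in the regex
# .01 original version
#
# :INSTALL:
# set up the start stop script and a cron job. Check notes at end of this
# file. Also, the rc.d (or inetd for Linux people) scripts are at the end of
# this file.
#
# :AUTHOR:
# Tue Sep 17 05:38:26 PDT 2002 , rudy A T monkeybrains net
#---------------------------------------------------------------------

use strict;
use warnings;
use Fcntl qw(:flock SEEK_SET SEEK_END);

# Sendmail access-table fragment this script appends to: one
# "<ip> 550 ..." line per blocked host (rebuilt into access.db by
# $REBUILD_ACCESS, see :NOTES:).
my $RAPER_FILE = '/etc/mail/access.RAPERS';

# Script that regenerates access.db after $RAPER_FILE changed.
my $REBUILD_ACCESS = '/etc/mail/access.command.csh';

# A message with more than this many "User unknown" recipients gets its
# relay host blocked.
my $MAX_UNKNOWN = 4;

# Prefix (first three octets, trailing dot included) used when rc.conf
# yields no usable ifconfig_ line. Edit this for your own site.
my $DEFAULT_NET = '209.237.231.';

# grab the net, so we can relay everything on this network.
my $my_net = detect_local_net('/etc/rc.conf');
$my_net = $DEFAULT_NET unless defined $my_net;
print STDERR "Net = $my_net\n";

# "User unknown" count per sendmail queue id (the "[pid]: qid:" prefix).
# An entry lives from the first unknown recipient until the message's
# "from=" line is seen, which is where the verdict is made.
my %mark_id;

while (my $line = <>) {
    if ($line =~ /\[\d+\]: ([^:]+): [^:]+\.\.\. User unknown/) {
        my $qid = $1;
        $mark_id{$qid}++;
        print "$qid $mark_id{$qid}\n";
    }
    elsif ($line =~ /\[\d+\]: ([^:]+): from.*\[([0-9\.]{7,15})\]( .may be forged.)?$/
           and defined $mark_id{$1}) {
        # Copy the captures first: every later successful match (the
        # $my_net test, the scan of $RAPER_FILE) resets $1/$2, which used
        # to leave the queue id's counter behind in %mark_id forever.
        my ($qid, $ip) = ($1, $2);
        # \Q..\E: $my_net is dotted text, not a pattern.
        if ($mark_id{$qid} > $MAX_UNKNOWN and $ip !~ /^\Q$my_net\E/) {
            block_ip($ip);
        }
        delete $mark_id{$qid};
    }
}

# Return the network prefix (three octets plus trailing dot) found on the
# first ifconfig_ line of $rc_conf, or undef when the file cannot be read
# or the line carries no "inet a.b.c.d". Replaces the old
# `grep ifconfig_ /etc/rc.conf | head -1` pipeline without a shell.
sub detect_local_net {
    my ($rc_conf) = @_;
    open my $fh, '<', $rc_conf or do {
        warn "open $rc_conf: $!\n";
        return;
    };
    my $net;
    while (my $line = <$fh>) {
        next unless $line =~ /ifconfig_/;
        # Same pattern the original substitution used, e.g.
        # ifconfig_fxp0="inet 209.237.231.5 netmask 255.255.255.0"
        if ($line =~ /.*inet\s([0-9\.]{5,11}\.)\d/s) {
            $net = $1;
        }
        last;    # head -1: only the first ifconfig_ line counts
    }
    close $fh;
    return $net;
}

# Append a 550 entry for $ip to $RAPER_FILE unless one is already present,
# then run $REBUILD_ACCESS. The presence check and the append happen under
# one exclusive lock, so two copies of the script cannot both add the line.
# Failures are warned about and the entry is skipped; the caller still
# forgets the queue id.
sub block_ip {
    my ($ip) = @_;
    # '+>>' lets us read the whole file and still append; creates it if
    # missing, as the old ">>" open did.
    open my $fh, '+>>', $RAPER_FILE or do {
        warn "open $RAPER_FILE: $!\n";
        return;
    };
    unless (flock $fh, LOCK_EX) {
        warn "flock $RAPER_FILE: $!\n";
        close $fh;
        return;
    }
    seek $fh, 0, SEEK_SET;
    my $already = 0;
    while (my $entry = <$fh>) {
        # \Q..\E: the dots in $ip must match literally.
        if ($entry =~ /^\Q$ip\E /) {
            $already = 1;
            last;
        }
    }
    unless ($already) {
        my $msg = "$ip 550 $ip blocked due to email harvesting. Contact support\n";
        seek $fh, 0, SEEK_END;
        print {$fh} $msg;
        print $msg;
    }
    flock $fh, LOCK_UN;
    close $fh or warn "close $RAPER_FILE: $!\n";
    unless ($already) {
        # be sure to write this little script! (see :NOTES: below)
        system($REBUILD_ACCESS) == 0
            or warn "$REBUILD_ACCESS failed: $?\n";
    }
    return;
}

__END__

:NOTES:
Adjust the regex's if your mail server spits out a different format in the maillog file.

Sample log lines for sendmail from sendmail 8.12.x.

Sep 17 02:54:07 pizza sm-mta[80948]: g8H90qdf080948: ... User unknown
Sep 17 02:54:07 pizza sm-mta[80948]: g8H90qdf080948: ... User unknown
Sep 17 02:54:08 pizza sm-mta[80948]: g8H90qdf080948: ... User unknown
Sep 17 02:54:09 pizza sm-mta[80948]: g8H9s8df083014: from=, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=paperboy1.cdnow.com [12.33.58.160]

------------------------- access.command.csh -------------------------
#!/bin/csh
chdir /etc/mail/
rm access.source
cat access.source.MANUAL access.pophash access.RAPERS >> access.source
/usr/sbin/makemap hash access.junk < /etc/mail/access.source; mv access.junk.db access.db

------------------------- root's crontab -------------------------
# You need to stop and start this script so it notices the new maillog file...
# newsyslogd rotates the log at midnight (for most mail servers!)
58 23 * * * /usr/local/etc/rc.d/erapers.sh stop
3 0 * * * /usr/local/etc/rc.d/erapers.sh start

------------------------- /usr/local/etc/rc.d/erapers.sh --------------
#!/bin/sh
GREP=/usr/bin/grep
AWK=/usr/bin/awk
LOGGER=/usr/bin/logger
ERAPERS=/usr/local/sbin/erapers
PIDFILE=/var/run/erapers.pid

case "$1" in
stop)
    if [ -f $PIDFILE ]; then
        kill -TERM `cat $PIDFILE`
        $LOGGER -p mail.info "Stopping erapers"
        sleep 1;
    fi
    for BADPID in `/bin/ps -ax | $GREP erapers | $GREP perl | $AWK '{print $1}'`; do
        echo "Bad erapers! killing!"
        sleep 2;
        kill -9 $BADPID
    done
    ;;
-h)
    echo "Usage: `basename $0` { start | stop | restart }"
    ;;
*)
    if [ -f $PIDFILE ]; then
        kill -TERM `cat $PIDFILE`
        $LOGGER -p mail.info "Restarting erapers"
        sleep 1;
    fi
    for BADPID in `/bin/ps -ax | $GREP erapers | $GREP perl | $AWK '{print $1}'`; do
        echo "Bad erapers! killing!"
        sleep 2;
        kill -9 $BADPID
    done
    $LOGGER -p mail.info "Starting erapers"
    $ERAPERS
    ;;
esac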