Email Filtering Script
on 11.04.2006 19:23:49 by amerar
Hi All,
I run my own mailserver, which is running Postfix. I currently have a
few things coded into my config file to take advantage of many of the
blacklists.
However, recently I've been receiving spoofed messages numbering in the
50's or 60's in one day.
I want to code a script that will reject email addresses if their IP is
in a list I create. I know that a .forward file can execute a script,
but how do I program it such that it throws away the email if it
matches an IP on my list?
Thanks!
Re: Email Filtering Script
on 11.04.2006 20:27:26 by Garen Erdoisa
amerar@iwc.net wrote:
> Hi All,
>
> I run my own mailserver, which is running Postfix. I currently have a
> few things coded into my config file to take advantage of many of the
> blacklists.
>
> However, recently I've been receiving spoofed messages numbering in the
> 50's or 60's in one day.
>
> I want to code a script that will reject email addresses if their IP is
> in a list I create. I know that a .forward file can execute a script,
> but how do I program it such that it throws away the email if it
> matches an IP on my list?
>
> Thanks!
>
Not really a good idea because this method might cause you to discard
some good email along with the bad.
In any case, I would use procmail recipe for doing this.
Unix/Linux References:
man procmail
man procmailrc
man procmailsc
man procmailex
============================
# example procmail script that would filter based on a file
# containing a list of individual IP's
LOGFILE=${HOME}/procmail.log
# Define a newline character for use in LOG entries
NL="
"
BLACKLISTIPFILE=${HOME}/blacklist-ip-list.txt
# formail ships with procmail; use a full path if it is not in procmail's PATH
FORMAIL=formail
# Enumerate the Received: headers, and store them in the ${RECEIVEDHEAD} variable.
:0 W
* H ?? 1^1 ^Received:
{
RECEIVEDCOUNT=$=
# note the backticks below that launch an embedded shell script here.
# this stores the received headers into a variable without
# modifying the original lines in the mail. It will at the same
# time reformat those received headers all on one line, and replace
# any multiple tabs and spaces with single spaces. Also it will
# number the received lines which makes it easier later to
# specify which specific received header trace line in the chain that
# you want to parse.
RECEIVEDHEAD=`${FORMAIL} -cX"Received:" |\
cat -n |\
sed -e 's/\t/ /g' -e 's/[ ]\+/ /g' -e 's/^ //' -e 's/^[0-9]\+/&:/' `
# note: on some older systems you might have to replace
#
# [ ]\+ with [ ]\{1,\}
#
# and
#
# ^[0-9]\+ with ^[0-9]\{1,\}
#
# in the above sed line.
# Log what we just got for debugging. comment it out later when
# you are happy with it.
LOG="[$$]$_: Debug: RECEIVEDHEAD=${NL}${RECEIVEDHEAD}${NL}"
LOG="[$$]$_: Debug: RECEIVEDCOUNT=${RECEIVEDCOUNT}${NL}"
}
# extract the IP number from the first received header line
# The regular expression may need to be adjusted depending on
# the mail server software you are using.
# This expression will extract the IP from a Received: header
# line generated by sendmail.
:0
* RECEIVEDHEAD ?? ^1: Received: from .*\(.*\[\/[0-9.]+
{
IP1=${MATCH}
LOG="[$$]$_: Debug: extracted IP ${IP1} from first received header.${NL}"
}
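# Check to see if the ip is in our blacklist file. If so,
# discard the email. The IP1 test skips the lookup when no IP was
# extracted, so an empty value cannot match a blank line in the file.
:0
* IP1 ?? [0-9]
* $ ? grep -Fx "${IP1}" ${BLACKLISTIPFILE}
{
LOG="[$$]$_: Found IP ${IP1} in ${BLACKLISTIPFILE}. Discarding email.${NL}"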
:0
/dev/null
}
# else do whatever
# Deliver the filtered email to inbox.
:0:
${DEFAULT}
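What the recipe's extraction and lookup steps do, as an added example that is not part of the original post: a POSIX shell walk-through run on constructed messages with a Postfix-style Received: header. The awk unfolding is a stand-in for `formail -c`, and the function names, addresses and file names are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread: the recipe's extraction and lookup
# steps run outside procmail against constructed messages.

# Print the client IP from the topmost Received: header of a message on stdin.
# awk unfolds the header (stand-in for `formail -c`); sed applies the recipe's
# pattern  from .*\(.*\[\/[0-9.]+  in POSIX basic-regex syntax.
first_received_ip() {
    awk '
        /^$/         { exit }                     # blank line ends the headers
        /^[ \t]/     { if (inrec) buf = buf " " $0; next }   # folded line
        inrec        { exit }                     # next header: first one done
        /^Received:/ { inrec = 1; buf = $0 }
        END          { if (buf != "") print buf }
    ' | sed -n 's/^Received: from .*(.*\[\([0-9.]\{1,\}\).*/\1/p'
}

# Same whole-line, fixed-string match as the recipe's `grep -Fx`; an empty IP
# (extraction failed) never matches, even if the list contains a blank line.
is_blacklisted() {   # is_blacklisted IP LISTFILE
    [ -n "$1" ] && grep -Fxq -- "$1" "$2"
}

verdict() {          # verdict MESSAGE LISTFILE -> "discard IP" | "deliver IP"
    ip=$(first_received_ip < "$1")
    if is_blacklisted "$ip" "$2"; then
        echo "discard $ip"
    else
        echo "deliver ${ip:-no-ip}"
    fi
}

# Constructed sample data (documentation address ranges).
tmp=$(mktemp -d)
printf '192.0.2.15\n\n198.51.100.7\n' > "$tmp/blacklist"
mkmsg() {            # mkmsg FILE CLIENT_IP: Postfix-style topmost header
    printf 'Received: from mail.example.org (mail.example.org [%s])\n' "$2" > "$1"
    printf '\tby mx.example.net (Postfix) with ESMTP id 4A1B2C3D\n' >> "$1"
    printf 'Received: from [203.0.113.9] (helo=pc) by mail.example.org\n' >> "$1"
    printf 'Subject: constructed sample\n\nbody\n' >> "$1"
}
mkmsg "$tmp/a.eml" 192.0.2.15
mkmsg "$tmp/b.eml" 198.51.100.77
printf 'Subject: no trace headers\n\nbody\n' > "$tmp/c.eml"
for m in a b c; do echo "$m: $(verdict "$tmp/$m.eml" "$tmp/blacklist")"; done
```

Message b shows why the lookup uses `-Fx`: 198.51.100.77 is delivered even though 198.51.100.7 is on the list.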
Re: Email Filtering Script
on 12.04.2006 00:37:09 by Sam
amerar@iwc.net writes:
>
> Hi All,
>
> I run my own mailserver, which is running Postfix. I currently have a
> few things coded into my config file to take advantage of many of the
> blacklists.
>
> However, recently I've been receiving spoofed messages numbering in the
> 50's or 60's in one day.
>
> I want to code a script that will reject email addresses if their IP is
> in a list I create. I know that a .forward file can execute a script,
> but how do I program it such that it throws away the email if it
> matches an IP on my list?
Wrong approach. You did not indicate whether you are running a BSD variant
or Linux. Either way, you have a built-in firewall (iptables on Linux),
which you can use to block all traffic from a fixed list of IP addresses.
Re: Email Filtering Script
on 12.04.2006 15:47:20 by amerar
Sorry about that. I am running Red Hat 9.0.
In addition, that script from Garen looks a bit complex. Is that
really the only way? What about using the /etc/posting/access file to
eliminate the IP's along with the smtpd_client_restrictions parameter?
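One way the access-table approach asked about here could be set up, as an added example that is not from the thread: a shell helper that turns a one-IP-per-line list into a Postfix access(5) table for `check_client_access`. The path /etc/postfix/client_access, the function names and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build a Postfix access(5) table from a
# one-IP-per-line blacklist, for use with check_client_access.

# Succeed only for a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print "IP<TAB>ACTION" for each valid entry in LISTFILE, skipping blanks,
# comments and duplicates. Invalid lines are reported on stderr and make the
# function return 1, so a typo cannot silently reach the mail server.
make_access_table() {   # make_access_table LISTFILE [ACTION]
    action=${2:-REJECT}; rc=0; seen=" "
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "$line" | sed 's/#.*//; s/[[:space:]]//g')
        [ -n "$entry" ] || continue
        if ! valid_ipv4 "$entry"; then
            echo "skipping invalid entry: $line" >&2; rc=1; continue
        fi
        case "$seen" in *" $entry "*) continue ;; esac
        seen="$seen$entry "
        printf '%s\t%s\n' "$entry" "$action"
    done < "$1"
    return "$rc"
}

# Constructed input (documentation address ranges); 300.1.2.3 is a deliberate typo.
tmp=$(mktemp -d)
printf '192.0.2.15\n# test net\n198.51.100.7  # spammer\n192.0.2.15\n300.1.2.3\n' > "$tmp/list"
make_access_table "$tmp/list" > "$tmp/client_access" || echo "list has errors" >&2
cat "$tmp/client_access"

# Install as root (assumed path), then reload Postfix:
#   postmap hash:/etc/postfix/client_access
# main.cf, placed ahead of any existing restrictions:
#   smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_access
```

Passing `DISCARD` as the second argument makes Postfix accept and silently drop the mail instead of rejecting it during the SMTP session.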
Re: Email Filtering Script
on 13.04.2006 01:11:47 by Sam
amerar@iwc.net writes:
>
> Sorry about that. I am running Red Hat 9.0.
>
> In addition, that script from Garen looks a bit complex. Is that
> really the only way? What about using the /etc/posting/access file to
> eliminate the IP's along with the smtpd_client_restrictions parameter?
Beats me. When I opened your message, the above is the only thing I saw,
with absolutely no indication of what you were referring to.
I read a lot of messages every day, from many people, and I can't remember
every detail of every message that I might've read a couple of days ago. So
when I read this latest reply of yours, I had no idea what you were talking
about.
Of course, I could go out and search this newsgroup for whatever message
you've replied to, and read up on it to refresh my memory. But asking other
people to do this is rather rude. If you notice, when everyone else
replies, they include the relevant portion of the message they're replying
to, in their reply, just like I did now.
This is common courtesy, and you need to learn to do the same.
And before you reply any further, I'm pretty sure that it's a good idea for
you to also read the following:
http://en.wikipedia.org/wiki/Top-posting
Re: Email Filtering Script
on 13.04.2006 14:49:42 by Frank Slootweg
Sam wrote:
> amerar@iwc.net writes:
>
> > Sorry about that. I am running Red Hat 9.0.
> >
> > In addition, that script from Garen looks a bit complex. Is that
> > really the only way? What about using the /etc/posting/access file to
> > eliminate the IP's along with the smtpd_client_restrictions parameter?
>
> Beats me. When I opened your message, the above is the only thing I saw,
> with absolutely no indication of what you were referring to.
>
> I read a lot of messages every day, from many people, and I can't remember
> every detail of every message that I might've read a couple of days ago. So
> when I read this latest reply of yours, I had no idea what you were talking
> about.
>
> Of course, I could go out and search this newsgroup for whatever message
> you've replied to, and read up on it to refresh my memory. But asking other
> people to do this is rather rude. If you notice, when everyone else
> replies, they include the relevant portion of the message they're replying
> to, in their reply, just like I did now.
>
> This is common courtesy, and you need to learn to do the same.
Your criticism is justified, but "Of course, I could go out and search
this newsgroup for whatever message you've replied to, and read up on it
to refresh my memory." is rather over the top. It indicates a severe
limitation in your newsreader or your unfamiliarity with its
capabilities. No "search" should be necessary. Every decent newsreader,
'even' Outlook Express, has a 'show parent article' facility. For mine,
tin, it's just one keypress, 'u' (up the tree). Big deal!
So feel free to criticize and educate people, but please use valid
arguments. The "search" one isn't.
> And before you reply any further, I'm pretty sure that it's a good idea for
> you to also read the following:
>
> http://en.wikipedia.org/wiki/Top-posting