From b4e19988a065c66149d23d498e37cc19a72947dc Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Mon, 20 Mar 2006 03:52:50 +0000
Subject: Add script that will download a list of email addresses from a site then compare each grey listing entry in spamd against the downloaded list for dictionary attackers, etc. Spam trap the dictionary attackers email to address and also add the server ip address to the blacklist.
---
packages/spamd_verify_to_address.php | 125 +++++++++++++++++++++++++++++++++++
1 file changed, 125 insertions(+)
create mode 100644 packages/spamd_verify_to_address.php
diff --git a/packages/spamd_verify_to_address.php b/packages/spamd_verify_to_address.php
new file mode 100644
index 00000000..cca3bba7
--- /dev/null
+++ b/packages/spamd_verify_to_address.php
@@ -0,0 +1,125 @@
+#!/usr/local/bin/php -q
+","",$grey_lower);
+ $grey_split = split("\|", $grey_lower);
+ $email_from = strtolower($grey_split[2]);
+ $email_to = strtolower($grey_split[3]);
+ $server_ip = strtolower($grey_split[1]);
+ if(in_array($server_ip, $current_blacklist)) {
+ if($debug)
+ echo "$server_ip already in blacklist.\n";
+ continue;
+ }
+ if($debug)
+ echo "Testing $email_from | $email_to \n";
+ if (in_array($email_to, $valid_list)) {
+ if($debug)
+ echo "$email_to is in the valid list\n";
+ } else {
+ /* spammer picked the wrong person to mess with */
+ if($server_ip) {
+ if($debug)
+ echo "/usr/local/sbin/spamdb -a $server_ip -t\n";
+ exec("/usr/local/sbin/spamdb -d {$server_ip} 2>/dev/null");
+ exec("/usr/local/sbin/spamdb -d {$server_ip} -T 2>/dev/null");
+ exec("/usr/local/sbin/spamdb -d {$server_ip} -t 2>/dev/null");
+ if($debug)
+ echo "/usr/local/sbin/spamdb -a \"<$email_to>\" -T\n";
+ exec("/usr/local/sbin/spamdb -a \"<$email_to>\" -T");
+ system("echo $server_ip >> /var/db/blacklist.txt");
+ $result = mwexec("/usr/local/sbin/spamdb -a $server_ip -t");
+ } else {
+ if($debug)
+ echo "Could not locate server ip address.";
+ }
+ if($debug)
+ echo "Script result code: {$result}\n";
+ }
+}
+
+mwexec("killall -HUP spamlogd");
+
+if($debug) {
+ echo "Items trapped: ";
+ system("spamdb | grep TRAPPED | wc -l");
+ echo "Items spamtrapped: ";
+ system("spamdb | grep SPAMTRAP | wc -l");
+}
+
+mwexec("/sbin/pfctl -q -t blacklist -T replace -f /var/db/blacklist.txt");
+mwexec("/sbin/pfctl -t blacklist -T show | cut -d\" \" -f4 > /var/db/blacklist.txt");
+
+if($debug) {
+ echo "Items in blacklist.txt: ";
+ system("/sbin/pfctl -t blacklist -T show | wc -l");
+}
+
+?>
-- cgit v1.2.3
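Review bot: `$email_to` and `$server_ip` are interpolated unescaped into shell command strings in the else-branch: the `spamdb -a \"<$email_to>\" -T` exec, the three `spamdb -d {$server_ip}` execs, `system("echo $server_ip >> /var/db/blacklist.txt")` and the final `mwexec`. Judging by `$grey_split` and the commit message, these fields come from spamd greylist entries, where the recipient address is whatever the remote SMTP client sent, so shell metacharacters in it would be interpreted by the shell. The lines that read the entries are missing from this page, so the origin should be confirmed. Each value should go through `escapeshellarg()`, a `$server_ip` that does not parse as an IP address should be rejected, and the append to blacklist.txt should be done from PHP rather than through `echo`. Separately, `$result` is echoed by the debug line even on the path where it was never assigned.

```php
// … unchanged: blacklist and valid-list checks …
if ($server_ip && filter_var($server_ip, FILTER_VALIDATE_IP)) {
    $ip_arg = escapeshellarg($server_ip);
    $to_arg = escapeshellarg("<{$email_to}>");
    // … unchanged: debug echo …
    exec("/usr/local/sbin/spamdb -d {$ip_arg} 2>/dev/null");
    exec("/usr/local/sbin/spamdb -d {$ip_arg} -T 2>/dev/null");
    exec("/usr/local/sbin/spamdb -d {$ip_arg} -t 2>/dev/null");
    // … unchanged: debug echo …
    exec("/usr/local/sbin/spamdb -a {$to_arg} -T");
    file_put_contents("/var/db/blacklist.txt", "{$server_ip}\n", FILE_APPEND);
    $result = mwexec("/usr/local/sbin/spamdb -a {$ip_arg} -t");
} else {
// … unchanged: "Could not locate server ip address." branch …
```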