Attached is a plugin to implement the 'greylisting' algorithm proposed by Ed Harris at http://projects.puremagic.com/greylisting/ (and posted to the list a couple of weeks back by Jim Winstead). Greylisting is basically a more sophisticated version of denysoft filtering that tracks connections via (some or all of) a triplet of remote ip / sender / recipient, and uses timeout periods instead of simple connection counts or rates. The paper above is good reading if you're interested.
This is only lightly tested so far, so let me know of any issues. Results thus far: this is currently culling 70+% of my spam before any other filters get applied. Interestingly, I'm not seeing any great difference between tracking just ip addresses and using Harris' triplet (<5%), although the latter is obviously harder for a spammer to workaround. Cheers, Gavin
=head1 NAME denysoft_greylist =head1 DESCRIPTION Plugin to implement the 'greylisting' algorithm proposed by Ed Harris in http://projects.puremagic.com/greylisting/. Greylisting is a form of denysoft filter, where unrecognised new connections are temporarily denied for some initial period, to foil spammers using fire-and-forget spamware, http_proxies, etc. Greylisting adds two main features: it tracks incoming connections using a triplet of remote IP address, sender, and recipient, rather than just using the remote IP; and it uses a set of timeout periods (black/grey/white) to control whether connections are allowed, instead of using connection counts or rates. This plugin allows connection tracking on any or all of IP address, sender, and recipient (but uses IP address only, by default), with configurable greylist timeout periods. A simple dbm database is used for tracking connections. Relayclients are always allowed through. =head1 CONFIG The following parameters can be passed to denysoft_greylist: =over 4 =item remote_ip <bool> Whether to include the remote ip address in tracking connections. Default: 1. =item sender <bool> Whether to include the sender in tracking connections. Default: 0. =item recipient <bool> Whether to include the recipient in tracking connections. Default: 0. =item black_timeout <timeout_seconds> The initial period, in seconds, for which we issue DENYSOFTs for connections from an unknown (or timed out) IP address and/or sender and/or recipient (a 'connection triplet'). Default: 1 hour. =item grey_timeout <timeout_seconds> The subsequent 'grey' period, after the initial black blocking period, when we will accept a delivery from a formerly-unknown connection triplet. If a new connection is received during this time, we will record a successful delivery against this IP address, which whitelists it for future deliveries (see following). Default: 3 hours. =item white_timeout <timeout_seconds> The period after which a known connection triplet will be considered stale, and we will issue DENYSOFTs again. New deliveries reset the timestamp on the address and renew this timeout. Default: 36 days. =item testonly <bool> Testing flag - if this is set we log and track connections as normal, but never actually issue DENYSOFTs. Useful for seeding the database and testing without actually impacting deliveries. Default: 0. =back =head1 AUTHOR Written by Gavin Carr <[EMAIL PROTECTED]>. =cut BEGIN { @AnyDBM_File::ISA = qw(DB_File GDBM_File NDBM_File) } use AnyDBM_File; use Fcntl; my ($QPHOME) = ($0 =~ m!(.*?)/([^/]+)$!); my $DBDIR = -d "$QPHOME/var/db" ? "$QPHOME/var/db" : "$QPHOME/config"; my $DB = "$DBDIR/denysoft_greylist.dbm"; my $BLACK_DEFAULT = 1 * 3600 - 5 * 60; my $GREY_DEFAULT = 3 * 3600 + 10 * 60; my $WHITE_DEFAULT = 36 * 24 * 3600; sub register { my ($self, $qp, %arg) = @_; $self->{_greylist_ip} = $arg{remote_ip}; $self->{_greylist_sender} = $arg{sender}; $self->{_greylist_rcpt} = $arg{recipient}; $self->{_greylist_ip} = 1 if ! defined $self->{_greylist_ip}; $self->{_greylist_sender} = 0 if ! defined $self->{_greylist_sender}; $self->{_greylist_rcpt} = 0 if ! defined $self->{_greylist_rcpt}; $self->{_greylist_black} = $arg{black_timeout} || $BLACK_DEFAULT; $self->{_greylist_grey} = $arg{grey_timeout} || $GREY_DEFAULT; $self->{_greylist_white} = $arg{white_timeout} || $WHITE_DEFAULT; $self->{_greylist_testonly} = $arg{testonly}; # denysoft_greylist called from mail hook unless tracking recipients # Issue the DENYSOFT during rcpt, or post_data for null senders (smtp probes) $self->register_hook("mail", "mail_handler") unless $self->{_greylist_rcpt}; $self->register_hook("rcpt", "rcpt_handler"); $self->register_hook("post_data", "data_handler"); } sub mail_handler { my ($self, $transaction, $sender) = @_; my ($status) = $self->denysoft_greylist($transaction, $sender); $transaction->notes('denysoft_greylist', "This mail is temporarily denied") if $status == DENYSOFT; return (DECLINED); } sub rcpt_handler { my ($self, $transaction, $rcpt) = @_; my $sender = $transaction->sender; if ($self->{_greylist_rcpt}) { my ($status) = $self->denysoft_greylist($transaction, $sender, $rcpt); $transaction->notes('denysoft_greylist', "This mail is temporarily denied") if $status == DENYSOFT; } # SMTP probe workaround - defer DENYSOFT to post data if no sender address if ($sender->address) { my $note = $transaction->notes('denysoft_greylist'); return (DENYSOFT, $note) if $note; } return (DECLINED); } sub data_hander { my ($self, $transaction) = @_; my $note = $transaction->notes('denysoft_greylist'); return (DENYSOFT, $note) if $note; return (DECLINED); } sub denysoft_greylist { my ($self, $transaction, $sender, $rcpt) = @_; # Always allow relayclients return (DECLINED) if exists $ENV{RELAYCLIENT}; my $remote_ip = $self->qp->connection->remote_ip; my $fmt = "%s:%d:%d:%d"; # Check denysoft db tie my %db, 'AnyDBM_File', $DB, O_CREAT|O_RDWR, 0600 or return (DECLINED); my @key; push @key, $remote_ip if $self->{_greylist_ip}; push @key, $sender->address || '' if $self->{_greylist_sender}; push @key, $rcpt->address if $rcpt && $self->{_greylist_rcpt}; my $key = join ':', @key; my ($ts, $new, $black, $white) = (0,0,0,0); if ($db{$key}) { ($ts, $new, $black, $white) = split /:/, $db{$key}; $self->log(5, "ts: " . localtime($ts) . ", now: " . localtime); if (! $white) { # Black IP - deny, but don't update timestamp if (time - $ts < $self->{_greylist_black}) { $db{$key} = sprintf $fmt, $ts, $new, ++$black, 0; $self->log(2, "key $key black DENYSOFT - $black failed connections"); untie %db; return ($self->{_greylist_testonly} ? DECLINED : DENYSOFT); } # Grey IP - accept unless timed out elsif (time - $ts < $self->{_greylist_grey}) { $db{$key} = sprintf $fmt, time, $new, $black, 1; $self->log(2, "key $key updated grey->white"); untie %db; return (DECLINED); } else { $self->log(3, "key $key has timed out (grey)"); } } # White IP - accept unless timed out else { if (time - $ts < $self->{_greylist_white}) { $db{$key} = sprintf $fmt, time, $new, $black, ++$white; $self->log(2, "key $key is white, $white deliveries"); untie %db; return (DECLINED); } else { $self->log(3, "key $key has timed out (white)"); } } } # New ip or entry timed out - record new and return DENYSOFT $db{$key} = sprintf $fmt, time, ++$new, $black, 0; untie %db; $self->log(2, "key $key initial DENYSOFT, unknown"); return ($self->{_greylist_testonly} ? DECLINED : DENYSOFT); } 1;
