I've posted a new version of the uri_badip plugin I sent to the list a week or two ago:
http://devin.com/qpsmtpd/uri_badip

As noted last time, uri_badip scans mail for URIs, looks up the hostname and rejects or flags based on whether those IPs appear in a configured list of network ranges. This lets one catch spam advertising websites hosted by spam-friendly ISPs, even when the spammer is using a freshly registered domain name not yet recorded in one of the SURBL lists.

Changes:

- Entries in the config file can now also specify a particular description for the range, after some whitespace, which will be noted parenthetically in any header/reject message in the same style as is usual for rhsbl/uribl messages.

- Switched from Net::CIDR::Lite to Net::CIDR, which is less costly for this particular sort of test and made it possible to implement range messaging. IP1-IP2 style ranges are now permissible in addition to CIDRs, which is handy if you're working from WHOIS data to add new entries to the list.

- Implemented domain name folding. This is an attempt to reduce lookup costs for cases where the spammer has stuffed the mail with many wildcarded URIs, e.g. word1.spamdomain.biz, word2.spamdomain.biz, etc. Folding is available at any depth (it mainly makes sense at 2, which would fold this case into a single query on spamdomain.biz, or into the first observed host in that subdomain, hence a single query on word1.spamdomain.biz).

- Added support for a hard-limit on how many queries to perform for a given message; helps mitigate the risk of spammers or other attackers stuffing in arbitrary hostnames simply to incur an extra burden on the qpsmtpd host.

- Corrected a few log entries in code copied from uribl that still used "URIBL" in header messages.

-- 
Devin  \ aqua(at)devin.com, 1024D/E9ABFCD2; http://www.devin.com
Carraway \ IRC: Requiem GCS/CC/L s-:--- !a !tv C++++$ ULB+++$ O+@ P L+++
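An added illustration of the checks described in the post above: range entries with descriptions (CIDR or IP1-IP2), domain name folding at a chosen depth, and the per-message query cap. It is written in Python rather than the plugin's Perl and is not the uri_badip code; the function names, the injected `resolve` callback and all sample hosts, addresses and descriptions are constructed assumptions.

```python
import ipaddress

def parse_ranges(lines):
    """Parse 'CIDR [description]' or 'IP1-IP2 [description]' entries."""
    ranges = []
    for parts in (l.split(None, 1) for l in lines if l.strip()):
        # First field is the range, anything after whitespace is the description.
        spec, desc = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if "-" in spec:                      # IP1-IP2 style range
            lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
            nets = list(ipaddress.summarize_address_range(lo, hi))
        else:                                # CIDR
            nets = [ipaddress.ip_network(spec, strict=False)]
        ranges.append((nets, desc))
    return ranges

def fold_hosts(hosts, depth=2, first_host=False):
    """Collapse hosts sharing their last `depth` labels into one lookup name."""
    folded = {}
    for h in hosts:
        h = h.lower().rstrip(".")
        key = ".".join(h.split(".")[-depth:])
        # Query either the shared parent domain or the first host seen under it.
        folded.setdefault(key, h if first_host else key)
    return list(folded.values())

def scan(hosts, ranges, resolve, depth=2, max_queries=10, first_host=False):
    """Return (hits, queries); stops resolving once max_queries is reached."""
    hits, queries = [], 0
    for name in fold_hosts(hosts, depth, first_host):
        if queries >= max_queries:           # hard limit per message
            break
        queries += 1
        for ip in resolve(name):
            addr = ipaddress.ip_address(ip)
            hits += [(name, ip, desc) for nets, desc in ranges
                     if any(addr in n for n in nets)]
    return hits, queries

# Constructed sample data (documentation address ranges, made-up descriptions).
CONFIG = ["192.0.2.0/24 constructed spam-friendly ISP",
          "198.51.100.10-198.51.100.20\tconstructed WHOIS range"]
HOSTS = ["word1.spamdomain.biz", "word2.spamdomain.biz", "word3.spamdomain.biz",
         "www.example.org", "shop.example.net"]
DNS = {"spamdomain.biz": ["192.0.2.45"], "word1.spamdomain.biz": ["192.0.2.45"],
       "example.org": ["203.0.113.7"], "example.net": ["198.51.100.15"]}

def resolve(name):                           # stand-in for a real DNS lookup
    return DNS.get(name, [])
```

Calling `scan(HOSTS, parse_ranges(CONFIG), resolve)` performs three lookups for the five hostnames; with `max_queries=1` it stops after the first folded name.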