Emmanuel Dreyfus wrote:
> This is not related to milter-greylist, but perhaps you guys have some
> experience on the topic:
>
> My domain is under a flood of spams for viagra. All the messages are
> different. The only thing they have in common is that the URL they
> contain resolves to the same IP address (the domain name of the URL is
> also different on each spam I saw). The IP is 211.144.68.87, FWIW.
>
> In order to filter that, I should grab the URL from the message,
> resolve the address and blacklist if it's the infamous IP.
I don't know if this is helpful for you, but maybe it is.
Some time ago I had a similar problem and wrote a small
script in Python. It reads a single mail from stdin,
scans it for HTTP links, extracts the domain name, tries
to resolve the IP address and compares it with a hardcoded
list of addresses. It exits with code 1 if a match is
found, otherwise exit code 0. I call it using maildrop
(see http://www.courier-mta.org/maildrop/ ) from my user's
~/.mailfilter file, but you can also use it with procmail
or any other local delivery agent. Maybe it can also
be called from the MTA, but I haven't tried that.
Here's the script:
#!/usr/bin/env python
import re, socket, sys

ip_blacklist = ( # These are just examples!
    "1.2.3.4", "33.55.77.99", "100.50.200.5",
    "221.221.147.254", "211.233.178.123"
)
# Capture the host part of every http:// link in the message body
url_regexpr = r"http://([-.a-z0-9]+\.[a-z]{2,})"
verbose = False

regex = re.compile(url_regexpr, re.I | re.M)
# Map each blacklisted address to its index so membership tests are O(1)
black = dict(zip(ip_blacklist, range(len(ip_blacklist))))

for match in regex.finditer(sys.stdin.read()):
    name = match.group(1)
    try:
        ip = socket.gethostbyname(name)
        if verbose:
            print(name, "-->", ip)
        if ip in black:
            sys.exit(1)    # match found: exit 1 so the delivery agent can act on it
    except socket.gaierror:
        if verbose:
            print(name, "DOES NOT RESOLVE")

sys.exit(0)    # no link resolved to a blacklisted address
It could certainly be improved, e.g. by reading the list
of IP addresses from a file, or by reading more than just
one mail message. Also note that it only handles plain
text mails, it doesn't handle quoted-printable, base64
encodings etc. It also depends on the local nameserver's
caching, so it doesn't do its own caching (which could
easily be implemented).
Best regards
Oliver
--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
"That's what I love about GUIs: They make simple tasks easier,
and complex tasks impossible."
-- John William Chambless

Re: [milter-greylist] URL filtering?
2006-07-31 by Oliver Fromme
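As an added illustration of the improvements Oliver mentions at the end of his message (decoding quoted-printable and base64 parts, and caching lookups), here is a Python 3 variant of the same idea. It is not Oliver's script and not part of the original thread: it uses the standard `email` package to decode each text part before scanning for URL hosts, memoizes DNS answers with `functools.lru_cache`, and takes the resolver as a parameter so the check can be exercised without network access. The blacklist addresses, hostnames and sample message are constructed for the example and are not real spam sources.

```python
#!/usr/bin/env python3
"""Added example (not the script from the original message): decode MIME
text parts, extract URL hosts, resolve them and compare against a blacklist.
All addresses and hostnames below are constructed, not real spam sources."""
import email
import re
import socket
import sys
from email import policy
from email.message import EmailMessage
from functools import lru_cache

# Constructed example blacklist (documentation ranges); replace with the
# addresses you actually observe.
IP_BLACKLIST = frozenset({"198.51.100.23", "203.0.113.7"})

# Match http or https links and capture the host part.
URL_RE = re.compile(r"https?://([-a-z0-9]+(?:\.[-a-z0-9]+)*\.[a-z]{2,})", re.I)


def extract_hosts(raw_message: bytes):
    """Return the set of URL hostnames found in every text/* MIME part,
    after the email package has undone base64 / quoted-printable encoding."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            body = part.get_content()  # decoded str, per charset and CTE
        except (LookupError, UnicodeDecodeError):
            continue  # unknown charset or undecodable part: skip it
        for m in URL_RE.finditer(body):
            hosts.add(m.group(1).lower())
    return hosts


@lru_cache(maxsize=4096)
def resolve(host: str):
    """Resolve a hostname to an IPv4 address, caching answers so a flood of
    messages pointing at the same hosts does not re-query the resolver.
    Returns None when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def find_blacklisted(raw_message: bytes, resolver=resolve, blacklist=IP_BLACKLIST):
    """Return a sorted list of (host, ip) pairs whose address is blacklisted.
    `resolver` is injectable so the logic can be tested offline."""
    hits = []
    for host in sorted(extract_hosts(raw_message)):
        ip = resolver(host)
        if ip is not None and ip in blacklist:
            hits.append((host, ip))
    return hits


def build_sample_message() -> bytes:
    """Constructed sample message (not real spam). The body is sent
    base64-encoded, so a regex over the raw bytes would find no URL at all."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content(
        "Cheap pills here: http://pills-example.test/buy\n"
        "Mirror: http://does-not-exist.invalid/\n",
        cte="base64",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    # Same contract as the original script: read one message on stdin,
    # exit 1 if any link host resolves to a blacklisted address, else 0.
    matches = find_blacklisted(sys.stdin.buffer.read())
    for host, ip in matches:
        print(host, "-->", ip, "(blacklisted)", file=sys.stderr)
    sys.exit(1 if matches else 0)
```

Run it the same way as the original, with the message on stdin from maildrop or procmail; the exit code carries the verdict. Because `find_blacklisted` accepts any callable as the resolver, you can also feed it a dictionary's `.get` to check the extraction and matching logic against a stored corpus without touching DNS.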