Re: [9fans] smtpd integration with spamhaus

[erik quanstrom <quanstro@quanstro.net>]

[-- Attachment #1: Type: text/plain, Size: 764 bytes --]

On Fri Sep 24 17:34:08 EDT 2010, 9nut@9netics.com wrote:
> oops!  wasn't finished yet.  i guess i'm getting the hang of "publish
> early and often"
>
> it should be easy, as my unfinished shell is showing.  i'm not sure if
> i understand the behavior of spammers function when the output is
> piped to another program.  any ideas?
>
> > has anyone noodled the idea? spamhaus provides a dns server that
> > that can identify if an ip address is a known spammer[1]. i was thinking
> > either directly in /sys/src/cmd/upas/smtp/spam.c or through a cs like
> > program (parsing binary in shell?)

this is what i did.  the spamhaus function is largely
stolen from steve.  he's got a lot of good stuff.

all the ugly bits are entirely my fault.

- erik

[-- Attachment #2: spamhaus --]
[-- Type: text/plain, Size: 742 bytes --]

#!/bin/rc
rfork en

sflag=0
if(~ $1 -s){
	sflag=1
	shift
}

rev=`{echo $1 | sed 's/([0-9]*)\.([0-9]*)\.([0-9]*)\.([0-9]*)/\4.\3.\2.\1/'}
#ans=`{ndb/dnsquery $rev^.zen.spamhaus.org>[2]/dev/null|sed -n 's:.*	(127\.0\.0\.[0-9]+):\1:p' }
ans=`{echo $rev^.zen.spamhaus.org | ndb/dnsquery >[2]/dev/null|sed -n 's:.*	(127\.0\.0\.[0-9]+):\1:p' }
msg=''
for(i in $ans){
	switch($i){
	case 127.0.0.2
		m = 'known spam source'
	case 127.0.0.4
		m = 'composite block list'
	case 127.0.0.5
		m = njabl
	case 127.0.0.10
		m = 'your isps policy'
	case 127.0.0.11
		m = 'sh policy'
	case *
		m = 'unknown reason'
	}
	if(~ $msg '')
		msg = $m
	if not
		msg = $msg^', '^$m
}
if(~ $sflag 0 && ! ~ $msg '')
	echo $msg
exit $msg

[-- Attachment #3: validatesender --]
[-- Type: text/plain, Size: 2453 bytes --]

#!/bin/rc
rfork en

# note the patterns in the exception lists are eval'd
# later, so wildcards may be quoted.
#
# force non-explicit matches to fail.  gmail specifies allowed hosts, but
# then says ?all, defeating all that work.  just fail jerks impersonating google.
spfescalate=(gmail.com)

# ignore spf mismatches from these domains
spfign=(*.bell-labs.com mac.com)

# these domains get a spamhaus pass
shign=(*terzarima.net)

# these people are special; give them a pass
# dom!addr style.
specialed=(yahoo.com!swardd)

# these particular senders are blacklisted
# motivated by the fact that yahoo calender
# is compromised.
dropuser=(reply.yahoo.com!calendar-invite comerrec.net!* ecoinfor.com!mail-bounces)

fn usage{
	echo 'usage: validatesender [-n /net] dom user [ip [hellodom]]' >[1=2]
	exit usage
}

fn checkspf{
	str=($h spf $*)
	spfflag=-v
	if(~ $1 $spfescalate)
		spfflag=$spfflag^e
	if(~ $#netroot 1)
		spfflag=($spfflag -n $netroot)
	upas/spf $spfflag $* >[2=1] | sed 's:^:'^$"str^' -> :g' >>$log
	spfstatus=$status
	spfstatus=`{echo $spfstatus | sed 's:\|.*::
		s/^spf [0-9]+://'}
	if(! ~ $#spfstatus 0 && ! ~ $"spfstatus *none){
		if(~ $spfstatus deferred:*)
			exit $"spfstatus
		if(! ~ $dom $2)
			exit 'rejected: '^$"spfstatus
	}
}

h=`{date -n} ^ ' ' ^ $sysname ^ ' ' ^ $pid
h=$"h
log=/sys/log/smtpd.mx	#/fd/2
if(! test -w $log)
	log = /dev/null
echo $h validatesender $* >>$log

netroot=/net.alt
if(~ $1 -n){
	shift
	netroot=$1
	shift
}
if(! ~ $#* [234])
	usage

dom=$1; addr=$2; ip=$3; helo=$4

if(eval ~ '$dom!$addr' $dropuser)
	exit 'member of dropuser list'

if(~ $dom^!^$addr $specialed)
	exit ''

if(! ~ $#ip 0 && test -x /mail/lib/spamhaus){
	spamhaus=`{/mail/lib/spamhaus $ip}
	if(! ~ $spamhaus '' && eval ! ~ '$dom' $shign){
		echo $h spamhaus '->' $spamhaus>>$log
		exit 'rejected: spamhaus: '^$"spamhaus
	}
	if(! ~ $spamhaus '')
		echo $h spamhaus '->' $spamhaus '(ignored)'>>$log
}

if(x=`{upas/smtp -p $netroot/tcp!$dom /dev/null $addr >[2=1] |
		tee >{sed 's/^/'$h' /' >> $log} |
		tail -1}){
	if(~ $#ip 0 || ! test -x /bin/upas/spf)
		exit ''
	if(eval ~ '$dom' $spfign)
		exit ''
	echo $h spf $dom $ip $addr $helo>>$log
	checkspf $dom $ip $addr $helo
	exit ''
}

smtpstatus=$status
if(~ $#x 0)
	x=$smtpstatus
if(~ $smtpstatus *'Permanent Failure'*)
	exit 'rejected: smtp ping: '^$"x
exit 'deferred: smtp ping: '^$"x