NAME

Mail::SpamAssassin::Contrib::Plugin::IPFilter - Blocks bad MTA behavior using IPTables.

VERSION

version 1.2

SYNOPSIS

To try this out, add this or uncomment this line in init.pre:

LoadPlugin    Mail::SpamAssassin::Contrib::Plugin::IPFilter

Configuration defaults

iptables_support 6
iptables_bin $PATH/iptables
ip6tables_bin $PATH/ip6tables
filter_name spamipfilter
db_type	redis
db_host 127.0.0.1
db_port 6387
db_user	 ''
db_auth	 ''
db_name spamipfilter
trigger_score 6
trigger_messages 3
trigger_sensitivity 4
average_score_for_rule 7
expire_rule_seconds 172800
seconds_between_messages 30
seconds_to_decay_penalty 300
expires_multiplier_penalty 1.5
cache_decay_days 60
blacklist_score 30
common_hosts gmail.com, google.com, yahoo.com, hotmail.com, live.com
admin_email ''
admin_message Your message to $recipient from $email was blocked and
	your IP address $ip blacklisted due to excessive unsolicited
	bulk email. To reinstate your ability to send email to $recipient,
	please reply to $admin using a different off-network email,
	including the body of this message, with a request for reinstatement.
log_dir /var/log
verbose 0
lang en

DESCRIPTION

Mail::SpamAssassin::Contrib::Plugin::IPFilter blacklists unsolicited bulk email senders using IPTables. It will blacklist the sender IP using the smallest network possible, up to /24, when UCE originates from multiple hosts on the same network. Depending on the diversity and frequency of spam received on a server, it may take a couple of days to become effective. Thereafter, the cache state will decay to prevent spammers from burning IP blocks.

Responsible, well-known email hosts (common_hosts) are given special treatment to avoid blacklisting their networks and the score is increased for external filtering of UCE originating from those hosts. The plugin may be configured to email the blacklisted sender a warning for remediation.

A crontab entry is created for maintenance. IPV6 support is experimental. Future versions may include a collaborative blacklist.

NAME

Mail::SpamAssassin::Contrib::Plugin::IPFilter - Blocks bad MTA behavior using IPTables.

The following options may be used in site-wide (local.cf) configuration files to customize operation, and must be prefixed by ipfilter_:

filter_name
The name of the chain that Mail::SpamAssassin::Contrib::Plugin::IPFilter will create to block spammers. [a-zA-Z0-9_.]

iptables_support
iptables support. 0 = disable iptables. 4 = support ipv4 only. 6 = support ipv4 and ipv6.

iptables_bin
The path to the iptables binary on your system.

ip6tables_bin
The path to the ip6tables binary on your system.

db_type
The type of storage to use (mysql/redis).

db_host
The IPv4 address of your database server.

db_port
The port that the database server is listening on.

db_user
The database user, if applicable.

db_auth
The database password, if applicable.

db_name
The database name (mysql) or the prefix for keys (redis) created and used by Mail::SpamAssassin::Contrib::Plugin::IPFilter. ^[a-zA-Z0-9_.]$

log_dir
The directory to use for apache style logs reflecting spam messages for export to analytics. Informational messages are still logged via SpamAssassin.

average_score_for_rule
The average spam score for a host required to trigger a rule after trigger_messages.

seconds_between_messages
After how long should messages with the same envelope to/from be considered.

cache_decay_days
After how long will entries in the cache decay, assuming no spam messages are seen. Note that the cache will decay according to: cumulative_spam_score_for_host * exp(-3*lastspam_delta/cache_decay_secs)

expire_rule_seconds
After how long will a block rule expire.

expires_multiplier_penalty
A factor used to penalize hosts with longer rule expiration based on the spam of score of the message resulting in a rule, relative to the average spam score required to set the rule.

seconds_to_decay_penalty
A frequency indicator used to tune penalization for a given host based on how many spam messages were seen for that host over a time period.

trigger_score
The score for which Mail::SpamAssassin::Contrib::Plugin::IPFilter will process a spam message. This should be greater than the SpamAssassin required_score.

trigger_messages
The minimum number of spam messages from a given host before a rule is triggered.

trigger_sensitivity
A quantity used to tune penalization for a given host based on how many spam messages were seen for that host.

common_hosts
Hosts which should not be blacklisted via IPTables rule, and fall back to SpamAssassin blacklist.

blacklist_score
A score to add to message headers of blacklisted senders originating from common_hosts.

admin_email
The email address to send blacklist warnings from. If left unconfigured, no warnings will be sent.

admin_message
The warning message that will be sent. Parameters $user, $domain, $ip, $email, $recipient and $admin may be used for templatization.

whitelist
Any email address or ip address to whitelist. Email addresses may be specified as foo@example.com or just @example.com to match the whole domain, and IPs may be specified as 1.2.3.4 or just 1.2.3. to match the class C address space.

verbose
Log additional information via Mail::SpamAssassin::Logger

COPYRIGHT

Copyright © 2016 - Tamer Rizk, Inficron Inc.

This is free, open source software, licensed under the Revised BSD License. Please feel free to use and distribute it accordingly.

AUTHOR

Tamer Rizk <foss@inficron.com>

COPYRIGHT AND LICENSE

This software is Copyright (c) 2016 by Tamer Rizk.

This is free software, licensed under:

The (three-clause) BSD License