Module Version: 1.00 (20160330075010)      Latest Release: Mail-SpamAssassin-Contrib-Plugin-IPFilter-0.93

NAME

Mail::SpamAssassin::Contrib::Plugin::IPFilter - Blocks bad MTA behavior using IPTables.


SYNOPSIS

To try this out, add or uncomment this line in init.pre:

LoadPlugin     Mail::SpamAssassin::Contrib::Plugin::IPFilter

Configuration defaults:

flock_bin $PATH/flock
iptables_bin $PATH/iptables
filter_name spamipfilter
db_type redis
db_host 127.0.0.1
db_port 6387
db_user ''
db_auth ''
db_name sa_ipf
trigger_score 6
trigger_messages 3
trigger_sensitivity 4
average_score_for_rule 7
expire_rule_seconds 172800
seconds_to_decay_penalty 300
expires_multiplier_penalty 1.5
cache_decay_days 60
log_dir /var/log
common_hosts gmail.com, google.com, yahoo.com, hotmail.com, live.com
admin_email ''
admin_message Your message to $recipient from $email was blocked and
  your IP address $ip blacklisted due to excessive unsolicited bulk
  email. To reinstate your ability to send email to $recipient please 
  reply to $admin using a different off-network email, including the 
  body of this message, with a request for reinstatement.
verbose 0

DESCRIPTION

Mail::SpamAssassin::Contrib::Plugin::IPFilter blacklists unsolicited bulk email senders using IPTables. It will blacklist the sender IP using the smallest network possible, up to /24, when UCE originates from multiple hosts on the same network. Depending on the diversity and frequency of spam received on a server, it may take a couple of days to become effective. Thereafter, the cache state will decay to prevent spammers from burning IP blocks.
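The following added example (not the plugin's own code) models one reading of "smallest network possible, up to /24": offending IPv4 sources are grouped by /24, and each group is reduced to the narrowest prefix that covers every host seen in it. The function names and the sample addresses are assumptions made for illustration; it is useful for estimating how many neighbouring addresses a block would also cover.

```python
import ipaddress
from collections import defaultdict

MAX_PREFIX = 24  # ceiling stated on this page: never wider than a /24

# Constructed sample data (documentation address ranges), not real senders.
SAMPLE_SOURCES = [
    "192.0.2.17", "192.0.2.18",        # two adjacent hosts
    "198.51.100.5", "198.51.100.200",  # two hosts far apart in one /24
    "203.0.113.9",                     # a lone host
]


def covering_network(hosts):
    """Narrowest IPv4 network that contains every address in `hosts`."""
    addrs = [int(ipaddress.IPv4Address(h)) for h in hosts]
    lo, hi = min(addrs), max(addrs)
    # Every bit position at or below the highest differing bit is a host bit.
    host_bits = (lo ^ hi).bit_length()
    return ipaddress.IPv4Network((lo, 32 - host_bits), strict=False)


def block_targets(spam_sources):
    """Return the networks (as strings) that would cover the given sources."""
    by_slash24 = defaultdict(set)
    for ip in spam_sources:
        # Bucket by /24 so no resulting network can exceed MAX_PREFIX in width.
        bucket = ipaddress.IPv4Network((ip, MAX_PREFIX), strict=False)
        by_slash24[bucket].add(ip)
    nets = sorted(covering_network(hosts) for hosts in by_slash24.values())
    return [str(n) for n in nets]


def collateral(network, offenders):
    """Addresses inside `network` that were never seen sending spam."""
    net = ipaddress.IPv4Network(network)
    return net.num_addresses - len({o for o in offenders
                                    if ipaddress.IPv4Address(o) in net})


if __name__ == "__main__":
    for target in block_targets(SAMPLE_SOURCES):
        print(target, "extra addresses covered:",
              collateral(target, SAMPLE_SOURCES))
```

Two hosts at opposite ends of a /24 widen the block to the whole /24, which is the case where whitelist and common_hosts matter most.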

Responsible, well-known email hosts (common_hosts) are given special treatment to avoid blacklisting their networks. UCE originating from common_hosts is blacklisted on a per sender basis using SpamAssassin's AWL. The plugin may be configured to email the blacklisted sender a warning for remediation.

An entry is created in /etc/cron.d/ for required maintenance. IPv6 support is experimental. Future versions may include a database shared by nodes participating in a system similar to a decaying blockchain.


PREFERENCES

The following options may be used in site-wide (local.cf) configuration files to customize operation, and must be prefixed by ipfilter_:

filter_name
The name of the chain that Mail::SpamAssassin::Contrib::Plugin::IPFilter will create to block spammers. This will also be used as the file name in /etc/cron.d/. Allowed characters: [a-zA-Z0-9_.]

iptables_bin
The path to the iptables binary on your system.

flock_bin
The path to the flock binary on your system, if available.

db_type
The type of storage to use (mysql/redis).

db_host
The IPv4 address of your database server.

db_port
The port that the database server is listening on.

db_user
The database user, if applicable.

db_auth
The database password, if applicable.

db_name
The database name (mysql) or the prefix for keys (redis) created and used by Mail::SpamAssassin::Contrib::Plugin::IPFilter. Allowed characters: ^[a-zA-Z0-9_.]$

log_dir
The directory to use for apache style logs reflecting spam messages for export to analytics. Informational messages are still logged via SpamAssassin.

average_score_for_rule
The average spam score for a host required to trigger a rule after trigger_messages.

cache_decay_days
How long before entries in the cache decay, assuming no spam messages are seen. Note that the cache will decay according to: cumulative_spam_score_for_host * exp(-3*lastspam_delta/cache_decay_secs)

expire_rule_seconds
How long, in seconds, before a block rule expires.

expires_multiplier_penalty
A factor used to penalize hosts with longer rule expiration based on the spam score of the message resulting in a rule, relative to the average spam score required to set the rule.

seconds_to_decay_penalty
A frequency indicator used to tune penalization for a given host based on how many spam messages were seen for that host over a time period.

trigger_score
The score for which Mail::SpamAssassin::Contrib::Plugin::IPFilter will process a spam message. This should be greater than the SpamAssassin required_score.

trigger_messages
The minimum number of spam messages from a given host before a rule is triggered.

trigger_sensitivity
A quantity used to tune penalization for a given host based on how many spam messages were seen for that host.

common_hosts
Hosts that should not be blacklisted via an IPTables rule and instead fall back to the SpamAssassin blacklist.

admin_email
The email address to send blacklist warnings from. If left unconfigured, no warnings will be sent.

admin_message
The warning message that will be sent. Parameters $user, $domain, $ip, $email, $recipient and $admin may be used for templatization.

whitelist
Any email address or IP address to whitelist. Email addresses may be specified as foo@example.com or just @example.com to match the whole domain, and IPs may be specified as 1.2.3.4 or just 1.2.3. to match the class C address space.

verbose
Log additional information via Mail::SpamAssassin::Logger.
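
For tuning cache_decay_days, this added example (not the plugin's code) evaluates the decay expression given under that option and derives two figures from it: the half-life of a cached score and the number of quiet days until a score falls below a chosen threshold. It assumes cache_decay_secs is cache_decay_days expressed in seconds; the function names and the threshold are illustrative.

```python
import math

DAY = 86400  # seconds


def decayed_score(cumulative_score, lastspam_delta, cache_decay_days=60):
    """Apply the documented decay to a host's cumulative spam score.

    lastspam_delta is the number of seconds since the host's last spam message.
    Assumption: cache_decay_secs = cache_decay_days * 86400.
    """
    cache_decay_secs = cache_decay_days * DAY
    return cumulative_score * math.exp(-3 * lastspam_delta / cache_decay_secs)


def half_life_days(cache_decay_days=60):
    """Quiet days after which a cached score has halved."""
    # Solve exp(-3 * t / T) = 1/2 for t.
    return cache_decay_days * math.log(2) / 3


def days_until_below(cumulative_score, threshold, cache_decay_days=60):
    """Quiet days needed for a cached score to drop under `threshold`."""
    if cumulative_score <= threshold:
        return 0.0
    # Solve score * exp(-3 * t / T) = threshold for t.
    return cache_decay_days * math.log(cumulative_score / threshold) / 3


if __name__ == "__main__":
    score = 21.0  # constructed value: e.g. three messages scoring 7 each
    for days in (0, 15, 30, 60):
        print(f"{days:>2} quiet days -> {decayed_score(score, days * DAY):.2f}")
    print(f"half-life: {half_life_days():.1f} days")
    print(f"below 7 after: {days_until_below(score, 7):.1f} days")
```

With the default of 60 days, a score halves roughly every two weeks and retains about 5% of its value at the 60-day mark, so the setting is a decay scale rather than a hard cut-off.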


AUTHOR

© 2016 Tamer Rizk, Inficron Inc. All rights reserved.
This package is free software, distributed under the New BSD License.