Using spamd in greylisting mode, I’m running greyscanner to pick off some low-hanging fruit (senders whose domain has no A or MX record).  But I also have an old domain that isn’t used for production any more, and it gets tons of spam.  Here’s how I used that to my advantage.

greyscanner has the nice option of letting you specify regexes that match recipient addresses to trap.  So if host a.b.c.d tries to mail fakebox@example.com, a.b.c.d gets trapped for 24 hours and never talks to your real mail servers.  Note that at this point greyscanner is a prototype by Bob Beck, but it’s working quite fine.

So, I have a domain example.com that only has a few valid email addresses (abuse, postmaster, oneguy, etc.).  Anyone sending to any other @example.com address is virtually guaranteed to be a spammer.

Initially, I thought it would be easy in Perl to negate a portion of a regex.  For example: match a string ending in “@example.com” but NOT matching (a|b|c)@example.com.

You can do this on an individual basis, using negative lookbehinds:

(?<!abuse)\@example\.com$
(?<!postmaster)\@example\.com$
(?<!lonesurvivingemployee)\@example\.com$

Each of these excludes only a single name, though, so they can’t be combined into one trap rule.  And since a lookbehind isn’t anchored to the start of the local part, the first one would also leave disabuse@example.com untrapped.

But this doesn’t work with a variable-length alternation.  That is, you can’t do:

(?<!(abuse|postmaster))\@example\.com$

Or you’ll get:

ERROR:
Variable length lookbehind not implemented in regex; marked by <-- HERE in m/(?<!(abuse|postmaster))\@example\.com <-- HERE /
at ./back.pl line 3.
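As an added example (not code from the original post), here is the same problem worked through in Perl: the variable-length lookbehind is compiled inside an eval so the failure can be reported instead of aborting, and the check the post wanted is then written as a single regex using a negative lookahead anchored at the start of the address.  The allow-list names are the post’s; the test addresses are constructed.  The lookahead form would serve as one trap regex, though the callout the post moves on to is easier to extend to several domains.

```perl
#!/usr/bin/perl
# Added example, not code from the original post: why the lookbehind attempt
# fails, and how to write "ends in @example.com but is not a real mailbox" as
# one regex with a negative lookahead instead.
use strict;
use warnings;

my @real = qw(abuse postmaster lonesurvivingemployee);   # constructed allow-list
my $alt  = join '|', map { quotemeta } @real;

# 1. Variable-length negative lookbehind.  On perl before 5.30 this dies at
#    compile time with "Variable length lookbehind not implemented"; 5.30 and
#    later accept it (with an "experimental" warning).  eval turns the fatal
#    error into a string we can report instead of aborting the script.
my $lookbehind = eval { qr/(?<!(?:$alt))\@example\.com$/ };
if (defined $lookbehind) { print "lookbehind: compiled\n" }
else                     { print "lookbehind: $@" }   # perl's message ends in a newline

# 2. A negative lookahead anchored at the start of the address does what was
#    wanted: the whole string must look like local@example.com and must not be
#    one of the real mailboxes.  Because it is anchored to the start of the
#    local part, disabuse@example.com is still trapped.
my $trap_re = qr/^(?!(?:$alt)\@example\.com$)[^@\s]+\@example\.com$/i;

# Returns 1 when the address should be trapped, 0 otherwise.
sub is_trap {
    my ($addr) = @_;
    return $addr =~ $trap_re ? 1 : 0;
}

# Constructed test addresses: real mailbox, near miss, stranger, case variant,
# and a different domain that this rule must leave alone.
for my $addr (qw(abuse@example.com disabuse@example.com art@example.com
                 POSTMASTER@EXAMPLE.COM postmaster@example.org)) {
    printf "%-24s %s\n", $addr, is_trap($addr) ? 'trap' : 'ok';
}
```

Of the five constructed addresses, only disabuse@example.com and art@example.com come back as trap: the real mailbox is skipped regardless of case, and postmaster@example.org is not matched at all because the domain is not ours.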

Since that wouldn’t work, I decided to just use the greyscanner $EXTERNAL_ADDRESS_CHECKER callout, since this is exactly what it’s for.  All we need is a script that checks $ARGV[0] (the address arrives as the first argument, not on STDIN, or you’ll waste an hour trying to figure out why it’s not working.  Doh!).  If you want to trap the address, exit with a status of 1 (or any non-zero number).  If the address is OK, exit 0.  Quite handy.  The flip side of that contract is that a script which dies on unexpected input also exits non-zero, so a bug in the checker traps the sender for 24 hours.

Here’s a simple way to check domains:


#!/usr/bin/perl
# /var/spamd/greytrap_checkrcpt
# greyscanner $EXTERNAL_ADDRESS_CHECKER callout: the recipient address is
# $ARGV[0]; exit 0 to leave it alone, exit 1 to trap the sending host.
use strict;
use warnings;

my $rcpt = $ARGV[0];
exit 0 unless defined $rcpt;   # nothing to check; never trap on empty input

# EXAMPLE.COM
# trap all @example.com mail NOT to abuse, hostmaster, postmaster, and lonesurvivingemployee
if ($rcpt =~ /\@example\.com$/i) {
    if ($rcpt =~ /^(abuse|hostmaster|postmaster|lonesurvivingemployee)\@example\.com$/i) {
        exit 0;
    } else {
        exit 1;
    }
}

# EXAMPLE.EDU
# trap all @example.edu mail to fake addresses littered in your public webpages
if ($rcpt =~ /\@example\.edu$/i) {
    if ($rcpt =~ /^(webfodder|webmudder|websisser)\@example\.edu$/i) {
        exit 1;
    } else {
        exit 0;
    }
}

# any other domain is not ours to judge
exit 0;

And pretty soon you’ll see trapped connections in the log:

Jan 30 23:03:59 boss greytrapper[2917]: Trapped 61.14.196.222: Mailed to trap address art@example.com
Jan 30 23:04:51 boss greytrapper[2917]: Trapped 85.138.227.227: Mailed to trap address heather@example.com
Jan 30 23:05:08 boss greytrapper[2917]: Trapped 221.239.52.3: Mailed to trap address hunt@example.com
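A more general version of the checker, as an added example and not the post’s own script: the per-domain policy lives in one table (an allow-list domain traps everything else, a trap-list domain traps only the listed names), the address is normalised before lookup, unknown domains are never trapped, and the final verdict is wrapped so that a runtime error cannot turn into the non-zero exit that greyscanner reads as “trap”.  The domain names and local parts are the post’s; the --selftest switch and its addresses are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not the original post's script: a table-driven
# $EXTERNAL_ADDRESS_CHECKER callout.  Same contract the post describes:
# called with the recipient address as the first argument, exit 0 to accept,
# non-zero to trap the sending IP.
use strict;
use warnings;

# Per-domain policy (constructed example data).
#   allow => only these local parts are real; everything else is a trap
#   trap  => these local parts are deliberate traps; everything else is fine
my %policy = (
    'example.com' => { allow => [qw(abuse hostmaster postmaster lonesurvivingemployee)] },
    'example.edu' => { trap  => [qw(webfodder webmudder websisser)] },
);

# Returns 1 if the address should be trapped, 0 if it should be left alone.
sub should_trap {
    my ($rcpt) = @_;
    return 0 unless defined $rcpt;
    $rcpt =~ s/^\s+|\s+$//g;
    $rcpt = lc $rcpt;
    # Only plain local@domain; anything else is left to spamd's normal handling.
    my ($local, $domain) = $rcpt =~ /^([^@\s]+)\@([^@\s]+)$/ or return 0;
    my $p = $policy{$domain} or return 0;   # domains we don't know: never trap
    if ($p->{allow}) {
        my %ok = map { $_ => 1 } @{ $p->{allow} };
        return $ok{$local} ? 0 : 1;
    }
    if ($p->{trap}) {
        my %bad = map { $_ => 1 } @{ $p->{trap} };
        return $bad{$local} ? 1 : 0;
    }
    return 0;
}

# --selftest (constructed switch) runs a few addresses through the policy
# and prints each verdict instead of exiting with it.
if (@ARGV && $ARGV[0] eq '--selftest') {
    for my $a (qw(abuse@example.com Art@Example.COM webfodder@example.edu
                  dean@example.edu someone@example.org)) {
        printf "%-25s %s\n", $a, should_trap($a) ? 'TRAP' : 'ok';
    }
    exit 0;
}

# Wrapped in eval so a runtime error never becomes a non-zero exit,
# which greyscanner would read as "trap this sender".
my $verdict = eval { should_trap($ARGV[0]) };
if ($@) {
    warn "greytrap_checkrcpt: $@";
    exit 0;
}
exit($verdict ? 1 : 0);
```

Run it as ./greytrap_checkrcpt --selftest to see the verdicts (Art@Example.COM and webfodder@example.edu are the two that come back TRAP), or as ./greytrap_checkrcpt art@example.com; echo $? to see the exit status a single address produces before pointing $EXTERNAL_ADDRESS_CHECKER at it.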

© 2011 Jason Filley