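#!/usr/bin/perl
# dnsbl.watcher
# - Makes a Fifo called /var/adm/dnsbl.log
# - reads from that Fifo all maillog entries
# - when a dnsbl reject entry (sendmail 571 / 471 from ruleset check_rcpt)
#   is spotted it is appended to the watcher log, written to a per-source-IP
#   file under /var/spool/firewall/ and inserted into a MySQL table
# - Config options also stored in a mysql table
#
# with version 1.3-3 of syslog you can add an entry in your /etc/syslog.conf
# local0.info |/var/adm/popauther
# which will cause all local0 syslog messages of priority info or greater to
# be sent thru the fifo.  (The pipe target must be the path in $fifo below.)
#
# Original popauth code from: William R. Thomas
# This version is from: Harlan Stenn
# This variation and purpose by Mark Reynolds

use strict;
use warnings;
use DBI;
use IO::Handle;
use POSIX qw(strftime);

# --- configuration ---------------------------------------------------------
my $fifo        = "/var/adm/dnsbl.log";           # syslog writes maillog lines here
my $watcherlog  = "/var/log/dnsbl.watcher.log";   # our own log of matched rejections
my $watcherpid  = "/var/run/dnsbl.watcher.pid";   # pid file of this daemon
my $hostfile    = "/etc/HOSTNAME";
my $firewalldir = "/var/spool/firewall/";         # one file per rejected source IP
my $db          = "antispam";
my $table1      = "rejections";                   # 571 permanent rejections
my $table2      = "temporarily";                  # 471 temporary rejections
my $server      = "10.0.0.12";                    # MySQL host, port 3306
# TODO: DB credentials are hard-coded in the source (user 'mysql', empty
# password), exactly as in the original script.
my $dbuser = 'mysql';
my $dbpass = '';

# File handles shared with the subs below; declared before the subs so they
# close over them.  $fifo_fh is reopened every time the writer side of the
# FIFO reaches EOF.
my $log_fh;
my $fifo_fh;

my $hostname = read_hostname($hostfile);
print "hostname is : $hostname \n";
# Short host name: everything before the first dot.  (The original used
# index()/substr(), which chopped the last character when there was no dot.)
my $servername = (split /\./, $hostname, 2)[0];
print "servername : $servername \n";

# One rule per sendmail reject status; each carries the table the row goes to.
my @rules = (
    { table => $table1, re => reject_re($servername, 'reject=571 5.7.1 ACCESS DENIED') },
    { table => $table2, re => reject_re($servername, 'reject=471 4.7.1 ACCESS TEMPORARILY DENIED') },
);

# --- main ------------------------------------------------------------------
open_log();
write_pidfile($watcherpid);
$SIG{INT}  = \&exithandler;
$SIG{QUIT} = \&exithandler;
$SIG{TERM} = \&exithandler;   # SIGKILL cannot be trapped; the original's KILL entry was a no-op

while (1) {
    ensure_fifo($fifo);
    open($fifo_fh, '<', $fifo) or die "Can't open $fifo: $!";
    # <$fifo_fh> returns undef once every writer has closed the FIFO.  The
    # original spun forever on that undef; instead fall out, close, and
    # reopen so the read blocks again until syslog writes the next line.
    while (defined(my $line = <$fifo_fh>)) {
        add_new($line);
    }
    close($fifo_fh);
}

# --- subs ------------------------------------------------------------------

# Read the first line of the hostname file and return it without its newline.
# Dies when the file cannot be read or is empty (the original silently ran
# on with an empty hostname).
sub read_hostname {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "Can't read $path: $!";
    my $name = <$fh>;
    close($fh);
    die "$path is empty\n" unless defined $name;
    chomp $name;
    return $name;
}

# Build the pattern for one sendmail reject line.
#   $host   - short host name as it appears after the syslog timestamp
#   $status - literal reject text, e.g. 'reject=571 5.7.1 ACCESS DENIED'
# Named captures: when (syslog timestamp), to (arg1=<...>), relay (contents
# of the first [...] after relay=, usually the IP literal), from (the <...>
# after "DENIED to"), dnsbl (the /.../ token that follows).
# Both interpolated strings are \Q-quoted so dots and spaces match literally.
sub reject_re {
    my ($host, $status) = @_;
    return qr{
        \A (?<when>[A-Za-z]+\s+\d+\s+\d+:\d+:\d+) \s \Q$host\E \s .+
        ruleset=check_rcpt, \s arg1=(?<to><[^>]+>), \s relay .+? \[ (?<relay>[^\]]+) \] .+
        \s \Q$status\E \s to \s (?<from><[^>]*>) .+ \s (?<dnsbl>/.+/) \s .+ \z
    }x;
}

# Create the FIFO if $path is not already one.  Anything else at that path
# is removed first.  List-form system() so the path is never shell-parsed.
sub ensure_fifo {
    my ($path) = @_;
    return if -p $path;
    unlink $path;
    system('mkfifo', $path) == 0 or die "Can't mkfifo $path (status $?)";
    chmod 0600, $path;
    return;
}

# Open the watcher log for append, unbuffered, and write the start banner.
sub open_log {
    open($log_fh, '>>', $watcherlog) or die "Can't open $watcherlog: $!";
    $log_fh->autoflush(1);
    STDOUT->autoflush(1);
    print {$log_fh} "\n";
    print {$log_fh} tstamp() . " Starting log for dnsbl.watcher at pid $$\n";
    return;
}

# Write our pid to $path.  (The original opened "$watcherpidfile", an
# undeclared variable, so no pid file was ever written.)
sub write_pidfile {
    my ($path) = @_;
    open(my $pid_fh, '>', $path) or die "Can't open $path: $!";
    print {$pid_fh} "$$\n";
    close($pid_fh) or die "Can't write $path: $!";
    return;
}

# Process one maillog line.  Takes the line as an argument; when called
# without one it reads the next line from the FIFO itself, as the original
# did.  Returns 0 (the original's $rebuild, which was never set).
sub add_new {
    my ($line) = @_;
    $line = <$fifo_fh> unless defined $line;
    return 0 unless defined $line;
    chomp $line;
    for my $rule (@rules) {
        next unless $line =~ $rule->{re};
        my %m = %+;   # copy the named captures before any other regex runs
        record_rejection($line, $rule->{table}, \%m);
    }
    return 0;
}

# Log, firewall-file and database-insert one matched rejection.
#   $line  - the chomped maillog line
#   $table - destination table for this reject class
#   $m     - hashref of the named captures from reject_re()
sub record_rejection {
    my ($line, $table, $m) = @_;
    my $relay = "[$m->{relay}]";   # the log and the sourceip column keep the brackets
    print {$log_fh} "$hostname $m->{when} $relay $m->{to} $m->{from} $m->{dnsbl}\n";
    write_firewall_file($m->{relay}, $line);
    insert_rejection($table, $relay, $m);
    return;
}

# Drop the log line into $firewalldir/<ip>.  The relay field is taken from a
# log line whose content is partly supplied by the remote peer, so only an
# IPv4 dotted quad or an "IPv6:..." literal may become a file name here;
# anything containing '/' or other path characters is logged and skipped
# instead of being used as a path.  Write failures are logged, not fatal.
sub write_firewall_file {
    my ($ip, $line) = @_;
    unless ($ip =~ m{\A (?: \d{1,3}(?:\.\d{1,3}){3} | IPv6:[0-9A-Fa-f:.]+ ) \z}x) {
        print {$log_fh} tstamp() . " not writing firewall file for relay '$ip'\n";
        return;
    }
    my $path = "$firewalldir/$ip";
    if (open(my $fw_fh, '>', $path)) {
        print {$fw_fh} "$line \n";
        close($fw_fh) or print {$log_fh} tstamp() . " can't write $path: $!\n";
    }
    else {
        print {$log_fh} tstamp() . " can't open $path: $!\n";
    }
    return;
}

# Insert one row into $table.  $table comes from the configuration above,
# never from the log line; every value from the line goes through a bind
# placeholder (the original interpolated sourceip and dnsbl directly into
# the SQL).  A connect or insert failure is logged and the daemon carries
# on; the original died when connect() returned undef.
sub insert_rejection {
    my ($table, $relay, $m) = @_;
    my $sql = "insert into $table (datetime, mailserver, sourceip, emailto, emailfrom, dnsbl) "
            . "values (?, ?, ?, ?, ?, ?)";
    my $ok = eval {
        my $dbh = DBI->connect("DBI:mysql:$db:$server:3306", $dbuser, $dbpass,
                               { RaiseError => 1, PrintError => 0 });
        $dbh->do($sql, undef, tstamp(), $hostname, $relay, $m->{to}, $m->{from}, $m->{dnsbl});
        $dbh->disconnect();
        1;
    };
    unless ($ok) {
        my $err = $@;
        chomp $err;
        print {$log_fh} tstamp() . " insert into $table failed: $err\n";
    }
    return;
}

# Local time as "YYYY-MM-DD HH:MM:SS".
sub tstamp {
    return strftime("%Y-%m-%d %H:%M:%S", localtime(time));
}

# Signal handler: note the signal in the log, close the handles, remove the
# pid file and exit 0.  (The original closed POPPER, a handle this script
# never opens.)
sub exithandler {
    my ($sig) = @_;
    print {$log_fh} tstamp() . " Stopping on SIG$sig\n" if $log_fh;
    close($fifo_fh) if $fifo_fh;
    close($log_fh)  if $log_fh;
    unlink $watcherpid;
    exit(0);
}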