Skip to content

Instantly share code, notes, and snippets.

@0x9900

0x9900/spamtrap.sh

Last active August 29, 2015 14:13
Show Gist options
  • Save 0x9900/fba53305f312b6ec131a to your computer and use it in GitHub Desktop.
Save 0x9900/fba53305f312b6ec131a to your computer and use it in GitHub Desktop.
Download ZIP
Check spamdb whitelisted addresses agains RBLs.
Raw
spamtrap.sh
#!/usr/local/bin/bash
#
# (c) Sometime in 2015 by Fred C. @0x9900
#
# Checks whitelisted IPs in spamdb and if they are known by any of the
# follwing DNSBL lists, tag them as trapped. This script only check
# the IP addresses whitelisted since the last run. Therefore the date
# of the last run is stored in a file called /tmp/spamtrap.status.
#
# - abuseat.org
# - barracudacentral.org
# - spamcop.net
# - spamhaus.org
#
# Since spamdb has to be run by root you can add the follwing line in
# your `/etc/sudoer' file.
#
# userid ALL=(ALL) NOPASSWD: /usr/sbin/spamdb -t -a
#
# I run this script hourly in cron.
#
set -o nounset
declare -a RBL_LST=( "junkemailfilter" "spamhaus" "spamcop" "barracudacentral" "abuseat" )
# shuffling the list to not allways hit the same RBL at each run
declare -a RBL_LST=$(echo ${RBL_LST[@]} | awk 'BEGIN {RS=" "} {print rand()"\t"$1}' | sort | cut -f2)
STATUS_FILE="/tmp/spamtrap.status"
BLACKLIST_IP="sudo spamdb -t -a "
WHITELIST_IP="sudo spamdb -a "
TEMPLATE="${0##*/}.XXXXXXXXX"
TMPFILE=$(mktemp -t ${TEMPLATE}) || exit 1
# check if the status file Exists.
if [[ ! -s $STATUS_FILE ]]; then
echo "${STATUS_FILE} not found creating it"
echo $(date +%s) > ${STATUS_FILE}
echo "Run that program again later."
exit 0
fi
LAST_RUN=$(< ${STATUS_FILE})
echo "Last run was at: " $(date -r ${LAST_RUN})
cleanup() {
rm -f ${TMPFILE}
exit 0
}
trap "cleanup" EXIT INT TERM
junkemailfilter() {
# hostkarma.junkemailfilter.com
# This site can return several informations like whitelist,
# blacklist, yellowlist for example. Here we are interested by
# blacklist and whitelist.
local revip=${1}
local response=$(dig +short ${revip}.hostkarma.junkemailfilter.com)
if echo $response | grep -q '127\.0\.0\.1'; then
return 2 # whitelist
fi
if echo $response | grep -q '127\.0\.0\.2'; then
return 1 # spammer
fi
return 0
}
spamhaus() {
# zen.spamhaus.org
local revip=${1}
local response=$(dig +short ${revip}.zen.spamhaus.org)
echo $response | grep -q '127\.0\.0'
return $(( ! $? )) # (0) not found (1) spammer
}
spamcop() {
# bl.spamcop.net
local revip=${1}
local response=$(dig +short ${revip}.bl.spamcop.net)
echo $response | grep -q '127\.0\.0\.2'
return $(( ! $? )) # (0) not found (1) spammer
}
barracudacentral() {
# b.barracudacentral.org
local revip=${1}
local response=$(dig +short ${revip}.b.barracudacentral.org)
echo $response | grep -q '127\.0\.0\.2'
return $(( ! $? )) # (0) not found (1) spammer
}
abuseat() {
# cbl.abuseat.org
local revip=${1}
local response=$(dig +short ${revip}.cbl.abuseat.org)
echo $response | grep -q '127\.0\.0\.2'
return $(( ! $? )) # (0) not found (1) spammer
}
# Search for new IP addresses inserted in spamdb since the last run
#
awk_program='
BEGIN {
FS="|"
}
/^WHITE|GREY/ {
if(($1 == "WHITE" && $5 > LR) ||
($1 == "GREY" && $6 > LR)) {
print $2
}
}'
spamdb | awk -v LR=${LAST_RUN} "$awk_program" | sort -n | uniq >${TMPFILE}
# Save the current run time
echo $(date +%s) > ${STATUS_FILE}
# Search if the ip addresses are flagged in one of the rbl servers
#
while read ip
do
found=0
revip=$(IFS=.; set -- $ip ; echo "${4}.${3}.${2}.${1}")
for rbl_function in ${RBL_LST[@]}; do
$rbl_function $revip
result=$?
if [[ $result == 1 ]]; then
echo "Blacklisted: $rbl_function $ip"
${BLACKLIST_IP} $ip
found=1
break
elif [[ $result == 2 ]]; then
echo "Whitelisted: $rbl_function $ip"
${WHITELIST_IP} $ip
found=1
break
fi
done
[[ $found == 0 ]] && echo "Not found $ip"
done < ${TMPFILE}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment