
(how-to) enhance greylist power

Posted: 09 Apr 2019 09:12
by nicola.piazzi
This script is very fast and can be scheduled from crontab -e with a single line like this:
* * * * * /batch/greyspam.sh

Put it into the batch folder. Every minute it takes the class C of the last minute's spam and removes it from the SQLgrey AWL, so spammers must redo the greylisting process.
It removes the entry only if no ham has been seen from that class C in recent hours.




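#!/usr/bin/env bash
# greyspam.sh
# -----------
#
# Removes SQLgrey auto-whitelist (AWL) records for class-C networks that sent
# spam recently, so those senders have to go through greylisting again.
# A class C is left alone when it also sent ham in the last VMINHAM minutes.
# SQLgrey must be configured as classc.
# Put in crontab a line like this to run every 1 minute:
# * * * * * /batch/greyspam.sh
#
# Reads:  /etc/EFA-Config (the MYSQLROOTPWD line)
# Writes: $VLOGFILE (appended, then trimmed to the newest LOGKEEP lines)
set -euo pipefail

# Print an error to stderr and abort; under cron the non-zero exit is what gets noticed.
die() { printf 'greyspam: %s\n' "$*" >&2; exit 1; }

# Parameters
ROOTPWD=$(grep MYSQLROOTPWD /etc/EFA-Config | sed 's/.*://') || die "MYSQLROOTPWD not found in /etc/EFA-Config"
[[ -n "$ROOTPWD" ]] || die "MYSQLROOTPWD is empty"   # never connect with a blank password by accident
readonly ROOTPWD
readonly VSCORESPAM=10                 # Search for IPs whose messages scored more than VSCORESPAM
readonly VMINSPAM=1                    # ... in the last VMINSPAM minutes
readonly VSCOREHAM=6                   # But exclude the class C if it also sent mail scoring less than VSCOREHAM
readonly VMINHAM=600                   # ... in the last VMINHAM minutes
readonly VLOGFILE=/batch/greyspam.log  # Logfile
readonly LOGKEEP=500                   # Log lines kept after trimming

#######################################
# Run one SQL statement as the MySQL root user.
# The password travels in the MYSQL_PWD environment variable instead of a
# -p<password> argument, so it is not part of the command line that other
# local users can read from the process list.
# Arguments: $1 - SQL statement
# Outputs:   result rows on stdout, no header, tab separated
# Returns:   the mysql client's exit status
#######################################
run_sql() {
  MYSQL_PWD="$ROOTPWD" mysql -N -s -u root -e "$1"
}

# Date & Time
NOW=$(date +"%m-%d-%Y %r")
start=$(date +%s.%N)

# Touching log file
touch -- "$VLOGFILE"

# Main selection query from table mailscanner: client IPs of recent spam.
# Only the private ranges the original script excluded are filtered out here.
S1="SELECT clientip \
FROM mailscanner.maillog \
WHERE timestamp > DATE_SUB(now(), INTERVAL $VMINSPAM MINUTE) \
AND spamwhitelisted = 0 \
AND clientip NOT LIKE '10.%' \
AND clientip NOT LIKE '192.168.%' \
AND sascore > $VSCORESPAM \
GROUP BY clientip;"

# A class C is only usable when the client IP is a dotted IPv4 address; the
# check also guarantees that nothing but digits and dots reaches the SQL below.
readonly CLASSC_RE='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'

f=0   # spam IPs seen
ff=0  # class Cs removed from the AWL
spamlist=$(run_sql "$S1") || die "query for recent spam failed"

# Loop over the result with read instead of an array so every row is handled
# (the original used ${res1}, which is always the first element).
while IFS= read -r ipspam; do
  [[ -n "$ipspam" ]] || continue   # an empty result yields one empty line
  f=$((f + 1))
  ipclassc=${ipspam%.*}
  if [[ ! "$ipclassc" =~ $CLASSC_RE ]]; then
    printf '%s skipping non-IPv4 clientip %q\n' "$NOW" "$ipspam" >> "$VLOGFILE"
    continue
  fi
  # Find if this class C sent ham recently. The trailing '.' in the pattern is
  # required: '1.2.3%' would also match 1.2.30.x through 1.2.39.x.
  S2="SELECT clientip \
FROM mailscanner.maillog \
WHERE timestamp > DATE_SUB(now(), INTERVAL $VMINHAM MINUTE) \
AND clientip LIKE '$ipclassc.%' \
AND sascore < $VSCOREHAM \
GROUP BY clientip;"
  res2=$(run_sql "$S2")
  if [[ -z "$res2" ]]; then
    ff=$((ff + 1))
    printf 'Not found ham so remove SQLgrey classc %s from SQLGrey awl\n' "$ipclassc" >> "$VLOGFILE"
    run_sql "DELETE FROM sqlgrey.domain_awl WHERE src = '$ipclassc';"
    run_sql "DELETE FROM sqlgrey.from_awl WHERE src = '$ipclassc';"
  fi
done <<<"$spamlist"

# Logging
end=$(date +%s.%N)
if command -v bc >/dev/null; then
  runtime=$(bc <<<"$end - $start")
else
  runtime='n/a'   # bc is optional: missing it must not cost us the log line
fi
printf '%s %d spam ip in last %d minute, %d with no ham in last %d removed from SQLGrey awl , time elapsed: %s sec.\n' \
  "$NOW" "$f" "$VMINSPAM" "$ff" "$VMINHAM" "$runtime" >> "$VLOGFILE"

# Truncating logfile: keep only the newest LOGKEEP lines
tail -n "$LOGKEEP" -- "$VLOGFILE" > "$VLOGFILE.tmp"
mv -- "$VLOGFILE.tmp" "$VLOGFILE"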

Re: (how-to) enhance greylist power

Posted: 22 Nov 2019 07:13
by pdwalker
Moderators: I think we need a pinned post with a link to everyone of Nicola's enhancements.

Re: (how-to) enhance greylist power

Posted: 17 Apr 2020 03:02
by smyers119
Just wanted to post the updated script that will work with eFa 4.0.2.

You'll need to install bc


# bc is used by greyspam.sh to subtract the two fractional timestamps for the "time elapsed" log line
sudo yum install bc


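#!/usr/bin/env bash
# greyspam.sh
# -----------
# Original Code by eFa forum user nicola.piazzi
#
# Removes SQLgrey auto-whitelist (AWL) records for class-C networks that sent
# spam recently, so those senders have to go through greylisting again.
# A class C is left alone when it also sent ham in the last VMINHAM minutes.
# SQLgrey must be configured as classc.
# Put in crontab a line like this to run every 1 minute:
# * * * * * /batch/greyspam.sh
#
# Reads:  /etc/eFa/MySQL-Config (the MYSQLROOTPWD line)
# Writes: $VLOGFILE (appended, then trimmed to the newest LOGKEEP lines)
set -euo pipefail

# Print an error to stderr and abort; under cron the non-zero exit is what gets noticed.
die() { printf 'greyspam: %s\n' "$*" >&2; exit 1; }

# Parameters
ROOTPWD=$(grep MYSQLROOTPWD /etc/eFa/MySQL-Config | sed 's/.*://') || die "MYSQLROOTPWD not found in /etc/eFa/MySQL-Config"
[[ -n "$ROOTPWD" ]] || die "MYSQLROOTPWD is empty"   # never connect with a blank password by accident
readonly ROOTPWD
readonly VSCORESPAM=10                   # Search for IPs whose messages scored more than VSCORESPAM
readonly VMINSPAM=1                      # ... in the last VMINSPAM minutes
readonly VSCOREHAM=6                     # But exclude the class C if it also sent mail scoring less than VSCOREHAM
readonly VMINHAM=600                     # ... in the last VMINHAM minutes
readonly VLOGFILE=/var/log/greyspam.log  # Logfile
readonly LOGKEEP=500                     # Log lines kept after trimming

#######################################
# Run one SQL statement as the MySQL root user.
# The password travels in the MYSQL_PWD environment variable instead of a
# -p<password> argument, so it is not part of the command line that other
# local users can read from the process list.
# Arguments: $1 - SQL statement
# Outputs:   result rows on stdout, no header, tab separated
# Returns:   the mysql client's exit status
#######################################
run_sql() {
  MYSQL_PWD="$ROOTPWD" mysql -N -s -u root -e "$1"
}

# Date & Time
NOW=$(date +"%m-%d-%Y %r")
start=$(date +%s.%N)

# Touching log file
touch -- "$VLOGFILE"

# Main selection query from table mailscanner: client IPs of recent spam.
# Only the private ranges the original script excluded are filtered out here.
S1="SELECT clientip \
FROM mailscanner.maillog \
WHERE timestamp > DATE_SUB(now(), INTERVAL $VMINSPAM MINUTE) \
AND spamwhitelisted = 0 \
AND clientip NOT LIKE '10.%' \
AND clientip NOT LIKE '192.168.%' \
AND sascore > $VSCORESPAM \
GROUP BY clientip;"

# A class C is only usable when the client IP is a dotted IPv4 address; the
# check also guarantees that nothing but digits and dots reaches the SQL below.
readonly CLASSC_RE='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'

f=0   # spam IPs seen
ff=0  # class Cs removed from the AWL
spamlist=$(run_sql "$S1") || die "query for recent spam failed"

# Loop over the result with read instead of an array so every row is handled
# (the original used ${res1}, which is always the first element).
while IFS= read -r ipspam; do
  [[ -n "$ipspam" ]] || continue   # an empty result yields one empty line
  f=$((f + 1))
  ipclassc=${ipspam%.*}
  if [[ ! "$ipclassc" =~ $CLASSC_RE ]]; then
    printf '%s skipping non-IPv4 clientip %q\n' "$NOW" "$ipspam" >> "$VLOGFILE"
    continue
  fi
  # Find if this class C sent ham recently. The trailing '.' in the pattern is
  # required: '1.2.3%' would also match 1.2.30.x through 1.2.39.x.
  S2="SELECT clientip \
FROM mailscanner.maillog \
WHERE timestamp > DATE_SUB(now(), INTERVAL $VMINHAM MINUTE) \
AND clientip LIKE '$ipclassc.%' \
AND sascore < $VSCOREHAM \
GROUP BY clientip;"
  res2=$(run_sql "$S2")
  if [[ -z "$res2" ]]; then
    ff=$((ff + 1))
    printf 'Not found ham so remove SQLgrey classc %s from SQLGrey awl\n' "$ipclassc" >> "$VLOGFILE"
    run_sql "DELETE FROM sqlgrey.domain_awl WHERE src = '$ipclassc';"
    run_sql "DELETE FROM sqlgrey.from_awl WHERE src = '$ipclassc';"
  fi
done <<<"$spamlist"

# Logging
end=$(date +%s.%N)
if command -v bc >/dev/null; then
  runtime=$(bc <<<"$end - $start")
else
  runtime='n/a'   # bc is optional: missing it must not cost us the log line
fi
printf '%s %d spam ip in last %d minute, %d with no ham in last %d removed from SQLGrey awl , time elapsed: %s sec.\n' \
  "$NOW" "$f" "$VMINSPAM" "$ff" "$VMINHAM" "$runtime" >> "$VLOGFILE"

# Truncating logfile: keep only the newest LOGKEEP lines
tail -n "$LOGKEEP" -- "$VLOGFILE" > "$VLOGFILE.tmp"
mv -- "$VLOGFILE.tmp" "$VLOGFILE"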
I put the file in /etc/eFa/ and ran it from crontab.