GeoMailSearch

From Coolscript

About

GeoMailSearch is a plugin for SpamAssassin built on MaxMind GeoIP data. It can block mail by sender IP,
IP ranges, countries or ASN, and even by geo data (latitude and longitude).
GeoMailSearch is built on the SpamAssassin plugin skeleton.
GeoMailSearch is written in Perl and runs on Linux.

With GeoMailSearch you can:

  • Score for the email sender country
    • Optional Score for the sender time (Office Hour)

Advanced:

  • Score the email sender country (Array)
    • Optional Score the sender time (Office Hour)
  • Score the email ASN provider (Array)
    • Optional Score the ASN provider (Office Hour)
  • Score the email server Latitude/Longitude and define a radius around it (Array)
    • Optional Score the server Latitude/Longitude (Office Hour)



Requirements (Dependency Tree)

  • Linux
    • MySQL
    • Perl
    • Sendmail (or another, similar and functioning MTA)
      • Spamassassin
        • GeoMailSearch
          • Maxmind GeoIP Database


Installation

Files

Please get GeoMailSearch.pm (download link below) and copy it to the Perl SpamAssassin plugin directory; depending on your Linux distribution this might be:

/usr/share/perl5/Mail/SpamAssassin/Plugin/

Then check the permissions and give it a try by looking for error messages; there should be none when running:

root@myhost ~ # /usr/share/perl5/Mail/SpamAssassin/Plugin/GeoMailSearch.pl

Modules

You may need to install some additional Perl modules. This is the list of modules the plugin uses:

use strict;
package Mail::SpamAssassin::Plugin::GeoMailSearch;
use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Conf::Parser;
use POSIX;
use DBI;
use HTTP::Date qw/str2time/;
use Math::Trig qw(deg2rad pi great_circle_distance);
use Net::Syslog;

SQL

This plugin requires the GeoIP database on a MySQL server. First create the database, then assign a user to it.

Please use the template geoip.sql from the download archive and load it with mysql.
Create the database:

mysql -u myuser -p < geoip.sql

Then create the user, for example geouser:

mysql -u myuser -p
GRANT ALL PRIVILEGES ON geoip.* TO 'geouser'@'localhost' IDENTIFIED BY 'mypassword' WITH GRANT OPTION;

Note
The above account credentials are needed in two places.
Sample:

  • /etc/spamassassin/yourconfig
  • /mypath/gms-loader.xml

Configuration

Basic

SpamAssassin sample, /etc/spamassassin/local.cf:

Initialization

  • Initialization:
loadplugin     Mail::SpamAssassin::Plugin::GeoMailSearch
header         GeoMailSearch eval:check_geomailsearch()

Database Connection

  • Database connection
geomailsearch_sql_database geoip
geomailsearch_sql_server   127.0.0.1
geomailsearch_sql_user     username
geomailsearch_sql_pwd      pax-s-w-0r-d

Log Level

Log level sample:

geomailsearch_syslog    1

Available levels:

  • Level 0: No syslog
  • Level 1: Full
  • Level 2: Analyze

Basic Settings

Basic Country Settings

geomailsearch_score  1.0
geomailsearch_non_office_hours 20:00-07:00
geomailsearch_non_business_day 1
geomailsearch_block_country  X1:X2:X3



Description:

local.cf
Name                            Required  Value
geomailsearch_score             Yes       Scoring value for SpamAssassin
geomailsearch_non_office_hours  Optional  Time range of the non-office hours, hh:mm-hh:mm.
                                          Sample for 18:00 until 08:00 the next day: 18:00-08:00
geomailsearch_non_business_day  Optional  Non-business days (weekend). If this value is set to 1,
                                          the non-office hours are overruled on Saturday and Sunday.
geomailsearch_block_country     Yes       List of country codes separated by colon.
                                          Sample for a single country code: X1
                                          Sample for an array of countries: X1:X2:X3



Advanced

Advanced Country Score

Advanced country scoring works as an array; each rule is separated by a pipe (|).
Sample with 3 rules:

geomailsearch_advanced_score_country X1:X2,0.5,20:00-07:00|X3:X4,0.6,19:00-20:00|X5,0.7

The above sample has 3 rules:

  • Rule1: X1:X2,0.5,20:00-07:00
  • Rule2: X3:X4,0.6,19:00-20:00
  • Rule3: X5,0.7


Each rule has 2 or 3 elements: first the country array, then the score and last an optional non-office-hour time range.

  • Element1: Country codes, separated by colon
  • Element2: Score
  • Element3: Optional non-office-hour time range

The above sample has the following effective rules:

local.cf
Country  Score  Non office hour time range
X1       0.5    20:00-07:00
X2       0.5    20:00-07:00
X3       0.6    19:00-20:00
X4       0.6    19:00-20:00
X5       0.7    None


Advanced ASN Score

Advanced ASN scoring works as an array; each rule is separated by a pipe (|).
Sample with 3 rules:

geomailsearch_advanced_score_asn  AS0001:AS0002,0.5,18:00-08:00|AS0003:AS0004,0.6,19:00-08:00|AS0005,0.7


The above sample has 3 rules:

  • Rule1: AS0001:AS0002,0.5,18:00-08:00
  • Rule2: AS0003:AS0004,0.6,19:00-08:00
  • Rule3: AS0005,0.7


Each rule has 2 or 3 elements: first the ASN array, then the score and last an optional non-office-hour time range.

  • Element1: AS numbers, separated by colon
  • Element2: Score
  • Element3: Optional non-office-hour time range

The above sample has the following effective rules:

local.cf
AS Number  Score  Non office hour time range
AS0001     0.5    18:00-08:00
AS0002     0.5    18:00-08:00
AS0003     0.6    19:00-08:00
AS0004     0.6    19:00-08:00
AS0005     0.7    None

Advanced GEO Score

Advanced GEO scoring works as an array; each rule is separated by a pipe (|).
Sample with 2 rules:

geomailsearch_radius_score 90.0,0.01,200,0.5,18:00-23:00|-90.0,0.01,300,0.6


The above sample has 2 rules:

  • Rule1: 90.0,0.01,200,0.5,18:00-23:00
  • Rule2: -90.0,0.01,300,0.6


Each rule has 4 or 5 elements: first the geo data (latitude, longitude), then the search radius, followed by the score and last an optional non-office-hour time range.

  • Element1: Latitude
  • Element2: Longitude
  • Element3: Radius (km)
  • Element4: Score
  • Element5: Optional non-office-hour time range

The above sample has the following effective rules:

local.cf
Latitude  Longitude  Radius  Score  Optional non office hour range  Info
90.0      0.01       200     0.5    18:00-23:00                     This is the North Pole :-)
-90.0     0.01       300     0.6    None                            This is the South Pole :-)
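The three advanced rule formats above (country, ASN and radius) and the non-office-hour handling from the basic settings share one parsing scheme: pipe-separated rules, comma-separated elements, colon-separated arrays. The script below is an added example and not code from the GeoMailSearch plugin: it expands the sample rule strings into the "effective rules" tables shown above and scores a constructed sender record against them. The helper names (parse_list_rules, parse_radius_rules, in_time_range, distance_km, score_sender), the sender data and the scoring assumption (a rule's score is added when the sender's time falls inside the rule's non-office-hour range, or all day on a weekend when geomailsearch_non_business_day is 1) are illustrative assumptions, not the plugin's documented behaviour.

```perl
#!/usr/bin/perl
# Added example, not part of GeoMailSearch: parse the rule syntax documented
# on this page and evaluate it against a constructed sender.
use strict;
use warnings;
use Math::Trig qw(deg2rad great_circle_distance);   # same module the plugin imports

# country/ASN rules:  key1:key2,score[,hh:mm-hh:mm] | ...
sub parse_list_rules {
    my ($spec) = @_;
    my @rules;
    for my $rule (split /\|/, $spec) {
        my ($keys, $score, $hours) = split /,/, $rule;   # $hours stays undef for 2-element rules
        # expand the colon-separated array into one effective rule per key
        push @rules, { key => $_, score => $score, hours => $hours }
            for split /:/, $keys;
    }
    return \@rules;
}

# radius rules:  lat,lon,radius_km,score[,hh:mm-hh:mm] | ...
sub parse_radius_rules {
    my ($spec) = @_;
    my @rules;
    for my $rule (split /\|/, $spec) {
        my ($lat, $lon, $km, $score, $hours) = split /,/, $rule;
        push @rules, { lat => $lat, lon => $lon, km => $km,
                       score => $score, hours => $hours };
    }
    return \@rules;
}

# True when $minute (minutes since midnight) lies inside "hh:mm-hh:mm".
# An end earlier than the start (20:00-07:00) wraps past midnight.
# No range means the rule applies at any time; on a weekend the whole day
# counts as non-office time (assumed reading of geomailsearch_non_business_day 1).
sub in_time_range {
    my ($range, $minute, $weekend) = @_;
    return 1 if !defined $range || $range eq '';
    return 1 if $weekend;
    my ($sh, $sm, $eh, $em) = $range =~ /^(\d\d):(\d\d)-(\d\d):(\d\d)$/
        or die "bad time range '$range'\n";
    my ($start, $end) = ($sh * 60 + $sm, $eh * 60 + $em);
    return $start <= $end ? ($minute >= $start && $minute < $end)
                          : ($minute >= $start || $minute < $end);
}

# Great-circle distance in km. Math::Trig takes (theta = longitude,
# phi = colatitude measured from the North Pole), both in radians.
sub distance_km {
    my ($lat1, $lon1, $lat2, $lon2) = @_;
    return great_circle_distance(deg2rad($lon1), deg2rad(90 - $lat1),
                                 deg2rad($lon2), deg2rad(90 - $lat2), 6371);
}

# Sum the scores of all rules the sender matches; return total and reasons.
sub score_sender {
    my ($sender, $country_rules, $asn_rules, $radius_rules) = @_;
    my ($score, @why) = (0);
    for my $r (@$country_rules) {
        next unless $r->{key} eq $sender->{country};
        next unless in_time_range($r->{hours}, $sender->{minute}, $sender->{weekend});
        $score += $r->{score}; push @why, "country $r->{key}";
    }
    for my $r (@$asn_rules) {
        next unless $r->{key} eq $sender->{asn};
        next unless in_time_range($r->{hours}, $sender->{minute}, $sender->{weekend});
        $score += $r->{score}; push @why, "asn $r->{key}";
    }
    for my $r (@$radius_rules) {
        my $d = distance_km($r->{lat}, $r->{lon}, $sender->{lat}, $sender->{lon});
        next if $d > $r->{km};
        next unless in_time_range($r->{hours}, $sender->{minute}, $sender->{weekend});
        $score += $r->{score};
        push @why, sprintf("within %.0f km of %s,%s", $d, $r->{lat}, $r->{lon});
    }
    return ($score, \@why);
}

# Rule strings copied from the samples on this page.
my $country = parse_list_rules('X1:X2,0.5,20:00-07:00|X3:X4,0.6,19:00-20:00|X5,0.7');
my $asn     = parse_list_rules('AS0001:AS0002,0.5,18:00-08:00|AS0003:AS0004,0.6,19:00-08:00|AS0005,0.7');
my $radius  = parse_radius_rules('90.0,0.01,200,0.5,18:00-23:00|-90.0,0.01,300,0.6');

# Constructed sender: country X1, AS0003, about 50 km from the 90.0,0.01 point,
# sending at 22:30 on a weekday (minute-of-day and weekend flag are assumed to
# come from the mail's Date header in the real plugin).
my $sender = { country => 'X1', asn => 'AS0003', lat => 89.55, lon => 0.01,
               minute => 22 * 60 + 30, weekend => 0 };
my ($total, $hits) = score_sender($sender, $country, $asn, $radius);
printf "score %.2f (%s)\n", $total, join('; ', @$hits);
```

With the constructed sender all three rule sets fire (country X1 inside 20:00-07:00, AS0003 inside 19:00-08:00, and the 200 km radius rule inside 18:00-23:00), so the script prints a total of 1.60; changing the minute to 12:00 drops the country and ASN hits and shows how a wrapping range such as 20:00-07:00 is evaluated.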

Configure Syslog

If you use syslog, please make sure your rsyslog daemon has UDP logging enabled on 127.0.0.1:

  • /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514

GMS-LOADER

The GeoMailSearch loader takes care of downloading the most recent MaxMind database; it also inserts the data into the MySQL server.
The GMS loader uses an XML configuration file for its settings.

Sample

<?xml version="1.0"?>
<CONFIG>
 <HTTP_Maintain
  IPLIST="1"
  ASNLIST="1"
  CITYLIST="0"
 />
 <HTTP_Download
  IPLIST="http://geolite.maxmind.com/download/geoip/database/GeoLiteCity_CSV/GeoLiteCity-latest.zip"
  ASNLIST="http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2.zip"
  CITYLIST="http://download.maxmind.com/download/worldcities/worldcitiespop.txt.gz"
 />
 <GeoDatabase
  Database="geoip"
  Server="localhost"
  Username="geouser"
  Password="xxxx"
 />
 <System
  SyslogIP="127.0.0.1"
  DeleteTempDataOnStartup="1"
  DeleteTempDataOnExit="1"
 />
</CONFIG>


HTTP_Maintain
Attribute  Value    Description
IPLIST     Boolean  Download and maintain the IP list
ASNLIST    Boolean  Download and maintain the ASN list
CITYLIST   Boolean  Download and maintain the city list

Note: downloading the city list is not required that often, maybe once a year.

HTTP_Download
Attribute  Value  Description
IPLIST     URL    URL to the IP list
ASNLIST    URL    URL to the ASN list
CITYLIST   URL    URL to the city list


GeoDatabase
Attribute  Description
Database   MySQL database
Server     MySQL server name
Username   MySQL username
Password   MySQL password


System
Attribute                Description
SyslogIP                 IP address of your syslog server, leave empty to disable
DeleteTempDataOnStartup  Delete temporary download data at startup
DeleteTempDataOnExit     Delete temporary download data at exit




GMS-LOADER CRON

Cron sample:

#m  h dom  mon dow   command
 0  1 5    *   *     (cd /usr/local/gms-loader/; ./gms-loader.pl)



Download GMS

Download the script