NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

  • Ah, yes, I should have been more careful with my numbers. And language. Hundreds of thousands of IPs have been banned but not by that script and thus not in that output; they were banned by another script that (guess what) hit ARIN and blocked the entire netblock. I don't want to do this too hastily (in other words, I don't want to do this automatically) so the automatic script is doing /32's. Since there is some interest in passing from someone (even if that interest is just stimulating a clarification), h
    • Okay, the code tags didn't do what I wanted... let's try pre!

          #!/usr/bin/perl
          # Count how many hosts a list of pf "block" rules covers (rules read on STDIN).
          use strict;
          use warnings;
          use bigint;

          my $count = 0;
          while (my $line = <STDIN>) {
              chomp $line;
              my ($ip, $mask) = $line =~ m{block in (?:proto tcp )?quick from ([0-9.]+)/([0-9]+) to any}
                  or print "can't parse: $line\n";
              next unless $ip and $mask;
              my $numhosts = 2 ** (32 - $mask);   # the post is cut off here; the remainder is reconstructed
              $count += $numhosts;
          }
          print "$count hosts\n";

      And then...

          #!/usr/bin/perl
          # Scan the postfix log for "User unknown" rejects in the last 10 minutes,
          # tally them per sending IP, and emit a pf /32 block rule for the worst ones.
          use strict;
          use warnings;
          use IO::Handle;
          use POSIX qw(strftime);

          # The log path, the threshold and the command the rules are piped into were lost
          # when the post got mangled; they are taken from the command line here instead.
          my ($logfile, $threshold, $ban_cmd) = @ARGV;
          die "usage: $0 maillog threshold ban-command\n" unless defined $ban_cmd;

          # process all bans for the recently passed out (10 minutes ago)
          my $timestamp = strftime "%b %e %H:", localtime(time() - 600); # eg, "Oct 7 02:"
          my $count = 0;
          my %spammers;

          open my $spam, '<', $logfile or die "$logfile: $!";
          if (-s $spam > 10000*80) {   # if longer than about 10,000 "lines", seek relative the end
              print "Seeking relative the end - long file\n";
              seek $spam, -10000*80, 2;
          }
          # skip forward to the first line stamped with the hour we care about
          while (my $log = <$spam>) {
              last if $timestamp eq substr $log, 0, length $timestamp;
          }
          while (my $log = <$spam>) {
              # Aug 30 11:09:35 straylight postfix/smtpd[17179]: NOQUEUE: reject: RCPT from mail.marvelconsultants.com[66.94.77.249]: 450 <...>: Recipient address rejected: User unknown in local recipient table; from=<...> to=<...> proto=ESMTP helo=<...>
              next unless $log =~ m/User unknown in local recipient table/;
              my ($rechost, $recip) = $log =~ m/reject: RCPT from ([a-z0-9.-]+)\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]/i;
              next unless $recip;
              $spammers{$recip}->[0]++;            # rejects seen from this IP
              $spammers{$recip}->[1] ||= $rechost; # first hostname it announced
              $spammers{$recip}->[2] ||= $recip;
              $count++;
          }
          print("processed $count messages\n");

          my @spammers = sort { $b->[0] <=> $a->[0] } values %spammers;
          foreach my $spammer (@spammers) {
              last if $spammer->[0] < $threshold;
              open my $pipe, '|-', $ban_cmd or die "$ban_cmd: $!";
              $pipe->print(sprintf "block in quick proto tcp from %s/32 to any port = 25 # %d: %s\n",
                  $spammer->[2], $spammer->[0], $spammer->[1]);
              $pipe->flush;
              $pipe->close;
              printf("block in quick proto tcp from %s/32 to any port = 25 # %d: %s\n",
                  $spammer->[2], $spammer->[0], $spammer->[1]);
          }

      Also also, I should mention I have an ulterior motive: I have a concept I'm playing with for pre-emptive blacklisting based on the idea of aggregates, sort of like Google sets, or "people who bought that also bought these".

      I posted, for Phoenix Perl Mongers as part of a presentation in conjunction with spam filtering, a list of the top spammers, and a Google brings in a lot of hits - a surprising number of hits - for this document. Sysadmins search for their own domains reportedly; people fix open relays then seek to have them removed from blacklists; etc. I had another idea - what if I Google for the IP of a known spam source and then suck down every hit, tally up occurrences of other IPs in all of those documents, and then assume that other IPs that tend to appear in proximity to the spammers are also spammers? Voilà, instantly distributed mail-abuse.org style black hole! People need only run some stats, however they see fit, on spammers spamming their domains, and other people (or the same people) can suck this down, process it, and use it. I'll play with quotations the same way - Google for an exact quote to see what other people who like that quote have in their quote collections. So, to this end, I just wanted to generate some juice for my updated, automatically generated list >=)

      -scott
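As an added example (my own, not from scott's post or either of his scripts): before trusting the "hundreds of thousands of IPs" figure it helps to see how much address space a pf ruleset really covers, broken down by prefix length, and which rules are wide enough that they deserve a second look. The script below reads rules in the same format the scripts above emit, with a handful of constructed sample rules inline; the function names and the "/24 or wider" cutoff are my choices.

```perl
#!/usr/bin/perl
# Added example: summarise how many addresses a pf "block" ruleset covers,
# per prefix length, and flag netblocks wider than a /24 for manual review.
use strict;
use warnings;

# Constructed sample rules (same shape as the rules the ban script emits).
my @rules = (
    'block in quick proto tcp from 192.0.2.7/32 to any port = 25 # 12: mail.example.net',
    'block in quick proto tcp from 192.0.2.9/32 to any port = 25 # 3: smtp.example.org',
    'block in quick from 198.51.100.0/24 to any',
    'block in quick from 203.0.113.0/22 to any',
    'pass in quick from 10.0.0.0/8 to any',          # not a block rule: ignored
);

# Return (ip, prefix length) for a block rule, or nothing for any other line.
sub parse_rule {
    my ($line) = @_;
    my ($ip, $mask) = $line =~ m{^block in (?:proto tcp )?quick from ([0-9.]+)/([0-9]+) to any}
        or return;
    return if $mask > 32;        # reject a malformed prefix length
    return ($ip, $mask);
}

# Number of IPv4 addresses covered by a prefix of the given length.
sub hosts_in_mask {
    my ($mask) = @_;
    return 2 ** (32 - $mask);
}

# Tally addresses per prefix length; collect rules wider than a /24.
sub summarise {
    my (@lines) = @_;
    my (%by_mask, $total, @wide);
    for my $line (@lines) {
        my ($ip, $mask) = parse_rule($line) or next;
        my $n = hosts_in_mask($mask);
        $by_mask{$mask} += $n;
        $total += $n;
        push @wide, "$ip/$mask" if $mask < 24;   # wider than a /24: review by hand
    }
    return (\%by_mask, $total, \@wide);
}

my ($by_mask, $total, $wide) = summarise(@rules);
printf "/%-2d  %10d addresses\n", $_, $by_mask->{$_} for sort { $a <=> $b } keys %$by_mask;
printf "total %d addresses blocked\n", $total;
print "wide blocks needing review: @$wide\n" if @$wide;
```

With the sample rules this reports 2 addresses at /32, 256 at /24 and 1024 at /22 (1282 in total) and lists 203.0.113.0/22 as the one block to double-check; feed it the real ruleset on STDIN by replacing `@rules` with `<STDIN>` and chomping.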
      • Okay, the code tags didn't do what I wanted... let's try pre!

        Yuck! Don't people have a "preview" button any more? Or read the help text under the textarea, when entering their post?

        Try "<ecode>", it'll preserve your formatting.