spamassassin Bogon IP addresses plugin
A recent bogon research project has shown that almost 5% of all spam email contains a bogon IP address in the headers.
To detect this, a plugin for spamassassin has been written. This plugin will scan emails for bogon IP addresses in the
"received from" headers. This will improve the spam detection when using spamassassin.
It can also be used to do further research regarding bogon ip addresses and spam.
Below is the source code for the spamassassin plugin. There are 2 files:
1. /etc/spamassassin/bogonreceivedline.cf
2. /etc/spamassassin/bogonreceivedline.pm
* The exact path may be different depending on your spamassassin installation.
This plugin is written by Bas Toonk (bas--at--toonk.nl) and Andree Toonk (andree--at--toonk.nl)
BOGONRECEIVEDLINE.CF
# Load the plugin module. The file name is given without a directory, so it
# must be somewhere SpamAssassin resolves relative plugin paths -- confirm
# for your installation.
loadplugin BogonReceivedLine bogonreceivedline.pm
# Bind the rule to the eval function that the plugin registers under the
# same name.
header BOGONRECEIVEDLINE eval:bogonreceivedline()
# NOTE(review): "begon" in the description below is a typo for "bogon".
describe BOGONRECEIVEDLINE Check for begon ip header lines
# "net" marks the rule as a network test, so it is skipped when SpamAssassin
# runs in local-only mode. The plugin code on this page reads a local list
# file and makes no network calls itself -- confirm the flag is intended.
tflags BOGONRECEIVEDLINE net
# A hit adds one point. Received lines written before the mail reached your
# own relays are sender-supplied text, so a low score is a reasonable weight.
score BOGONRECEIVEDLINE 1
BOGONRECEIVEDLINE.PM
# SpamAssassin plugin that provides the "bogonreceivedline" eval rule.
package BogonReceivedLine;
use strict;    # NOTE(review): "use warnings" is not enabled in this file.
use Mail::SpamAssassin;
use Mail::SpamAssassin::Plugin;
use Net::Netmask;    # supplies findNetblock() and the stored netblock table
# Inherit the plugin interface from the SpamAssassin plugin base class.
our @ISA = qw(Mail::SpamAssassin::Plugin);
# Constructor: builds the plugin object through the parent class and
# registers the "bogonreceivedline" eval rule so the .cf file can call it.
sub new {
    my $class  = shift;
    my $mailsa = shift;

    # The invocant may be a class name or an existing instance.
    $class = ref($class) || $class;

    my $self = $class->SUPER::new($mailsa);
    bless($self, $class);

    # Expose the eval function under the name used in the rule definition.
    $self->register_eval_rule("bogonreceivedline");

    return $self;
}
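# Eval rule: returns 1 when any Received header line carries a bracketed
# IPv4 address that falls inside a stored bogon netblock, otherwise 0.
#
# Arguments:
#   $self          - the plugin instance (not used in the body)
#   $permsgstatus  - per-message status object; only get("Received") is called
#
# NOTE(review): every Received line of the message is examined. Lines written
# before the mail reached a relay you operate are sender-supplied text, and
# lines written by your own relays may carry internal addresses. Treat a hit
# as a scoring hint, not as proof of origin, and consider restricting the
# scan to SpamAssassin's untrusted-relay data (for example the
# X-Spam-Relays-Untrusted pseudo-header, which has a different format) --
# confirm against your SpamAssassin version.
sub bogonreceivedline {
    my ($self, $permsgstatus) = @_;

    my $received = $permsgstatus->get("Received");

    # A message without any Received header has nothing to inspect.
    return 0 unless defined $received;

    # Built once instead of once per header line. A bare address is a single
    # host, so only 127.0.0.1 itself is exempted, not the rest of 127/8.
    my $localhost = Net::Netmask->new("127.0.0.1");

    for my $line (split(/\n/, $received)) {
        # Only the "[a.b.c.d])" form is recognised; the greedy prefix means
        # the last such address on the line is the one captured.
        next unless $line =~ /.+\[(\d+\.\d+\.\d+\.\d+)\]\)/;
        my $ip = $1;

        # findNetblock() returns undef when no stored block contains $ip.
        next unless defined(findNetblock($ip));
        next if $localhost->match($ip);

        # One bogon hop is enough; the remaining lines cannot change the result.
        return 1;
    }

    return 0;
}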
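# Bogon prefixes read from the list file, one network block per line.
my @prefixes;

# download http://www.cymru.com/Documents/bogon-bn-nonagg.txt
# make sure to remove RFC1918 space from the bogon list!!!
#
# The list changes as address space is allocated, so refresh the file on a
# schedule; a stale copy flags addresses that have since become legitimate.
#
# PLACEHOLDER: the original file name was lost when this page was extracted
# (the open()/while() line arrived truncated). Point this at the place where
# the downloaded list is stored.
my $bogon_list_path = '/path/to/bogon-bn-nonagg.txt';

# Three-argument open with a lexical handle; a missing list is reported
# instead of silently leaving the rule with nothing to match.
if (open(my $list_fh, '<', $bogon_list_path)) {
    while (my $line = <$list_fh>) {
        chomp($line);
        $line =~ s/^\s+|\s+$//g;

        # Skip blank lines and comment lines so they are never parsed as a
        # network block.
        next if $line eq '' || $line =~ /^#/;

        push(@prefixes, $line);
    }
    close($list_fh);
}
else {
    warn "BogonReceivedLine: cannot open $bogon_list_path: $!\n";
}

for my $prefix (@prefixes) {
    # new2() returns undef for text it cannot parse, whereas new() still
    # returns an object; storing such an object could add an unintended
    # block to the lookup table (exact behaviour depends on the
    # Net::Netmask version), so unparseable lines are skipped here.
    my $block = Net::Netmask->new2($prefix);
    unless (defined $block) {
        warn "BogonReceivedLine: skipping unparseable prefix '$prefix'\n";
        next;
    }
    $block->storeNetblock();
}

# A Perl module must end with a true value.
1;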