GeoMailSearch
Revision as of 18:46, 14 February 2014
About
GeoMailSearch is a plugin for Spamassassin built on the Maxmind GeoIP data. It can block or score mail by sender IP,
IP range, country or ASN, and even by geo data (latitude and longitude with a radius around a point).
GeoMailSearch is built on the SpamAssassin plugin skeleton.
GeoMailSearch is written in Perl and runs on Linux.
With GeoMailSearch you can:
- Score the email sender country
- Optionally score by sender time (office hours)

Advanced:
- Score the email sender country (array of rules)
- Optionally score by sender time (office hours)

- Score the email sender's ASN provider (array of rules)
- Optionally score the ASN provider by sender time (office hours)

- Score the email server latitude/longitude within a defined radius (array of rules)
- Optionally score the server latitude/longitude by sender time (office hours)
 
Requirements (Dependency Tree)
- Linux
- MySQL
- Perl
- Sendmail (or another, similar and functioning MTA)
- Spamassassin
- GeoMailSearch
- Maxmind GeoIP Database
Installation
Files
Please get GeoMailSearch.pm (download link below) and copy it to the Perl/Spamassassin plugin directory. Depending on your Linux distribution this might be:
/usr/share/perl5/Mail/SpamAssassin/Plugin/
Then check the permissions (the file must be readable by the user SpamAssassin runs as, and should be writable only by root) and give it a try by looking for error messages; there should be none when running:
root@myhost ~ # /usr/share/perl5/Mail/SpamAssassin/Plugin/GeoMailSearch.pl
Once the configuration below is in place, running spamassassin --lint also confirms that the plugin loads and that every geomailsearch_* setting is accepted.
Modules
It might be required to install some more Perl modules. These are the modules the plugin uses (DBI additionally needs the DBD::mysql driver to reach the MySQL server):
use strict;
package Mail::SpamAssassin::Plugin::GeoMailSearch;
use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Conf::Parser;
use POSIX;
use DBI;
use HTTP::Date qw/str2time/;
use Math::Trig qw(deg2rad pi great_circle_distance);
use Net::Syslog;
SQL
This plugin requires the GeoIP data in a MySQL database. First create the database, then create a user for it.
Please use the template geoip.sql from the download archive and run it with mysql.
Create database:
mysql -u myuser -p < geoip.sql
Then create the user, for example geouser (run the GRANT inside the mysql shell, or pass it with -e as shown):
mysql -u myuser -p -e "GRANT ALL PRIVILEGES ON geoip.* TO 'geouser'@'localhost' IDENTIFIED BY 'mypassword' WITH GRANT OPTION;"
The plugin only reads from the database, so the account used in the SpamAssassin configuration does not need WITH GRANT OPTION and can be limited to SELECT on geoip.*; only the loader (see GMS-LOADER below) needs write access. On MySQL 8 and later, create the user with CREATE USER first, because IDENTIFIED BY is no longer accepted inside GRANT.
Note
The above account credentials are needed in two places.
Sample:
- /etc/spamassassin/yourconfig
- /mypath/gms-loader.xml
Both files hold the password in clear text, so keep them readable only by root and the user SpamAssassin (or the loader) runs as.
Configuration
Basic
Spamassassin sample /etc/spamassassin/local.cf
Initialization
loadplugin Mail::SpamAssassin::Plugin::GeoMailSearch
header GeoMailSearch eval:check_geomailsearch()
Database Connection
geomailsearch_sql_database geoip
geomailsearch_sql_server 127.0.0.1
geomailsearch_sql_user username
geomailsearch_sql_pwd pax-s-w-0r-d
Log Level
Log level sample:
geomailsearch_syslog 1
Available levels:
- Level 0: No syslog
- Level 1: Full
- Level 2: Analyze
Basic Settings
Basic Country Settings
geomailsearch_score 1.0
geomailsearch_non_office_hours 20:00-07:00
geomailsearch_non_business_day 1
geomailsearch_block_country X1:X2:X3
Description:
| Name | Required | Value |
|---|---|---|
| geomailsearch_score | Yes | Score added to the SpamAssassin total when the rule matches |
| geomailsearch_non_office_hours | Optional | Time range of the NON office hours, hh:mm-hh:mm; a range that ends before it starts wraps past midnight. Sample for 18:00 until 08:00 the next day: 18:00-08:00 |
| geomailsearch_non_business_day | Optional | Non business days (weekend). If set to 1, Saturday and Sunday override the non office hours range and count as non office hours for the whole day. |
| geomailsearch_block_country | Yes | List of country codes separated by colons. Sample for a single country code: X1. Sample for an array of countries: X1:X2:X3 |
Advanced
Advanced Country Score
Advanced country scoring works as an array of rules; rules are separated by a pipe (|).
Sample for 3 rules:
geomailsearch_advanced_score_country X1:X2,0.5,20:00-07:00|X3:X4,0.6,19:00-20:00|X5,0.7
The above sample has 3 rules:
- Rule1: X1:X2,0.5,20:00-07:00
- Rule2: X3:X4,0.6,19:00-20:00
- Rule3: X5,0.7
Each rule has 2 or 3 elements: first the country array, then the score, and last an optional non office hour time range.
- Element1: Country codes, separated by colons
- Element2: Score
- Element3: Optional non office hour time range
The above sample has the following effective rules:
| Country | Score | Non office hour time range | 
|---|---|---|
| X1 | 0.5 | 20:00-07:00 | 
| X2 | 0.5 | 20:00-07:00 | 
| X3 | 0.6 | 19:00-20:00 | 
| X4 | 0.6 | 19:00-20:00 | 
| X5 | 0.7 | None | 
Advanced ASN Score
Advanced ASN scoring works as an array of rules; rules are separated by a pipe (|).
Sample for 3 rules:
geomailsearch_advanced_score_asn AS0001:AS0002,0.5,18:00-08:00|AS0003:AS0004,0.6,19:00-08:00|AS0005,0.7
The above sample has 3 rules:
- Rule1: AS0001:AS0002,0.5,18:00-08:00
- Rule2: AS0003:AS0004,0.6,19:00-08:00
- Rule3: AS0005,0.7
Each rule has 2 or 3 elements: first the ASN array, then the score, and last an optional non office hour time range.
- Element1: AS numbers, separated by colons
- Element2: Score
- Element3: Optional non office hour time range
The above sample has the following effective rules:
| AS Number | Score | Non office hour time range | 
|---|---|---|
| AS0001 | 0.5 | 18:00-08:00 | 
| AS0002 | 0.5 | 18:00-08:00 | 
| AS0003 | 0.6 | 19:00-08:00 | 
| AS0004 | 0.6 | 19:00-08:00 | 
| AS0005 | 0.7 | None | 
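The rule grammar shared by the basic country settings and the two advanced sections above (a colon-separated list, a score and an optional non office hour range, with rules separated by pipes) is small enough to check by hand before putting it into local.cf. The following Perl script is an added example, not GeoMailSearch's own code: it expands a rule string into the per-code table shown above and decides whether a rule's score applies at a given sender time. The wrap past midnight for a range such as 20:00-07:00, the reading of geomailsearch_non_business_day as "the whole of Saturday and Sunday counts as non office hours", and all function names are this example's own assumptions.

```perl
#!/usr/bin/perl
# Added example, not part of GeoMailSearch: parse the rule syntax of
# geomailsearch_advanced_score_country / geomailsearch_advanced_score_asn
# and apply the non office hour / non business day logic.
use strict;
use warnings;

# Expand "X1:X2,0.5,20:00-07:00|X5,0.7" into one entry per country code or
# AS number, matching the "effective rules" tables in the documentation.
# Returns a list of hashes { key, score, range } where range may be undef.
sub parse_rules {
    my ($setting) = @_;
    my @effective;
    for my $rule (split /\|/, $setting) {
        my ($list, $score, $range) = split /,/, $rule;
        die "rule '$rule' needs a list and a score\n"
            unless defined $list && defined $score && length $list;
        die "score '$score' in rule '$rule' is not numeric\n"
            unless $score =~ /^-?\d+(?:\.\d+)?$/;
        die "time range '$range' in rule '$rule' is not hh:mm-hh:mm\n"
            if defined $range && $range !~ /^\d{1,2}:\d{2}-\d{1,2}:\d{2}$/;
        for my $key (split /:/, $list) {
            push @effective, { key => $key, score => $score, range => $range };
        }
    }
    return @effective;
}

# hh:mm -> minutes since midnight.
sub to_minutes {
    my ($hhmm) = @_;
    my ($h, $m) = split /:/, $hhmm;
    return $h * 60 + $m;
}

# True if $now (minutes since midnight) lies inside the range. A range whose
# end is before its start, e.g. 20:00-07:00, wraps past midnight.
sub in_range {
    my ($range, $now) = @_;
    my ($from, $to) = map { to_minutes($_) } split /-/, $range;
    return $from <= $to
        ? ($now >= $from && $now < $to)
        : ($now >= $from || $now < $to);
}

# Score for $key at the sender's local time, or 0 if nothing applies.
# $wday is as returned by localtime(): 0 = Sunday, 6 = Saturday.
# With $non_business_day set, Saturday and Sunday count as non office hours
# for the whole day (this example's reading of geomailsearch_non_business_day).
sub rule_score {
    my ($rules, $key, $hour, $minute, $wday, $non_business_day) = @_;
    my $now = $hour * 60 + $minute;
    for my $r (@$rules) {
        next unless $r->{key} eq $key;
        return $r->{score} unless defined $r->{range};            # no time restriction
        return $r->{score} if $non_business_day && ($wday == 0 || $wday == 6);
        return in_range($r->{range}, $now) ? $r->{score} : 0;
    }
    return 0;                                                      # no rule for this key
}

# Constructed input: the three-rule country sample from the documentation.
my @rules = parse_rules('X1:X2,0.5,20:00-07:00|X3:X4,0.6,19:00-20:00|X5,0.7');
for my $r (@rules) {
    printf "%-4s %-4s %s\n", $r->{key}, $r->{score},
        defined $r->{range} ? $r->{range} : 'None';
}

# X1 at 23:30 on a Wednesday: inside the 20:00-07:00 window.
print rule_score(\@rules, 'X1', 23, 30, 3, 1), "\n";
# X1 at 12:00 on a Wednesday: office hours, nothing is scored.
print rule_score(\@rules, 'X1', 12, 0, 3, 1), "\n";
# X1 at 12:00 on a Sunday with geomailsearch_non_business_day 1: the weekend counts.
print rule_score(\@rules, 'X1', 12, 0, 0, 1), "\n";
# X5 at any time: the rule carries no time range.
print rule_score(\@rules, 'X5', 12, 0, 3, 0), "\n";
```

Feeding the ASN sample above (AS0001:AS0002,0.5,18:00-08:00|...) to parse_rules gives the corresponding AS number table; the grammar is identical, only the keys differ. The die calls make a typo in local.cf fail loudly instead of producing a rule that never matches.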
Advanced GEO Score
Advanced GEO scoring works as an array of rules; rules are separated by a pipe (|).
Sample for 2 rules:
geomailsearch_radius_score 90.0,0.01,200,0.5,18:00-23:00|-90.0,0.01,300,0.6
The above sample has 2 rules:
- Rule1: 90.0,0.01,200,0.5,18:00-23:00
- Rule2: -90.0,0.01,300,0.6
Each rule has 4 or 5 elements: first the geo data (latitude, longitude), then the search radius around that point, then the score, and last an optional non office hour time range.
- Element1: Latitude (decimal degrees, -90 to 90)
- Element2: Longitude (decimal degrees, -180 to 180)
- Element3: Radius (km)
- Element4: Score
- Element5: Optional non office hour time range
The above sample has the following effective rules:
| Latitude | Longitude | Radius (km) | Score | Optional non office hour range | Info |
|---|---|---|---|---|---|
| 90.0 | 0.01 | 200 | 0.5 | 18:00-23:00 | This is the North Pole :-) |
| -90.0 | 0.01 | 300 | 0.6 | None | This is the South Pole :-) |
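To see what a radius rule actually matches, the following Perl script is an added example (not GeoMailSearch code) that evaluates geomailsearch_radius_score rules with great_circle_distance from Math::Trig, the function the plugin imports. The Earth radius of 6371 km, the inclusive comparison against the radius, the coordinate sanity checks and the function names are this example's assumptions; the optional fifth element (non office hour range) is parsed but not evaluated here.

```perl
#!/usr/bin/perl
# Added example, not part of GeoMailSearch: evaluate geomailsearch_radius_score
# rules with great_circle_distance from Math::Trig, the module the plugin lists.
use strict;
use warnings;
use Math::Trig qw(deg2rad great_circle_distance);

# Mean Earth radius in km (assumption; the radius GeoMailSearch itself uses is not documented).
my $EARTH_RADIUS_KM = 6371;

# Math::Trig works in spherical coordinates: theta is the longitude and phi the
# angle measured from the north pole, so phi = 90 - latitude (both in radians).
sub distance_km {
    my ($lat1, $lon1, $lat2, $lon2) = @_;
    return great_circle_distance(
        deg2rad($lon1), deg2rad(90 - $lat1),
        deg2rad($lon2), deg2rad(90 - $lat2),
        $EARTH_RADIUS_KM,
    );
}

# Parse "lat,lon,radius_km,score[,hh:mm-hh:mm]|..." into a list of hashes and
# reject coordinates or radii that cannot exist.
sub parse_radius_rules {
    my ($setting) = @_;
    my @rules;
    for my $rule (split /\|/, $setting) {
        my ($lat, $lon, $radius, $score, $range) = split /,/, $rule;
        die "rule '$rule' needs lat,lon,radius,score\n" unless defined $score;
        die "latitude $lat out of range in '$rule'\n"   unless $lat >= -90  && $lat <= 90;
        die "longitude $lon out of range in '$rule'\n"  unless $lon >= -180 && $lon <= 180;
        die "radius $radius must be positive in '$rule'\n" unless $radius > 0;
        push @rules, { lat => $lat, lon => $lon, radius => $radius,
                       score => $score, range => $range };
    }
    return @rules;
}

# Sum of the scores of every rule whose circle contains the sender's location.
# The optional non office hour element is carried along but not evaluated here.
sub radius_score {
    my ($rules, $lat, $lon) = @_;
    my $total = 0;
    for my $r (@$rules) {
        $total += $r->{score}
            if distance_km($lat, $lon, $r->{lat}, $r->{lon}) <= $r->{radius};
    }
    return $total;
}

# Constructed input: the two-rule sample from the documentation. Latitude 90.0
# is the North Pole, -90.0 the South Pole.
my @rules = parse_radius_rules('90.0,0.01,200,0.5,18:00-23:00|-90.0,0.01,300,0.6');

# One degree of latitude south of the North Pole lies inside the 200 km circle.
printf "%.1f km from the pole, score %s\n",
    distance_km(89.0, 0.01, 90.0, 0.01), radius_score(\@rules, 89.0, 0.01);
# A mid-latitude sender (roughly London) matches neither circle.
printf "%.1f km from the pole, score %s\n",
    distance_km(51.5, -0.1, 90.0, 0.01), radius_score(\@rules, 51.5, -0.1);
```

Pass the latitude and longitude the GeoIP lookup returns for the sending IP to radius_score; scores are summed when a location falls inside more than one configured circle, which is worth keeping in mind when circles overlap.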
Configure Syslog
If you use syslog, make sure your rsyslog daemon accepts UDP on 127.0.0.1. Bind the listener to the loopback address so the port is not exposed on the network:
- /etc/rsyslog.conf
$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 514
GMS-LOADER
The GeoMailSearch loader takes care of downloading the most recent Maxmind database and inserts the data into the MySQL server.
The GMS loader uses an XML configuration file for its settings.
Sample
<?xml version="1.0"?>
<CONFIG>
  <HTTP_Maintain IPLIST="1" ASNLIST="1" CITYLIST="0" />
  <HTTP_Download
    IPLIST="http://geolite.maxmind.com/download/geoip/database/GeoLiteCity_CSV/GeoLiteCity-latest.zip"
    ASNLIST="http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2.zip"
    CITYLIST="http://download.maxmind.com/download/worldcities/worldcitiespop.txt.gz" />
  <GeoDatabase Database="geoip" Server="localhost" Username="geouser" Password="xxxx" />
  <System SyslogIP="127.0.0.1" DeleteTempDataOnStartup="1" DeleteTempDataOnExit="1" />
</CONFIG>
The sample URLs use plain http, so the archives are not authenticated in transit before the loader imports them into the database; prefer https where the provider offers it and compare the download against a published checksum.
HTTP_Maintain attributes:
| Attribute | Value | Description |
|---|---|---|
| IPLIST | Boolean | Download and maintain the IP list |
| ASNLIST | Boolean | Download and maintain the ASN list |
| CITYLIST | Boolean | Download and maintain the city list |
Note: downloading the city list is not required that often, maybe once a year.
HTTP_Download attributes:
| Attribute | Value | Description |
|---|---|---|
| IPLIST | URL | URL of the IP list |
| ASNLIST | URL | URL of the ASN list |
| CITYLIST | URL | URL of the city list |
GeoDatabase attributes:
| Attribute | Description |
|---|---|
| Database | MySQL database |
| Server | MySQL server name |
| Username | MySQL username |
| Password | MySQL password |
System attributes:
| Attribute | Description |
|---|---|
| SyslogIP | IP address of your syslog server, leave empty to disable |
| DeleteTempDataOnStartup | Delete temporary download data at startup |
| DeleteTempDataOnExit | Delete temporary download data at exit |
GMS-LOADER CRON
Cron sample (runs at 01:00 on the 5th of every month):
#m h dom mon dow command
0 1 5 * * (cd /usr/local/gms-loader/; ./gms-loader.pl)
Download GMS