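#!/bin/sh
# mail.clean_quarantine.sh
# Copyright (c) 2008 Peter Kuyarov, All rights reserved
# Local version:
# Wed Sep 3 08:27:37 MDT 2008 - 1.2.2
# clean up some code parsing...
# any lines with 'localhost' were ignored, thus
# 'helo localhost' by spammer was causing this to fail..
# Tue Sep 2 13:47:06 MDT 2008 - 1.2.1
# if fails to add spam ip to 'pf' table,
# will not delete quarantined spam
# for later manual check of what failed
# Thu Aug 28 09:22:06 MDT 2008 - 1.2
# now it bzips the qscand quarantine.log file
# ability to store custom config in $conf file
# Local version: 1.0
# Tue Aug 26 10:21:22 MDT 2008 - 1.0
# added tracking file of servers with high spam scores
# using that file for later blocking with pf/ipfw/spamd/etc....
# Tue Feb 12 08:32:54 MST 2008
#
# delete old quarantined [spamass/clamav] emails
# delete quarantined emails over certain spamass score
#
# scripts@pknet.net
# http://peterk.org/scripts/
#
# Relies on FreeBSD-style tools: `date -v`, `find -mtime +Nd`, pfctl.

# Fixed search path so the tools invoked below do not depend on the caller's
# environment.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin/:/usr/local/vpopmail/bin/
export PATH

# configuration file for this script
conf='/usr/local/etc/mail.clean_quarantine.conf'

#
# start $conf file
# begin user config variables;
# these defaults can be put in $conf files
#
# max days to keep quarantine files;
maxkeep=5
# delete email over this spamass score
delspamover=18
# how many days to keep qscan quarantine log files
qsquarkeepdays=15
# scan quarantined spam emails over $delspamover
# put that smtp server into spammers list for
# later blocking with pf/ipfw/spamd/etc....
pfspammers="/var/qmail/control/pf.spammers"
# root of the qscand spool; the paths below are derived from it
qscandir='/var/spool/qscand'
# log file for script
logfile="/var/log/mail.clean_quarantine.log"
#
# end user config variables;
# end $conf file
#

# Derived paths are filled in only AFTER $conf has been read, so that a conf
# file which overrides just $qscandir moves all of them with it. Clear them
# first so that values inherited from the environment cannot redirect the
# rm/mv operations below.
unset quardir newspam curspam qsquarantinelog

# $conf is sourced, i.e. executed with this script's privileges (presumably
# root, since pfctl is called below): keep it owned by that user and not
# writable by anyone else.
if [ -r "$conf" ]; then
  . "$conf"
else
  printf 'Local settings [%s] do NOT exist, using defaults\n' "$conf"
  sleep 1
fi

: "${qscandir:?qscandir must not be empty}"
: "${quardir:=$qscandir/quarantine}"
: "${newspam:=$qscandir/quarantine/spam/new}"
: "${curspam:=$qscandir/quarantine/spam/cur}"
: "${qsquarantinelog:=$qscandir/quarantine.log}"

# Tolerate a signed value here (a conf file may carry one), then insist that
# every numeric setting is a plain non-negative integer: they are pasted into
# find/date arguments and compared with `-gt` further down.
qsquarkeepdays=${qsquarkeepdays#[-+]}
for setting in "$maxkeep" "$delspamover" "$qsquarkeepdays"; do
  case $setting in
    '' | *[!0-9]*)
      printf 'mail.clean_quarantine: numeric setting expected, got [%s]\n' \
        "$setting" >&2
      exit 1
      ;;
  esac
done

# Succeeds only for a bare IPv4 dotted quad or an IPv6-looking literal.
# Hostnames, CIDR suffixes, negation and embedded whitespace are refused.
is_ip_literal() {
  case $1 in
    '' | *[!0-9A-Fa-f.:]*) return 1 ;; # characters no address contains
    *:*) return 0 ;;                   # loose IPv6 check; pfctl has final say
    *[!0-9.]* | .* | *. | *..* | *.*.*.*.*) return 1 ;;
    *.*.*.*) return 0 ;;
  esac
  return 1
}

# below should not really be changed
hour=$(date "+%H")
stamp=$(date "+%Y.%m.%d.%H%M")
yesterday=$(date -v -1d "+%Y.%m.%d")
# `date -vNd` without a sign SETS the day of month to N; the explicit minus
# makes it "N days ago", which is what the rotated log names require.
qsquarexpired=$(date -v-"${qsquarkeepdays}"d "+%Y.%m.%d")

maxkeepcount=0
delspamovercount=0
mvspamundercount=0
totalnewspamcount=$(ls "$newspam" | wc -l | tr -d ' ')

# File lists are written to a private temp file and read back line by line,
# so paths are never word-split or glob-expanded by the shell.
worklist=$(mktemp "${TMPDIR:-/tmp}/mail.clean_quarantine.XXXXXX") || exit 1
trap 'rm -f -- "$worklist"' EXIT

echo "---------------$stamp---------------" >> "$logfile"
printf '%s\t - %s - total new spam\n' "$totalnewspamcount" "$stamp" >> "$logfile"

#
# delete old quarantined files over $maxkeep days
#
find "$quardir" -type f -mtime "+${maxkeep}d" -print > "$worklist"
while IFS= read -r oldspam <&3; do
  maxkeepcount=$((maxkeepcount + 1))
  rm -- "$oldspam"
done 3< "$worklist"
printf "%s\t - %s - 'rm'ed over %s days old\n" \
  "$maxkeepcount" "$stamp" "$maxkeep" >> "$logfile"

# make dated to be commented out so pf doesn't import it...
echo "#$(date)" >> "$pfspammers"

#
# to keep /var from filling up
# delete quarantined spam over $delspamover
# move other files to 'cur' directory for them to age out
# only whatever is over $sa_quarantine is here; so anyways
# all is 99% sure it's spam.
#
find "$newspam" -type f -print > "$worklist"
while IFS= read -r i <&3; do
  score=$(tail -2 "$i" \
    | grep "Quarantine-Description: SPAM content refused by this network" \
    | sed -e 's/.*(//g' -e 's/\/.*//g' -e 's/\..*//g')
  # A missing or malformed score is handled like a low one: the message is
  # only moved aside, never deleted and never used for blocking.
  case $score in
    '' | *[!0-9]*) score=0 ;;
  esac

  if [ "$score" -gt "$delspamover" ]; then
    delspamovercount=$((delspamovercount + 1))
    spammersip=$(grep 'Received: from' "$i" | grep -v 'from localhost' \
      | head -1 | sed -e 's/.*(//g' -e 's/)$//g')
    # The address is parsed out of message text, which the sender can
    # influence, and ends up in a firewall table: accept nothing but a bare
    # address. Anything else leaves the message in place for manual review.
    # NOTE(review): no allow-list is consulted before blocking; confirm that
    # trusted relays are exempted elsewhere (e.g. in the pf ruleset).
    if is_ip_literal "$spammersip"; then
      printf '%s\n' "$spammersip" >> "$pfspammers"
      # Delete the message only once pf accepted the address; report the
      # file on stdout (for cron mail) if either step fails.
      if ! { pfctl -q -t spammers -T add "$spammersip" && rm -- "$i"; }; then
        printf '%s - %s \n' "$i" "$spammersip"
      fi
    else
      printf '%s - %s \n' "$i" "$spammersip"
    fi
  else
    mv -- "$i" "$curspam"
    mvspamundercount=$((mvspamundercount + 1))
  fi
done 3< "$worklist"
printf "%s\t - %s - 'rm'ed spamover %s\n" \
  "$delspamovercount" "$stamp" "$delspamover" >> "$logfile"
printf "%s\t - %s - 'mv'ed spamunder %s\n" \
  "$mvspamundercount" "$stamp" "$delspamover" >> "$logfile"

#
# at midnight do final tally of quarantined spam yesterday;
# and print statistics on stdout for cron to email
#
if [ "$hour" = 00 ]; then
  yesterday2=$(date -v -1d "+%a, %d %b %Y")
  # Count from the same file that is rotated below, so a conf override of
  # $qsquarantinelog is honoured in both places.
  totalspam=$(grep -F -- "$yesterday2" "$qsquarantinelog" \
    | grep -c "SPAM content refused by this network")
  echo "---------------$yesterday.2359---------------" >> "$logfile"
  printf '%s\t - %s.2359 - TOTAL SPAM for the day\n' \
    "$totalspam" "$yesterday" >> "$logfile"
  # -F: the dots in the date are literal, not regex wildcards
  grep -F -- "$yesterday" "$logfile"
  mv -- "$qsquarantinelog" "${qsquarantinelog}.${yesterday}" \
    && bzip2 -v "${qsquarantinelog}.${yesterday}" \
    && rm -v -- "${qsquarantinelog}.${qsquarexpired}.bz2"
fi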