[Dshield] SASL Hacks & Swatch Alternative

George Theall theall at tifaware.com
Wed Mar 2 20:28:34 GMT 2005

On Wed, Mar 02, 2005 at 01:14:46PM -0500, David Cary Hart wrote:

> That said, swatch is a bit messy and, possibly, a tad unstable. I've
> googled, freshmeated and sourceforged to death without success. Any
> suggestions? I need a log watcher that can execute a script based upon
> pcre in real time.

Have you looked at my log-guardian? It's at:


As an example, I run sendmail with Neil Rickert's block_bad_helo.m4 to
block spammers using a HELO/EHLO hostname of my domain and the like. 
When this triggers, sendmail logs the rejection like this:

  Mar  2 00:25:06 badger sm-mta[15975]: j225P3eF015975: ruleset=check_rcpt, arg1=<george at tifaware.com>, relay=203.Red-81-42-248.pooles.rima-tde.net [], reject=550 5.7.1 <george at tifaware.com>... Bogus HELO name used - tifaware.com

To reduce the number of such attempts, I've added a "monitor" for
log-guardian that blocks hosts who use this trick more than two times:

                       ---- snip, snip, snip ----
our $monitors = {                       # what to monitor.
    '/var/log/mail.log' => [
            # Spammers
            label   => 'Spammers Faking My Hostname',
            pattern => qr/relay=[^,\[]*\[([\d\.]+)\], reject=5\d\d .+ Bogus HELO name used/,
            action  => sub {
                my $ip = $_[4];
                our %attempts;          # nb: this must have global scope!
                # One strike and they're out -- we drop any further
                # packets from them!
                if (++$attempts{$ip} == 2) {
                    system '/usr/bin/logger', '-i', '-t', 'log-guardian', "blocking $ip after 2 attempts to fake hostname.";
                    # nb: this is Linux / iptables specific; adjust to taste.
                    system '/sbin/iptables', split(/ /, "-I BLOCKLIST -s $ip -p tcp -j TARPIT");
                       ---- snip, snip, snip ----

Log-guardian runs continually, monitoring the mail log for lines
matching the specified pattern.  When one occurs, the regular expression
extracts the IP address of the connecting host while the hash %attempts
tracks attempts by ip.  After the second attempt, the host will be

theall at tifaware.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/list/attachments/20050302/a920cfa5/attachment.bin

More information about the list mailing list