Mailing-List: contact users-help@spamassassin.apache.org; run by ezmlm
Precedence: bulk
Received-SPF: pass (athena.apache.org: local policy)
Date: Mon, 14 Mar 2011 13:41:04 +0100 (CET)
From: Markus Reschke <madires@theca-tabellaria.de>
To: users@spamassassin.apache.org
Subject: plugin for CIDR matching 
Message-ID: <alpine.DEB.2.00.1103141313230.2436@pyxis.theca-tabellaria.de>
User-Agent: Alpine 2.00 (DEB 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII

Hi!

Currently I'm writing a small SA plugin for checking if IP addresses of
relaying MTAs (in the Received: lines) are within a list of defined CIDR
blocks. Most admins filter specific CIDR blocks, e.g. from known SPAMming 
ISPs, at the MTA level. That way all emails from the given CIDR blocks are
rejected. But some users like to get those emails too. There could be an
important email or one from a potential customer - whatever. My SA plugin 
can solve that problem by adding a SPAM score to matching emails. The 
email may be flagged as SPAM but it's received.

I've tested the plugin on two servers. Please test it too! You'll need 
two perl modules (Net::IP::AddrRanges and Net::CIDR) from CPAN. Any 
(positive :-) feedback is welcome.

And now the plugin (docs included):

#
# Copyright 2011 by Markus Reschke
#

# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at:
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>


=head1 NAME

CIDRlight - CIDR check plugin for SpamAssassin

=head1 SYNOPSIS

   loadplugin             Mail::SpamAssassin::Plugin::CIDRlight

   add_cidrlight_blocks   <CIDR block> [<CIDR block> ...]

   header                 <test tag> eval:check_cidrlight_blocks()

=head1 EXAMPLE

Example for cf-file:

   loadplugin             Mail::SpamAssassin::Plugin::CIDRlight 
/etc/spamassasin/CIDRlight.pm

   add_cidrlight_blocks   10.0.0.0/8 1.2.3.4
   add_cidrlight_blocks   192.168.0.0/16

   header                 CIDR eval:check_cidrlight_blocks()
   describe               CIDR CIDRlight: Received from evil network
   score                  CIDR 5.0

=head1 DESCRIPTION

This plugin checks if an email was sent via a specific network by 
comparing
the IP adresses in the "Received:" lines with defined CIDR blocks. If the
IP address matches one of the CIDR blocks in the list, the eval function
returns 1. IPv4 and IPv6 are supported.

=cut


package Mail::SpamAssassin::Plugin::CIDRlight;

use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Logger;
use Net::IP::AddrRanges;
use Net::CIDR;
use strict;
use warnings;
use bytes;
use re 'taint';

use vars qw(@ISA);
@ISA = qw(Mail::SpamAssassin::Plugin);

# version
our $VERSION = '0.18';

# create empty block list
my $blocks = Net::IP::AddrRanges->new();


#
# constructor
#
sub new {
   #my ($class, $mailsaobject) = @_;

   my $class = shift;
   my $mailsaobject = shift;

   # some boilerplate...
   $class = ref($class) || $class;
   my $self = $class->SUPER::new($mailsaobject);
   bless ($self, $class);

   # eval rules
   $self->register_eval_rule ("check_cidrlight_blocks");

   info("CIDRlight: plugin enabled.");
   dbg("CIDRlight: registered Mail::SpamAssassin::Plugin::CIDRlight: 
$self");
   return $self;
}


#
# parse config
#

sub parse_config {
   my ($self, $opts) = @_;

   # add CIDR blocks to local list
   if ($opts->{key} eq "add_cidrlight_blocks") {
     foreach my $temp (split(/\s+/, $opts->{value})) {
        my $value = lc($temp);
        my $check = '';

        $check = Net::CIDR::cidrvalidate($value);

        if (! defined $check) {
          dbg("CIDRlight: invalid CIDR block %s.", $value);
        }
        else {
          $blocks->add($value);
          dbg("CIDRlight: added %s.", $value);
        }
     }

     $self->inhibit_further_callbacks();
     return 1;
   }

   return 0;
}


#
# and the eval rule itself
#

sub check_cidrlight_blocks {
   my ($self, $permsgstatus) = @_;

   my $received = $permsgstatus->get("Received");
   my @recs = split('\n',$received);

   for (@recs) {
     my $ip = '';
     my $check;

     # IPv4
     if ($_ =~ /.+\[(\d+\.\d+\.\d+\.\d+)\]\)/) {
       $ip = $1;
     }
     # IPv6 link local with zone ID
     elsif ($_ =~ /.+\[(fe80::.*)%.+\]\)/) {
       $ip = lc($1);
     }
     # IPv6 condensed
     elsif ($_ =~ /.+\[(.*::.*)\]\)/) {
       $ip = lc($1);
     }
     # IPv6 non condensed
     elsif ($_ =~ /.+\[(.*:[0-9a-f]{1,4}:.*)\]\)/) {
       $ip = lc($1);
     }

     # check
     if ($ip) {
       $check = Net::CIDR::cidrvalidate($ip);

       if (! defined $check) {
         dbg("CIDRlight: got invalid IP address from Received line (%s).", 
$ip);
       }
       else {
         dbg("CIDRlight: got %s from Received line.", $ip);

         if ($blocks->find($ip)) {
           dbg("CIDRlight: got block match for %s.", $ip);
           return 1;
         }
       }
     }
   }

   return 0;
}

1;

PS: I'm working on a more advanced version too (supporting named lists, 
e.g. individual CIDR block lists for multiple providers/networks).

Best regards
  Markus
-- 
/ Markus Reschke \ / madires@theca-tabellaria.de \ / FidoNet 2:244/1661 \
\                / \                             / \                    /