Vispan

Current version 3.1.4

22 June 2017

Download

Latest Stable Release

If you have rogue entries in your data file then you can use Vispan-edit to deal with them.

Beta Release
None
Please note that this release is a BETA release and may not work correctly. It is intended for people who want the latest features and are prepared to provide the author with feedback.
Please Note: This version requires the use of the GD graph library.

Installation

To install, download the zipped tar file. Unpack it – this will create a directory called Vispan-x.x (where x are the version numbers). Go into the directory and type:
perl Makefile.PL
make install

This will install the necessary files into your system.

If necessary it will amend your crontab to add an entry to call the script.

Please note that the config file will be installed into /etc. If it already exists then it will be upgraded and a backup copy made of the original file. You should check that the upgraded file contains the correct settings.

UPGRADING – the latest version should read the stats in from your existing file; however, this code has not been extensively tested and no guarantees are made about the accuracy of the resulting statistics.

Dependencies

Example

For an example of the output see http://www.while.org.uk/vispan

Description

Vispan is a Perl script which analyses the mail log file to produce useful statistics. It requires MailScanner to provide the necessary log file entries. The virus list is dependent on the virus scanner you have installed.

In order to detect the spam correctly it is strongly recommended to use SpamAssassin with MailScanner.

The script can also apply heuristics to the senders of the spam emails and automatically add them to the sendmail access file, which will cause further mails from them to be rejected. After a definable period of time they will be removed from the access file and once again allowed to send mail to you.

The heuristics provide an escalation mechanism: when an IP address is removed from the block list, a grace period starts. If that IP sends any spam during that period, it is escalated and blocked for twice the previous block time. For example, using the default settings:
Level 1 = 5 days
Level 2 = 10 days
Level 3 = 20 days
Level 4 = 40 days
etc
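
The escalation above can be modelled as a small state machine. This is an added Python example, not Vispan's own Perl code: the grace-period length, the reset after a clean grace period, and the `Escalator` class with its method names are assumptions the page does not specify.

```python
DAY = 24 * 60                 # minutes per day
BLOCK_TIME = 5 * DAY          # BlockTime is in minutes; 5 days gives the page's Level 1
GRACE_TIME = 5 * DAY          # assumption: the page does not state the grace length

def block_minutes(level, base=BLOCK_TIME):
    """Block length for a level: the base time doubled at each escalation."""
    return base * 2 ** (level - 1)

class Escalator:
    def __init__(self, base=BLOCK_TIME, grace=GRACE_TIME):
        self.base, self.grace = base, grace
        self.entries = {}     # ip -> {"level", "blocked_until", "grace_until"}

    def _expire(self, ip, now):
        e = self.entries.get(ip)
        if e is None:
            return None
        if e["blocked_until"] is not None and now >= e["blocked_until"]:
            # Block over: the IP is unblocked and its grace period starts.
            e["grace_until"] = e["blocked_until"] + self.grace
            e["blocked_until"] = None
        if e["blocked_until"] is None and now >= e["grace_until"]:
            # Assumption: a clean grace period forgets the IP (back to Level 1).
            del self.entries[ip]
            return None
        return e

    def on_spam(self, ip, now, over_threshold=False):
        """Return the new block length in minutes, or None if nothing is added."""
        e = self._expire(ip, now)
        if e is None:
            if not over_threshold:   # first offence needs the NumSpams limit
                return None
            e = self.entries[ip] = {"level": 0}
        elif e["blocked_until"] is not None:
            return None              # already blocked, nothing to escalate
        # New offender, or any spam during grace: go up one level.
        e["level"] += 1
        e["blocked_until"] = now + block_minutes(e["level"], self.base)
        e["grace_until"] = None
        return block_minutes(e["level"], self.base)

    def is_blocked(self, ip, now):
        e = self._expire(ip, now)
        return e is not None and e["blocked_until"] is not None
```

Times are minute counters, matching the unit of BlockTime; because each level doubles the previous one, a persistent sender reaches multi-month blocks after only a few repeats.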

I believe that this is superior to the RBLs that are maintained since you have control over them and it is specific to the behaviour of your particular mail server.

Usage

Vispan is usually called via the cron mechanism – an entry is created at install time to do this. Note that the time interval set by the cron job should not be changed since Vispan uses this to perform some calculations. Changing the run interval in the cron job will cause some very weird results.

There are command line options as follows:

-h
Print out a help message and quit
-f
Use the alternate config file specified
-r xxx.xxx.xxx.xxx
Remove the IP address specified from the access database and the Vispan data file.

Config file

The Vispan.conf file contains configuration information which you should change to suit your requirements as follows:

UseAccess
Set to 1 to use the access file in sendmail; set to 0 to avoid it.
UseIPTables
Set to 1 to use the iptables facility to block the sender at the firewall level. Note that setting this to 1 will effectively set UseAccess to 0: the packet will never get as far as the MTA, so there is no point blocking at the MTA level.
UseHeuristics
Set to 1 to use the heuristics system. Set to 0 to just produce a list of IP addresses that have sent spam – this might get pretty large!
BlockTime
The amount of time that the sender should stay in the access block list. Specified in minutes.
IPTables
The location of the iptables command
IPTablesConf
The location of the iptables config file. This MUST be set to the system location of your config file so that the IP blocks get reloaded on a system restart
AccessList
Path to the access file – only used if UseAccess is set to 1
MakeMap
The location of the makemap command – needed to rebuild the access file for sendmail
WhereIs
Location of the whereis command – used to determine the version numbers. Usually /usr/bin/whereis for Linux systems and /usr/ucb/whereis for Solaris.
WhereisPath
The paths that the whereis command will search to find the virus scanners and mail scanner
LogFile
The location of your mail log file
Queue_Dirs
A space separated list of the full paths of any extra mail queue dirs.
WhiteList
An array containing the IP addresses of servers that should not be added to the access file. Can be specified as individual addresses, a range or in CIDR format. Entries should be separated by a space.
Can also be the full pathname to a file – the name must start with @.
tmpfile
The location of the temporary file that is created
WorkDir
The directory that you want to use to keep the working files in.
HTMLDir
The directory to hold the output HTML code
Header
The location of a header file that can be used to provide HTML to be added before the generated HTML. The contents are added immediately after the body tag and before any HTML generated by Vispan.
Footer
Similar to the header but added after the generated HTML and immediately before the horizontal line at the bottom of the page. Setting this to an empty file will prevent the W3C logo appearing.
Logo
The name of a file to include as a logo.
StyleSheet
If you use a style sheet you can specify it here – it should be relative. A sample style sheet is provided in the distribution.
SMLogString
The string that is logged to the log file for sendmail. Most installs use sendmail but FreeBSD appears to use sm-mta.
UseGeoIP
Set to 1 to use the geographic functions to determine the location of the spam/virus based on the IP address. This requires the use of the GeoIP library and should only be enabled if you have already loaded it.
HighScore
The value of the high spam score as defined in the MailScanner config file
PageTitle
The title to appear on the page
Scanner
The virus scanning software you are using. Currently can be one of sophos, sophossavi, mcafee, command, bitdefender, etrust, inoculan, f-secure, f-prot, rav, antivir, clamav, clamavmodule, trend or mailscanner.
IncludeIPInReject
Whether to include the IP address in the reject text. Set to 1 to include.
Spam_Reject_Text
The text placed after the IP address in the access file. This is sent to the sending MTA when mail is rejected. This is used when an IP address is added due to excessive Spam mail being received.
Virus_Reject_Text
The text placed after the IP address in the access file. This is sent to the sending MTA when mail is rejected. This is used when an IP address is added due to excessive viruses being received.
CheckHacker
Whether to look for sending servers that don’t conform to the SMTP protocol. Set to 1 to enable.
Hack_Reject_Text
The text placed after the IP address in the access file. This is sent to the sending MTA when mail is rejected. This is used when an IP address is added due to excessive requests being made which don’t conform to the SMTP protocol.
DisplayTop
A number to indicate that the program should only display the top n in the country list and the SpamAssassin trap report.
Mins, Hours, Days, Months, Years
These specify the number of sets of data to keep for each of the intervals. These are used in the detailed statistics output.
FromLeft
Set to 1 to make the graphs grow from the left instead of the right. That is, new values will appear on the left.
ServersToLookAt
A list of servers to look for in the log file. Leave blank for all servers.
AccessNotify
When set to 1, an email is sent whenever an IP address is added to the access file.
NotifyToAddress
The address to send the email to.
NotifyFromAddress
The address that the email comes from.
NotifySubject
The subject line of the email.
SMTPServer
The SMTP server to use to send the email.
NumSpams
The maximum number of spams allowed from a particular source in a 24 hour period before it gets added to the access file.
NumViruses
The maximum number of viruses from a given IP address in a 24 hour period before it gets added to the access file.
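
A whitelist check of the kind the WhiteList setting describes, applied before an address is added to the block list. This is an added Python example, not Vispan's code: the `first-last` range syntax, the layout of the `@` file and the function names are assumptions, since the page does not define them.

```python
import ipaddress

def parse_whitelist(value):
    """Parse a WhiteList value into (first, last) address pairs.

    Raises ValueError on a malformed entry, so a typo stops the run
    instead of silently leaving a trusted relay open to blocking.
    """
    if value.startswith("@"):
        # Assumed file layout: whitespace-separated entries, '#' comments.
        with open(value[1:]) as fh:
            value = " ".join(line.split("#", 1)[0] for line in fh)
    spans = []
    for token in value.split():
        if "/" in token:                       # CIDR block
            net = ipaddress.ip_network(token, strict=False)
            lo, hi = net[0], net[-1]
        elif "-" in token:                     # assumed range syntax: first-last
            lo, hi = (ipaddress.ip_address(p) for p in token.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {token}")
        else:                                  # single address
            lo = hi = ipaddress.ip_address(token)
        spans.append((lo, hi))
    return spans

def is_whitelisted(ip, spans):
    """True if ip falls inside any whitelisted span."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == lo.version and lo <= addr <= hi
               for lo, hi in spans)

# Constructed sample value using documentation address ranges.
SAMPLE = "192.0.2.1 198.51.100.10-198.51.100.20 203.0.113.0/24"
```

Checking the whitelist before every automatic block keeps your own relays and monitoring hosts from being locked out by the NumSpams or NumViruses thresholds.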