aboutsummaryrefslogtreecommitdiffstats

ejabberd mod_spam_filter ingest

CodeFactor

installation

Python 3 virtual environment

virtualenv -p python3
pip install -r requirements.txt

configuration

ejabberd

/etc/ejabberd/modules.d/mod_spam_filter.yml

modules:
  mod_spam_filter:
    ...
    spam_dump_file: "/var/log/ejabberd/spam-@HOST@.txt"
    ...

config.json

The config.json file is used to preserve date from possible updates to this script. config.py will load config .json to extract the name, which is used to sign the report message with. In the future there might be other things the config.json may contain.

$ cat config.json
{
  "name": "username"
}

usage main.py

usage: main.py [-h] [-in INFILE [INFILE ...]] [-d DOMAIN] [-r] [-f A] [-t B]

optional arguments:
  -h, --help            show this help message and exit
  -in INFILE [INFILE ...], --infile INFILE [INFILE ...]
                        set path to input file
  -d DOMAIN, --domain DOMAIN
                        specify report domain
  -r, --report          toggle report output to file
  -f A, --from A        ISO-8601 timestamp where to start the search
  -t B, --to B          ISO-8601 timestamp up until where to start the search

run with no argument

If main.py is run without any arguments attached, then the script will output a "top 10" table showing the amount of messages/ bots for the most spammy domains in the database.

example
$./main.py

|   messages |   bots | domain        |
|------------+--------+---------------|
|         42 |      1 | example.net   |
|         17 |      9 | example.rs    |
|          7 |      5 | example.cd    |
|          5 |      3 | example.de    |
|          4 |      4 | example.ru    |
|          3 |      1 | example.co.uk |
|          3 |      3 | example.com   |
|          3 |      1 | example.net   |
|          3 |      1 | example.fr    |
|          3 |      1 | example.com   |

-in / --infile

The --in or --infile argument is designed to run automatically via the logrotate daemon. Therefore the script is able to process gzip compressed files and also multiple files at once via shell expansion.

example

If ejabberd is configured to create multiple spamdump files it is possible to ingest all files at once, following this example.

$ ./main.py --in /var/log/ejabberd/spam-*.log

-d / --domain

If a domain is specifically defined to be processed, the script will only query the sqlite database for that domain. It is possible to provide multiple domains at once via multiple -d or --domain arguments.

example
$ ./main.py --d example.tld -d example.com

|   messages |   bots | domain      | first seen                  | last seen                   |
|------------+--------+-------------+-----------------------------+-----------------------------|
|         15 |      9 | example.tld | 2019-04-28T20:19:43.939926Z | 2019-05-22T13:59:53.339834Z |
|         23 |      7 | example.com | 2018-02-28T20:19:43.939926Z | 2019-05-22T13:59:53.339834Z |

-r / --report

This flag will only take effect if the -d or --domain argument is used. If that is the case, the script will automatically gather information about the specified domain and write them to the report directory.

-f / --from and -t / --to

With this flag it is possible to provide an ISO-8601 timestamp with the specified query, to further narrow the expected result. All outputting querys support the custom time period flags.