Thread: Sending automatic abuse complaints


    Hi everyone!

    I'm just dropping by to share a little script I wrote a couple of days ago.
    I've noticed a huge increase in open relay scanning, and although Zimbra users aren't vulnerable, I thought this was a good opportunity to annoy spammers.

    Suspicious entries in the daily log look like this:
    Code:
    message reject detail
    ---------------------
        RCPT
            Relay access denied (total: 38)
                5 ono.com
                3 190.5.230.178
                3 p578bd5ec.dip0.t-ipconnect.de
                3 nuvox.net
                3 63.115.40.56
                3 amos-traffic.co.uk
                2 charter.com
                2 static.sbb.rs
                2 bband-dyn112.178-41-177.t-com.sk
                2 119.73.152.205
                2 mtnbusiness.co.za
                1 201.203.3.10
                1 telesp.net.br
                1 rogers.com
                1 rr.com
                1 teksavvy.com
                1 cox.net
                1 rima-tde.net
                1 88.247.78.4
    What's going on? Basically, someone is looking for misconfigured mail servers which will forward e-mails for anyone. This would allow them to send spam and have someone else deal with the consequences.
    Looking more closely at the logs, I figured that all those scans were originating from the same individual (because of patterns in the scan). At first, I began sending abuse mail manually, but it didn't take long for me to realize that it was far too time consuming. So I wrote a small shell script that does the job by itself: every day, it parses Zimbra logs, looks for suspicious entries and sends everything to the registered abuse contact in the WHOIS database.
    Code:
    #!/bin/bash
    
    # This program is free software: you can redistribute it and/or modify
    # it under the terms of the GNU General Public License as published by
    # the Free Software Foundation, either version 3 of the License, or
    # (at your option) any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program. If not, see <http://www.gnu.org/licenses/>.
    
    # The log file that logrotate has just rotated (see the logrotate snippet below).
    LOG="/var/log/zimbra.log.1"
    
    MAIL_HEAD="Hello,
    
    I have received suspicious connections on port 25 from a machine located in your network.
    Here are the relevant postfix logs:
    "
    
    MAIL_FOOT="
    One of your computers may have been infected, or it is possible that one of your clients is up to no good.
    Could you please look into it?
    
    Regards,
    [My Name]"
    
    # Temporary file for the mail body; removed on exit, even if the script is interrupted.
    TMP=$(mktemp) || exit 1
    trap 'rm -f "$TMP"' EXIT
    
    # Client IP of every "Relay access denied" reject, once per IP.
    for IP in $(grep -i "relay access" "$LOG" | perl -ne '/from [A-Za-z0-9.-]+\[([0-9.]+)\]/ && print "$1\n"' | sort -u)
    do
        # Abuse addresses published in WHOIS for that IP; there may be more than one.
        mapfile -t ABUSE_MAILS < <(whois "$IP" | grep -Eo "abuse[A-Za-z0-9.-]*@[A-Za-z0-9.-]+" | sort -u)
        if [[ ${#ABUSE_MAILS[@]} -gt 0 ]]
        then
            printf '%s\n' "$MAIL_HEAD" > "$TMP"
            # -F: the dots in the IP are literal, not "any character"; -w: do not match 1.2.3.40 when looking for 1.2.3.4
            grep -Fw "$IP" "$LOG" >> "$TMP"
            printf '%s\n' "$MAIL_FOOT" >> "$TMP"
            # Add "-b my@mail.tld" to mutt's arguments if you want to receive a blind carbon copy of the sent e-mails.
            mutt -e 'set from=my@mail.tld realname="My Name"' -s "SMTP abuse from $IP" "${ABUSE_MAILS[@]}" < "$TMP"
        fi
    done
    (You may have to install mutt manually.)
    In order for the script to be called every day, all you have to do is edit Zimbra's logrotate script, located at /etc/logrotate.d/zimbra:
    Code:
    /var/log/zimbra.log {
    daily
    missingok
    notifempty
    create 0644 syslog adm
    compress
    postrotate
         /usr/sbin/service rsyslog restart >/dev/null || true
         su - zimbra -c "/opt/zimbra/bin/zmswatchctl restart" > /dev/null 2>&1 || true
         # -------- EDIT THIS --------
         /path/to/abuse.sh || true
         # ---------------------------
    endscript
    }
    This way, every time Zimbra logs get archived, the script goes through them just before they are compressed.
    Finally, here is a sample mail generated by this script.
    Hello,

    I have received suspicious connections on port 25 from a machine located in your network.
    Here are the relevant postfix logs:

    Jan 31 19:27:02 atria postfix/smtpd[21972]: warning: hostname 88.247.78.4.static.ttnet.com.tr does not resolve to address 88.247.78.4: No address associated with hostname
    Jan 31 19:27:02 atria postfix/smtpd[21972]: connect from unknown[88.247.78.4]
    Jan 31 19:27:03 atria postfix/smtpd[21972]: NOQUEUE: filter: RCPT from unknown[88.247.78.4]: <test@live.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
    Jan 31 19:27:03 atria postfix/smtpd[21972]: NOQUEUE: filter: RCPT from unknown[88.247.78.4]: <test@live.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
    Jan 31 19:27:03 atria postfix/smtpd[21972]: NOQUEUE: reject: RCPT from unknown[88.247.78.4]: 554 5.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
    Jan 31 19:27:03 atria postfix/smtpd[21972]: disconnect from unknown[88.247.78.4]
    Jan 31 19:30:23 atria postfix/anvil[21974]: statistics: max connection rate 1/60s for (smtp:88.247.78.4) at Jan 31 19:27:02
    Jan 31 19:30:23 atria postfix/anvil[21974]: statistics: max connection count 1 for (smtp:88.247.78.4) at Jan 31 19:27:02
    Jan 31 22:15:21 atria postfix/smtpd[3430]: warning: hostname 88.247.78.4.static.ttnet.com.tr does not resolve to address 88.247.78.4: No address associated with hostname
    Jan 31 22:15:21 atria postfix/smtpd[3430]: connect from unknown[88.247.78.4]
    Jan 31 22:15:21 atria postfix/smtpd[3430]: NOQUEUE: filter: RCPT from unknown[88.247.78.4]: <test@live.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
    Jan 31 22:15:21 atria postfix/smtpd[3430]: NOQUEUE: filter: RCPT from unknown[88.247.78.4]: <test@live.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
    Jan 31 22:15:21 atria postfix/smtpd[3430]: NOQUEUE: reject: RCPT from unknown[88.247.78.4]: 554 5.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
    Jan 31 22:15:22 atria postfix/smtpd[3430]: disconnect from unknown[88.247.78.4]
    Jan 31 22:18:42 atria postfix/anvil[3432]: statistics: max connection rate 1/60s for (smtp:88.247.78.4) at Jan 31 22:15:21
    Jan 31 22:18:42 atria postfix/anvil[3432]: statistics: max connection count 1 for (smtp:88.247.78.4) at Jan 31 22:15:21
    Jan 31 22:43:40 atria postfix/smtpd[16701]: warning: hostname 88.247.78.4.static.ttnet.com.tr does not resolve to address 88.247.78.4: No address associated with hostname
    Jan 31 22:43:40 atria postfix/smtpd[16701]: connect from unknown[88.247.78.4]
    Jan 31 22:43:41 atria postfix/smtpd[16701]: NOQUEUE: filter: RCPT from unknown[88.247.78.4]: <test@live.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
    Jan 31 22:43:41 atria postfix/smtpd[16701]: NOQUEUE: filter: RCPT from unknown[88.247.78.4]: <test@live.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
    Jan 31 22:43:41 atria postfix/smtpd[16701]: NOQUEUE: reject: RCPT from unknown[88.247.78.4]: 554 5.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
    Jan 31 22:43:41 atria postfix/smtpd[16701]: disconnect from unknown[88.247.78.4]
    Jan 31 22:47:01 atria postfix/anvil[16703]: statistics: max connection rate 1/60s for (smtp:88.247.78.4) at Jan 31 22:43:40
    Jan 31 22:47:01 atria postfix/anvil[16703]: statistics: max connection count 1 for (smtp:88.247.78.4) at Jan 31 22:43:40

    One of your computers may have been infected, or it is possible that one of your clients is up to no good.
    Could you please look into it?

    Regards,
    Ivan
    That's it! It doesn't cost much, and may cost precious resources to spammers if ISPs and hosting providers receive enough complaints.
    Feel free to extend the script to detect other types of undesirable behaviour!
    Last edited by MKC; 02-03-2014 at 01:24 AM.
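The same pipeline as the post's shell script (pick out "Relay access denied" rejects, collect every log line for that client IP, find the abuse mailbox in WHOIS output, assemble the complaint), as an added Python example that is not part of the original post. The log lines and WHOIS excerpt are constructed in the post's format with documentation address ranges; the matching is exact per IP, so a request for 198.51.100.4 does not also pull in 198.51.100.40 the way an unquoted `grep $IP` would.

```python
import re
# Constructed sample log in the format shown in the post (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
Jan 31 19:27:02 atria postfix/smtpd[21972]: connect from unknown[198.51.100.4]
Jan 31 19:27:03 atria postfix/smtpd[21972]: NOQUEUE: reject: RCPT from unknown[198.51.100.4]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<test@example.com> to=<victim@example.net> proto=ESMTP helo=<[192.168.2.33]>
Jan 31 19:30:23 atria postfix/anvil[21974]: statistics: max connection rate 1/60s for (smtp:198.51.100.4) at Jan 31 19:27:02
Jan 31 20:01:10 atria postfix/smtpd[22010]: connect from mail.example.org[198.51.100.40]
Jan 31 20:01:11 atria postfix/smtpd[22010]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.40]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<a@example.org> to=<victim@example.net> proto=ESMTP helo=<mail.example.org>
Jan 31 20:05:01 atria postfix/smtpd[22011]: NOQUEUE: reject: RCPT from host.example.net[203.0.113.7]: 550 5.1.1 <nobody@example.net>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<nobody@example.net> proto=ESMTP helo=<host.example.net>
"""
# Constructed WHOIS excerpt for the first network (hypothetical contact address).
SAMPLE_WHOIS = """\
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@example.net
remarks:        Please report abuse to Abuse@example.net
"""
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>[A-Za-z0-9.-]+)\[(?P<ip>[0-9.]+)\]: "
    r"\d{3} [\d.]+ <[^>]*>: (?P<reason>[^;]+); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")
ABUSE_RE = re.compile(r"abuse[A-Za-z0-9.-]*@[A-Za-z0-9.-]+", re.IGNORECASE)

def relay_denied_ips(log_text):
    """Client IPs whose RCPT was refused with 'Relay access denied'; other rejects are ignored."""
    return {m.group("ip") for m in map(REJECT_RE.search, log_text.splitlines())
            if m and m.group("reason") == "Relay access denied"}

def lines_for_ip(log_text, ip):
    """Lines mentioning exactly this IP, in [] or (smtp:...). An unanchored `grep $IP` treats each
    dot as a wildcard and returns the 198.51.100.40 lines too when asked for 198.51.100.4."""
    exact = re.compile(r"(?<![0-9.])" + re.escape(ip) + r"(?![0-9.])")
    return [line for line in log_text.splitlines() if exact.search(line)]

def abuse_contacts(whois_text):
    """Abuse mailboxes in WHOIS output: the post's egrep pattern, case-insensitive, deduplicated."""
    return sorted({m.lower() for m in ABUSE_RE.findall(whois_text)})

def build_complaint(log_text, ip, sender_name="[My Name]"):
    """Complaint body in the post's wording for one offending client IP."""
    head = ("Hello,\n\nI have received suspicious connections on port 25 from a machine located "
            "in your network.\nHere are the relevant postfix logs:\n\n")
    foot = ("\n\nOne of your computers may have been infected, or it is possible that one of your "
            "clients is up to no good.\nCould you please look into it?\n\nRegards,\n" + sender_name)
    return head + "\n".join(lines_for_ip(log_text, ip)) + foot

if __name__ == "__main__":
    for ip in sorted(relay_denied_ips(SAMPLE_LOG)):
        print("complaint for", ip, "->", abuse_contacts(SAMPLE_WHOIS))
        print(build_complaint(SAMPLE_LOG, ip), end="\n\n")
```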
