Automated Open Relay Test Submission
John Fix 3rd - john3@cornells.com
Last Modified - 28 Sept 2002

This zip contains a cmd file and utilities for automatically submitting the IP addresses of suspected "open relays" to ordb.org. Discussion of open relays, RBLs, spam, etc. is well beyond the scope of this little readme file, so I'll dive right into discussion about the program and what it does.

OVERVIEW -

This script scans the error log created by VopMail and ModusMail (www.vircom.com) looking for IP addresses that generated errors when attempting an SMTP connection to your server. Errors show up in the log for several reasons, so not every error is a spam attempt. This script will report errors caused by:

- Invalid email address - If an incoming email is addressed to a non-existent email account, then the IP of the connecting server will be logged.
- Realtime Blackhole List (RBL) - If your email server checks incoming IPs against RBL servers and finds the IP listed, the connection will be rejected and the IP will be logged.
- Spamflt0.txt entries - If your email server is using a Protocol filter (the default file is spamflt0.txt) and an incoming connection is rejected because of a match with the filter, the IP of the incoming server will be logged.
- Reject Connection from these IPs - If you specify a list of IP addresses to refuse connections from, those entries will be logged.

These are the four major reasons errors are logged, and of these the first is the primary error we're concerned with, since those IPs are not yet known to be spam sources. Spammers are notorious for using dictionary attacks and will send emails to joe@domain.com, joe1@domain.com, etc. They may try one or two and then move on, or they may send dozens or hundreds at once. The smarter spammers try just a few so they don't trigger SMTP slowdowns.

RelaySubmit.cmd will scan your error log for all four types of errors and create a list of the IP addresses of the offending servers. It will then email that list to relays@ordb.org for testing to see if those IPs are "open relays".

SETUP -

Unzip the files into any directory you'd like. You can put the files into the VopMail directory, but it'd probably be best to create a new directory to keep things clean.

Once you've unzipped the files, edit the RelaySubmit.cmd file to match your preferences. The most important entry is the path to your VopMail/ModusMail log files. You also need to specify your email address and mail server. For the first few test runs, change the "relays@ordb.org" email to your own email so you can see the results. You can also add IP ranges to strip out of the submission by adding additional "grep -v 111.111.111.111" commands to the line.

After configuring the files and testing them a few times, change the email parameter back to "relays@ordb.org" and set up a scheduled event to run the command each night. I schedule mine to run at 11:55 PM so it processes just before ModusMail cycles the error logs.

ISSUES -

This is a quick list of improvements that need to be made:

- I need to figure out a way to remove the redundant entries. For example, there isn't much reason to submit IPs that are already listed in relays.ordb.org's database. There is probably a way to tweak the script to accomplish this, but I haven't figured it out yet.
- ORDB.ORG claims they only test the first 100 entries in an email submission. Even a low traffic server like mine reports about 300 IPs on a typical day using RelaySubmit.cmd. Luckily, it appears that ORDB.ORG accepts more than 100 submissions, as most of the time all my submissions are processed.

RESOURCES -

There are a number of sites on the web that discuss spam, RBLs, open relays, etc. Here are a few sites to get you started:

http://ordb.org
http://www.vircom.com/community/vascnervecenter.asp

DISCLAIMER -

I make no guarantees, warranties, claims, or promises about these files. They are distributed freely, and you may use them at your own risk.

CREDITS -

The enclosed script(s) are based on the work of several anonymous contributors. I modified the scripts using my limited knowledge about the .cmd scripting language. Thanks to Vircom for creating VopMail and ModusMail, and thanks to the subscribers of the various Vircom mailing lists for their ideas and comments. The various utilities (grep, cut, postie, etc.) are all free distributions from gnu.org.

VopMail and ModusMail are trademarks of Vircom (www.vircom.com)
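The nightly pipeline described in OVERVIEW and SETUP (scan the error log, pull out the offending IPs, strip exempt ranges with a grep -v step, dedupe), plus the "don't resubmit IPs you already sent" filter raised in ISSUES, as an added POSIX shell example that is not the original RelaySubmit.cmd. The log line format, the grep patterns, the function names and the submitted-history file are all assumptions; real VopMail/ModusMail error lines will need their own patterns.

```shell
#!/bin/sh
# Added example, not the original RelaySubmit.cmd. Mirrors the README's
# pipeline (grep errors, extract IPs, grep -v exempt ranges, dedupe) and adds
# a history file so IPs submitted on an earlier night are not resent.
# ASSUMPTION: the log line format below is constructed for this example.

# Write a constructed error log with one line per error type plus noise.
make_sample_log() {
  cat > "$1" <<'EOF'
2002-09-28 23:40:01 [192.0.2.10] Error: invalid recipient joe@example.com
2002-09-28 23:40:05 [192.0.2.10] Error: invalid recipient joe1@example.com
2002-09-28 23:41:12 [198.51.100.7] Error: connection rejected, RBL listed
2002-09-28 23:42:30 [203.0.113.9] Error: rejected by protocol filter spamflt0.txt
2002-09-28 23:43:44 [10.1.1.5] Error: connection refused by IP reject list
2002-09-28 23:44:00 [192.0.2.10] Info: connection closed
EOF
}

# Print the unique IPs from error log $1 that match one of the four error
# types, do not match the exempt regex $2 (the README's "grep -v" step, e.g.
# '^10\.' for your own ranges), and are not already in history file $3.
collect_relay_candidates() {
  log="$1"; exempt="$2"; hist="$3"
  sorted_hist=$(mktemp)
  sort -u "$hist" > "$sorted_hist"          # comm needs sorted input
  grep -E 'invalid recipient|RBL listed|protocol filter|IP reject list' "$log" \
    | sed -n 's/.*\[\([0-9.][0-9.]*\)].*/\1/p' \
    | grep -Ev "$exempt" \
    | sort -u \
    | comm -23 - "$sorted_hist"              # keep lines only in candidates
  rm -f "$sorted_hist"
}

# Merge tonight's candidate list $1 (one IP per line) into history file $2
# so the same IPs are skipped tomorrow; the file is kept sorted and unique.
record_submitted() {
  printf '%s\n' "$1" | grep -v '^$' | cat "$2" - | sort -u > "$2.tmp" \
    && mv "$2.tmp" "$2"
}
```

The candidate list is what would be mailed to relays@ordb.org; with the 100-entry limit mentioned in ISSUES, piping it through `head -n 100` per message is the obvious place to cap a submission.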