Automated Open Relay Test Submission
John Fix 3rd - john3@cornells.com
Last Modified - 28 Sept 2002

This zip contains a cmd file and utilities for automatically
submitting the IP addresses of suspected "open relays" to
ordb.org.  Discussion of open relays, RBLs, spam, etc. is well
beyond the scope of this little readme file, so I'll dive right
into what the program does and how to set it up.

OVERVIEW -

This script scans the error log created by VopMail and ModusMail
(www.vircom.com) looking for IP addresses that generated errors
when attempting an SMTP connection to your server.  Errors show
up in the log for several reasons, so not every error is
necessarily a spam attempt.  This script will report errors
caused by:

- Invalid email address - If an incoming email is addressed to
a non-existent email account, then the IP of the connecting 
server will be logged.

- Realtime Blackhole List (RBL) - If your email server checks
incoming IP's against RBL servers and finds the IP listed, the
connection will be rejected and the IP will be logged.

- Spamflt0.txt entries - If your email server is using a Protocol
filter (default file is spamflt0.txt) and an incoming connection
is rejected because of a match with the filter, the IP of the 
incoming server will be logged.

- Reject Connection from these IP's - If you specify a list
of IP addresses to refuse connections from, those entries will
be logged.  

These are the four major reasons errors are logged.  Of these, the
first is the one we're really after: the other three are hits on
addresses already known to be spam sources (listed on an RBL, caught
by the protocol filter, or on your own reject list), while a host
that probes for non-existent mailboxes is not yet listed anywhere.
Spammers are notorious for dictionary attacks and will send emails
to joe@domain.com, joe1@domain.com, etc.  They may try one or two
and then move on, or they may send dozens or hundreds at once.  The
smarter spammers try just a few so they don't trigger SMTP slowdowns.

RelaySubmit.cmd will scan your error log for all four types of 
errors and create a list of the IP addresses of the offending servers.
It will then email that list to relays@ordb.org for testing to
see if those IP's are "open relays".

SETUP -

Unzip the files into any directory you'd like.  You can put
the files into the VopMail directory, but it'd probably be
best to create a new directory to keep things clean.

Once you've unzipped the files, edit the RelaySubmit.cmd file to
match your preferences.  The most important entry is the path to
your VopMail/ModusMail log files.  You also need to specify your
email address and mail server.  For the first few test runs, change
the "relays@ordb.org" email to your own address so you can see the
results before anything is actually submitted.  You can also add IP
ranges to strip out of the submission (your own address space,
private ranges, trusted partners) by adding additional
"grep -v 111.111.111.111" commands to the line.  Note that grep
treats each dot as "any single character" and matches anywhere in
the line, so an unanchored pattern like "grep -v 10.1" also drops
addresses such as 110.1.x.x and 10.10.x.x; anchor the pattern and
escape the dots ("grep -v "^10\.1\."") to exclude exactly the range
you mean.

After configuring the files and testing them a few times, change the
email parameter back to "relays@ordb.org" and set up a scheduled
event to run the command each night.  I schedule mine to run at 11:55 PM
so it processes just before ModusMail cycles the error logs.

ISSUES -

This is a quick list of improvements that need to be made:

- I need to figure out a way to remove the redundant entries.
For example, there isn't much reason to submit IP's that are 
already listed in relays.ordb.org's database.  There is 
probably a way to tweak the script to accomplish this, but 
I haven't figured it out yet.  

- ORDB.ORG claims they only test the first 100 entries in an email
submission.  Even a low traffic server like mine reports about
300 IP's on a typical day using RelaySubmit.cmd.  Luckily, it
appears that ORDB.ORG accepts more than 100 submissions as most
of the time all my submissions are processed.
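The following is an added example, not the RelaySubmit.cmd shipped in
the zip.  It rebuilds the grep / cut / grep -v pipeline described under
SETUP for a POSIX shell (sh, grep, sed, sort, head) and also handles the
two items above: duplicates are collapsed before the list is cut to
ORDB's 100-entry limit, and IPs the log already shows as rejected via
relays.ordb.org are dropped since they are already in that database.
The log lines, the bracketed-IP layout and the reason strings are
constructed for this example; the readme does not show the real
VopMail/ModusMail error-log format, so the two patterns in
extract_ips and relay_ips must be adjusted to your own log lines.

```sh
#!/bin/sh
# Added example, not the RelaySubmit.cmd from the zip: the readme's
# grep / cut / grep -v pipeline rebuilt for a POSIX shell.  The log
# lines below are CONSTRUCTED for this example; the real VopMail/
# ModusMail error-log format is not shown in the readme, so adjust the
# sed and grep patterns to your own logs.

# Write a constructed sample error log to the path in $1.  The connecting
# IP sits in square brackets.  192.0.2.10 appears twice (a small
# dictionary attack), 198.51.100.7 was rejected because an RBL (here
# relays.ordb.org) already lists it, 10.0.0.5 is a private address we
# never want to submit, and the last line is a delivery, not an error.
make_sample_log() {
    cat > "$1" <<'EOF'
2002-09-28 23:10:02 [192.0.2.10] RCPT TO:<joe@example.com> rejected: unknown user
2002-09-28 23:10:05 [198.51.100.7] connection rejected: listed in RBL relays.ordb.org
2002-09-28 23:11:17 [203.0.113.9] connection rejected: protocol filter match spamflt0.txt
2002-09-28 23:12:40 [192.0.2.10] RCPT TO:<joe1@example.com> rejected: unknown user
2002-09-28 23:13:01 [10.0.0.5] connection refused: IP on reject list
2002-09-28 23:14:22 [192.0.2.77] message accepted for delivery
EOF
}

# Pull the bracketed IP out of every log line on stdin (replaces the
# original's "cut", which depended on fixed column positions).
extract_ips() {
    sed -n 's/.*\[\([0-9][0-9.]*\)\].*/\1/p'
}

# relay_ips LOGFILE [EXCLUDE_REGEX] [MAX]
# Prints one IP per line for every address that caused one of the four
# error types, minus addresses matching EXCLUDE_REGEX (anchor it and
# escape the dots, e.g. '^10\.' or '^192\.168\.'), de-duplicated, and
# capped at MAX (ORDB's stated limit of 100 per mail).  Dedup runs BEFORE
# the cap, so a day of repeated hits from one dictionary attacker cannot
# crowd fresh addresses out of the 100 slots.
relay_ips() {
    log=$1
    exclude=${2:-'^$'}        # the default regex matches no IP line
    max=${3:-100}
    grep -E 'unknown user|listed in RBL|protocol filter match|IP on reject list' "$log" |
        extract_ips |
        grep -Ev "$exclude" |
        LC_ALL=C sort -u |
        head -n "$max"
}

# relay_ips_not_listed LOGFILE [EXCLUDE_REGEX] [MAX]
# Same list, minus IPs the log already shows as listed on relays.ordb.org:
# if your server rejects on an ORDB hit, that log line proves the address
# is in their database, and re-submitting it only burns one of the 100
# slots.  Assumes the RBL name appears on the rejection line.
relay_ips_not_listed() {
    log=$1
    shift
    listed=$(mktemp)
    grep -F 'relays.ordb.org' "$log" | extract_ips | LC_ALL=C sort -u > "$listed"
    relay_ips "$log" "$@" | grep -vxF -f "$listed"
    rm -f "$listed"
}

# Run with --demo to print what would be mailed.  Handing the list to
# relays@ordb.org is left to your mailer (postie in the original script);
# mail it to yourself first, as the readme advises.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample_log "$f"
    relay_ips_not_listed "$f" '^10\.'
    rm -f "$f"
fi
```

On the constructed log, relay_ips with the exclusion '^10\.' yields
192.0.2.10, 198.51.100.7 and 203.0.113.9; relay_ips_not_listed drops
198.51.100.7 as well because the log already records it as an ORDB hit.
Point the functions at the real error log and pipe the result into
whatever mailer the scheduled job uses.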

RESOURCES - 

There are a number of sites on the web that discuss
spam, RBL's, open relays, etc.  Here's a few sites to get you 
started:

http://ordb.org
http://www.vircom.com/community/vascnervecenter.asp



DISCLAIMER - I make no guarantees, warranties, claims, or promises
about these files.  They are distributed freely, and you may use
them at your own risk. 

CREDITS - The enclosed script(s) are based on the work of several
anonymous contributors. I modified the scripts using my limited
knowledge of the .cmd scripting language.  Thanks to Vircom for
creating VopMail and ModusMail, and thanks to the subscribers of
the various Vircom mailing lists for their ideas and comments.

The various utilities (grep, cut, postie, etc.) are all free
distributions from gnu.org.

VopMail and ModusMail are trademarks of Vircom (www.vircom.com)


