Over the last few days I have noticed a sharp increase in scans looking for misconfigured mail servers ("open relays"). Such servers agree to forward e-mail coming from anyone (not only from their registered users): a godsend for spammers, who can use them to relay their junk. Every day, my server's daily activity report shows a significant number of attempts:
message reject detail
---------------------
RCPT
Relay access denied (total: 38)
5 ono.com
3 190.5.230.178
3 p578bd5ec.dip0.t-ipconnect.de
3 nuvox.net
3 63.115.40.56
3 amos-traffic.co.uk
2 charter.com
2 static.sbb.rs
2 bband-dyn112.178-41-177.t-com.sk
2 119.73.152.205
2 mtnbusiness.co.za
1 201.203.3.10
1 telesp.net.br
1 rogers.com
1 rr.com
1 teksavvy.com
1 cox.net
1 rima-tde.net
1 88.247.78.4
As you may know, almost every block of IP addresses has a contact address to which one can write to complain about breaches of netiquette. I started by sending so-called "abuse" mails by hand, but quickly realised that it would take me forever every time. So I decided to automate the whole thing so that ISPs can take action against their belligerent customers (if they wish to). The following script walks through the Zimbra logs, identifies the suspicious lines and sends a tidy report to the "abuse" contact of the identified IP.
#!/bin/bash
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
set -u

# The log file that logrotate has just rotated (this script runs from its postrotate hook).
LOG=/var/log/zimbra.log.1
# Public IP and SMTP port of this mail server, as seen by a Tor exit (used in the TorDNSEL query).
MY_IP="88.179.200.13"
MY_PORT=25

MAIL_HEAD="Hello,\n\
\n\
I have received suspicious connections on port 25 from a machine located in your network.\n\
Here are the relevant postfix logs (all timestamps are relative to the $(date +"%Z") timezone):\n"
MAIL_FOOT="\nOne of your computers may have been infected, or it is possible that one of your clients is up to no good.\n\
Could you please look into it?\n\
\n\
Regards,\n\
[My Name]"

# Reverse the octets of a dotted-quad IPv4 address (a.b.c.d -> d.c.b.a).
reverse_ip() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# Return 0 (true) if $1 is a Tor exit node able to reach this server on $MY_PORT.
# TorDNSEL is queried as <reversed client>.<port>.<reversed server>.ip-port.exitlist.torproject.org
# and answers 127.0.0.2 for a listed exit; an empty answer (NXDOMAIN) means "not an exit".
is_tor_exit() {
    local answer
    answer=$(host "$(reverse_ip "$1").${MY_PORT}.$(reverse_ip "$MY_IP").ip-port.exitlist.torproject.org" \
             | perl -ne '/has address ([0-9.]+)/ && print $1')
    [[ -n "$answer" && "$answer" != "127.0.0.1" ]]
}

MAIL_TMP=$(mktemp) || exit 1
trap 'rm -f "$MAIL_TMP"' EXIT

# Client IPs behind "Relay access denied" rejects. The address is taken from the
# "from host[ip]" part of the line, never from the client-supplied from=<> or helo=<> fields.
for IP in $(grep -i "relay access" "$LOG" \
            | perl -ne '/from [A-Za-z0-9.-]+\[([0-9.]+)\]/ && print $1 . "\n"' | sort -u)
do
    # Tor exit operators cannot trace the sender, so don't bother them (see the 2015 edit below).
    is_tor_exit "$IP" && continue

    # Abuse contact(s) from whois, one per line; abuse@ripe.net only appears in RIPE's
    # boilerplate and is never the right target. mutt receives every address as a recipient.
    ABUSE_MAIL=$(whois "$IP" | egrep -o "[A-Za-z0-9-]*abuse[A-Za-z0-9-]*@[A-Za-z0-9.-]+" \
                 | grep -iv "abuse@ripe.net" | sort -u)
    [[ -n "$ABUSE_MAIL" ]] || continue

    echo -e "$MAIL_HEAD" > "$MAIL_TMP"
    # -F keeps the dots literal, -w keeps 1.2.3.4 from also pulling in 1.2.3.40's lines.
    grep -Fw -- "$IP" "$LOG" >> "$MAIL_TMP"
    echo -e "$MAIL_FOOT" >> "$MAIL_TMP"
    # Add "-b my@mail.tld" to mutt's arguments if you want to receive a blind carbon copy of the sent e-mails.
    mutt -e 'set from=my@mail.tld realname="[My Name]" envelope_from="yes" user_agent="no"' \
         -s "SMTP abuse from $IP" $ABUSE_MAIL < "$MAIL_TMP"
done
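To show the two parsing steps the script relies on in a form that can be exercised offline, here is an added example (not the post's own script): the extraction of client IPs from Postfix "Relay access denied" lines, a per-IP count so that a threshold can be applied, and the extraction of an abuse contact from whois output, preferring the structured attributes the registries publish (RIPE/APNIC `abuse-mailbox:`, ARIN `OrgAbuseEmail:`) over a loose search for any address containing "abuse". The log lines and whois excerpts are constructed for the example; the Tor exit lookup and the mutt call are left to the original script.

```shell
#!/bin/sh
# Added example, not the post's own script: the log-parsing and whois-parsing
# steps of the abuse report as small functions over stdin, so they can be run
# offline against constructed input. The Tor-exit lookup and the mutt call
# are left to the original script.

# Client IPs behind "Relay access denied" rejects, one per line, deduplicated.
# Only the "from host[ip]" part is consulted: from=<> and helo=<> are chosen
# by the client and can name any address at all.
reject_ips() {
    grep -i 'Relay access denied' \
    | sed -n -E 's/.* from [^[]*\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\].*/\1/p' \
    | sort -u
}

# Same, but as "count ip" lines, most frequent first, so a threshold can be
# applied before complaining about a single stray connection.
reject_counts() {
    grep -i 'Relay access denied' \
    | sed -n -E 's/.* from [^[]*\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\].*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Log lines mentioning exactly this IP: -w keeps 198.51.100.7 from matching
# 198.51.100.70, -F keeps the dots literal.
ip_lines() {
    grep -Fw -- "$1"
}

# Abuse contact from whois output on stdin. The structured attributes used by
# RIRs (RIPE/APNIC "abuse-mailbox:", ARIN "OrgAbuseEmail:") are preferred; any
# other address containing "abuse" is the fallback, minus abuse@ripe.net, which
# shows up in RIPE's boilerplate comments and is never the right target.
abuse_contact() {
    text=$(cat)
    addr=$(printf '%s\n' "$text" \
        | grep -iE '^(abuse-mailbox|OrgAbuseEmail):' \
        | grep -oE '[A-Za-z0-9._-]+@[A-Za-z0-9.-]+' | head -n 1)
    if [ -z "$addr" ]; then
        addr=$(printf '%s\n' "$text" \
            | grep -oiE '[A-Za-z0-9._-]*abuse[A-Za-z0-9._-]*@[A-Za-z0-9.-]+' \
            | grep -iv '^abuse@ripe\.net$' | sort -u | head -n 1)
    fi
    printf '%s\n' "$addr"
}

# Report body for one IP ($1), in the shape of the post's mail; $2 is the log file.
build_report() {
    printf 'Hello,\n\nI have received suspicious connections on port 25 from a machine located in your network.\n'
    printf 'Here are the relevant postfix logs (all timestamps are relative to the %s timezone):\n\n' "$(date +%Z)"
    ip_lines "$1" < "$2"
    printf '\nOne of your computers may have been infected, or it is possible that one of your clients is up to no good.\nCould you please look into it?\n\nRegards,\n[My Name]\n'
}

# Constructed sample log (not real traffic): two rejects from 198.51.100.7, one
# from a look-alike 198.51.100.70, and an accepted session that must not be flagged.
SAMPLE_LOG='Feb  1 10:00:01 mx postfix/smtpd[100]: connect from unknown[198.51.100.7]
Feb  1 10:00:02 mx postfix/smtpd[100]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<test@example.com> to=<victim@example.net> proto=ESMTP helo=<[203.0.113.9]>
Feb  1 10:00:03 mx postfix/smtpd[100]: disconnect from unknown[198.51.100.7]
Feb  1 10:05:00 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <victim2@example.net>: Relay access denied; from=<a@example.com> to=<victim2@example.net> proto=ESMTP helo=<[203.0.113.9]>
Feb  1 10:07:00 mx postfix/smtpd[102]: NOQUEUE: reject: RCPT from host.example.org[198.51.100.70]: 554 5.7.1 <x@example.net>: Relay access denied; from=<b@example.com> to=<x@example.net> proto=ESMTP helo=<host.example.org>
Feb  1 10:09:00 mx postfix/smtpd[103]: 4F2A1C0: client=mail.example.com[192.0.2.10]'

# Constructed whois excerpts (not real registry data), one per contact style.
WHOIS_RIPE='% Abuse contact for 198.51.100.0 - 198.51.100.255 is abuse@isp.example
inetnum:        198.51.100.0 - 198.51.100.255
role:           Example ISP Abuse Desk
abuse-mailbox:  abuse@isp.example
e-mail:         noc@isp.example
% Information related to this object: abuse@ripe.net'
WHOIS_ARIN='NetRange:       203.0.113.0 - 203.0.113.255
OrgAbuseHandle: ABUSE-EX
OrgAbuseEmail:  abuse@hosting.example
OrgTechEmail:   noc@hosting.example'
WHOIS_LOOSE='inetnum:        192.0.2.0 - 192.0.2.255
remarks:        send abuse reports to network-abuse@transit.example
remarks:        abuse@ripe.net is not the right contact'

# Stand-alone run: per-IP counts, then the contact each whois style yields.
printf '%s\n' "$SAMPLE_LOG" | reject_counts
printf '%s\n' "$WHOIS_RIPE" | abuse_contact
printf '%s\n' "$WHOIS_ARIN" | abuse_contact
printf '%s\n' "$WHOIS_LOOSE" | abuse_contact
```

Run on the constructed log, `reject_counts` yields `2 198.51.100.7` followed by `1 198.51.100.70`, and the three whois excerpts resolve to `abuse@isp.example`, `abuse@hosting.example` and `network-abuse@transit.example`; `build_report 198.51.100.7 /path/to/log` contains the four lines of that client and none of the look-alike's.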
To have the script run every day, just edit Zimbra's log rotation configuration, which lives in /etc/logrotate.d/zimbra. If you use another front-end, the file to edit will differ but the idea is the same.
/var/log/zimbra.log {
daily
missingok
notifempty
create 0644 syslog adm
compress
postrotate
/usr/sbin/service rsyslog restart >/dev/null || true
su - zimbra -c "/opt/zimbra/bin/zmswatchctl restart" > /dev/null 2>&1 || true
# -------- EDIT THIS --------
/path/to/abuse.sh || true
# ---------------------------
endscript
}
This way, every time the Zimbra logs are rotated, the script runs over them just before they are compressed. Finally, here is a simple example of a generated mail:
Hello,
I have received suspicious connections on port 25 from a machine located in your network.
Here are the relevant postfix logs (all timestamps are relative to the CEST timezone):
Jan 31 19:27:02 atria postfix/smtpd[21972]: warning: hostname 88.247.78.4.static.ttnet.com.tr does not resolve to address 88.247.78.4: No address associated with hostname
Jan 31 19:27:02 atria postfix/smtpd[21972]: connect from unknown[88.247.78.4]
Jan 31 19:27:03 atria postfix/smtpd[21972]: NOQUEUE: filter: RCPT from unknown[88.247.78.4]: <test@live.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Jan 31 19:27:03 atria postfix/smtpd[21972]: NOQUEUE: filter: RCPT from unknown[88.247.78.4]: <test@live.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Jan 31 19:27:03 atria postfix/smtpd[21972]: NOQUEUE: reject: RCPT from unknown[88.247.78.4]: 554 5.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Jan 31 19:27:03 atria postfix/smtpd[21972]: disconnect from unknown[88.247.78.4]
Jan 31 19:30:23 atria postfix/anvil[21974]: statistics: max connection rate 1/60s for (smtp:88.247.78.4) at Jan 31 19:27:02
Jan 31 19:30:23 atria postfix/anvil[21974]: statistics: max connection count 1 for (smtp:88.247.78.4) at Jan 31 19:27:02
Jan 31 22:15:21 atria postfix/smtpd[3430]: warning: hostname 88.247.78.4.static.ttnet.com.tr does not resolve to address 88.247.78.4: No address associated with hostname
Jan 31 22:15:21 atria postfix/smtpd[3430]: connect from unknown[88.247.78.4]
Jan 31 22:15:21 atria postfix/smtpd[3430]: NOQUEUE: filter: RCPT from unknown[88.247.78.4]: <test@live.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Jan 31 22:15:21 atria postfix/smtpd[3430]: NOQUEUE: filter: RCPT from unknown[88.247.78.4]: <test@live.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Jan 31 22:15:21 atria postfix/smtpd[3430]: NOQUEUE: reject: RCPT from unknown[88.247.78.4]: 554 5.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Jan 31 22:15:22 atria postfix/smtpd[3430]: disconnect from unknown[88.247.78.4]
Jan 31 22:18:42 atria postfix/anvil[3432]: statistics: max connection rate 1/60s for (smtp:88.247.78.4) at Jan 31 22:15:21
Jan 31 22:18:42 atria postfix/anvil[3432]: statistics: max connection count 1 for (smtp:88.247.78.4) at Jan 31 22:15:21
Jan 31 22:43:40 atria postfix/smtpd[16701]: warning: hostname 88.247.78.4.static.ttnet.com.tr does not resolve to address 88.247.78.4: No address associated with hostname
Jan 31 22:43:40 atria postfix/smtpd[16701]: connect from unknown[88.247.78.4]
Jan 31 22:43:41 atria postfix/smtpd[16701]: NOQUEUE: filter: RCPT from unknown[88.247.78.4]: <test@live.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Jan 31 22:43:41 atria postfix/smtpd[16701]: NOQUEUE: filter: RCPT from unknown[88.247.78.4]: <test@live.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Jan 31 22:43:41 atria postfix/smtpd[16701]: NOQUEUE: reject: RCPT from unknown[88.247.78.4]: 554 5.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Jan 31 22:43:41 atria postfix/smtpd[16701]: disconnect from unknown[88.247.78.4]
Jan 31 22:47:01 atria postfix/anvil[16703]: statistics: max connection rate 1/60s for (smtp:88.247.78.4) at Jan 31 22:43:40
Jan 31 22:47:01 atria postfix/anvil[16703]: statistics: max connection count 1 for (smtp:88.247.78.4) at Jan 31 22:43:40
One of your computers may have been infected, or it is possible that one of your clients is up to no good.
Could you please look into it?
Regards,
Ivan
In short: a small thing that costs very little and which, with a sufficient volume of complaints, could well cost spammers some valuable machines. Feel free to modify the script so that it reacts to other kinds of undesirable behaviour!
EDIT 16/05/2014: changed the mail body to include the timezone of the timestamps.
EDIT 08/08/2015: abuse mails are no longer sent to Tor exit nodes, since they can do nothing to trace the senders of the mails and the complaints only annoy their hosting providers.