In order for this to work correctly you want to change your MTA settings so that an "X-ConnectingHost: aaa.bbb.ccc.ddd" header is added to the top of inbound mail. If you're using sendmail then you just add this to your sendmail.mc, generate a new sendmail.cf and restart the daemon:
HX-ConnectingHost: ${client_addr}
Also, since it's running on a *nix system (Linux in this case) it assumes lines fed to it by the MTA end with \n rather than \r\n.
Anyway, here's the script:
#!/usr/bin/perl -w
use strict;
use IO::Socket::INET;

# If you need to authenticate for NNTP then:
my $NEEDAUTH = 1;
my ( $AUTHUSER, $AUTHPASS ) = ( "your NNTP login", "your NNTP password" );
# Otherwise $NEEDAUTH = 0;
my $NNTPSERVER = "your news server";
my $NEWSGROUP  = "news.admin.net-abuse.sightings";
my $SENDER     = "your name <e-mail address>";
# If a Followup-To: header is required, then:
my $FUP2 = "news.admin.net-abuse.email";

# Used for debugging purposes:
my $DEBUG  = 0;
my $NOSEND = 0;

print "Expecting headers...\n" if $DEBUG;
my $GOT_HEADERS = 0;
my $SUBJECT = "Subject:\n";   # used as-is if the mail has no Subject header
my $CHOST   = "";
my $SPAM    = "";

while (<>) {
    # Strip the mbox delimiter
    next if ( /^From / && !$GOT_HEADERS );
    # Double a leading period so we don't unplug the stream prematurely
    s/^\./../;
    if ( (/^Subject: /i) && !$GOT_HEADERS ) {
        $SUBJECT = $_;
    }
    # Only the first X-ConnectingHost counts: the local MTA adds its header
    # at the top, so any later copy arrived with the message and is untrusted
    if ( (/^X-ConnectingHost: [\d\.]+/) && !$GOT_HEADERS && $CHOST eq "" ) {
        ($CHOST = $_) =~ s/X-ConnectingHost: ([\d\.]+)\s*/$1/;
        print "Got connecting host: $CHOST\n" if $DEBUG;
    }
    if ( ( $_ eq "\n" ) && !$GOT_HEADERS ) {
        print "Got headers!\n" if ( $DEBUG );
        $GOT_HEADERS = 1;
    }
    s/\x0A/\x0D\x0A/g;
    $SPAM .= $_;
}

# Build the Subject once the whole header block has been seen, so the result
# does not depend on X-ConnectingHost preceding Subject in the input. The MTA
# feeds LF-terminated lines, so give it the CRLF ending the article needs.
$SUBJECT =~ s/^Subject:/Subject: [email] [$CHOST]/i;
$SUBJECT =~ s/\x0A\z/\x0D\x0A/;
print $SUBJECT if $DEBUG;

my $HEADERS = "From: $SENDER\r\nNewsgroups: $NEWSGROUP\r\n${SUBJECT}User-Agent: nanas.pl v0.1\r\n";
$HEADERS .= "Followup-To: $FUP2\r\n" if ( !($FUP2 eq "") );

if ( $NOSEND ) {
    print "$HEADERS\r\n$SPAM";
}
else {
    my $SOCKET = IO::Socket::INET->new("${NNTPSERVER}:119");
    die("Can't open connection to $NNTPSERVER on port 119.\n") unless ( $SOCKET );
    print "Socket to ${NNTPSERVER}:119 open\n" if ( $DEBUG );
    # expect the greeting (skip anything until a "nnn " status line)
    my $RESPONSE = "";
    while ( 1 ) {
        $RESPONSE = <$SOCKET>;
        die("Connection closed before greeting.\n") unless defined $RESPONSE;
        last if ( $RESPONSE =~ m/^\d{3}\s/ );
    }
    print "Server response: $RESPONSE" if ( $DEBUG );
    # If it wasn't a 2xx code then bail out
    die("Can't use this server. Response != 2xx\n") if ( $RESPONSE !~ m/^2/ );
    # So far so good. Are we supposed to authenticate?
    if ( $NEEDAUTH ) {
        print "Authenticating...\n" if ( $DEBUG );
        print "Sending AUTHINFO USER\n" if ( $DEBUG );
        print $SOCKET "AUTHINFO USER ${AUTHUSER}\r\n";
        $RESPONSE = <$SOCKET>;
        die("The server didn't understand our AUTHINFO USER\n") if ( $RESPONSE !~ m/^3/ );
        print "Sending AUTHINFO PASS\n" if ( $DEBUG );
        print $SOCKET "AUTHINFO PASS ${AUTHPASS}\r\n";
        $RESPONSE = <$SOCKET>;
        die($RESPONSE) unless ( $RESPONSE =~ m/^2/ );
    }
    print "Sending POST command\n" if ( $DEBUG );
    print $SOCKET "POST\r\n";
    $RESPONSE = <$SOCKET>;
    die "POST command not understood.\n" unless ( $RESPONSE =~ m/^3/ );
    print "Posting article...\n" if ( $DEBUG );
    print $SOCKET "$HEADERS\r\n";
    print $SOCKET "This is a piece of spam that hit a spam trap of mine.\r\n\r\n";
    print $SOCKET "It has been forwarded to NANAS by an automated process.\r\n\r\n$SPAM\r\n.\r\n";
    # Check that the article was accepted (2xx) before closing the session
    $RESPONSE = <$SOCKET>;
    print "Server response: $RESPONSE" if ( $DEBUG );
    die("Article not accepted: $RESPONSE") unless ( defined $RESPONSE && $RESPONSE =~ m/^2/ );
    print $SOCKET "QUIT\r\n";
    close($SOCKET);
}
On Sun, 2005-04-24 at 21:13 +0200, Marcus Aurelius wrote:
> Scripsit David Cary Hart:
> > Could I get a look at nanas.pl?
> In order for this to work correctly you want to change your MTA settings
> so that an "X-ConnectingHost: aaa.bbb.ccc.ddd" header is added to the
> top of inbound mail. If you're using sendmail then you just add this to
> your sendmail.mc, generate a new sendmail.cf and restart the daemon:
Thanks. I'm thinking about posting hourly spamtrap hits to NANAS - not sure.
Marcus Aurelius wrote:
> Scripsit David Cary Hart:
>>Could I get a look at nanas.pl?
> In order for this to work correctly you want to change your MTA settings
> so that an "X-ConnectingHost: aaa.bbb.ccc.ddd" header is added to the
> top of inbound mail. If you're using sendmail then you just add this to
> your sendmail.mc, generate a new sendmail.cf and restart the daemon:
> HX-ConnectingHost: ${client_addr}
1) *DO NOT* modify sendmail.cf directly. Modify *.mc file used to generate sendmail.cf
LOCAL_CONFIG
HX-ConnectingHost: ${client_addr}
2) Unless you modify sendmail *sources* (trivial one line patch)
 * sendmail will *KEEP* already present X-ConnectingHost header
 * sendmail will not append new header
> [...]
-- Andrzej [en:Andrew] Adam Filip a...@priv.onet.pl a...@xl.wp.pl
(I use the '-h' flag in order to strip everything but text/plain and text/html)
The resulting, stripped mail is then piped through another perl script which elides sensitive things like spam trap addresses. Once that's been done, what's left is piped through nanas.pl.
> 2) Unless you modify sendmail *sources* (trivial one line patch)
>  * sendmail will *KEEP* already present X-ConnectingHost header
>  * sendmail will not append new header
Good point. Which source file and which line? (Using 8.13.3 here).
Marcus Aurelius wrote:
> Scripsit Andrzej Adam Filip:
>>>If you're using sendmail then you just add this to your sendmail.mc,
>>>generate a new sendmail.cf and restart the daemon:
>>>HX-ConnectingHost: ${client_addr}
>>1) *DO NOT* modify sendmail.cf directly.
>>Modify *.mc file used to generate sendmail.cf
> Where did I tell anyone to modify their sendmail.cf directly? Re-read
> what I wrote (quoted above for your convenience).
I was "partially right" (read: wrong) BUT "extra magic line" in *.mc file is recommended (but not strictly necessary for "H..." lines).
>>2) Unless you modify sendmail *sources* (trivial one line patch)
>> * sendmail will *KEEP* already present X-ConnectingHost header
>> * sendmail will not append new header
> Good point. Which source file and which line? (Using 8.13.3 here).
sendmail/conf.c file in "define headers flags" section:
  "x-connectinghost", H_ACHECK,
You may also ask sendmail.org to put "the fix" in next sendmail release (the current one is 8.13.4).
-- Andrzej [en:Andrew] Adam Filip a...@priv.onet.pl a...@xl.wp.pl
> (I use the '-h' flag in order to strip everything but text/plain and
> text/html)
> The resulting, stripped mail is then piped through another perl script
> which elides sensitive things like spam trap addresses. Once that's been
> done, what's left is piped through nanas.pl.
We don't receive anything that hits the traps. It gets discarded (and thereafter rejected). I maintain a web-viewable list separate from the RBLDNSD zone file. The format is:
Sun Apr 24 15:15:19 EDT 2005 Trap 66.243.64.204 {set204.homerail.com}
Sun Apr 24 15:16:26 EDT 2005 Trap 82.158.239.91 {91.red-82-158-239.user.auna.net}
Sun Apr 24 15:17:32 EDT 2005 Manual 66.98.182.31 ns1.nhive.com.
Sun Apr 24 15:18:51 EDT 2005 Trap 84.99.170.32 {32.170.99-84.rev.gaoland.net}
Sun Apr 24 15:26:23 EDT 2005 Trap 84.101.99.247 {247.99.101-84.rev.gaoland.net}
Sun Apr 24 15:34:29 EDT 2005 Trap 203.177.140.46 {unknown}
Sun Apr 24 15:48:52 EDT 2005 Trap 24.13.180.211 {c-24-13-180-211.hsd1.il.comcast.net}
Sun Apr 24 15:49:08 EDT 2005 Trap 82.227.32.73 {stgebois-1-82-227-32-73.fbx.proxad.net}
Sun Apr 24 16:02:39 EDT 2005 Dynamic 68.161.205 {pool-68-161-205-145.ny325.east.verizon.net}
Sun Apr 24 16:02:44 EDT 2005 Trap 68.161.205.145 {pool-68-161-205-145.ny325.east.verizon.net}
Sun Apr 24 16:13:23 EDT 2005 Trap 82.23.120.218 {cpc1-belc1-4-1-cust218.belf.cable.ntl.com}
Sun Apr 24 16:15:40 EDT 2005 Dynamic 217.172.231 {host-217-172-231-100.gdynia.mm.pl}
Sun Apr 24 16:15:43 EDT 2005 Trap 217.172.231.100 {host-217-172-231-100.gdynia.mm.pl}
Sun Apr 24 16:17:43 EDT 2005 Asia 61.180.80.136 {unknown}
Marcus Aurelius wrote:
> Scripsit David Cary Hart:
>>Could I get a look at nanas.pl?
> In order for this to work correctly you want to change your MTA settings
> so that an "X-ConnectingHost: aaa.bbb.ccc.ddd" header is added to the
> top of inbound mail. If you're using sendmail then you just add this to
> your sendmail.mc, generate a new sendmail.cf and restart the daemon:
> HX-ConnectingHost: ${client_addr}
Quite a few people use milters to integrate AS and AV checks with sendmail *DURING* smtp session. Making MIMEDefang milter (popular choice) add the header would be simple (MIMEDefang uses perl filter script).
> We don't receive anything that hits the traps. It gets discarded (and
> thereafter rejected). I maintain a web-viewable list separate from the
> RBLDNSD zone file. The format is:
> Sun Apr 24 15:15:19 EDT 2005 Trap 66.243.64.204 {set204.homerail.com}
> Sun Apr 24 15:16:26 EDT 2005 Trap 82.158.239.91 {91.red-82-158-239.user.auna.net}
> Sun Apr 24 15:17:32 EDT 2005 Manual 66.98.182.31 ns1.nhive.com.
> Sun Apr 24 15:18:51 EDT 2005 Trap 84.99.170.32 {32.170.99-84.rev.gaoland.net}
> Sun Apr 24 15:26:23 EDT 2005 Trap 84.101.99.247 {247.99.101-84.rev.gaoland.net}
> Sun Apr 24 15:34:29 EDT 2005 Trap 203.177.140.46 {unknown}
> Sun Apr 24 15:48:52 EDT 2005 Trap 24.13.180.211 {c-24-13-180-211.hsd1.il.comcast.net}
> Sun Apr 24 15:49:08 EDT 2005 Trap 82.227.32.73 {stgebois-1-82-227-32-73.fbx.proxad.net}
> Sun Apr 24 16:02:39 EDT 2005 Dynamic 68.161.205 {pool-68-161-205-145.ny325.east.verizon.net}
> Sun Apr 24 16:02:44 EDT 2005 Trap 68.161.205.145 {pool-68-161-205-145.ny325.east.verizon.net}
> Sun Apr 24 16:13:23 EDT 2005 Trap 82.23.120.218 {cpc1-belc1-4-1-cust218.belf.cable.ntl.com}
> Sun Apr 24 16:15:40 EDT 2005 Dynamic 217.172.231 {host-217-172-231-100.gdynia.mm.pl}
> Sun Apr 24 16:15:43 EDT 2005 Trap 217.172.231.100 {host-217-172-231-100.gdynia.mm.pl}
> Sun Apr 24 16:17:43 EDT 2005 Asia 61.180.80.136 {unknown}
> Would it be helpful to post the adds hourly in this format?
news.admin.net-abuse.bulletins might be more appropriate. Take a look at SORBS submissions there.
I personally view .sightings as individual spam documents and .bulletins being lists of incidents, the latter typically being more readily parseable and used in automation.
> Why not use the Net::NNTP module for posting usenet messages?
a) I'm not sure I have that module.
b) Checking and hunting it down would take more time than implementing the NNTP protocol myself. I've written enough similar stuff in C and Pascal not to be bothered in the least if there's no ready-made class to implement it for me.
> NANAS newsgroup is moderated, send email directly to moderator bot
Considering some of the postings I send get rejected because I have too many concurrent connections to the NNTP server, I probably will switch to e-mail at some point in the near future.
Marcus Aurelius wrote:
> Scripsit Andrzej Adam Filip:
>>Why not use the Net::NNTP module for posting usenet messages?
> a) I'm not sure I have that module.
> b) Checking and hunting it down would take more time than implementing
> the NNTP protocol myself. I've written enough similar stuff in C and
> Pascal not to be bothered in the least if there's no ready-made class to
> implement it for me.
You can do what you consider the best, but I personally prefer using "more general purpose" modules; (IMHO) they are better tested.
>>NANAS newsgroup is moderated, send email directly to moderator bot
> Considering some of the postings I send get rejected because I have too
> many concurrent connections to the NNTP server, I probably will switch
> to e-mail at some point in the near future.
If you send *many* reports and the script is executed from cron then make your script send multiple reports via single SMTP connection to bot's MTA. Take care about bot's MTA load too :-)
-- Andrzej [en:Andrew] Adam Filip a...@priv.onet.pl a...@xl.wp.pl
In message <slrnd6pd8v.3ba.nob...@squash.a.spammer.today> Marcus Aurelius <nob...@nowhere.invalid> wrote:
>Scripsit Andrzej Adam Filip:
>> NANAS newsgroup is moderated, send email directly to moderator bot
>Considering some of the postings I send get rejected because I have too
>many concurrent connections to the NNTP server, I probably will switch
>to e-mail at some point in the near future.
huh?
At most, this is a problem with your ISP (or whoever provides your NNTP server), NANAS' bot cannot know how many connections you have established at any given time.
-- Some people are like Slinkies... You can't help but smile when you see one tumble down the stairs.
> At most, this is a problem with your ISP (or whoever provides your NNTP
> server), NANAS' bot cannot know how many connections you have
> established at any given time.
I may have phrased that awkwardly.
SuperNews allows me 4 concurrent connections. If I start processing a 5th spam in parallel because the amount being sent to me is so high, then nanas.pl will fail because I can't open a 5th connection to SuperNews.
The answer would be to serialize everything and do it all periodically with a single connection but I do have things to get on with in life other than writing stuff to process spam. It is, however, down in my TODO list.
On Mon, 2005-04-25 at 11:15 +0200, Marcus Aurelius wrote:
> Scripsit Andrzej Adam Filip:
> > Why not use the Net::NNTP module for posting usenet messages?
> a) I'm not sure I have that module.
> b) Checking and hunting it down would take more time than implementing
> the NNTP protocol myself. I've written enough similar stuff in C and
> Pascal not to be bothered in the least if there's no ready-made class to
> implement it for me.
Marcus Aurelius wrote:
> Andrzej Adam Filip wrote:
>[...]
>>2) Unless you modify sendmail *sources* (trivial one line patch)
>> * sendmail will *KEEP* already present X-ConnectingHost header
>> * sendmail will not append new header
> Good point. Which source file and which line? (Using 8.13.3 here).
Today I noticed "X-ConnectingHost: 127.0.0.1" header in one of spam messages I received.
-- Andrzej [en:Andrew] Adam Filip a...@priv.onet.pl a...@xl.wp.pl
>>At most, this is a problem with your ISP (or whoever provides your NNTP
>>server), NANAS' bot cannot know how many connections you have
>>established at any given time.
>I may have phrased that awkwardly.
>SuperNews allows me 4 concurrent connections. If I start processing a
>5th spam in parallel because the amount being sent to me is so high,
>then nanas.pl will fail because I can't open a 5th connection to
>SuperNews.
>The answer would be to serialize everything and do it all periodically
>with a single connection but I do have things to get on with in life
>other than writing stuff to process spam. It is, however, down in my
>TODO list.
Seems like a problem that could grow.
Any way to rewrite the bot to process by batch instead of one at a time? That way you send a bunch as one posting.
Quaestor wrote:
> Marcus Aurelius wrote:
>[...]
>> The answer would be to serialize everything and do it all periodically
>> with a single connection but I do have things to get on with in life
>> other than writing stuff to process spam. It is, however, down in my
>> TODO list.
> Seems like a problem that could grow.
> Any way to rewrite the bot to process by batch instead of one at a
> time? That way you send a bunch as one posting.
BTW the NANAS bot accepts messages in hourly batches, sending reports "at once" gives no gain.
-- Andrzej [en:Andrew] Adam Filip a...@priv.onet.pl a...@xl.wp.pl
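Added example, not nanas.pl or any code from the thread (Python rather than Perl so it can be run and checked stand-alone). It shows the two changes the thread argues for: take only the topmost X-ConnectingHost, because a copy that arrived inside the spam (the "127.0.0.1" sighting above) survives when sendmail keeps the existing header, and post a whole batch of articles over one NNTP session instead of one connection per spam. It assumes the MTA has been made to prepend its own header; the sample message, the function names and the User-Agent string are constructed for the example, and authentication is left out.

```python
# Constructed sample, LF-terminated as the MTA hands it to the script. The local
# MTA's X-ConnectingHost is on top; the 127.0.0.1 copy arrived inside the spam.
SAMPLE = (
    "From spammer@example.invalid Sun Apr 24 15:15:19 2005\n"
    "X-ConnectingHost: 192.0.2.10\n"
    "X-ConnectingHost: 127.0.0.1\n"
    "Subject: Cheap stuff\n"
    "\n"
    "Body line\n"
    ".hidden dot line\n"
)

def header(hdrs, name):
    # First match only: the topmost copy is the one the local MTA prepended,
    # any later duplicate came with the message and is not trusted
    for line in hdrs:
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return ""

def build_article(raw, sender, newsgroup, fup2=""):
    """Turn one LF-terminated mail into a CRLF, dot-stuffed NNTP article."""
    lines = raw.rstrip("\n").split("\n")
    if lines and lines[0].startswith("From "):      # mbox delimiter
        lines = lines[1:]
    hdrs = lines[:lines.index("")] if "" in lines else lines
    chost, subj = header(hdrs, "X-ConnectingHost"), header(hdrs, "Subject")
    out = [f"From: {sender}", f"Newsgroups: {newsgroup}",
           f"Subject: [email] [{chost}] {subj}", "User-Agent: batch-example v0"]
    if fup2:
        out.append(f"Followup-To: {fup2}")
    out += ["", "This is a piece of spam that hit a spam trap of mine.", ""]
    # Double a leading period so a lone "." cannot end the article early
    out += ["." + l if l.startswith(".") else l for l in lines]
    return "\r\n".join(out) + "\r\n.\r\n"

def post_batch(sock, articles):
    """Post all articles over ONE NNTP session; return each reply code."""
    f = sock.makefile("rwb")
    if not f.readline().startswith(b"2"):
        raise RuntimeError("unusable server greeting")
    codes = []
    for art in articles:
        f.write(b"POST\r\n"); f.flush()
        if not f.readline().startswith(b"3"):
            raise RuntimeError("POST refused")
        f.write(art.encode("utf-8")); f.flush()
        codes.append(f.readline()[:3].decode("ascii", "replace"))
    f.write(b"QUIT\r\n"); f.flush(); f.readline()
    return codes
```

Run from cron, the caller collects the hour's trap hits, builds one article each and hands the list to post_batch over a single connection, which keeps the process inside the provider's connection limit.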
Marcus Aurelius wrote:
> Scripsit David Cary Hart:
>>Could I get a look at nanas.pl?
(snip)
> Anyway, here's the script:
> #!/usr/bin/perl -w
(snipage of script that shouldn't be used)
http://www.killfile.org/~tskirvin/faqs/nanas.html

  Q: I can forward all...
  A: Stop right there. I'd rather you didn't send me every email
  that comes to a certain address; this tends to lead fairly
  rapidly to an effective mailbomb, with hundreds of megabytes
  of forwarded traffic blocking both the network pipe and the
  local resources of the moderation box. As such, I have taken
  a fairly hard-line approach to the problem: if any problems
  with the volume of your posts come to my notice, I will
  immediately stop accepting your submissions, probably without
  notice. You have been warned.
Come on... It isn't that hard to find the FAQ for sightings.
On Mon, 2005-04-25 at 17:49 -0500, Larry M. Smith wrote:
> Marcus Aurelius wrote:
> > Scripsit David Cary Hart:
> >>Could I get a look at nanas.pl?
> (snip)
> > Anyway, here's the script:
> > #!/usr/bin/perl -w
> (snipage of script that shouldn't be used)
> http://www.killfile.org/~tskirvin/faqs/nanas.html
>
>   Q: I can forward all...
>   A: Stop right there. I'd rather you didn't send me every email
>   that comes to a certain address; this tends to lead fairly
>   rapidly to an effective mailbomb, with hundreds of megabytes
>   of forwarded traffic blocking both the network pipe and the
>   local resources of the moderation box. As such, I have taken
>   a fairly hard-line approach to the problem: if any problems
>   with the volume of your posts come to my notice, I will
>   immediately stop accepting your submissions, probably without
>   notice. You have been warned.