A
spam-Attack Detection and Prevention System
created for ACS Internet, Inc.
User’s Guide
presented by
Royce Williams
April 24th, 2001
A
spam-Attack Detection and Prevention System
created for ACS Internet, Inc.
User’s Guide
presented by
Royce Williams
April 24th, 2001
Introduction 1
Installation 2
System Requirements 2
Setup Requirements 4
Customizing your Configuration file 6
Customizing Your Allow and Ignore Files 10
Installing Relaydata.pm 12
Relay Reporting 13
Sendmail Interaction 14
Administration and Operation 15
Command-line Switches 16
-a: Display Information about All Hosts 16
-c: Specifying a Different Configuration File 16
-d: Debugging 17
Debugging Levels 17
Using A Local spamradar.conf file 18
-e: Exporting The Database 18
-f: Reading From a Different Mail Log File 19
-i: Importing Delimited Data 19
-m: Manually Search for an Arbitrary String 20
-o: Manually Testing A Relay 20
-O: Testing All Suspicious Relays 21
-r: Generating Sendmail Reject Data 21
-s: Adjusting the Number of Log Lines to Analyze 21
-t: Showing All Suspicious Activity in the Raw Mail Log 22
-u: Adjusting the Username-Guessing Threshold 22
-v: Displaying Version Information 22
-w: Watch and Act 23
Troubleshooting 24
Deinstallation 25
References 26
Welcome to spamradar!
You are probably an administrator for a moderate-sized mail server, interested in filling the gap between initial spam attack and ORBS/RBL listing. Perhaps you are just interested in seeing some statistics about where your spam is coming from. Either way, you’ve come to the right place.
Hopefully, you will find spamradar to be a useful tool in your fight against spam. If you have any suggestions or questions, please send them to
spamradar@tycho.org
The most recent version of spamradar can always be found at
http://www.tycho.org/spamradar/
BerkeleyDB 1.x - Most sendmail installations have BerkeleyDB 1.x support. If you do not, you can download BerkeleyDB 1.x from http://www.sleepycat.com/.
DB_File - DB_File is a Perl module for writing to Berkeley DB 1.x databases. It is available from CPAN. The easiest way to download and install DB_File is to use the Perl CPAN interface. If you have used CPAN before on the system on which you are installing spamradar, you've probably already got DB_File. If you haven't used CPAN on that system before, you may need to consult http://www.cpan.org/ for more information on configuring CPAN and downloading DB_File. To get started, you can simply type
>
perl –MCPAN –e shell
rlytest.pl
– Chip Rosenthal’s rlytest.pl is what spamradar uses to perform its
open-relay tests. While rlytest.pl
can be downloaded from http://www.unicom.com/sw/rlytest/,
spamradar ships with a modified
version that is designed specifically for spamradar
to use. If you do not plan to use spamradar’s relay-testing features, you
do not need rlytest.pl. Place rlytest.pl
in the same directory as spamradar.
IMPORTANT NOTE: During testing of spamradar, it was noted that rlytest.pl
returns OS errorlevel 0 if passed invalid parameters – the same errorlevel that
is returned if a relay is tested and refuses to relay. Since this is an undesirable side effect, a
slightly modified version of rlytest.pl
is included with spamradar that addresses this issue by o returning OS
errorlevel 1 if rlytest.pl fails to
initialize. This version of rlytest
also avoids some side effects that come from guessing your hostname and domain
name by accepting them from the command line instead. spamradar will not work with the unmodified version of rlytest.pl.
There are a number of things to consider before installing spamradar.
spamradar needs a server on which to run. If you have a separate loghost that receives mail logging information, this is the ideal place for spamradar to be installed.
The standard area to place local
executables on Unix systems is usually /usr/local/bin. This is the recommended place for spamradar’s program file, spamradar.pl. Permissions on spamradar’s program file should be adjusted as appropriate for your
site. If spamradar is not running as root/Administrator/superuser, you will
need to make sure that all of spamradar’s
files are accessible by the user you choose.
You will need to decide where to
keep spamradar’s database
files. Since spamradar works closely with sendmail, placing spamradar’s database files in the same area that sendmail keeps its
own database files – usually /etc/mail –
is often a good idea.
spamradar has three configuration files that it will look for on
startup – spamradar.conf, spamradar.allow,
and spamradar.ignore. Basic versions of these files are included in the
distribution. By default, spamradar will look for these files in /etc. You will need to populate these files with
data specific to your site for spamradar to work properly. These files are explained later in more
detail.
If you will be using spamradar to test other servers to see if they are open relays, it is probably a good idea to put a notice saying so in the message that mailservers see when they connect to you. See the documentation for your mail server software for more information on how to do this.
You will need to set up two email addresses on your systems if you intend to test for open relays:
· Mailbox for relaytest destination. The most important part of relay testing is the end result – the evidence that the message was actually delivered. When spamradar tests a relay, the destination mailbox must be available to receive that message, and the only messages that are sent to that mailbox should be relay tests. It is recommended that the email address that you select be something relatively random, rather than “bob” or “relaytest” so as to make the account less likely to be abuse..
· Mailbox for relaytest source. This is the "From:"address of the relay test message. If someone manually replies to the message, it will be sent to this address. It is recommended this be the direct email address of an actual person, or (even better) a generic email address that is read regularly by an actual person.
Because the spamradar.conf
file needs to store the password used to pop test results, make sure that this
file is only readable by users authorized to do so.
spamradar keeps a number of important configuration parameters in
the spamradar.conf file. Some parameters are in spamradar.conf
as a matter of convenience – saving you the trouble of having to use the
corresponding command-line switches every time the program executes. Other parameters are required and must be
set to appropriate values for your installation before spamradar will run.
In general, if a parameter is in CAPS, this value is not modified or overrideable while spamradar is running. Parameters in lower case can be modified by command-line switches.
Parameter |
Default Value |
Description |
|
ACCESSFILE |
None – program will not run unless
set |
spamradar
needs to be aware of any relays that you are manually rejecting in sendmail’s
native access file (usually /etc/mail/access). |
|
ALLOWFILE |
/etc/spamradar.allow |
The full path to the list of hosts,
domains, and networks that are allowed to relay through your mailservers (or
are your own mailservers) and that should never be blocked. |
|
DBFILE |
None – program will not run unless
set |
Location of the DB file that spamradar uses to store testing
history and results. The recommended
location is the same area as your mail software’s other database files are
kept. |
|
debug |
1 |
The level of debugging information
that you want to see. See the
“Debugging” section later in this document for a list of possible values. |
|
hard_unknown_limit |
300 |
How many delivery attempts we’ll
tolerate, even if a relay is listed in the |
|
HOST |
None – program will not run unless
set |
This value should be set to the
fully-qualified domain name of the host on which spamradar is running. If
there are multiple network interfaces on the system, HOST should be set to
the interface from which most tests will be performed. You may need to examine the results of
open-relay tests to determine the best value. |
|
IGNOREFILE |
/etc/spamradar.ignore |
The full path to the list of hosts,
domains, and networks that shouldn’t be tested even though they might pop up
in spamradar’s reports for other
reasons (high volume, old listservers, etc.) |
|
lastlines |
8000 |
How many lines to pull from the end
of your mail log for analysis. Larger
values mean better accuracy and more spam detection. Smaller values mean more speed of
processing. |
|
LOCAL_CONTACT |
None – program will not run unless
set |
The email address of an actual person
that can act on messages received about spamradar’s
activities |
|
LOCAL_TEST_DOMAIN |
None – program will not run unless
set |
The primary administrative domain in
which spamradar is operating. |
|
log |
/var/log/mail.log |
The location of your mail log. |
|
logstring |
‘sendmail’ |
If the log that you are monitoring
also contains non-mail-delivery information, any log records that do not
contain this string will be ignored. |
|
MAILER |
/usr/lib/sendmail |
The location of your mailer
program. This is used to send reports
of open relays to ORBS or notify LOCAL_CONTACT of activities. |
|
MAX_FIRSTCHAR_RATIO |
2 |
Ratio of username guesses to unique
first letters we'll tolerate. For
example, if someone tries to send email to 30 unknown users, and half of the
usernames begin with "a" and the other half begin with "b",
this number is ( 30 / 2 ) = 15. The
bigger the number, the more likely it is to be spam attack. |
|
max_recipients |
200 |
This is the maximum number of
successful email deliveries that spamradar
will tolerate before reporting and/or testing the server. Be aware that this parameter is closely
related to the “lastlines” parameter and they need to be evaluated together
for best performance. |
|
MAX_TEST_AGE |
7 |
How long to wait before reevaluating
the status of a relay (in days).
During this time period, attempts to manually test this relay will
fail. |
|
MAX_UNKNOWN_RATIO |
.3 |
The tolerable percentage of
deliveries that are bad. If this
threshold is exceeded, spamradar
will be more likely to test the relay.
Valid values range from 0 (test everyone) to 1 (test no one). |
|
max_username_guesses |
2 |
This is the maximum number of
username guesses that spamradar
will tolerate before reporting and/or testing the server |
|
mylogfile |
/var/log/spamradar.log |
This is the location of spamradar's log file. It must be writeable by the user running spamradar. |
|
POPHOST |
‘pop’ |
The name of the pop server that has
the account that will receive test results.
If not defined, spamradar
will search any domains listed in your domain suffixes. |
|
POP_PWD |
None – program will not run unless
set |
The password to use to pop test results. Note that the |
|
PRG_EXEC_PATH |
'/usr/bin:/usr/sbin' |
This is the list of paths that are in
the program execution path. This
needs to be set for security purposes. |
|
REJECTDBFILE |
None – program will not run unless
set |
Location of the Berkeley DB file that
sendmail references to block relays that have tested as open. |
|
RLYTEST |
None – program will not run unless
set |
The full path to the location of the
rlytest.pl binary that spamradar will call to test a relay. |
|
show_all_hosts |
0 |
Boolean flag to indicate whether or
not we will display hosts that we would normally suppress in our output. |
|
TAIL |
/var/log/spamradar.log |
This is the location of your external
'tail' program. spamradar needs to use 'tail' to efficiently pull the last lines
from the mail log. |
|
TEST_RECIPIENT |
None – program will not run unless
set |
This value should be set to the
address of the mailbox you set up to be the recipient of relay tests. For maximum security, choose a name that
is difficult to guess. |
|
TEST_SENDER |
None – program will not run unless
set |
This value should be set to the
address of the mailbox you set up to be the recipient of relay tests. This
address will also receive error messages if the relay is rejected internally. |
|
TEST_SERVICE_ADDR |
None |
The email address to which relays can
be automatically submitted upon detection.
If this parameter is not set, open relays will not be submitted to
such a service. If spamradar is
configured to only report confirmed open relays (its default behavior), you
can submit those relays to relays@orbs.org
by using that address for this parameter.
Also, note that only services that accept relay nominations without an
actual attached spam will accept this type of submission. |
spamradar tests servers to determine whether or not they relay for
the domain that you specify. There are
some servers (such as your own mail servers, for example) that you want to be
able to relay by design. Therefore, spamradar needs a list of relays that
you do not want to test – the spamradar.allow
file.
There are also mail servers that
you probably don’t need to bother testing.
For example, AOL probably doesn’t have any open relays. The spamradar.ignore
file that ships with spamradar has a
number of these domains already listed.
Do not accept this list as a given, however. It is recommended that you use the reporting features of spamradar to learn what domains should
be placed in both the spamradar.ignore and
spamradar.ignore files.
Both files can contain IP
addresses, classful networks, domain names, and full hostnames (Unfortunately,
CIDR notation is not yet supported, but is planned). For example, your spamradar.allow
file might contain the following:
#
spamradar.allow file for myisp.int
#
# all the
servers in my mail farm are here
192.168.254
mydomain.com
mymailserver1.mydomain.com
mymailserver2.mydomain.com
10.0.0.4
The contents of your spamradar.ignore
file might look something like this:
#
spamradar.ignore file for myisp.int
#
# big
mail-producing domains listed here
aol.com
bigfoot.com
egroups.com
email.com
freelotto.com
geocities.com
lsoft.com
lyris.com
lyris.net
mail.com
msn.com
netscape.net
onemain.com
securityfocus.com
webtv.net
yahoo.com
zdlists.com
Make certain that all of your own
mail servers are listed in spamradar.allow. A good way to double-check this is to use spamradar’s –o
option to manually test one of your own mail servers for relaying. If properly configured, spamradar should refuse to perform the test:
>
spamradar.pl -o myserver.myisp.int
Skipping test
of myserver.myisp.int - it is allowed to relay.
If spamradar does not refuse to test the relay, use the –x
option to remove the relay from your testing database, fix the problem, and try
again.
To test an entry in your spamradar.ignore
file, perform a test similar to the one outlined above. Unlike relays found in the spamradar.allow
file, spamradar will not refuse to
manually test a relay in the spamradar.ignore
file — but it will issue a warning. If
you do not see that warning, adjust the contents of the file accordingly.
The method by which spamradar stores its data about relay
testing has been abstracted from the main code into a separate module called Relaydata.pm. Perl will need to be able to locate the Relaydata.pm
module when it runs. You can accomplish
this by either placing Relaydata.pm in the same
directory as the one that spamradar
runs in (not recommended, for housekeeping purposes), or by placing it in one
of the centralized directories that Perl has set aside for this purpose
(recommended).
The list of these directories is
stored in Perl’s @INC array at
runtime. To display the contents of the
@INC array from the command-line, you can use
a command like:
> perl -e
"print \"@INC\n\";"
Typical output on a stable Debian Linux machine will look something like this:
/usr/local/lib/perl/5.6.0
/usr/local/share/perl/5.6.0 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.6.0
/usr/share/perl/5.6.0 /usr/lib/perl5/5.6/i386-linux /usr/lib/perl5/5.6
/usr/lib/perl5/5.005/i386-linux .
If you try to run spamradar without installing Relaydata.pm,
you will see an error something like the following:
Can't
locate Relaydata.pm in @INC (@INC contains: /usr/local/lib/perl/5.6.0
/usr/local/share/perl/5.6.0 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.6.0
/usr/share/perl/5.6.0 /usr/lib/perl5/5.6/i386-linux /usr/lib/perl5/5.6
/usr/lib/perl5/5.005/i386-linux
Copying the Relaydata.pm
file to the appropriate directory – usually the last directory in the list
–will correct this. For more
information on proper placement of custom and/or site-specific Perl modules,
consult your Perl documentation.
If the TEST_SERVICE_ADDR parameter
is set in spamradar.conf, confirmed
open relays will be automatically submitted to that email address. Relays are listed one per line and are in
the format accepted by ORBS:
Relay: 192.168.254.1
Relay: 192.168.254.2
Relay: 192.168.254.3
If a relay is already marked as having been reported in the database, it will not be reported again.
If a relay is already listed in ORBS, it will not be submitted to ORBS. On spamradar’s next pass through the database, relays that are marked as blocked by ORBS will be removed. In this way, only those relays not yet listed by ORBS will remain in your local database.
You will need to make a small
addition to your sendmail.mc file if you
want sendmail to be able to use spamradar's
database. This change instructs
sendmail to check the spamradarreject.db file
and to reject connections from any host.
The changes required can be found in the spamradar.mc
file in the spamradar
distribution. They are also reproduced
here for reference.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
You will need to change the
“Kspamradar” line to match the path to your preferred location for the spamradarreject.db
file (though note that the “.db”
extension should not be included in this parameter). Also note that the “REJECT” line wraps onto the next line due to
limitations of the size of this document.
Every line in a .mc file should begin
with either a letter directive (in this case, K or R) or a comment. For more information on adding local
rulesets to your sendmail.mc file and
using m4 to produce the corresponding sendmail.cf
file, consult your sendmail documentation.
To run spamradar in its most basic mode, simply execute it:
>
spamradar.pl
Typical output will look something like the following:
>
spamradar.pl
ADVISORY mode
- will NOT modify database.
relay IP relay name sent tries guesses
-----------------------------------------------------------------------------------------
168.96.144.20 B idecom.unsj.edu.ar 1 4
td wgz vong
194.154.180.98 B 194.154.180.98 0 6 roes whitis
194.98.103.10 B 194.98.103.10 1 23 jeffryn jej
196.36.168.206 B 196.36.168.206 0 10 smoss wcore
200.198.51.162 B 200.198.51.162 0 4 allex awolf
203.194.162.80 B 203.194.162.80 1 4 pjb1 k-garn
203.231.6.193 B 203.231.6.193 28 50 mace madcat
210.200.168.129
B 210.200.168.129 13 25 stanton tru
211.192.178.50 B 211.192.178.50 6 29 wyldcld wiz
211.22.13.198 B 211.22.13.198 0 6 glydie glyd
211.47.153.130 B 211.47.153.130 1 7 cmcgrath he
211.47.57.3 B 211.47.57.3 3 7 robmck grv
211.72.162.226 B 211.72.162.226 1
7 robob whar
212.182.119.154
B upp.poczta.lublin.pl 0 3 gifcom joth
213.210.25.122 B 213.210.25.122 0 5 gobo rmurra
62.110.89.150 B 62.110.89.150 0 3 medge koerb
62.116.50.34 B 62.116.50.34 1 11 vangoe fhbr
62.172.163.98 B www.tarmachbm.co.uk 0 13
bdavidso di
62.2.115.95 B dclient115-95.hispeed.ch 0 7
asilva kjor
64.42.73.133 B great4.greatlifetoday.com 9 13
blh wolfs
NOTE: the last column (“guesses”) has been truncated to fit the page.
spamradar’s behavior can also be modified on the command line. Command-line parameters supersede most options in the configuration file.
|
-a |
consider all hosts, even
"allows" and already-blocked |
|
-c |
use alternate configuration file |
|
-d [0..5] |
increase debugging verbosity. default
is 1 |
|
-e |
export full database to STDOUT as CSV
text |
|
-f [filename] |
mail log to analyze. default is
/var/log/mail.log |
|
-h |
print a help message |
|
-I[filename] |
import data from colon-delimited file |
|
-m [string] |
manually search mail log for
"string" |
|
-o [host] |
test host for open relay (by name or
by IP) (results will be mailed to
TEST_RECIPIENT) |
|
-O |
test any suspicious relays found |
|
-r |
generate REJECT data for sendmail |
|
-s [integer] |
# of lines to pull from end of mail
log |
|
-t |
look for recent username-guessing
attempts |
|
-u [integer] |
# of username guesses to tolerate |
|
-v |
display program version information |
|
-w |
watch and test (rather than just
printing a report) |
|
-x |
manually remove a relay from the
database |
These switches are explained in greater detail below.
By default, spamradar only shows information about relays that it feels are
eligible for possible further testing.
If you would also like to see statistics and delivery information about
the relays in your ignore and allow
files, use the –a option.
NOTE: Use of the –a option automatically disables writes to the database and automatic testing. This is to prevent inadvertent testing and blocking of your own servers.
If you would like to use a configuration file different from the one in the default location, it can be specified with the –c option.
spamradar lets you adjust what level of detail you see while it operates.
spamradar has five levels of output, depending on what information is needed. Each level also includes the output of all previous levels.
|
0 |
At this level, only warnings and
errors are displayed. Level 0 is appropriate for running spamradar from cron or in some other automated fashion. |
|
1 |
This is spamradar's default verbosity level. At this level, the standard relay report is displayed. |
|
2 |
At Level 2, spamradar displays high-level diagnostic information. This includes information about extracting
records from the mail log, opening and closing the database, loading
configuration files, and relay testing.
Starting at this level, spamradar
also displays its current debugging level and displays summary information
about the data collected. During
development, this was referred to as “chatty” debugging. |
|
3 |
At this level, spamradar displays the handling of each record. As each record-parsing subroutine is
called, its name is displayed. Level
3 will generate roughly the same number of records as the number that you
have asked spamradar to analyze. |
|
4 |
At Level 4, spamradar shows the information extracted from each record at
this level. This information varies
with each record type. |
|
5 |
At this level, spamradar
also displays its comparison of relay IPs and hostnames to the list of relays
that are already blocked and should not be blocked. spamradar will also
show other miscellaneous low-level debugging information that is useful
during development. During
development, this was referred to as “mother-in-law grade” debugging. |
For example, if you run spamradar with the command-line option to increase debugging to level 2, and specify no other options, you will see output like:
>
spamradar.pl –d 2
Debugging is
set to level 2
ADVISORY mode - will NOT
modify database.
/var/log/spamradar.log
appears to be OK for writing.
Attempting to
create lockfile /etc/mail/spamradar.db.lock ... success.
Attempting to
lock lockfile /etc/mail/spamradar.db.lock ... success.
Opening
database /etc/mail/spamradar.db ... success.
Loading
relays we should never block from /etc/spamradar.allow ...
Loading
currently rejected hosts from /etc/mail/access ...
Pulling last
6000 lines from /var/log/mail.log ...
Extracting
data from log ...
ADVISORY mode
- will NOT modify database.
relay IP relay name sent tries guesses
-----------------------------------------------------------------------------------------
178.96.144.20 B idecom.unsj.edu.au 1 4
td wgz vong
194.154.180.98 B 194.154.180.98 0 6 roes whitis
194.98.103.10 B 194.98.103.10 1 23 jeffryn jej
196.36.158.206 B 196.36.168.206 0 10 smoss wcore
201.198.51.162 B 200.198.51.162 0 4 allex awolf
202.194.162.80 B 203.194.162.80 1 4 pjb1 k-garn
202.231.6.193 B 203.231.6.193 28
50 mace madcat
213.182.119.154
B upp.poczta.dublin.pl 0 3 gifcom joth
214.210.25.122 B 213.210.25.122 0 5 gobo rmurra
61.110.89.150 B 62.110.89.150 0 3 medge koerb
61.116.50.34 B 62.116.50.34 1 11 vangoe fhbr
61.172.163.98 B www.larmachbm.co.uk 0 13
bdavidso di
61.2.115.95 B dclient115-95.lospeed.ch 0 7
asilva kjor
64.42.78.133 B great4.greatlifetoday.org 9 13
blh wolfs
Closing
database /share/home/royce/bin/spamradar/dev/spamradar.db ... success.
Unlocking lockfile
/share/home/royce/bin/spamradar/dev/spamradar.db.lock ... success.
Removing
lockfile /share/home/royce/bin/spamradar/dev/spamradar.db.lock ... success.
spamradar.conf fileIf you need to experiment with the
settings in spamradar.conf, you can
create a separate spamradar.conf file and
keep it in a separate directory. As
long as you execute spamradar while
you are in that directory, the local spamradar.conf
will take precedence. spamradar first checks the current
directory and uses any local spamradar.conf
file that it finds there, and then falls back on the system-wide spamradar.conf
(usually located in /etc).
If you specify an alternate
configuration file with the –c option, the –c option takes precedence and any
local spamradar.conf file will be ignored.
The entire database can be exported
directly to your screen (STDOUT) with the –e
option:
>
spamradar.pl –e
12.10.196.183:12.10.196.183:2:987363786::0:2:2gFPBrfGuGOZ4z2gWEz1Qbna:987363786:
12.10.198.140:12.10.198.140:2:987363793::0:2:049100BImHDeSq9HhuI9pyTS:987363786:
12.2.115.69:mail.ltcps.com::::0:1::986790595:
12.25.228.194:194-228-25-12.user.darwin.net::::0:1::986812212:
12.26.165.85:mail.photoengravinginc.com::::0:1::986859758:
12.26.20.243:mail.cmgweb.net::::0:1::986859758:
12.26.72.99:12.26.72.99::::0:2::986812212:
12.27.232.252:12.27.232.252::::0:2::986824999:
12.27.37.235:12.27.37.235::::0:1::986800244:
12.27.8.2:12.27.8.2::::0:16::986787706:
12.29.40.67:12.29.40.67::::0:1::986868985:
The output is colon-delimited, and has this layout:
Relay_IP:reverse_DNS:relaystatus:testdate:testrecdate:testcounter:activity_counter:cookie
The data can be exported to a file by redirecting the output into a file on the command line.
For more information about the data format, see the document entitled spamradar Technical Notes.
spamradar can be instructed to process a log file other than the current file. For example, you might want to examine a log file from a previous day.
>
spamradar.pl -f /var/log/log_archives/mail.log.20010324
If you would like to import a list of relays from some other source, you can do so with the –i option.
IMPORTANT: While data is being imported, only the first field (the IP address of the relay) is validated. All other data is accepted as is. Perform your own data checks and make a backup copy of the existing database before importing. You may wish to export data with the –e option and study it before importing.
If something is happening to your mail servers, sometimes it is something that spamradar is not prepared to detect. Sometimes your interest in a particular relay is piqued when you see it in spamradar’s output, and you would like to examine it more closely. In these circumstances, it is sometimes handy to use the –m option to do the searching for you.
To manually test to see whether or not a relay is open, use the -o switch:
> spamradar.pl -o 192.168.254.1
Testing 192.168.254.1 for open relay
...
Connecting to 192.168.254.1 ...
<<< 220 spamhoundz.int SMTP
Server SLmail 5.0.0.4342 Ready
>>> HELO spamtest.tycho.org
<<< 250 spamhoundz.int
>>> MAIL
FROM:<relaytest@tycho.org>
<<< 250 OK
>>> RCPT
TO:<relaytest@tycho.org>
<<< 250 OK
>>> DATA
<<< 354 Start mail input; end
with <CRLF>.<CRLF>
>>> (message body)
<<< 250 OK, submitted and
queued. (6FB9F84C305411D5B55200400552AA80.SKM)
>>> QUIT
<<< 221 spamhoundz.int Service
closing transmission channel
rlytest.pl: relay accepted - final
response code 221
spamradar remembers the test results and will not retest the same server again by default:
> spamradar.pl -o 208.63.68.73
Skipped: 208.63.68.73 tested on Sun Jan
15 08:58:20 2001 (0 days ago) with status RELAY_ACCEPTED
NOTE: While testing both hostnames and IP addresses is supported, spamradar attempts to convert hostnames to IUP addresses before testing. If this fails, the test will not execute. Since the mapping of hostnames to IPs (“forward” DNS records) and the mapping of IPs to hostnames (“reverse” DNS records) are not guaranteed to match, testing with IP addresses exclusively is recommended.
To automatically test all relays
that show up in spamradar’s report,
use the –O option:
>
spamradar.pl –O -w
Note: testing multiple relays are
always written to the database, even if the –w
option is not specified.
If you make sendmail aware of spamradar by adding awareness of spamradarreject.db
to your sendmail.mc file, any
relay marked as an open relay can be automatically blocked. If you would like spamradar to simply regenerate spamradarreject.db
and then exit, use the –r option.
NOTE: The creation of the spamradarreject.db
file occurs automatically if you use the –w
option.
Sometimes it is useful to analyze a
chunk of mail logs that is different from the default. The larger the chunk, the more data spamradar has to work with, and the
more relays will show up in the report.
You can manually override the number of log lines to analyze with the –s
option, like so:
>
spamradar.pl –s 16000
To manually display all activity in
your mail log that indicates username guessing or invalid domains, use the >
spamradar.pl –t option:
>
spamradar.pl -t
All records corresponding to username guessing and From-name obfuscation (domains that do not exist or do not have MX records) are displayed.
One of spamradar’s
most important statistics is the number of deliveries attempted from a
particular relay to users that don’t exist (username “guesses”). If you would like to change the threshold at
which spamradar begins to consider
such guessing to be a concurrent indicator of spam attack, use the –u
option. This temporarily overrides the
value in spamradar.conf.
Information about the current
version of spamradar can be displayed with the –v
option:
>
spamradar.pl -v
spamradar.pl
v0.9.8a by Royce Williams royce@tycho.org
This switch turns spamradar from a reporting tool into an active agent of spam prevention. In this mode, after the standard statistics are collected and a report in generated, the following additional duties are performed:
· spamradar walks through the database. If a relay is marked as queued for retesting or has no previous test status, it is added to the pending test list.
· Relays that are more than MAX_TEST_AGE old are removed from the database if they are listed in ORBS.
· The TEST_RECIPIENT mailbox is popped to check for test results. If any results are not listed in TEST_SERVICE_ADDR, they are queued for reporting and then emailed to TEST_SERVICE_ADDR in chunks of 10.
·
The spamradarreject.db
file is updated, populated with all relays that are currently marked as
blockable in the database.
Here are some solutions to common problems and situations with spamradar.
·
If you find that spamradar is not recognizing some
types of records, you can use the –d
debugging option to display records that are currently being discarded. If you write an additional subroutine to
handle this record type and it may be of general use, contribution back to the
main source tree is encouraged.
·
If spamradar
is improperly configured and begins testing relays that are supposed to relay
for you, you may need to remove those relays manually with the –x
option and/or manually clear out any test results deposited in your
TEST_RECIPIENT’s inbox.
· In some circumstances, spamradar is sometimes unable to create initial copies of its databases. You may need to create empty files with appropriate permissions.
· If spamradar spontaneously erases the hard drive of the person in the next cubicle, this may be a bug or a feature – depending on your perspective.
·
More information about what spamradar is processing is written to spamradar.log. This information is more extensive than the
“chatty” level of debugging, but can be less confusing than the higher
debugging levels. Examining the log may
be useful when trying to track down why something is happening.
· You’ve got the source code. Feel free to change it to help track down your problem. If the change fits well into an existing debugging level, contribute it back to the tree.
Here are the steps required to manually remove spamradar from your system.
·
If you are using spamradarreject.db
support in your sendmail.mc file, remove
the spamradar-specific information
from the .mc file, regenerate your sendmail.cf
file, and reload sendmail.
·
Remove Relaydata.pm
from the appropriate directory in the Perl @INC path.
·
Remove spamradar.pl
from its directory (usually /usr/local)
·
Rremove spamradar.db
from its directory (usually /etc/mail)
·
Remove spamradar.conf
from its directory (usually /etc)
·
Remove spamradar.allow
from its directory (usually /etc)
·
Remove spamradar.ignore
from its directory (usually /etc)
A deinstallation script is planned for a future version of spamradar.
ORBS Open Relay Behaviour-modification System – http://www.orbs.org/
CPAN Comprehensive Perl Archive Network – http://www.cpan.org/
Perl http://www.perl.com/
rlytest.pl http://www.unicom.com/sw/rlytest/
TSI MAPS Transport Security Initiative - http://www.mail-abuse.org/tsi/
sendmail http://www.sendmail.org/