- Timestamp:
- 01/13/10 17:40:03 (15 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/dnsbl/extract-data
r12 r13 87 87 my %urilist; 88 88 89 for (my $i=0; $i<$msgcount; $i++) { 89 # put together an array of netblocks we won't/can't list for various reasons 90 my @dontlistme = ( 91 # Hotmail/Windows Live Mail 92 NetAddr::IP->new("65.52.0.0/14"), 93 94 # AOL - note only some IPs show mail-ish rDNS 95 #IP-Network 205.188.0.0/16 96 #IP-Network 64.12.0.0/16 97 NetAddr::IP->new("205.188.105.140/29"), 98 NetAddr::IP->new("205.188.169.196/29"), 99 NetAddr::IP->new("205.188.249.128/29"), 100 NetAddr::IP->new("205.188.249.64/29"), 101 102 # Google/GMail 103 NetAddr::IP->new("209.85.128.0/17"), 104 NetAddr::IP->new("72.14.192.0/18"), 105 106 # Yahoo!/Inktomi 107 NetAddr::IP->new("98.136.0.0/14"), 108 NetAddr::IP->new("66.196.64.0/18"), 109 NetAddr::IP->new("67.195.0.0/16"), 110 NetAddr::IP->new("69.147.64.0/18"), 111 NetAddr::IP->new("206.190.32.0/18"), 112 NetAddr::IP->new("68.142.192.0/18"), 113 NetAddr::IP->new("216.252.96.0/19"), 114 NetAddr::IP->new("124.83.128.0/17"), 115 NetAddr::IP->new("217.146.184.0/21"), 116 NetAddr::IP->new("124.108.96.0/20"), 117 NetAddr::IP->new("76.13.0.0/16"), 118 NetAddr::IP->new("68.180.128.0/17"), 119 NetAddr::IP->new("209.191.64.0/18"), 120 NetAddr::IP->new("212.82.104.0/21"), 121 NetAddr::IP->new("66.163.160.0/19"), 122 123 # Bell Canada - note only some IPs show mail-ish rDNS 124 #IP-Network 209.226.0.0/16 125 #IP-Network 207.236.0.0/16 126 NetAddr::IP->new("209.226.175.0/24"), 127 NetAddr::IP->new("207.236.237.0/26"), 128 129 # Craigslist 130 #IP-Network 208.82.236.0/22 131 NetAddr::IP->new("208.82.236.0/22"), 132 133 # Apple.com/mac.com - note only some IPs show mail-ish rDNS 134 #IP-Network 17.0.0.0/8 135 # asmtpout0(11-30).mac.com 136 # 17.148.16. 011 -> 86 030 -> 105 137 NetAddr::IP->new("17.148.16.64/26"), 138 139 # Vodafone - note only some IPs show mail-ish rDNS 140 #route: 212.183.128.0/19 141 NetAddr::IP->new("212.183.156.224/29"), 142 143 # Eastlink (formerly Persona [Sudbury etc]) - only one IP observed with mail-ish rDNS 144 #IP-Network 24.222.0.0/16 145 NetAddr::IP->new("24.222.0.30"), 146 147 # Cogeco - only a few IPs observed with mail-ish rDNS 148 #IP-Network 216.221.64.0/19 149 NetAddr::IP->new("216.221.81.192"), 150 NetAddr::IP->new("216.221.81.96/30"), 151 152 # UAlberta - only one IP observed with mail-ish rDNS 153 #IP-Network 129.128.0.0/16 154 NetAddr::IP->new("129.128.5.19"), 155 ); # done def for @dontlistme 156 157 MSG: for (my $i=0; $i<$msgcount; $i++) { 90 158 my $msg = $imap->message_string($msgs[$i]); 91 159 … … 135 203 my @untrusted = @{$stmsg->{metadata}->{relays_untrusted}}; 136 204 137 my $sa_intip = new NetAddr::IP $untrusted[0]->{ip}; 138 139 140 my %headerlist = %{$imap->parse_headers($msgs[$i], "Received")}; 141 my $recvnum = 0; 142 my $recv = $headerlist{'Received'}[$recvnum]; 143 next if !$recv; 144 145 my $relayip; 146 147 #Received: from mail.company.com [ip.add.re.ss] 148 # by localhost with POP3 (fetchmail-6.2.5) 149 # for kdeugau@localhost (single-drop); Fri, 15 May 2009 11:45:10 -0400 (EDT) 150 if ($recv =~ /from mail\.company\.com \[ip\.add\.re\.ss\]\s*by localhost with POP3 \(fetchmail/) { 151 $recvnum += 1; 152 $recv = $headerlist{'Received'}[$recvnum]; 153 } 154 155 if ($recv =~ /^by mx\d\.company\.com \(Postfix, from userid \d+\)/) { 156 $recvnum++; 157 $recv = $headerlist{'Received'}[$recvnum]; 158 } 159 160 # le sigh. gotta bypass a message if we can't parse the headers. Outlook 161 # does an admirable job of mangling things for us. >:( 162 if ($recv !~ /by mx\d\.company\.com \(Postfix\)/) { 163 print "phtui: $recv\n"; 164 next; 165 } 166 167 ##fixme 168 # le sigh. skip IP extraction on tagged spam reported as nonspam, since the real spam is a layer deeper. 169 next if $recv =~ /from localhost by mfs\d with SpamAssassin/; 170 171 # Postini puts the "real" received: header one layer further out - SA is configured to compensate for this so we do too 172 #IP-Network 64.18.0.0/20 173 #IP-Network-Block 064.018.000.000 - 064.018.015.255 174 #Org-Name Postini, Inc. 175 if ($recv =~ /\[64\.18\.(?:[0-9]|1[0-5])\.\d+]\) by mx\d\.company\.com/) { 176 $recv = $recv = $headerlist{'Received'}[++$recvnum]; 177 #Received: from source ([208.95.48.65]) (using TLSv1) by 178 # exprod5mx230.postini.com ([64.18.4.10]) with SMTP; Fri, 10 Jul 179 my ($tmprelayip) = ($recv =~ /from source \(\[([\d.]+)\]\) (?:\(using TLSv1\) )?by (?:exprod\dm[xo]b?|chipmx)\d+\.postini\.com/); 180 $relayip = new NetAddr::IP $tmprelayip; 181 182 } elsif ($recv =~ /\[137\.82\.45\.(?:[0-9]|1[0-5])\]\) by mx\d\.company\.com/) { 183 # Customer with (spam)forwarding from UBC - enough to justify this code 184 #IP-Network 137.82.0.0/16 185 #IP-Network-Block 137.082.000.000 - 137.082.255.255 186 #Org-Name University of British Columbia 187 # only 137.82.45.0/28 or so seem to be outbound relays (duh) 188 $recv = $recv = $headerlist{'Received'}[++$recvnum]; 189 #Received: from bcnbib.gov.ar (200-42-22-14.dup.prima.net.ar [200.42.22.14]) 190 # by mr4.mail-relay.ubc.ca (Postfix) 191 my ($tmprelayip) = ($recv =~ /from \[?[a-zA-Z0-9._-]+\]? \([a-zA-Z0-9._-]+ \[([\d+.]+)\]\) by mr\d\.mail-relay\.ubc\.ca \(Postfix\)/); 192 $relayip = new NetAddr::IP $tmprelayip; 193 194 } else { 195 my ($tmprelayip) = ($recv =~ /\[([\d+.]+)\]\) by mx\d\.company\.com/); 196 $relayip = new NetAddr::IP $tmprelayip; 197 } 198 199 print "eep, no ip from manual extraction\n$recv\n" if !$relayip; 200 print "SA vs manual extraction, relay IP mismatch: $sa_intip vs $relayip on\n\t$recv\n" if $sa_intip != $relayip; 201 202 # Hotmail/Windows Live Mail may originate or relay spam, but we can't blacklist them 203 #Received: from blu0-omc4-s23.blu0.hotmail.com (blu0-omc4-s23.blu0.hotmail.com 204 # [65.55.111.162]) by mx2.company.com (Postfix) 205 # next if $recv =~ /from (?:bay|blu|col|snt)0-omc\d+-s\d+\.(?:bay|blu|col|snt)0\.hotmail\.com 206 \((?:bay|blu|col|snt)0-omc\d+-s\d+\.(?:bay|blu|col|snt)0\.hotmail\.com \[65.5[2345].\d+\.\d+\]\) by mx\d\.company\.com/; 207 #IP-Network 65.52.0.0/14 208 #IP-Network-Block 065.052.000.000 - 065.055.255.255 209 #Org-Name Microsoft Corp 210 my $hotmail1 = new NetAddr::IP "65.52.0.0/14"; 211 print "$.: $recv\n" if !defined ($relayip); 212 next if $relayip->within($hotmail1); 213 214 # AOL may originate or relay spam, but we can't blacklist them 215 #Received: from omr-m33.mx.aol.com (omr-m33.mx.aol.com [64.12.143.145]) by 216 # mx1.company.com (Postfix) with ESMTP id 7B9431C3255 for <webmaster@tyenet.com>; 217 next if $recv =~ /from (?:omr|im[or])-[dm][ab]?\d+\.mx\.aol\.com \((?:omr|im[or])-[dm][ba]?\d+\.mx\.aol\.com \[[\d.]+\]\) by mx\d\.company\.com/; 218 219 # Google may relay spam, GMail may originate it, but we can't blacklist them. 220 #IP-Network 209.85.128.0/17 221 #IP-Network-Block 209.085.128.000 - 209.085.255.255 222 #Org-Name Google Inc. 223 next if $recv =~ /\[209\.85\.(?:1(?:2[89]|[3-9]\d)|2(?:[0-4]\d|5[0-5]))\.\d+\]\) by mx\d\.company\.com/; 224 #OrgName: Google Inc. 225 #NetRange: 72.14.192.0 - 72.14.255.255 226 #CIDR: 72.14.192.0/18 227 next if $recv =~ /\[72\.14\.(?:19[2-9]|2(?:[0-4]\d|5[0-5]))\.\d+\]\) by mx\d\.company\.com/; 228 229 # Yahoo! may ... yadda yadda yadda (geeze they've got a whack of netblocks for mail...) 230 #IP-Network 98.136.0.0/14 231 my $yahoo1 = new NetAddr::IP "98.136.0.0/14"; 232 next if $relayip->within($yahoo1); 233 #IP-Network 66.196.64.0/18 234 #Org-Name Inktomi Corporation 235 # Inktomi ~~ Yahoo! 236 my $yahoo2 = new NetAddr::IP "66.196.64.0/18"; 237 next if $relayip->within($yahoo2); 238 #IP-Network 67.195.0.0/16 239 my $yahoo3 = new NetAddr::IP "67.195.0.0/16"; 240 next if $relayip->within($yahoo3); 241 #IP-Network 69.147.64.0/18 242 my $yahoo4 = new NetAddr::IP "69.147.64.0/18"; 243 next if $relayip->within($yahoo4); 244 #IP-Network 206.190.32.0/19 245 #Org-Name Yahoo! Broadcast Services, Inc. 246 my $yahoo5 = new NetAddr::IP "206.190.32.0/18"; 247 next if $relayip->within($yahoo5); 248 #IP-Network 68.142.192.0/18 249 #Org-Name Inktomi Corporation 250 my $yahoo6 = new NetAddr::IP "68.142.192.0/18"; 251 next if $relayip->within($yahoo6); 252 #IP-Network 216.252.96.0/19 253 my $yahoo7 = new NetAddr::IP "216.252.96.0/19"; 254 next if $relayip->within($yahoo7); 255 #inetnum: 124.83.128.0 - 124.83.255.255 256 my $yahoo8 = new NetAddr::IP "124.83.128.0/17"; 257 next if $relayip->within($yahoo8); 258 #inetnum: 217.146.184.0 - 217.146.191.47 259 my $yahoo9 = new NetAddr::IP "217.146.184.0/21"; 260 next if $relayip->within($yahoo9); 261 #inetnum: 124.108.96.0 - 124.108.111.255 262 my $yahoo10 = new NetAddr::IP "124.108.96.0/20"; 263 next if $relayip->within($yahoo10); 264 #IP-Network 76.13.0.0/16 265 my $yahoo11 = new NetAddr::IP "76.13.0.0/16"; 266 next if $relayip->within($yahoo11); 267 #IP-Network 68.180.128.0/17 268 my $yahoo12 = new NetAddr::IP "68.180.128.0/17"; 269 next if $relayip->within($yahoo12); 270 #IP-Network 209.191.64.0/18 271 my $yahoo13 = new NetAddr::IP "209.191.64.0/18"; 272 next if $relayip->within($yahoo13); 273 #route: 212.82.104.0/21 274 my $yahoo14 = new NetAddr::IP "212.82.104.0/21"; 275 next if $relayip->within($yahoo14); 276 #IP-Network 66.163.160.0/19 277 my $yahoo15 = new NetAddr::IP "66.163.160.0/19"; 278 next if $relayip->within($yahoo15); 279 280 # and the same goes for Bell Canada. *le sigh* 281 #IP-Network 209.226.0.0/16 282 #IP-Network-Block 209.226.000.000 - 209.226.255.255 283 #Org-Name Bell Canada 284 #Received: from tomts35-srv.bellnexxia.net (tomts35.bellnexxia.net 285 # [209.226.175.109]) by mx2.company.com (Postfix) with ESMTP id B415C16752D for 286 # <user@compnay.com>; Sat, 4 Jul 2009 10:48:24 -0400 (EDT) 287 # hmm. tomts\d(-srv)?.bellnexxia.net only seem to be in .175/24. we'll just drop those ones for now... 288 # especially since there appear to be hosted customers etc in the same ARIN allocation above. 289 my $bell1 = new NetAddr::IP "209.226.175.0/24"; 290 next if $relayip->within($bell1); 291 #IP-Network 207.236.0.0/16 292 # only listing a subsection - rDNS hosts look like Bell SMTP hardware 293 my $bell2 = new NetAddr::IP "207.236.237.0/26"; 294 next if $relayip->within($bell2); 295 296 # ... and your little dog too! 297 #IP-Network 208.82.236.0/22 298 #IP-Network-Block 208.082.236.000 - 208.082.239.255 299 #Org-Name Craigslist, Inc. 300 my $craigslist1 = new NetAddr::IP "208.82.236.0/22"; 301 next if $relayip->within($craigslist1); 302 303 # not gonna whitelist the whole enchilada... just the asmtpout0(11-30).mac.com 304 # 17.148.16 011 -> 86 030 -> 105 305 #IP-Network 17.0.0.0/8 306 #IP-Network-Block 017.000.000.000 - 017.255.255.255 307 #Org-Name Apple Computer, Inc. 308 my $apple1 = new NetAddr::IP "17.148.16.64/26"; 309 next if $relayip->within($apple1); 310 311 # and Vodafone... 312 # 212.183.156.227 (.227 through .230 have server rdns) 313 #route: 212.183.128.0/19 314 #descr: Vodafone UK 315 #inetnum: 212.183.156.0 - 212.183.156.255 316 #descr: Vodafone Limited 317 my $voda1 = new NetAddr::IP "212.183.156.224/29"; 318 next if $relayip->within($voda1); 319 320 # ooohhh, Eastlink wants to join the party 321 #24.222.0.30 322 #IP-Network 24.222.0.0/16 323 #IP-Network-Block 024.222.000.000 - 024.222.255.255 324 #Org-Name Bragg Communications Incorporated 325 my $eastlink1 = new NetAddr::IP "24.222.0.30"; 326 next if $relayip->within($eastlink1); 327 328 # and now Cogeco 329 #216.221.81.192 330 #IP-Network 216.221.64.0/19 331 #IP-Network-Block 216.221.064.000 - 216.221.095.255 332 #Org-Name Cogeco Telecom 333 # only ignoring systems-looking IPs or blocks with mostly systems-looking IPs 334 my $cogeco1 = new NetAddr::IP "216.221.81.192"; 335 next if $relayip->within($cogeco1); 336 my $cogeco2 = new NetAddr::IP "216.221.81.96/30"; 337 next if $relayip->within($cogeco2); 338 339 # and UAlberta 340 #129.128.5.19 341 #IP-Network 129.128.0.0/16 342 #IP-Network-Block 129.128.000.000 - 129.128.255.255 343 #Org-Name University of Alberta 344 my $ualberta1 = new NetAddr::IP "129.128.5.19"; 345 next if $relayip->within($ualberta1); 205 my $relayip = new NetAddr::IP $untrusted[0]->{ip}; 206 207 foreach my $block (@dontlistme) { 208 next MSG if $relayip->within($block); 209 } 346 210 347 211 $iplist{$relayip->addr}++ if $relayip; 348 # print "$recv\n"; 349 # print "$relayip\n\n"; 350 # print $imap->get_header($msgs[$i], "From"); print "\n"; 351 352 353 # last if $i > 15; 212 213 # last if $i > 2; 354 214 sleep 1; 355 215 } # IMAP message iteration
Note:
See TracChangeset
for help on using the changeset viewer.