
labunix's blog

labunix's LabUnix

Trying out a one-liner for spam mail testing.

■Trying out a one-liner for spam mail testing.

 McAfee's site has some handy examples.
 One of them is also on the official SpamAssassin page.

 Test strings for spam mail and phishing mail
 http://www.mcafee.com/japan/pqa/aMcAfeeScm.asp?ancQno=SC06111301&

 The GTUBE
 http://spamassassin.apache.org/gtube/

■Detection example with SpamAssassin

$ (sleep 1;echo "ehlo localhost"; \
   sleep 1;echo "mail from:`whoami`@`cat /etc/mailname`"; \
   sleep 1;echo "rcpt to:`whoami`@`cat /etc/mailname`"; \
   sleep 1;echo "data"; \
   sleep 1;echo "Subject: Spam Test"; \
   sleep 1;echo 'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'; \
   sleep 1;echo "."; \
   sleep 1;echo "quit") | tee -a spam.log | telnet 172.31.31.254 25

$ sudo tail -1 | sed s/", "/",\n "/g
Mar  3 00:18:56 myhome amavis[15632]: (15632-01) Blocked SPAM {BouncedInternal,Quarantined},
 LOCAL [172.31.31.254]:44665 [172.31.31.254] <labunix@myhome.myhome.local> -> <labunix@myhome.myhome.local>,
 quarantine: Z/spam-ZJPFmfm304KE.gz,
 Queue-ID: 764FD27E001,
 Message-ID: <20150302151851.764FD27E001@myhome.myhome.local>,
 mail_id: ZJPFmfm304KE,
 Hits: 1003.824,
 size: 450,
 766 ms

■amavis detected the spam via SpamAssassin and blocked it.
 "Delivery of the email was stopped!"

$ grep mbox | grep "^Delivery\|^X-Spam\|^action\|UBE\|^Diag"
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
X-Spam-Level: 
X-Spam-Status: No, score=-0.2 required=5.0 tests=ALL_TRUSTED,
was considered unsolicited bulk e-mail (UBE).
Delivery of the email was stopped!
Action: failed
Diagnostic-Code: smtp; 554 5.7.0 Bounce, id=15632-01 - spam
Action: failed
Diagnostic-Code: smtp; 554 5.7.0 Bounce, id=15632-01 - spam

■Non-detection example on the Fortigate-80C
 Perhaps the characteristics it inspects are different.

$ (sleep 1;echo "ehlo localhost"; \
   sleep 1;echo "mail from:`whoami`@`cat /etc/mailname`"; \
   sleep 1;echo "rcpt to:`whoami`@`cat /etc/mailname`"; \
   sleep 1;echo "data"; \
   sleep 1;echo "Subject: Spam Test"; \
   sleep 1;echo 'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'; \
   sleep 1;echo "."; \
   sleep 1;echo "quit") | tee -a spam.log | telnet 192.168.1.251 25

■Checked syslog. It went straight through...
 After that it was caught by amavis and blocked by SpamAssassin...

$ sudo tail -1 /var/log/Fortigate-80C.log | sed s/" [a-z0-9]*id=\|[a-z0-9]*ip="/"\n&"/g
Mar  3 00:25:20 172.31.31.251 date=2015-03-03 time=00:25:20 devname=FGT-UTM FGT80CXXXXXXXXXX
 logid=0000000013 type=traffic subtype=forward level=notice vd=root 
srcip=192.168.1.253 srcport=42396 srcintf="wan1" 
dstip=192.168.1.251 dstport=25 dstintf="internal"
 sessionid=565 status=close
 policyid=3 dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat 
tranip=172.31.31.254 tranport=25 
transip=172.31.31.251 transport=42396 service=SMTP proto=6 duration=19 sentbyte=1118 rcvdbyte=1269 sentpkt=17 rcvdpkt=18
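Added example, not part of the post: a small POSIX sh script that checks the two kinds of log line shown above. It embeds the amavis "Blocked SPAM" line and the FortiGate traffic line from this post as samples (joined back onto one line each), plus a constructed "Passed CLEAN" amavis line for the negative case, and pulls out fields such as Hits, mail_id and service=. The point is the one the post runs into: the amavis line carries a verdict and a score (GTUBE is worth 1000 points in SpamAssassin, so a "Blocked SPAM" line with Hits of 1000 or more is the fingerprint of the test string being caught), while a type=traffic record only says that a port-25 session was NATed and forwarded and carries no content verdict at all. The function names and the clean sample line are my own.

```shell
#!/bin/sh
# Sample log lines. The amavis "Blocked SPAM" line and the FortiGate line are
# the ones shown in this post; the "Passed CLEAN" line is constructed here.
AMAVIS_LINE='Mar  3 00:18:56 myhome amavis[15632]: (15632-01) Blocked SPAM {BouncedInternal,Quarantined}, LOCAL [172.31.31.254]:44665 [172.31.31.254] <labunix@myhome.myhome.local> -> <labunix@myhome.myhome.local>, quarantine: Z/spam-ZJPFmfm304KE.gz, Queue-ID: 764FD27E001, Message-ID: <20150302151851.764FD27E001@myhome.myhome.local>, mail_id: ZJPFmfm304KE, Hits: 1003.824, size: 450, 766 ms'
CLEAN_LINE='Mar  3 00:30:00 myhome amavis[15700]: (15700-01) Passed CLEAN {RelayedInternal}, LOCAL [172.31.31.254]:44700 [172.31.31.254] <labunix@myhome.myhome.local> -> <labunix@myhome.myhome.local>, Queue-ID: CONSTRUCTED0, Message-ID: <constructed@myhome.myhome.local>, mail_id: CONSTRUCTED0, Hits: -0.2, size: 450, 500 ms'
FORTI_LINE='Mar  3 00:25:20 172.31.31.251 date=2015-03-03 time=00:25:20 devname=FGT-UTM logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=192.168.1.253 srcport=42396 srcintf="wan1" dstip=192.168.1.251 dstport=25 dstintf="internal" sessionid=565 status=close policyid=3 dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat tranip=172.31.31.254 tranport=25 transip=172.31.31.251 transport=42396 service=SMTP proto=6 duration=19 sentbyte=1118 rcvdbyte=1269 sentpkt=17 rcvdpkt=18'

# amavis_field LINE KEY: value of the "KEY: value" item in amavis' comma list.
amavis_field() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^ *$2: *//p" | head -n 1
}

# amavis_verdict LINE: the "Blocked SPAM" / "Passed CLEAN" verdict that
# follows the task id, e.g. "(15632-01) Blocked SPAM {...}".
amavis_verdict() {
    printf '%s\n' "$1" | sed -n 's/.*amavis\[[0-9]*\]: ([0-9-]*) \([A-Za-z]* [A-Z]*\).*/\1/p'
}

# gtube_hit LINE: true when the line is a spam block scored like a GTUBE hit.
# GTUBE adds 1000 points in SpamAssassin, so "Blocked SPAM" together with
# Hits >= 1000 is what a detected test string looks like in the amavis log.
gtube_hit() {
    [ "$(amavis_verdict "$1")" = "Blocked SPAM" ] || return 1
    awk -v h="$(amavis_field "$1" Hits)" 'BEGIN { exit (h + 0 >= 1000) ? 0 : 1 }'
}

# fortigate_field LINE KEY: value of KEY=value with surrounding quotes removed.
# Splitting on spaces is enough for a traffic record like this one; quoted
# values that contain spaces would need a real tokenizer.
fortigate_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | sed 's/^"//; s/"$//' | head -n 1
}

# smtp_session_forwarded LINE: true when the record is a plain traffic entry
# for a port-25 session. That is all the post's line says: the session was
# NATed and forwarded. A traffic record carries no spam verdict.
smtp_session_forwarded() {
    [ "$(fortigate_field "$1" type)" = "traffic" ] &&
    [ "$(fortigate_field "$1" service)" = "SMTP" ] &&
    [ "$(fortigate_field "$1" dstport)" = "25" ]
}

if gtube_hit "$AMAVIS_LINE"; then
    echo "amavis: GTUBE blocked, mail_id=$(amavis_field "$AMAVIS_LINE" mail_id) hits=$(amavis_field "$AMAVIS_LINE" Hits)"
fi
if ! gtube_hit "$CLEAN_LINE"; then
    echo "amavis: clean sample is not a GTUBE hit"
fi
if smtp_session_forwarded "$FORTI_LINE"; then
    echo "fortigate: SMTP session $(fortigate_field "$FORTI_LINE" srcip) -> $(fortigate_field "$FORTI_LINE" tranip) forwarded; traffic record, no content verdict"
fi
```

Run it against real files with something like `sudo tail -n 1 /var/log/mail.log` substituted for the sample variables; the amavis parser is what tells you whether the test mail was actually stopped, since the sending one-liner never reads the server's replies.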

■One-liner for sending the spam test and the phishing test.
 Change of direction: playing with one-liners.

$ for BODY in \
    "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X" \
    "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTPHISH-STANDARD-ANTI-PHISH-TEST-EMAIL*C.34X" \
  ;do \
   (sleep 1;echo "ehlo localhost"; \
   sleep 1;echo "mail from:`whoami`@`cat /etc/mailname`"; \
   sleep 1;echo "rcpt to:`whoami`@`cat /etc/mailname`"; \
   sleep 1;echo "data"; \
   sleep 1;echo "Subject: Test "`echo "$BODY" | awk -F\- '{print $4}'`; \
   sleep 1;echo "$BODY"; \
   sleep 1;echo "."; \
   sleep 1;echo "quit") | telnet 192.168.1.251 25; \
  done

■One step short of testing every spam score from 1 to 127.
 The idea is the same as FizzBuzz.

$ for n in "`seq 0x00 0x7f`" ;do \
    echo "ibase=10;obase=2;$n" | bc | \
    awk '{printf "%07d\n",$0}' | sed s/./" &"/g | \
    awk '($1>0){printf "SIXTY-FOUR,"}; \
         ($2>0){printf "THIRTY-TWO,"}; \
         ($3>0){printf "SIXTEEN,"}; \
         ($4>0){printf "EIGHT,"}; \
         ($5>0){printf "FOUR,"}; \
         ($6>0){printf "TWO,"}; \
         ($7>0){printf "ONE,"}; \
         {printf "\n"}';done | nl
       
     1	ONE,
     2	TWO,
     3	TWO,ONE,
     4	FOUR,
     5	FOUR,ONE,
     6	FOUR,TWO,
     7	FOUR,TWO,ONE,
     8	EIGHT,
     9	EIGHT,ONE,
    10	EIGHT,TWO,
    11	EIGHT,TWO,ONE,
    12	EIGHT,FOUR,
    13	EIGHT,FOUR,ONE,
    14	EIGHT,FOUR,TWO,
    15	EIGHT,FOUR,TWO,ONE,
    16	SIXTEEN,
    17	SIXTEEN,ONE,
    18	SIXTEEN,TWO,
    19	SIXTEEN,TWO,ONE,
    20	SIXTEEN,FOUR,
    21	SIXTEEN,FOUR,ONE,
    22	SIXTEEN,FOUR,TWO,
    23	SIXTEEN,FOUR,TWO,ONE,
    24	SIXTEEN,EIGHT,
    25	SIXTEEN,EIGHT,ONE,
    26	SIXTEEN,EIGHT,TWO,
    27	SIXTEEN,EIGHT,TWO,ONE,
    28	SIXTEEN,EIGHT,FOUR,
    29	SIXTEEN,EIGHT,FOUR,ONE,
    30	SIXTEEN,EIGHT,FOUR,TWO,
    31	SIXTEEN,EIGHT,FOUR,TWO,ONE,
    32	THIRTY-TWO,
    33	THIRTY-TWO,ONE,
    34	THIRTY-TWO,TWO,
    35	THIRTY-TWO,TWO,ONE,
    36	THIRTY-TWO,FOUR,
    37	THIRTY-TWO,FOUR,ONE,
    38	THIRTY-TWO,FOUR,TWO,
    39	THIRTY-TWO,FOUR,TWO,ONE,
    40	THIRTY-TWO,EIGHT,
    41	THIRTY-TWO,EIGHT,ONE,
    42	THIRTY-TWO,EIGHT,TWO,
    43	THIRTY-TWO,EIGHT,TWO,ONE,
    44	THIRTY-TWO,EIGHT,FOUR,
    45	THIRTY-TWO,EIGHT,FOUR,ONE,
    46	THIRTY-TWO,EIGHT,FOUR,TWO,
    47	THIRTY-TWO,EIGHT,FOUR,TWO,ONE,
    48	THIRTY-TWO,SIXTEEN,
    49	THIRTY-TWO,SIXTEEN,ONE,
    50	THIRTY-TWO,SIXTEEN,TWO,
    51	THIRTY-TWO,SIXTEEN,TWO,ONE,
    52	THIRTY-TWO,SIXTEEN,FOUR,
    53	THIRTY-TWO,SIXTEEN,FOUR,ONE,
    54	THIRTY-TWO,SIXTEEN,FOUR,TWO,
    55	THIRTY-TWO,SIXTEEN,FOUR,TWO,ONE,
    56	THIRTY-TWO,SIXTEEN,EIGHT,
    57	THIRTY-TWO,SIXTEEN,EIGHT,ONE,
    58	THIRTY-TWO,SIXTEEN,EIGHT,TWO,
    59	THIRTY-TWO,SIXTEEN,EIGHT,TWO,ONE,
    60	THIRTY-TWO,SIXTEEN,EIGHT,FOUR,
    61	THIRTY-TWO,SIXTEEN,EIGHT,FOUR,ONE,
    62	THIRTY-TWO,SIXTEEN,EIGHT,FOUR,TWO,
    63	THIRTY-TWO,SIXTEEN,EIGHT,FOUR,TWO,ONE,
    64	SIXTY-FOUR,
    65	SIXTY-FOUR,ONE,
    66	SIXTY-FOUR,TWO,
    67	SIXTY-FOUR,TWO,ONE,
    68	SIXTY-FOUR,FOUR,
    69	SIXTY-FOUR,FOUR,ONE,
    70	SIXTY-FOUR,FOUR,TWO,
    71	SIXTY-FOUR,FOUR,TWO,ONE,
    72	SIXTY-FOUR,EIGHT,
    73	SIXTY-FOUR,EIGHT,ONE,
    74	SIXTY-FOUR,EIGHT,TWO,
    75	SIXTY-FOUR,EIGHT,TWO,ONE,
    76	SIXTY-FOUR,EIGHT,FOUR,
    77	SIXTY-FOUR,EIGHT,FOUR,ONE,
    78	SIXTY-FOUR,EIGHT,FOUR,TWO,
    79	SIXTY-FOUR,EIGHT,FOUR,TWO,ONE,
    80	SIXTY-FOUR,SIXTEEN,
    81	SIXTY-FOUR,SIXTEEN,ONE,
    82	SIXTY-FOUR,SIXTEEN,TWO,
    83	SIXTY-FOUR,SIXTEEN,TWO,ONE,
    84	SIXTY-FOUR,SIXTEEN,FOUR,
    85	SIXTY-FOUR,SIXTEEN,FOUR,ONE,
    86	SIXTY-FOUR,SIXTEEN,FOUR,TWO,
    87	SIXTY-FOUR,SIXTEEN,FOUR,TWO,ONE,
    88	SIXTY-FOUR,SIXTEEN,EIGHT,
    89	SIXTY-FOUR,SIXTEEN,EIGHT,ONE,
    90	SIXTY-FOUR,SIXTEEN,EIGHT,TWO,
    91	SIXTY-FOUR,SIXTEEN,EIGHT,TWO,ONE,
    92	SIXTY-FOUR,SIXTEEN,EIGHT,FOUR,
    93	SIXTY-FOUR,SIXTEEN,EIGHT,FOUR,ONE,
    94	SIXTY-FOUR,SIXTEEN,EIGHT,FOUR,TWO,
    95	SIXTY-FOUR,SIXTEEN,EIGHT,FOUR,TWO,ONE,
    96	SIXTY-FOUR,THIRTY-TWO,
    97	SIXTY-FOUR,THIRTY-TWO,ONE,
    98	SIXTY-FOUR,THIRTY-TWO,TWO,
    99	SIXTY-FOUR,THIRTY-TWO,TWO,ONE,
   100	SIXTY-FOUR,THIRTY-TWO,FOUR,
   101	SIXTY-FOUR,THIRTY-TWO,FOUR,ONE,
   102	SIXTY-FOUR,THIRTY-TWO,FOUR,TWO,
   103	SIXTY-FOUR,THIRTY-TWO,FOUR,TWO,ONE,
   104	SIXTY-FOUR,THIRTY-TWO,EIGHT,
   105	SIXTY-FOUR,THIRTY-TWO,EIGHT,ONE,
   106	SIXTY-FOUR,THIRTY-TWO,EIGHT,TWO,
   107	SIXTY-FOUR,THIRTY-TWO,EIGHT,TWO,ONE,
   108	SIXTY-FOUR,THIRTY-TWO,EIGHT,FOUR,
   109	SIXTY-FOUR,THIRTY-TWO,EIGHT,FOUR,ONE,
   110	SIXTY-FOUR,THIRTY-TWO,EIGHT,FOUR,TWO,
   111	SIXTY-FOUR,THIRTY-TWO,EIGHT,FOUR,TWO,ONE,
   112	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,
   113	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,ONE,
   114	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,TWO,
   115	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,TWO,ONE,
   116	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,FOUR,
   117	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,FOUR,ONE,
   118	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,FOUR,TWO,
   119	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,FOUR,TWO,ONE,
   120	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,
   121	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,ONE,
   122	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,TWO,
   123	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,TWO,ONE,
   124	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,FOUR,
   125	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,FOUR,ONE,
   126	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,FOUR,TWO,
   127	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,FOUR,TWO,ONE,

■One-liner that tests every score from 1 to 127.
 Incidentally, with SpamAssassin every one of them came back as "X-Spam-Status: No, score=2.122",
 so it does not look very useful for testing.

$ for n in "`seq 0x00 0x7f`" ;do \
    echo "ibase=10;obase=2;$n" | bc | \
    awk '{printf "%07d\n",$0}' | sed s/./" &"/g | \
    awk '($1>0){printf "SIXTY-FOUR,"}; \
         ($2>0){printf "THIRTY-TWO,"}; \
         ($3>0){printf "SIXTEEN,"}; \
         ($4>0){printf "EIGHT,"}; \
         ($5>0){printf "FOUR,"}; \
         ($6>0){printf "TWO,"}; \
         ($7>0){printf "ONE,"}; \
         {printf "\n"}';done | nl | \
    while read TEMP;do \
      SUBJECT=`echo "$TEMP" | awk '{print $1}'`; \
      BODY=`echo $TEMP | awk '{print $2}' | \
            sed s/","/'*\n'/g | grep -v "^\$" | sed s/"^"/"*NAITUBE*SCORE*"/g`; \
      (sleep 1;echo "ehlo localhost"; \
       sleep 1;echo "mail from:`whoami`@`cat /etc/mailname`"; \
       sleep 1;echo "rcpt to:`whoami`@`cat /etc/mailname`"; \
       sleep 1;echo "data"; \
       sleep 1;echo "Subject: Score is $SUBJECT"; \
       sleep 1;echo "$BODY"; \
       sleep 1;echo "."; \
       sleep 1;echo "quit") | telnet 192.168.1.251 25; \
    done
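Added example, not the post's own code: a POSIX sh version of the GTUBE/GTPHISH loop and of the 1-to-127 score loop above, split into functions so that each piece can be checked without a mail server. score_names does the FizzBuzz-style decomposition with shell bit arithmetic instead of bc, score_body builds the *NAITUBE*SCORE* lines the way the post's sed does, test_label picks the UBE/PHISH label the post extracts with awk, and smtp_session prints the SMTP dialogue the post types with sleep and echo. The function names, the mail addresses and the SMTP_DELAY variable are my own; send_all_scores is the only part that touches the network and is not run here.

```shell
#!/bin/sh
# Test strings from the post (GTUBE and the GTPHISH variant).
GTUBE='XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'
GTPHISH='XJS*C4JDBQADN1.NSBN3*2IDNEN*GTPHISH-STANDARD-ANTI-PHISH-TEST-EMAIL*C.34X'

# test_label STRING: the 4th "-" separated field ("UBE" or "PHISH"), which the
# post puts into the Subject.
test_label() {
    printf '%s\n' "$1" | awk -F- '{print $4}'
}

# score_names N: power-of-two words for 0 <= N <= 127, highest bit first,
# each followed by a comma, e.g. 42 -> "THIRTY-TWO,EIGHT,TWO,".  Same output
# as the bc/awk/sed pipeline, using shell bit arithmetic instead of bc.
score_names() {
    n=$1; out=""; bit=64
    for word in SIXTY-FOUR THIRTY-TWO SIXTEEN EIGHT FOUR TWO ONE; do
        if [ $(( $n & $bit )) -ne 0 ]; then
            out="$out$word,"
        fi
        bit=$(( $bit / 2 ))
    done
    printf '%s\n' "$out"
}

# score_body N: one "*NAITUBE*SCORE*WORD*" line per word, the body format the
# post builds with sed.  N=0 yields an empty body.
score_body() {
    score_names "$1" | tr ',' '\n' | sed '/^$/d; s/.*/*NAITUBE*SCORE*&*/'
}

# smtp_session FROM TO SUBJECT BODY: print the SMTP dialogue the post pipes
# into telnet.  Differences from the one-liner: a blank line separates the
# headers from the body (RFC 5322), a body line that starts with "." is
# dot-stuffed (RFC 5321 section 4.5.2) so it cannot end DATA early, and the
# pacing between commands is SMTP_DELAY seconds (default 0; the post uses 1).
smtp_session() {
    from=$1; to=$2; subject=$3; body=$4
    delay=${SMTP_DELAY:-0}
    for cmd in "ehlo localhost" "mail from:<$from>" "rcpt to:<$to>" "data"; do
        printf '%s\n' "$cmd"
        sleep "$delay"   # nothing reads the replies, so pacing is all that keeps us in step
    done
    printf 'From: <%s>\nTo: <%s>\nSubject: %s\n\n' "$from" "$to" "$subject"
    printf '%s\n' "$body" | sed 's/^\./../'
    printf '.\nquit\n'
}

# send_all_scores HOST FROM TO: the post's final loop, one message per score
# from 1 to 127, each piped through telnet like the original.  Not run here.
# Example: send_all_scores 192.168.1.251 "$(whoami)@$(cat /etc/mailname)" \
#                          "$(whoami)@$(cat /etc/mailname)"
send_all_scores() {
    SMTP_DELAY=1
    n=1
    while [ "$n" -le 127 ]; do
        smtp_session "$2" "$3" "Score is $n" "$(score_body "$n")" | telnet "$1" 25
        n=$(( n + 1 ))
    done
}
```

Because the stream is written blind, a rejected message only shows up in the receiving server's log, which is why the amavis line, not the telnet output, is the thing to check after each run.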