■ Let's build a one-liner for spam-mail testing.
McAfee's site has some handy examples. One of them is also on the official SpamAssassin page.

Test strings for spam mail and phishing mail
http://www.mcafee.com/japan/pqa/aMcAfeeScm.asp?ancQno=SC06111301&

The GTUBE
http://spamassassin.apache.org/gtube/

■ Detection example with SpamAssassin

$ (sleep 1;echo "ehlo localhost"; \
sleep 1;echo "mail from:`whoami`@`cat /etc/mailname`"; \
sleep 1;echo "rcpt to:`whoami`@`cat /etc/mailname`"; \
sleep 1;echo "data"; \
sleep 1;echo "Subject: Spam Test"; \
sleep 1;echo 'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'; \
sleep 1;echo "."; \
sleep 1;echo "quit") | tee -a spam.log | telnet 172.31.31.254 25

$ sudo tail -1 | sed s/", "/",\n "/g
Mar 3 00:18:56 myhome amavis[15632]: (15632-01) Blocked SPAM {BouncedInternal,Quarantined},
 LOCAL [172.31.31.254]:44665 [172.31.31.254] <labunix@myhome.myhome.local> -> <labunix@myhome.myhome.local>,
 quarantine: Z/spam-ZJPFmfm304KE.gz,
 Queue-ID: 764FD27E001,
 Message-ID: <20150302151851.764FD27E001@myhome.myhome.local>,
 mail_id: ZJPFmfm304KE,
 Hits: 1003.824,
 size: 450,
 766 ms

■ amavis detects the spam via SpamAssassin and blocks it.
"Delivery of the email was stopped!"

$ grep mbox | grep "^Delivery\|^X-Spam\|^Action\|UBE\|^Diag"
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
X-Spam-Level:
X-Spam-Status: No, score=-0.2 required=5.0 tests=ALL_TRUSTED,
was considered unsolicited bulk e-mail (UBE).
Delivery of the email was stopped!
Action: failed
Diagnostic-Code: smtp; 554 5.7.0 Bounce, id=15632-01 - spam
Action: failed
Diagnostic-Code: smtp; 554 5.7.0 Bounce, id=15632-01 - spam

Note that the X-Spam-Status header shown here (score=-0.2, tests=ALL_TRUSTED) is the one added to the bounce notification itself, not the score of the GTUBE message. The actual hit is in the amavis log above as Hits: 1003.824, which is what the GTUBE rule's fixed score of 1000 produces on top of the normal rules.

■ Non-detection example with the Fortigate-80C
Perhaps it inspects different characteristics.

$ (sleep 1;echo "ehlo localhost"; \
sleep 1;echo "mail from:`whoami`@`cat /etc/mailname`"; \
sleep 1;echo "rcpt to:`whoami`@`cat /etc/mailname`"; \
sleep 1;echo "data"; \
sleep 1;echo "Subject: Spam Test"; \
sleep 1;echo 'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'; \
sleep 1;echo "."; \
sleep 1;echo "quit") | tee -a spam.log | telnet 192.168.1.251 25

■ Check syslog. It goes straight through...
Afterwards it gets caught by amavis and blocked by SpamAssassin...

$ sudo tail -1 /var/log/Fortigate-80C.log | sed s/" [a-z0-9]*id=\|[a-z0-9]*ip="/"\n&"/g
Mar 3 00:25:20 172.31.31.251 date=2015-03-03 time=00:25:20 devname=FGT-UTM FGT80CXXXXXXXXXX
 logid=0000000013 type=traffic subtype=forward level=notice vd=root
 srcip=192.168.1.253 srcport=42396 srcintf="wan1"
 dstip=192.168.1.251 dstport=25 dstintf="internal"
 sessionid=565 status=close
 policyid=3 dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat
 tranip=172.31.31.254 tranport=25
 transip=172.31.31.251 transport=42396 service=SMTP proto=6 duration=19 sentbyte=1118 rcvdbyte=1269 sentpkt=17 rcvdpkt=18

This entry is type=traffic, i.e. the session record for policyid=3: it says the SMTP session was forwarded, not what a filter decided. A content verdict would show up as a separate type=utm entry, so this line alone does not tell whether the policy applies an antispam profile to SMTP at all.

■ One-liner for sending the spam test and the phishing test.
Change of direction: let's play with one-liners.

$ for BODY in \
"XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X" \
"XJS*C4JDBQADN1.NSBN3*2IDNEN*GTPHISH-STANDARD-ANTI-PHISH-TEST-EMAIL*C.34X" \
;do \
(sleep 1;echo "ehlo localhost"; \
sleep 1;echo "mail from:`whoami`@`cat /etc/mailname`"; \
sleep 1;echo "rcpt to:`whoami`@`cat /etc/mailname`"; \
sleep 1;echo "data"; \
sleep 1;echo "Subject: Test "`echo "$BODY" | awk -F\- '{print $4}'`; \
sleep 1;echo "$BODY"; \
sleep 1;echo "."; \
sleep 1;echo "quit") | telnet 192.168.1.251 25; \
done

■ One step short of testing every spam score from 1 to 127.
The idea is the same as FizzBuzz.

$ for n in "`seq 0x00 0x7f`" ;do \
echo "ibase=10;obase=2;$n" | bc | \
awk '{printf "%07d\n",$0}' | sed s/./" &"/g | \
awk '($1>0){printf "SIXTY-FOUR,"}; \
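The amavis line in the first section and the Fortigate line above are both pulled apart with ad-hoc sed. As an added example (not code from the original post), here are shell functions that extract named fields from each format and state what the entry actually proves. The two sample lines are the ones quoted on this page, host names and addresses as printed there; the function names are chosen here.

```shell
# Added example, not from the original post: field extraction for the two
# log formats shown on the page. Samples are the lines quoted in the post.
AMAVIS_SAMPLE='Mar  3 00:18:56 myhome amavis[15632]: (15632-01) Blocked SPAM {BouncedInternal,Quarantined}, LOCAL [172.31.31.254]:44665 [172.31.31.254] <labunix@myhome.myhome.local> -> <labunix@myhome.myhome.local>, quarantine: Z/spam-ZJPFmfm304KE.gz, Queue-ID: 764FD27E001, Message-ID: <20150302151851.764FD27E001@myhome.myhome.local>, mail_id: ZJPFmfm304KE, Hits: 1003.824, size: 450, 766 ms'

FGT_SAMPLE='Mar  3 00:25:20 172.31.31.251 date=2015-03-03 time=00:25:20 devname=FGT-UTM FGT80CXXXXXXXXXX logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=192.168.1.253 srcport=42396 srcintf="wan1" dstip=192.168.1.251 dstport=25 dstintf="internal" sessionid=565 status=close policyid=3 dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat tranip=172.31.31.254 tranport=25 transip=172.31.31.251 transport=42396 service=SMTP proto=6 duration=19 sentbyte=1118 rcvdbyte=1269 sentpkt=17 rcvdpkt=18'

# amavis_summary: read syslog lines on stdin and print one TAB-separated
# "verdict  hits  message-id  quarantine" record per amavis result line.
# Lines from other daemons (postfix, ...) are ignored.
amavis_summary() {
    awk -F', ' '
        /amavis\[[0-9]+\]: \([0-9-]+\) (Blocked|Passed) / {
            verdict = "?"
            if (match($0, /(Blocked|Passed) [A-Za-z-]+/))
                verdict = substr($0, RSTART, RLENGTH)
            hits = mid = quar = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Hits: /)       hits = substr($i, 7)
                if ($i ~ /^Message-ID: /) mid  = substr($i, 13)
                if ($i ~ /^quarantine: /) quar = substr($i, 13)
            }
            printf "%s\t%s\t%s\t%s\n", verdict, hits, mid, quar
        }'
}

# gtube_score HITS: true when the score is consistent with the GTUBE rule,
# which carries a fixed 1000 points in SpamAssassin.
gtube_score() {
    awk -v h="$1" 'BEGIN { exit !(h >= 1000) }'
}

# fgt_field LINE KEY: value of KEY in a FortiGate key=value log line, quotes
# removed. The key is matched exactly, so asking for "ip" does not return
# srcip/dstip the way the "[a-z0-9]*ip=" sed above splits on them. Quoted
# values containing spaces are not handled (none occur in the sample).
fgt_field() {
    printf '%s\n' "$1" | awk -v k="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, k "=") == 1) {
                v = substr($i, length(k) + 2); gsub(/"/, "", v); print v; exit
            }
    }'
}

# fgt_is_verdict LINE: true only for UTM entries (type=utm), which carry a
# filter decision. type=traffic records only say the session was forwarded.
fgt_is_verdict() {
    [ "$(fgt_field "$1" type)" = "utm" ]
}
```

Run `amavis_summary` over the whole mail log to get a tab-separated table of verdicts and scores; `fgt_is_verdict` on the traffic line returns false, which is the point of the caveat above.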
($2>0){printf "THIRTY-TWO,"}; \
($3>0){printf "SIXTEEN,"}; \
($4>0){printf "EIGHT,"}; \
($5>0){printf "FOUR,"}; \
($6>0){printf "TWO,"}; \
($7>0){printf "ONE,"}; \
{printf "\n"}';done | nl
     1	ONE,
     2	TWO,
     3	TWO,ONE,
     4	FOUR,
     5	FOUR,ONE,
     6	FOUR,TWO,
     7	FOUR,TWO,ONE,
     8	EIGHT,
     9	EIGHT,ONE,
    10	EIGHT,TWO,
    11	EIGHT,TWO,ONE,
    12	EIGHT,FOUR,
    13	EIGHT,FOUR,ONE,
    14	EIGHT,FOUR,TWO,
    15	EIGHT,FOUR,TWO,ONE,
    16	SIXTEEN,
    17	SIXTEEN,ONE,
    18	SIXTEEN,TWO,
    19	SIXTEEN,TWO,ONE,
    20	SIXTEEN,FOUR,
    21	SIXTEEN,FOUR,ONE,
    22	SIXTEEN,FOUR,TWO,
    23	SIXTEEN,FOUR,TWO,ONE,
    24	SIXTEEN,EIGHT,
    25	SIXTEEN,EIGHT,ONE,
    26	SIXTEEN,EIGHT,TWO,
    27	SIXTEEN,EIGHT,TWO,ONE,
    28	SIXTEEN,EIGHT,FOUR,
    29	SIXTEEN,EIGHT,FOUR,ONE,
    30	SIXTEEN,EIGHT,FOUR,TWO,
    31	SIXTEEN,EIGHT,FOUR,TWO,ONE,
    32	THIRTY-TWO,
    33	THIRTY-TWO,ONE,
    34	THIRTY-TWO,TWO,
    35	THIRTY-TWO,TWO,ONE,
    36	THIRTY-TWO,FOUR,
    37	THIRTY-TWO,FOUR,ONE,
    38	THIRTY-TWO,FOUR,TWO,
    39	THIRTY-TWO,FOUR,TWO,ONE,
    40	THIRTY-TWO,EIGHT,
    41	THIRTY-TWO,EIGHT,ONE,
    42	THIRTY-TWO,EIGHT,TWO,
    43	THIRTY-TWO,EIGHT,TWO,ONE,
    44	THIRTY-TWO,EIGHT,FOUR,
    45	THIRTY-TWO,EIGHT,FOUR,ONE,
    46	THIRTY-TWO,EIGHT,FOUR,TWO,
    47	THIRTY-TWO,EIGHT,FOUR,TWO,ONE,
    48	THIRTY-TWO,SIXTEEN,
    49	THIRTY-TWO,SIXTEEN,ONE,
    50	THIRTY-TWO,SIXTEEN,TWO,
    51	THIRTY-TWO,SIXTEEN,TWO,ONE,
    52	THIRTY-TWO,SIXTEEN,FOUR,
    53	THIRTY-TWO,SIXTEEN,FOUR,ONE,
    54	THIRTY-TWO,SIXTEEN,FOUR,TWO,
    55	THIRTY-TWO,SIXTEEN,FOUR,TWO,ONE,
    56	THIRTY-TWO,SIXTEEN,EIGHT,
    57	THIRTY-TWO,SIXTEEN,EIGHT,ONE,
    58	THIRTY-TWO,SIXTEEN,EIGHT,TWO,
    59	THIRTY-TWO,SIXTEEN,EIGHT,TWO,ONE,
    60	THIRTY-TWO,SIXTEEN,EIGHT,FOUR,
    61	THIRTY-TWO,SIXTEEN,EIGHT,FOUR,ONE,
    62	THIRTY-TWO,SIXTEEN,EIGHT,FOUR,TWO,
    63	THIRTY-TWO,SIXTEEN,EIGHT,FOUR,TWO,ONE,
    64	SIXTY-FOUR,
    65	SIXTY-FOUR,ONE,
    66	SIXTY-FOUR,TWO,
    67	SIXTY-FOUR,TWO,ONE,
    68	SIXTY-FOUR,FOUR,
    69	SIXTY-FOUR,FOUR,ONE,
    70	SIXTY-FOUR,FOUR,TWO,
    71	SIXTY-FOUR,FOUR,TWO,ONE,
    72	SIXTY-FOUR,EIGHT,
    73	SIXTY-FOUR,EIGHT,ONE,
    74	SIXTY-FOUR,EIGHT,TWO,
    75	SIXTY-FOUR,EIGHT,TWO,ONE,
    76	SIXTY-FOUR,EIGHT,FOUR,
    77	SIXTY-FOUR,EIGHT,FOUR,ONE,
    78	SIXTY-FOUR,EIGHT,FOUR,TWO,
    79	SIXTY-FOUR,EIGHT,FOUR,TWO,ONE,
    80	SIXTY-FOUR,SIXTEEN,
    81	SIXTY-FOUR,SIXTEEN,ONE,
    82	SIXTY-FOUR,SIXTEEN,TWO,
    83	SIXTY-FOUR,SIXTEEN,TWO,ONE,
    84	SIXTY-FOUR,SIXTEEN,FOUR,
    85	SIXTY-FOUR,SIXTEEN,FOUR,ONE,
    86	SIXTY-FOUR,SIXTEEN,FOUR,TWO,
    87	SIXTY-FOUR,SIXTEEN,FOUR,TWO,ONE,
    88	SIXTY-FOUR,SIXTEEN,EIGHT,
    89	SIXTY-FOUR,SIXTEEN,EIGHT,ONE,
    90	SIXTY-FOUR,SIXTEEN,EIGHT,TWO,
    91	SIXTY-FOUR,SIXTEEN,EIGHT,TWO,ONE,
    92	SIXTY-FOUR,SIXTEEN,EIGHT,FOUR,
    93	SIXTY-FOUR,SIXTEEN,EIGHT,FOUR,ONE,
    94	SIXTY-FOUR,SIXTEEN,EIGHT,FOUR,TWO,
    95	SIXTY-FOUR,SIXTEEN,EIGHT,FOUR,TWO,ONE,
    96	SIXTY-FOUR,THIRTY-TWO,
    97	SIXTY-FOUR,THIRTY-TWO,ONE,
    98	SIXTY-FOUR,THIRTY-TWO,TWO,
    99	SIXTY-FOUR,THIRTY-TWO,TWO,ONE,
   100	SIXTY-FOUR,THIRTY-TWO,FOUR,
   101	SIXTY-FOUR,THIRTY-TWO,FOUR,ONE,
   102	SIXTY-FOUR,THIRTY-TWO,FOUR,TWO,
   103	SIXTY-FOUR,THIRTY-TWO,FOUR,TWO,ONE,
   104	SIXTY-FOUR,THIRTY-TWO,EIGHT,
   105	SIXTY-FOUR,THIRTY-TWO,EIGHT,ONE,
   106	SIXTY-FOUR,THIRTY-TWO,EIGHT,TWO,
   107	SIXTY-FOUR,THIRTY-TWO,EIGHT,TWO,ONE,
   108	SIXTY-FOUR,THIRTY-TWO,EIGHT,FOUR,
   109	SIXTY-FOUR,THIRTY-TWO,EIGHT,FOUR,ONE,
   110	SIXTY-FOUR,THIRTY-TWO,EIGHT,FOUR,TWO,
   111	SIXTY-FOUR,THIRTY-TWO,EIGHT,FOUR,TWO,ONE,
   112	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,
   113	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,ONE,
   114	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,TWO,
   115	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,TWO,ONE,
   116	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,FOUR,
   117	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,FOUR,ONE,
   118	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,FOUR,TWO,
   119	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,FOUR,TWO,ONE,
   120	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,
   121	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,ONE,
   122	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,TWO,
   123	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,TWO,ONE,
   124	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,FOUR,
   125	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,FOUR,ONE,
   126	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,FOUR,TWO,
   127	SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,FOUR,TWO,ONE,

■ One-liner that tests every score from 1 to 127.
Incidentally, SpamAssassin returns "X-Spam-Status: No, score=2.122" for every one of them, so they don't seem to be much use for testing there.

$ for n in "`seq 0x00 0x7f`" ;do \
echo "ibase=10;obase=2;$n" | bc | \
awk '{printf "%07d\n",$0}' | sed s/./" &"/g | \
awk '($1>0){printf "SIXTY-FOUR,"}; \
($2>0){printf "THIRTY-TWO,"}; \
($3>0){printf "SIXTEEN,"}; \
($4>0){printf "EIGHT,"}; \
($5>0){printf "FOUR,"}; \
($6>0){printf "TWO,"}; \
($7>0){printf "ONE,"}; \
{printf "\n"}';done | nl | \
while read TEMP;do \
SUBJECT=`echo "$TEMP" | awk '{print $1}'`; \
BODY=`echo $TEMP | awk '{print $2}' | \
sed s/","/'*\n'/g | grep -v "^\$" | sed s/"^"/"*NAITUBE*SCORE*"/g`; \
(sleep 1;echo "ehlo localhost"; \
sleep 1;echo "mail from:`whoami`@`cat /etc/mailname`"; \
sleep 1;echo "rcpt to:`whoami`@`cat /etc/mailname`"; \
sleep 1;echo "data"; \
sleep 1;echo "Subject: Score is $SUBJECT"; \
sleep 1;echo "$BODY"; \
sleep 1;echo "."; \
sleep 1;echo "quit") | telnet 192.168.1.251 25; \
done
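The bc/nl/sed pipeline above and the telnet sessions used throughout the page can be written as reusable shell functions. This is an added example, not code from the original post: the bit names, the "*NAITUBE*SCORE*<WORD>*" body lines and the two GTUBE/GTPHISH strings are the ones used on this page, while the function names, the placeholder addresses and the added From:/To: headers, blank separator line and dot-stuffing are choices made here.

```shell
# Added example, not from the original post: score -> bit-name decomposition
# and SMTP test-session construction as POSIX sh functions (no bc, nl or
# telnet). Addresses/hosts in the usage comments are placeholders.

# score_words N: names of the set bits of N (1..127), most significant first,
# comma-separated without a trailing comma.  score_words 37 -> THIRTY-TWO,FOUR,ONE
score_words() {
    n=$1 out=""
    for pair in 64:SIXTY-FOUR 32:THIRTY-TWO 16:SIXTEEN 8:EIGHT 4:FOUR 2:TWO 1:ONE; do
        bit=${pair%%:*} word=${pair#*:}
        if [ "$n" -ge "$bit" ]; then
            n=$((n - bit))
            out="${out:+$out,}$word"
        fi
    done
    printf '%s\n' "$out"
}

# naitube_body N: one "*NAITUBE*SCORE*<WORD>*" line per set bit, the same
# body the final loop on the page builds with sed.
naitube_body() {
    score_words "$1" | tr ',' '\n' | sed 's/^/*NAITUBE*SCORE*/; s/$/*/'
}

# smtp_session FROM TO SUBJECT BODY: the complete SMTP dialogue on stdout,
# CRLF-terminated. Compared with the telnet one-liners it adds From:/To:
# headers, the blank line between headers and body, and dot-stuffing of body
# lines that begin with "." (RFC 5321 transparency), so no body can end the
# DATA phase early.
smtp_session() {
    from=$1 to=$2 subject=$3 body=$4
    {
        printf 'EHLO localhost\n'
        printf 'MAIL FROM:<%s>\n' "$from"
        printf 'RCPT TO:<%s>\n' "$to"
        printf 'DATA\n'
        printf 'From: <%s>\nTo: <%s>\nSubject: %s\n\n' "$from" "$to" "$subject"
        printf '%s\n' "$body" | sed 's/^\./../'
        printf '.\nQUIT\n'
    } | awk '{ printf "%s\r\n", $0 }'
}

# The two test strings from the page, for use as BODY.
GTUBE='XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'
GTPHISH='XJS*C4JDBQADN1.NSBN3*2IDNEN*GTPHISH-STANDARD-ANTI-PHISH-TEST-EMAIL*C.34X'

# score_session N FROM TO: the "Score is N" message for one NAITUBE score.
score_session() {
    smtp_session "$2" "$3" "Score is $1" "$(naitube_body "$1")"
}

# Usage with placeholder addresses and host:
#   smtp_session me@example.invalid me@example.invalid "Spam Test" "$GTUBE" | nc mailhost 25
#   n=1; while [ $n -le 127 ]; do
#       score_session $n me@example.invalid me@example.invalid | nc mailhost 25; n=$((n + 1))
#   done
```

The session is emitted all at once; an MTA that enforces `reject_unauth_pipelining` or answers slowly wants one line per round trip, which is what the `sleep 1` in the original one-liners provides. To keep that pacing, feed the output through `while IFS= read -r l; do printf '%s\n' "$l"; sleep 1; done` before the network client.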