■Let's build a one-liner for spam mail testing.
McAfee's site has some handy examples.
One of them is also on the official SpamAssassin page.
Test strings for spam mail and phishing mail
http://www.mcafee.com/japan/pqa/aMcAfeeScm.asp?ancQno=SC06111301&
The GTUBE
http://spamassassin.apache.org/gtube/
■Detection example with SpamAssassin
$ (sleep 1;echo "ehlo localhost"; \
sleep 1;echo "mail from:`whoami`@`cat /etc/mailname`"; \
sleep 1;echo "rcpt to:`whoami`@`cat /etc/mailname`"; \
sleep 1;echo "data"; \
sleep 1;echo "Subject: Spam Test"; \
sleep 1;echo 'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'; \
sleep 1;echo "."; \
sleep 1;echo "quit") | tee -a spam.log | telnet 172.31.31.254 25
$ sudo tail -1 /path/to/mail.log | sed 's/, /,\n /g'   # amavis log file; the path was omitted in the original
Mar 3 00:18:56 myhome amavis[15632]: (15632-01) Blocked SPAM {BouncedInternal,Quarantined},
LOCAL [172.31.31.254]:44665 [172.31.31.254] <labunix@myhome.myhome.local> -> <labunix@myhome.myhome.local>,
quarantine: Z/spam-ZJPFmfm304KE.gz,
Queue-ID: 764FD27E001,
Message-ID: <20150302151851.764FD27E001@myhome.myhome.local>,
mail_id: ZJPFmfm304KE,
Hits: 1003.824,
size: 450,
766 ms
■amavis detects the spam via SpamAssassin and blocks it.
"Delivery of the email was stopped!"
$ grep "^Delivery\|^X-Spam\|^Action\|UBE\|^Diag" mbox
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
X-Spam-Level:
X-Spam-Status: No, score=-0.2 required=5.0 tests=ALL_TRUSTED,
was considered unsolicited bulk e-mail (UBE).
Delivery of the email was stopped!
Action: failed
Diagnostic-Code: smtp; 554 5.7.0 Bounce, id=15632-01 - spam
Action: failed
Diagnostic-Code: smtp; 554 5.7.0 Bounce, id=15632-01 - spam
■Non-detection example on the Fortigate-80C
Maybe it inspects different characteristics.
$ (sleep 1;echo "ehlo localhost"; \
sleep 1;echo "mail from:`whoami`@`cat /etc/mailname`"; \
sleep 1;echo "rcpt to:`whoami`@`cat /etc/mailname`"; \
sleep 1;echo "data"; \
sleep 1;echo "Subject: Spam Test"; \
sleep 1;echo 'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'; \
sleep 1;echo "."; \
sleep 1;echo "quit") | tee -a spam.log | telnet 192.168.1.251 25
■Check syslog. It goes straight through...
After that it gets caught by amavis and blocked by SpamAssassin...
$ sudo tail -1 /var/log/Fortigate-80C.log | sed s/" [a-z0-9]*id=\|[a-z0-9]*ip="/"\n&"/g
Mar 3 00:25:20 172.31.31.251 date=2015-03-03 time=00:25:20 devname=FGT-UTM FGT80CXXXXXXXXXX
logid=0000000013 type=traffic subtype=forward level=notice vd=root
srcip=192.168.1.253 srcport=42396 srcintf="wan1"
dstip=192.168.1.251 dstport=25 dstintf="internal"
sessionid=565 status=close
policyid=3 dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat
tranip=172.31.31.254 tranport=25
transip=172.31.31.251 transport=42396 service=SMTP proto=6 duration=19 sentbyte=1118 rcvdbyte=1269 sentpkt=17 rcvdpkt=18
■One-liner for sending the spam test and the phishing test.
Change of direction: playing with one-liners.
$ for BODY in \
"XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X" \
"XJS*C4JDBQADN1.NSBN3*2IDNEN*GTPHISH-STANDARD-ANTI-PHISH-TEST-EMAIL*C.34X" \
;do \
(sleep 1;echo "ehlo localhost"; \
sleep 1;echo "mail from:`whoami`@`cat /etc/mailname`"; \
sleep 1;echo "rcpt to:`whoami`@`cat /etc/mailname`"; \
sleep 1;echo "data"; \
sleep 1;echo "Subject: Test "`echo "$BODY" | awk -F\- '{print $4}'`; \
sleep 1;echo "$BODY"; \
sleep 1;echo "."; \
sleep 1;echo "quit") | telnet 192.168.1.251 25; \
done
■One step short of testing every spam score from 1 to 127.
The idea is the same as FizzBuzz.
$ for n in $(seq 0 127) ;do \
echo "ibase=10;obase=2;$n" | bc | \
awk '{printf "%07d\n",$0}' | sed s/./" &"/g | \
awk '($1>0){printf "SIXTY-FOUR,"}; \
($2>0){printf "THIRTY-TWO,"}; \
($3>0){printf "SIXTEEN,"}; \
($4>0){printf "EIGHT,"}; \
($5>0){printf "FOUR,"}; \
($6>0){printf "TWO,"}; \
($7>0){printf "ONE,"}; \
{printf "\n"}';done | nl
1 ONE,
2 TWO,
3 TWO,ONE,
4 FOUR,
5 FOUR,ONE,
6 FOUR,TWO,
7 FOUR,TWO,ONE,
8 EIGHT,
9 EIGHT,ONE,
10 EIGHT,TWO,
11 EIGHT,TWO,ONE,
12 EIGHT,FOUR,
13 EIGHT,FOUR,ONE,
14 EIGHT,FOUR,TWO,
15 EIGHT,FOUR,TWO,ONE,
16 SIXTEEN,
17 SIXTEEN,ONE,
18 SIXTEEN,TWO,
19 SIXTEEN,TWO,ONE,
20 SIXTEEN,FOUR,
21 SIXTEEN,FOUR,ONE,
22 SIXTEEN,FOUR,TWO,
23 SIXTEEN,FOUR,TWO,ONE,
24 SIXTEEN,EIGHT,
25 SIXTEEN,EIGHT,ONE,
26 SIXTEEN,EIGHT,TWO,
27 SIXTEEN,EIGHT,TWO,ONE,
28 SIXTEEN,EIGHT,FOUR,
29 SIXTEEN,EIGHT,FOUR,ONE,
30 SIXTEEN,EIGHT,FOUR,TWO,
31 SIXTEEN,EIGHT,FOUR,TWO,ONE,
32 THIRTY-TWO,
33 THIRTY-TWO,ONE,
34 THIRTY-TWO,TWO,
35 THIRTY-TWO,TWO,ONE,
36 THIRTY-TWO,FOUR,
37 THIRTY-TWO,FOUR,ONE,
38 THIRTY-TWO,FOUR,TWO,
39 THIRTY-TWO,FOUR,TWO,ONE,
40 THIRTY-TWO,EIGHT,
41 THIRTY-TWO,EIGHT,ONE,
42 THIRTY-TWO,EIGHT,TWO,
43 THIRTY-TWO,EIGHT,TWO,ONE,
44 THIRTY-TWO,EIGHT,FOUR,
45 THIRTY-TWO,EIGHT,FOUR,ONE,
46 THIRTY-TWO,EIGHT,FOUR,TWO,
47 THIRTY-TWO,EIGHT,FOUR,TWO,ONE,
48 THIRTY-TWO,SIXTEEN,
49 THIRTY-TWO,SIXTEEN,ONE,
50 THIRTY-TWO,SIXTEEN,TWO,
51 THIRTY-TWO,SIXTEEN,TWO,ONE,
52 THIRTY-TWO,SIXTEEN,FOUR,
53 THIRTY-TWO,SIXTEEN,FOUR,ONE,
54 THIRTY-TWO,SIXTEEN,FOUR,TWO,
55 THIRTY-TWO,SIXTEEN,FOUR,TWO,ONE,
56 THIRTY-TWO,SIXTEEN,EIGHT,
57 THIRTY-TWO,SIXTEEN,EIGHT,ONE,
58 THIRTY-TWO,SIXTEEN,EIGHT,TWO,
59 THIRTY-TWO,SIXTEEN,EIGHT,TWO,ONE,
60 THIRTY-TWO,SIXTEEN,EIGHT,FOUR,
61 THIRTY-TWO,SIXTEEN,EIGHT,FOUR,ONE,
62 THIRTY-TWO,SIXTEEN,EIGHT,FOUR,TWO,
63 THIRTY-TWO,SIXTEEN,EIGHT,FOUR,TWO,ONE,
64 SIXTY-FOUR,
65 SIXTY-FOUR,ONE,
66 SIXTY-FOUR,TWO,
67 SIXTY-FOUR,TWO,ONE,
68 SIXTY-FOUR,FOUR,
69 SIXTY-FOUR,FOUR,ONE,
70 SIXTY-FOUR,FOUR,TWO,
71 SIXTY-FOUR,FOUR,TWO,ONE,
72 SIXTY-FOUR,EIGHT,
73 SIXTY-FOUR,EIGHT,ONE,
74 SIXTY-FOUR,EIGHT,TWO,
75 SIXTY-FOUR,EIGHT,TWO,ONE,
76 SIXTY-FOUR,EIGHT,FOUR,
77 SIXTY-FOUR,EIGHT,FOUR,ONE,
78 SIXTY-FOUR,EIGHT,FOUR,TWO,
79 SIXTY-FOUR,EIGHT,FOUR,TWO,ONE,
80 SIXTY-FOUR,SIXTEEN,
81 SIXTY-FOUR,SIXTEEN,ONE,
82 SIXTY-FOUR,SIXTEEN,TWO,
83 SIXTY-FOUR,SIXTEEN,TWO,ONE,
84 SIXTY-FOUR,SIXTEEN,FOUR,
85 SIXTY-FOUR,SIXTEEN,FOUR,ONE,
86 SIXTY-FOUR,SIXTEEN,FOUR,TWO,
87 SIXTY-FOUR,SIXTEEN,FOUR,TWO,ONE,
88 SIXTY-FOUR,SIXTEEN,EIGHT,
89 SIXTY-FOUR,SIXTEEN,EIGHT,ONE,
90 SIXTY-FOUR,SIXTEEN,EIGHT,TWO,
91 SIXTY-FOUR,SIXTEEN,EIGHT,TWO,ONE,
92 SIXTY-FOUR,SIXTEEN,EIGHT,FOUR,
93 SIXTY-FOUR,SIXTEEN,EIGHT,FOUR,ONE,
94 SIXTY-FOUR,SIXTEEN,EIGHT,FOUR,TWO,
95 SIXTY-FOUR,SIXTEEN,EIGHT,FOUR,TWO,ONE,
96 SIXTY-FOUR,THIRTY-TWO,
97 SIXTY-FOUR,THIRTY-TWO,ONE,
98 SIXTY-FOUR,THIRTY-TWO,TWO,
99 SIXTY-FOUR,THIRTY-TWO,TWO,ONE,
100 SIXTY-FOUR,THIRTY-TWO,FOUR,
101 SIXTY-FOUR,THIRTY-TWO,FOUR,ONE,
102 SIXTY-FOUR,THIRTY-TWO,FOUR,TWO,
103 SIXTY-FOUR,THIRTY-TWO,FOUR,TWO,ONE,
104 SIXTY-FOUR,THIRTY-TWO,EIGHT,
105 SIXTY-FOUR,THIRTY-TWO,EIGHT,ONE,
106 SIXTY-FOUR,THIRTY-TWO,EIGHT,TWO,
107 SIXTY-FOUR,THIRTY-TWO,EIGHT,TWO,ONE,
108 SIXTY-FOUR,THIRTY-TWO,EIGHT,FOUR,
109 SIXTY-FOUR,THIRTY-TWO,EIGHT,FOUR,ONE,
110 SIXTY-FOUR,THIRTY-TWO,EIGHT,FOUR,TWO,
111 SIXTY-FOUR,THIRTY-TWO,EIGHT,FOUR,TWO,ONE,
112 SIXTY-FOUR,THIRTY-TWO,SIXTEEN,
113 SIXTY-FOUR,THIRTY-TWO,SIXTEEN,ONE,
114 SIXTY-FOUR,THIRTY-TWO,SIXTEEN,TWO,
115 SIXTY-FOUR,THIRTY-TWO,SIXTEEN,TWO,ONE,
116 SIXTY-FOUR,THIRTY-TWO,SIXTEEN,FOUR,
117 SIXTY-FOUR,THIRTY-TWO,SIXTEEN,FOUR,ONE,
118 SIXTY-FOUR,THIRTY-TWO,SIXTEEN,FOUR,TWO,
119 SIXTY-FOUR,THIRTY-TWO,SIXTEEN,FOUR,TWO,ONE,
120 SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,
121 SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,ONE,
122 SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,TWO,
123 SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,TWO,ONE,
124 SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,FOUR,
125 SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,FOUR,ONE,
126 SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,FOUR,TWO,
127 SIXTY-FOUR,THIRTY-TWO,SIXTEEN,EIGHT,FOUR,TWO,ONE,
■One-liner that tests every score from 1 to 127.
Incidentally, with SpamAssassin every one of them comes out as "X-Spam-Status: No, score=2.122",
so it does not look very useful as a test.
$ for n in $(seq 0 127) ;do \
echo "ibase=10;obase=2;$n" | bc | \
awk '{printf "%07d\n",$0}' | sed s/./" &"/g | \
awk '($1>0){printf "SIXTY-FOUR,"}; \
($2>0){printf "THIRTY-TWO,"}; \
($3>0){printf "SIXTEEN,"}; \
($4>0){printf "EIGHT,"}; \
($5>0){printf "FOUR,"}; \
($6>0){printf "TWO,"}; \
($7>0){printf "ONE,"}; \
{printf "\n"}';done | nl | \
while read TEMP;do \
SUBJECT=`echo "$TEMP" | awk '{print $1}'`; \
BODY=`echo $TEMP | awk '{print $2}' | \
sed s/","/'*\n'/g | grep -v "^\$" | sed s/"^"/"*NAITUBE*SCORE*"/g`; \
(sleep 1;echo "ehlo localhost"; \
sleep 1;echo "mail from:`whoami`@`cat /etc/mailname`"; \
sleep 1;echo "rcpt to:`whoami`@`cat /etc/mailname`"; \
sleep 1;echo "data"; \
sleep 1;echo "Subject: Score is $SUBJECT"; \
sleep 1;echo "$BODY"; \
sleep 1;echo "."; \
sleep 1;echo "quit") | telnet 192.168.1.251 25; \
done
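Added example, not code from the original post, covering the sending one-liners and the two score loops above: POSIX sh functions that produce the same score words and the same SMTP dialogue, but with the blank header/body separator and the dot-stuffing the hand-typed version lacks. Addresses, host and the *NAITUBE*SCORE* prefix are taken from the page; nothing here connects anywhere by itself.

```shell
#!/bin/sh
# Added example, not from the original post: POSIX-sh replacements for the
# quoted bc|awk|sed pipeline and the hand-typed SMTP dialogue.

GTUBE='XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'

# score_words N: the power-of-two words that sum to N (0..127), highest
# first, comma-terminated, e.g. 5 -> "FOUR,ONE," (same output as the
# pipeline above, via shell bit arithmetic instead of bc).
score_words() {
    n=$1
    [ "$n" -ge 0 ] && [ "$n" -le 127 ] || { echo "score out of range: $n" >&2; return 1; }
    out=""
    for pair in 64:SIXTY-FOUR 32:THIRTY-TWO 16:SIXTEEN 8:EIGHT 4:FOUR 2:TWO 1:ONE; do
        bit=${pair%%:*}; word=${pair#*:}
        [ $(( n & bit )) -ne 0 ] && out="${out}${word},"
    done
    printf '%s\n' "$out"
}

# score_body N: one "*NAITUBE*SCORE*<WORD>*" line per set bit, which is
# what the last loop above builds with sed and grep.
score_body() {
    score_words "$1" | tr ',' '\n' | grep -v '^$' | sed 's/.*/*NAITUBE*SCORE*&*/'
}

# smtp_dialogue FROM TO SUBJECT BODY: the SMTP conversation the one-liners
# feed to telnet. Unlike the originals it adds From:/To:/Date: and the blank
# line RFC 5322 requires between headers and body, so the filter scores the
# test string and not a malformed message; body lines are dot-stuffed (RFC 5321).
smtp_dialogue() {
    printf 'EHLO localhost\n'
    printf 'MAIL FROM:<%s>\nRCPT TO:<%s>\nDATA\n' "$1" "$2"
    printf 'From: <%s>\nTo: <%s>\nDate: %s\nSubject: %s\n\n' \
        "$1" "$2" "$(LC_ALL=C date '+%a, %d %b %Y %H:%M:%S %z')" "$3"
    printf '%s\n' "$4" | sed 's/^\./../'
    printf '.\nQUIT\n'
}

# paced SECONDS: delay each line so the server's replies are not outrun,
# the job the repeated "sleep 1" does in the one-liners.
paced() {
    while IFS= read -r line; do sleep "$1"; printf '%s\n' "$line"; done
}

# Usage (not run here):
#   ME="$(whoami)@$(cat /etc/mailname)"
#   smtp_dialogue "$ME" "$ME" "Spam Test" "$GTUBE" | paced 1 | telnet 192.168.1.251 25
#   smtp_dialogue "$ME" "$ME" "Score is 5" "$(score_body 5)" | paced 1 | telnet 192.168.1.251 25
```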