RBLCLient-0.5/0040700000076500007650000000000010047031420012055 5ustar asherasherRBLCLient-0.5/RBLClient.pm0100600000076500007650000002636410047013524014210 0ustar asherasherpackage Net::RBLClient; use strict; use IO::Socket; use Time::HiRes qw( time ); use Net::DNS::Packet; use vars qw( $VERSION $ip_pat ); $ip_pat = qr(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}); $VERSION = '0.4'; sub new { my($class, %args) = @_; my $self = { lists => [ lists() ], query_txt => 0, max_time => 8, timeout => 1, max_hits => 1000, max_replies => 1000, udp_maxlen => 4000, server => 'resolv.conf', }; bless $self, $class; foreach my $key(keys %args) { defined($self->{ $key }) or die "Invalid key: $key"; $self->{ $key } = $args{ $key }; } if($self->{ server } eq 'resolv.conf') { local *F; open F, '/etc/resolv.conf' or die "Can't open resolv.conf: $!"; local $/; my $resolv = ; if($resolv =~ /^nameserver\s+($ip_pat)/m) { $self->{ server } = $1; } else { die "No nameserver found in resolv.conf; specify one in constructor"; } } $self; } sub lookup { my($self, $target_ip) = @_; $target_ip =~ /^$ip_pat$/ or die "Invalid ip: '$target_ip' - must be dotted quad"; my $start_time = time; my $qip = join '.', reverse(split /\./, $target_ip); my $deadline = time + $self->{ max_time }; my $sock = IO::Socket::INET->new( Proto => 'udp', PeerPort => 53, PeerAddr => $self->{ server }, ) or die "Failed to create UDP client"; if ( $self->{ query_txt } ) { foreach my $list(@{ $self->{ lists } }) { my($msg_a, $msg_t) = mk_packet($qip, $list); foreach ($msg_a, $msg_t) { $sock->send($_) or die "send: $!" } } } else { foreach my $list(@{ $self->{ lists } }) { my $msg = mk_packet($qip, $list); $sock->send($msg) || die "send: $!"; } } my $dur = time - $start_time; $self->{ results } = {}; $self->{ txt } = {}; # Keep recv'ing packets until one of the exit conditions is met: my $needed = @{ $self->{ lists } }; # how many packets needed back $needed <<= 1 if $self->{ query_txt }; my $hits = my $replies = 0; while($needed && time < $deadline) { my $msg = ''; eval { local $SIG{ ALRM } = sub { die "alarm time out" }; alarm $self->{ timeout }; $sock->recv($msg, $self->{ udp_maxlen }) || die "recv: $!"; alarm 0; 1; # eval was OK }; if($msg) { my ($domain, $res, $type) = decode_packet($msg); if ( defined $type && $type eq 'TXT' ) { $self->{ txt }{ $domain } = $res } elsif ($res) { $replies ++; $hits ++ if $res; $self->{ results }{ $domain } = $res; return 1 if $hits >= $self->{ max_hits } || $replies >= $self->{ max_replies }; } $needed --; } } 1; } sub listed_by { my $self = shift; sort keys %{ $self->{ results } }; } sub listed_hash { my $self = shift; %{ $self->{ results } }; } sub txt_hash { my $self = shift; warn <<_ unless $self->{ query_txt }; Without query_txt turned on, you won't get any results from ->txt_hash(). _ if (wantarray) { %{ $self->{ txt } } } else { $self->{ txt } } } # End methods - begin internal functions sub mk_packet { # pass me a REVERSED dotted quad ip (qip) and a blocklist domain my($qip, $list) = @_; my($packet, $error) = new Net::DNS::Packet my $fqdn = "$qip.$list", 'A'; die "Cannot build DNS query for $fqdn, type A: $error" unless $packet; return $packet->data unless wantarray; (my $txt_packet, $error) = new Net::DNS::Packet $fqdn, 'TXT', 'IN'; die "Cannot build DNS query for $fqdn, type TXT: $error" unless $txt_packet; $packet->data, $txt_packet->data; } sub decode_packet { # takes a raw DNS response packet # returns domain, response my $data = shift; my $packet = Net::DNS::Packet->new(\$data); my @answer = $packet->answer; { my($res, $domain, $type); foreach my $answer (@answer) { { # removed $answer->answerfrom because it caused an error # with some types of answers my $name = lc $answer->name; warn "Packet contained answers to different domains ($domain != $name)" if defined $domain && $name ne $domain; $domain = $name; } $domain =~ s/^\d+\.\d+\.\d+\.\d+\.//; $type = $answer->type; $res = $type eq 'A' ? inet_ntoa($answer->rdata) : $type eq 'CNAME' ? cleanup($answer->rdata) : $type eq 'TXT' ? (defined $res && "$res; ") . $answer->txtdata : '?'; last unless $type eq 'TXT'; } return $domain, $res, $type if defined $res; } # OK, there were no answers - # need to determine which domain # sent the packet. my @question = $packet->question; foreach my $question(@question) { my $domain = $question->qname; $domain =~ s/^\d+\.\d+\.\d+\.\d+\.//; return($domain, undef); } } sub cleanup { # remove control chars and stuff $_[ 0 ] =~ tr/a-zA-Z0-9./ /cs;; $_[ 0 ]; } # lists removed due to osirusoft outage: # spews.relays.osirusoft.com # spamsites.relays.osirusoft.com # spamhaus.relays.osirusoft.com # socks.relays.osirusoft.com # relays.osirusoft.com # proxy.relays.osirusoft.com # inputs.relays.osirusoft.com # dialups.relays.osirusoft.com # blocktest.relays.osirusoft.com sub lists { qw( badconf.rhsbl.sorbs.net bl.reynolds.net.au bl.spamcop.net blackhole.compu.net blackholes.brainerd.net blackholes.five-ten-sg.com blackholes.intersil.net blackholes.wirehub.net block.blars.org block.dnsbl.sorbs.net dev.null.dk dnsbl.njabl.org dul.dnsbl.sorbs.net dynablock.wirehub.net flowgoaway.com formmail.relays.monkeys.com http.dnsbl.sorbs.net http.opm.blitzed.org korea.services.net list.dsbl.org misc.dnsbl.sorbs.net multihop.dsbl.org no-more-funn.moensted.dk nomail.rhsbl.sorbs.net opm.blitzed.org orbs.dorkslayers.com pm0-no-more.compu.net proxies.monkeys.com proxies.relays.monkeys.com psbl.surriel.com relays.dorkslayers.com relays.ordb.org relays.visi.com smtp.dnsbl.sorbs.net socks.dnsbl.sorbs.net socks.opm.blitzed.org spam.dnsbl.sorbs.net spamguard.leadmon.net spammers.v6net.org spamsources.fabel.dk spews.bl.reynolds.net.au unconfirmed.dsbl.org web.dnsbl.sorbs.net work.drbl.croco.net zombie.dnsbl.sorbs.net ztl.dorkslayers.com ); } 1; __END__ =head1 NAME Net::RBLClient - Queries multiple Realtime Blackhole Lists in parallel =head1 SYNOPSIS use Net::RBLClient; my $rbl = Net::RBLClient->new; $rbl->lookup('211.101.236.160'); my @listed_by = $rbl->listed_by; =head1 DESCRIPTION This module is used to discover what RBL's are listing a particular IP address. It parallelizes requests for fast response. An RBL, or Realtime Blackhole List, is a list of IP addresses meeting some criteria such as involvement in Unsolicited Bulk Email. Each RBL has its own criteria for addition and removal of addresses. If you want to block email or other traffic to/from your network based on one or more RBL's, you should carefully study the behavior of those RBL's before and during such blocking. =head1 CONSTRUCTOR =over 4 =item new( [ARGS] ) Takes an optional hash of arguments: =over 4 =item lists An arraref of (sub)domains representing RBLs. In other words, each element in the array is a string similar to 'relays.somerbl.org'. Use this if you want to query a specific list of RBL's - if this argument is omitted, a large list of RBL's is queried. =item query_txt Set this to true if you want Net::RBLClient to also query for TXT records, in which many RBL's store additional information about the reason for including an IP address or links to pages that contain such information. You can then retrieve these information using the L method. =item max_time The maximum time in seconds that the lookup function should take. In fact, the function can take up to C seconds. Max_time need not be integer. Of course, if the lookup returns due to max_time, some DNS replies will be missed. Default: 8 seconds. =item timeout The maximum time in seconds spent awaiting each DNS reply packet. The only reason to change this is if C is decreased to a small value. Default: 1 second. =item max_hits A hit is an affirmative response, stating that the IP address is on a certain list. If C hits are received, C returns immediately. This lets the calling program save time. Default: 1000 (effectively out of the picture). =item max_replies A reply from an RBL could be affirmative or negative. Either way, it counts towards C. C returns when C replies have been received. =item udp_maxlen The maximum number of bytes read from a DNS reply packet. There's probably no reason to change this. Default: 4000 =item server The local nameserver to use for all queries. Should be either a resolvable hostname or a dotted quad IP address. By default, the first nameserver in /etc/resolv.conf will be used. =back =head1 METHODS =item lookup( IPADDR ) Lookup one IP address on all RBL's previously defined. The IP address must be expressed in dotted quad notation, like '1.2.3.4'. C returns 1. =item listed_by() Return an array of RBL's which block the specified IP. The RBL's are indicated via the (sub)domain used for DNS query. The calling program must first call C. =item listed_hash() Return a hash whose keys are the RBL's which block the specified IP, represented as in C. If the RBL returned an A record, the value for that key will be the IP address in the A record - typically 127.0.0.1 - 127.0.0.4. If the RBL returned a CNAME, the value will be the hostname, typically used for a comment on why the IP address is listed. =item txt_hash() Return a hash (or a reference to that hash if called in a scalar context) whose keys are the RBL's which block the specified IP, represented as in C. If the RBL returned TXT records containing additional information, the value will contain this information (several TXT records from one RBL will be joined by semicolons, but this should not happen), if not, it will be L. =back =head1 AUTHOR Asher Blum EFE =head1 CREDITS Martin H. Sluka EFE =head1 COPYRIGHT Copyright (C) 2002 Asher Blum. All rights reserved. This code is free software; you can redistribute it and/or modify it under the same terms as Perl itself. =cut 1; RBLCLient-0.5/Makefile.PL0100600000076500007650000000067610047031420014037 0ustar asherasheruse ExtUtils::MakeMaker; WriteMakefile( NAME => 'Net::RBLClient', VERSION_FROM => 'RBLClient.pm', PREREQ_PM => { IO::Socket => 0, Time::HiRes => 0, Net::DNS::Packet => 0, }, EXE_FILES => [ qw( spamalyze ) ], ($] >= 5.005 ? ('AUTHOR' => 'Asher Blum ', 'ABSTRACT' => 'Parallel RBL lookup client', ) : ()), ); RBLCLient-0.5/README0100600000076500007650000000025407510503777012761 0ustar asherasherThis module is used to discover what RBL's are listing a particular IP address. It parallelizes requests for fast response. INSTALL: perl Makefile.PL make make install RBLCLient-0.5/spamalyze0100700000076500007650000001301610047030250014006 0ustar asherasher#!/usr/bin/perl # program to analyze an mbox # and show how different RBL's would affect it. # Asher Blum Fri May 7 2004 # licensed under the same terms as Perl my $max_blockers_shown = 10; use strict; use Net::RBLClient; use Data::Dumper; my $rbl = Net::RBLClient->new( max_time => 5, max_hits => 8 ); my @messages; my %block_freq; my $msg = ''; #my %netblocks = read_netblocks('netblocks'); my %netblocks = ( '210.0.0.0/7' => 'APNIC-CIDR-BLK2', '217.0.0.0/8' => '217-RIPE', '64.51.0.0/16' => 'DSLNET-4', '63.68.128.0/20' => 'UU-63-68-128', '217.32.0.0/16' => 'UK-BT-20000920', '206.13.0.0/17' => 'PBI-NET', '200.128.0.0/9' => 'BRAZIL-BLK2', '66.95.0.0/16' => 'NASDSL-BLK2', '216.40.192.0/14' => 'EVRY-BLK-6', ); my %blocker_char; # character for each blocker my @blocker_chars = ( 'A' .. 'Z', 0 .. 9, 'a' .. 'z' ); while(<>) { if(/^From /) { handle_msg($msg); $msg = <>; } $msg .= $_; } my @blockers = sort {$block_freq{ $b } <=> $block_freq{ $a }} keys %block_freq; my $nblockers = @blockers; #print Dumper(\@blockers); exit 0; foreach my $message(@messages) { my $block_string = ''; for(0..$nblockers) { last if $_ >= $max_blockers_shown; $block_string .= $message->{ blockers }{ $blockers[ $_ ] } ? $blocker_chars[ $_ ] : '.'; } printf("%-15.15s %30.30s %s %-16.16s\n", $message->{ ip }, substr($message->{ hostname }, -30, 30), $block_string, $message->{ netblock }, ); } print "\n"; for(0..$nblockers) { printf "%s %-30.30s %6d\n", $blocker_chars[ $_ ], $blockers[ $_ ], $block_freq{ $blockers[ $_ ] }, } sub handle_msg { my $msg = shift or return undef; return undef if $msg =~ /From: root\@wildspark.com/; my($h, $b) = split /\n\n/, $msg; $h =~ s/\n\s+/ /g; if($h =~ /Received:.*\[(\d+\.\d+\.\d+\.\d+)\].*by/) { my $addr = $1; $rbl->lookup($addr); my @blockers = $rbl->listed_by; #printf "%-16.16s %s\n", $addr, $blockers; $block_freq{ $_ } ++ for @blockers; my $hostname = hostname($addr); push @messages, { ip => $addr, hostname => $hostname, blockers => { map(($_ => 1), @blockers) }, netblock => get_netblock($addr), }; #printf("%-16.16s %-16.16s %s\n", $addr, get_netblock($addr), $hostname); } else { #die" No match: $msg\n"; #warn "No match"; } } sub get_netblock { my $addr = shift; foreach my $n(keys %netblocks) { if(in_netblock($n, $addr)) { return $netblocks{ $n }; } } return "x"; foreach my $registry qw( arin apnic ripe ){ my $res = `whois $addr\@whois.arin.net`; return $1 if $res =~ /Netblock: (.+)/; } return "UNKNOWN"; } sub in_netblock { use Socket; my($cidr, $addr) = @_; #invoke with ('217.32.0.0/16', '128.222.123.0'); return undef unless $addr =~ /^(\d+)+\.(\d+)\.(\d+)\.(\d+)$/; my $n = pack('C4', $1, $2, $3, $4); return undef unless $cidr =~ m|^(\d+)+\.(\d+)\.(\d+)\.(\d+)/(\d+)$|; my $block = pack('C4', $1, $2, $3, $4); my $ones = $5; my $zeros = 32 - $ones; my $mask = pack('B32', '1' x $ones . '0' x $zeros); #print "mask=" . inet_ntoa($mask); exit; my $c1 = $block & $mask; my $c2 = $n & $mask; #print "c1=" . inet_ntoa($c1) . " c2=" . inet_ntoa($c2) . "\n"; return 1 if $c1 eq $c2; 0; } sub read_netblocks { my $fn = shift; open F, "$fn" or die "Can't open $fn: $!"; my %n; while() { next unless /(\S+)\s+(\S+)/; $n{ $1 } = $2; } close F; return %n; } sub hostname { my $address = shift; my ($name,$aliases,$addrtype,$length,@addrs); $name = 'TIMEOUT'; eval { alarm 1; local $SIG{ALRM} = sub { die "alarm\n" }; ($name,$aliases,$addrtype,$length,@addrs) = gethostbyaddr(inet_aton($address), AF_INET); alarm 0; }; $name; } __END__ =head1 NAME spamalyze - Apply multiple Realtime Blackhole Lists to all messages in an mbox =head1 SYNOPSIS spamalyze myspam.mbox spamalyze goodstuff.mbox tail -3000 some.mbox | spamalzse =head1 DESCRIPTION Spamalyze reads in an mbox file containing multiple mail messages and looks up the originating server of each message on multiple Realtime Blackhole Lists. Spamalyze uses L. Spamalyze lets you find out what the impact would be of filtering via various RBL's. The output report contains two sections. The first section has one line per email message, showing: =over 4 =item * Sending IP address =item * Sending hostname if any =item * Whether the IP is on a small list of possibly spammish netblocks =item * A list of letters representing RBL's which returned responses for this IP address =back The second section contains one line for each of the top RBL's. That is, the RBL's which produced the most hits. The RBL's are listed in decreasing order of hits. Each line contains: =over 4 =item * The letter assigned to the RBL - C is the one with the most hits =item * The domain name of the RBL =item * The number of hits from the RBL =back =head1 OPTIONS No options. =head1 SEE ALSO L =head1 AUTHOR Asher Blum EFE =head1 COPYRIGHT Copyright (C) 2004 Asher Blum. All rights reserved. This code is free software; you can redistribute it and/or modify it under the same terms as Perl itself. =cut