mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 08:38:20 +00:00
23f04835c6
These functions are now deprecated in favor of alternative versions that return a vector of strings rather than a table of strings. Deprecated functions: - split: use split_string instead. - split1: use split_string1 instead. - split_all: use split_string_all instead. - split_n: use split_string_n instead. - cat_string_array: see join_string_vec instead. - cat_string_array_n: see join_string_vec instead. - join_string_array: see join_string_vec instead. - sort_string_array: use sort instead instead. - find_ip_addresses: use extract_ip_addresses instead. Changed functions: - has_valid_octets: uses a string_vec parameter instead of string_array. Addresses BIT-924, BIT-757.
62 lines
1.8 KiB
Text
62 lines
1.8 KiB
Text
##! Watch for various SPAM blocklist URLs in SMTP error messages.
|
|
|
|
@load base/protocols/smtp
|
|
|
|
module SMTP;
|
|
|
|
export {
|
|
redef enum Notice::Type += {
|
|
## An SMTP server sent a reply mentioning an SMTP block list.
|
|
Blocklist_Error_Message,
|
|
## The originator's address is seen in the block list error message.
|
|
## This is useful to detect local hosts sending SPAM with a high
|
|
## positive rate.
|
|
Blocklist_Blocked_Host,
|
|
};
|
|
|
|
# This matches content in SMTP error messages that indicate some
|
|
# block list doesn't like the connection/mail.
|
|
const blocklist_error_messages =
|
|
/spamhaus\.org\//
|
|
| /sophos\.com\/security\//
|
|
| /spamcop\.net\/bl/
|
|
| /cbl\.abuseat\.org\//
|
|
| /sorbs\.net\//
|
|
| /bsn\.borderware\.com\//
|
|
| /mail-abuse\.com\//
|
|
| /b\.barracudacentral\.com\//
|
|
| /psbl\.surriel\.com\//
|
|
| /antispam\.imp\.ch\//
|
|
| /dyndns\.com\/.*spam/
|
|
| /rbl\.knology\.net\//
|
|
| /intercept\.datapacket\.net\//
|
|
| /uceprotect\.net\//
|
|
| /hostkarma\.junkemailfilter\.com\// &redef;
|
|
|
|
}
|
|
|
|
event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
|
|
msg: string, cont_resp: bool) &priority=3
|
|
{
|
|
if ( code >= 400 && code != 421 )
|
|
{
|
|
# Raise a notice when an SMTP error about a block list is discovered.
|
|
if ( blocklist_error_messages in msg )
|
|
{
|
|
local note = Blocklist_Error_Message;
|
|
local message = fmt("%s received an error message mentioning an SMTP block list", c$id$orig_h);
|
|
|
|
# Determine if the originator's IP address is in the message.
|
|
local ips = extract_ip_addresses(msg);
|
|
local text_ip = "";
|
|
if ( |ips| > 0 && to_addr(ips[0]) == c$id$orig_h )
|
|
{
|
|
note = Blocklist_Blocked_Host;
|
|
message = fmt("%s is on an SMTP block list", c$id$orig_h);
|
|
}
|
|
|
|
NOTICE([$note=note, $conn=c, $msg=message, $sub=msg,
|
|
$identifier=cat(c$id$orig_h)]);
|
|
}
|
|
}
|
|
}
|