Keith C. Perry via plug on 26 Aug 2021 16:54:50 -0700



Re: [PLUG] my bash script to report rogue Microsoft 365 servers


I didn't know the problem was that bad.  Granted it is M$ but at the same time, DNS checks are the most basic thing that is done.

Question...  Aren't you already automatically blocking DNS mismatches to MX records?  I run Zimbra for my company and the blacklist functions take care of this.  While I might get phishing email, I don't get outright mismatches so I haven't had to think about it for a long time.

Am I misunderstanding what you are dealing with?

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
Keith C. Perry, MS E.E. 
Managing Member, DAO Technologies LLC 
(O) +1.215.525.4165 x2033 
(M) +1.215.432.5167 
www.daotechnologies.com

----- Original Message -----
From: "CJ Fearnley via plug" <plug@lists.phillylinux.org>
To: "PLUG List" <plug@lists.phillylinux.org>
Sent: Thursday, August 26, 2021 7:26:45 PM
Subject: [PLUG] my bash script to report rogue Microsoft 365 servers

Today I wrote a script to report to Microsoft all the rogue Microsoft
365 servers that tried to send me e-mail yesterday. After a few days of
testing, I will add it to my crontab.

Maybe JP will find an idea here for his book.

This is a David versus Goliath effort: I need all the help I can get.

So, I welcome any advice to improve the script or to further shame
Microsoft for their despicable 365 e-mail server management practices.

I wrote three tweets to notify them publicly of their problems:
https://twitter.com/cjfsyntropy/status/1430551812059373568
https://twitter.com/cjfsyntropy/status/1430926526242037764
https://twitter.com/cjfsyntropy/status/1431029781693452289

Maybe you can modify the script to report Microsoft's rogue 365 mail
servers to them. Just point LOGFILE to any (preferably recent) archive
you have of e-mails that come from 365. You will probably have to modify
the regexes to find the sending server IP address. Once you have that
part working, my script should "just work".

My script found these 8:
20210826 15:35: Bad DNS report to IOC@microsoft.com: 104.47.20.59 mail-cwlgbr01lp2059.outbound.protection.outlook.com. 2(SERVFAIL)
20210826 15:38: Bad DNS report to IOC@microsoft.com: 40.107.212.70 mail-bn1nam07on2070.outbound.protection.outlook.com. 40.93.25.70
20210826 15:42: Bad DNS report to IOC@microsoft.com: 40.107.236.62 mail-bn8nam11on2062.outbound.protection.outlook.com. 40.93.28.62
20210826 15:48: Bad DNS report to IOC@microsoft.com: 40.107.244.59 mail-mw2nam12on2059.outbound.protection.outlook.com. 40.93.38.59
20210826 15:55: Bad DNS report to IOC@microsoft.com: 40.107.3.125 mail-eopbgr30125.outbound.protection.outlook.com. 2(SERVFAIL)
20210826 16:03: Bad DNS report to IOC@microsoft.com: 40.107.91.47 mail-dm3gcc02on2047.outbound.protection.outlook.com. 40.93.19.47
20210826 16:13: Bad DNS report to IOC@microsoft.com: 40.107.93.81 mail-dm6nam10on2081.outbound.protection.outlook.com. 40.93.21.81
20210826 16:25: Bad DNS report to IOC@microsoft.com: 40.107.94.69 mail-mw2nam10on2069.outbound.protection.outlook.com. 40.93.22.69

Here is the script (I'll put this one in the public domain so that if
you are an e-mail admin at Google or something there will be no qualms
about taking my code and shaming Microsoft with it):

#!/bin/bash
# Scan yesterday's Exim log for connections whose reverse DNS did not match
# forward DNS, re-check each sending IP, and e-mail one report per bad host.

LOGFILE="/var/log/exim4/mainlog.1"
BADDOMAIN="outbound.protection.outlook.com"
MYAUDITLOG="/home/lfcjf/CheckRevDNS.log"
SENDTO="IOC@microsoft.com"
DELAY=85   # seconds; the pause between reports grows with each one sent
CNT=1
# Field 4 of Exim's "Reverse DNS mismatch" line is the sender IP in [brackets].
for host in $(grep 'Reverse DNS mismatch' "$LOGFILE"|grep -F "$BADDOMAIN"| \
   awk '{print $4}'|sed -e 's/\[//' -e 's/]//'|sort -u); do
  # PTR lookup: field 5 is the name, or the rcode (e.g. 3(NXDOMAIN)) on failure
  FOR=$(host "$host"|awk '{print $5}')
  # Forward lookup of that name: one line per A record, or the rcode on failure
  for IP in $(host "$FOR"|awk '/has address/ {print $4} /not found/ {print $5}'); do
    # echo "DEBUG: Compare $host $FOR $IP";
    if [ "$FOR" = "3(NXDOMAIN)" ]; then
      IPREPORT="$host does not resolve (NXDOMAIN error)."
    else
      IPREPORT="$host resolves as $FOR
That, in turn, resolves as $IP

Notice that $host != $IP !!!"
    fi
    if [ "$host" != "$IP" ]; then
MESSAGE="Our mail server received a connection yesterday from $host which we
judged to be rogue because its reverse DNS did not match forward DNS.

Debug output:
$IPREPORT

To increase e-mail security, best practices stipulate that forward and
reverse DNS should match on mail servers.

For more information, please reference
https://www.linuxmagic.com/best_practices/check_ip_reverse_dns.html

Please fix your DNS records to comply with this Internet best practice."
      echo "$MESSAGE" | mail -s "Bad reverse DNS for $host" "$SENDTO"
      echo "$(date +'%Y%m%d %H:%M'): Bad DNS report to $SENDTO: $host $FOR $IP" >> "$MYAUDITLOG"
      CNT=$((CNT+1))
      # Back off a little more after every report so the recipient is not flooded
      # echo "sleep for $((CNT*DELAY))"
      sleep $((CNT*DELAY))
      break   # one report per host is enough
    fi;
  done
done

-- 
CJ Fearnley                 |   LinuxForce Inc.
cjf@LinuxForce.net          |   Hosting and Linux Consulting
https://www.LinuxForce.net  |   https://blog.LinuxForce.net
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
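The forward-confirmed reverse DNS test the script performs, as an added Python example that is not part of CJ's post. It goes one step beyond the script by accepting a PTR name when the IP appears among any of its A records (the script compares against the first forward address only), and it runs offline against a constructed in-memory DNS fixture: the first two IPs are taken from the audit log above, while 192.0.2.10 / mx.example.net are made up; check_fcrdns, fake_lookup and DnsError are this example's own names.

```python
# Forward-confirmed reverse DNS (FCrDNS) check with pluggable resolvers.
from typing import Callable, List, Tuple

class DnsError(Exception):
    """Raised by a resolver with the rcode name, e.g. 'NXDOMAIN' or 'SERVFAIL'."""

Lookup = Callable[[str], List[str]]  # ip -> PTR names, or name -> A records

def check_fcrdns(ip: str, ptr_lookup: Lookup, a_lookup: Lookup) -> Tuple[str, str]:
    """Return (verdict, detail); verdict is ok, no-ptr, no-forward or mismatch."""
    try:
        names = ptr_lookup(ip)
    except DnsError as err:
        return "no-ptr", f"{ip} has no PTR record: {err}"
    trail, resolved_any = [], False
    for name in names:
        try:
            addrs = a_lookup(name)
        except DnsError as err:
            trail.append(f"{name} -> {err}")
            continue
        resolved_any = True
        if ip in addrs:  # any matching A record confirms the PTR name
            return "ok", f"{ip} -> {name} -> {ip}"
        trail.append(f"{name} -> {', '.join(addrs)}")
    verdict = "mismatch" if resolved_any else "no-forward"
    return verdict, f"{ip} -> " + "; ".join(trail)

# Constructed offline fixture standing in for DNS. The first two IPs mirror the
# post's audit log (PTR name and forward answer as reported there); 192.0.2.10 is
# made up: its second A record matches, which a first-address-only check misreports.
FAKE_DNS = {
    "104.47.20.59": ["mail-cwlgbr01lp2059.outbound.protection.outlook.com"],
    "mail-cwlgbr01lp2059.outbound.protection.outlook.com": "SERVFAIL",
    "40.107.212.70": ["mail-bn1nam07on2070.outbound.protection.outlook.com"],
    "mail-bn1nam07on2070.outbound.protection.outlook.com": ["40.93.25.70"],
    "192.0.2.10": ["mx.example.net"],
    "mx.example.net": ["198.51.100.7", "192.0.2.10"],
}

def fake_lookup(key: str) -> List[str]:
    """Serve PTR and A answers from FAKE_DNS; a string value is an error rcode."""
    answer = FAKE_DNS.get(key, "NXDOMAIN")
    if isinstance(answer, str):
        raise DnsError(answer)
    return answer
```

For live checks, pass wrappers around socket.gethostbyaddr and socket.getaddrinfo that raise DnsError on failure instead of fake_lookup.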