CJ Fearnley via plug on 26 Aug 2021 20:34:56 -0700



Re: [PLUG] my bash script to report rogue Microsoft 365 servers


Keith,

I'm talking about the processing of incoming e-mail. My server is
receiving e-mail connections from M$ 365 servers whose reverse DNS does
not match their forward DNS.

If you check your logs for mail from M$ 365 servers (look for
outbound.protection.outlook.com in the HELO or in the reverse DNS),
you will find a lot of brokenness.

Yesterday I fielded 29 e-mail connections from M$ 365 systems that
had working reverse DNS and 22 e-mail connections from M$ 365 systems
that had broken reverse DNS. So yesterday 43% of the mail connections
I received from M$ 365 systems had broken reverse DNS.

If you are rejecting connections from servers with failing reverse DNS,
then you might be blocking as much as half of M$ 365 e-mail.

I had to back off from my old policy of rejecting such mail. I'm pissed
that there is more spam in my INBOX and in my customer's INBOXes because
of rogue M$ 365 mail servers.

Please check your logs and let us know if your logs corroborate my
experience.

Let me know of any additional ideas to bring them into compliance.

This is one battle where we need David to defeat Goliath!

On Thu, Aug 26, 2021 at 07:53:18PM -0400, Keith C. Perry via plug wrote:
> I didn't know the problem was that bad.  Granted it is M$ but at the same time, DNS checks are the most basic thing that is done.
> 
> Question...  Aren't you already automatically blocking DNS mismatches to MX records?  I run Zimbra for my company and the blacklist functions take care of this.  While I might get phishing email, I don't get outright mismatches so I haven't had to think about it for a long time.
> 
> Am I misunderstanding what you are dealing with?
> 
> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
> Keith C. Perry, MS E.E. 
> Managing Member, DAO Technologies LLC 
> (O) +1.215.525.4165 x2033 
> (M) +1.215.432.5167 
> www.daotechnologies.com
> 
> ----- Original Message -----
> From: "CJ Fearnley via plug" <plug@lists.phillylinux.org>
> To: "PLUG List" <plug@lists.phillylinux.org>
> Sent: Thursday, August 26, 2021 7:26:45 PM
> Subject: [PLUG] my bash script to report rogue Microsoft 365 servers
> 
> Today I wrote a script to report to Microsoft all the rogue Microsoft
> 365 servers that tried to send me e-mail yesterday. After a few days of
> testing, I will add it to my crontab.
> 
> Maybe JP will find an idea here for his book.
> 
> This is a David versus Goliath effort: I need all the help I can get.
> 
> So, I welcome any advice to improve the script or to further shame
> Microsoft for their despicable 365 e-mail server management practices.
> 
> I wrote three tweets to notify them publicly of their problems:
> https://twitter.com/cjfsyntropy/status/1430551812059373568
> https://twitter.com/cjfsyntropy/status/1430926526242037764
> https://twitter.com/cjfsyntropy/status/1431029781693452289
> 
> Maybe you can modify the script to report Microsoft's rogue 365 mail
> servers to them. Just point LOGFILE to any (preferably recent) archive
> you have of e-mails that come from 365. You will probably have to modify
> the regexes to find the sending server IP address. Once you have that
> part working, my script should "just work".
> 
> My script found these 8:
> 20210826 15:35: Bad DNS report to IOC@microsoft.com: 104.47.20.59 mail-cwlgbr01lp2059.outbound.protection.outlook.com. 2(SERVFAIL)
> 20210826 15:38: Bad DNS report to IOC@microsoft.com: 40.107.212.70 mail-bn1nam07on2070.outbound.protection.outlook.com. 40.93.25.70
> 20210826 15:42: Bad DNS report to IOC@microsoft.com: 40.107.236.62 mail-bn8nam11on2062.outbound.protection.outlook.com. 40.93.28.62
> 20210826 15:48: Bad DNS report to IOC@microsoft.com: 40.107.244.59 mail-mw2nam12on2059.outbound.protection.outlook.com. 40.93.38.59
> 20210826 15:55: Bad DNS report to IOC@microsoft.com: 40.107.3.125 mail-eopbgr30125.outbound.protection.outlook.com. 2(SERVFAIL)
> 20210826 16:03: Bad DNS report to IOC@microsoft.com: 40.107.91.47 mail-dm3gcc02on2047.outbound.protection.outlook.com. 40.93.19.47
> 20210826 16:13: Bad DNS report to IOC@microsoft.com: 40.107.93.81 mail-dm6nam10on2081.outbound.protection.outlook.com. 40.93.21.81
> 20210826 16:25: Bad DNS report to IOC@microsoft.com: 40.107.94.69 mail-mw2nam10on2069.outbound.protection.outlook.com. 40.93.22.69
> 
> Here is the script (I'll put this one in the public domain so that if
> you are an e-mail admin at Google or something there will be no qualms
> about taking my code and shaming Microsoft with it):
> 
> #!/bin/bash
> 
> LOGFILE="/var/log/exim4/mainlog.1"
> BADDOMAIN="outbound.protection.outlook.com"
> MYAUDITLOG="/home/lfcjf/CheckRevDNS.log"
> SENDTO="IOC@microsoft.com"
> DELAY=85
> CNT=1
> # Unique client IPs that exim logged as reverse-DNS mismatches and that named
> # the offending domain; field 4 of those log lines holds the IP in [brackets].
> for host in $(grep 'Reverse DNS mismatch' "$LOGFILE" | grep -F "$BADDOMAIN" | \
>    awk '{print $4}' | sed -e 's/\[//' -e 's/]//' | sort -u); do
>   # PTR lookup: field 5 is the name, or "3(NXDOMAIN)" when there is no PTR.
>   FOR=$(host "$host" | awk '{print $5}')
>   # Forward lookup of that name: every A record, or the error code, on one line.
>   IPS=$(host "$FOR" | awk '/has address/ {print $4} /not found/ {print $5}' | paste -s -d ' ' -)
>   # A name may have several A records; the server is compliant if ANY of them matches.
>   MATCH=0
>   for IP in $IPS; do
>     [ "$host" = "$IP" ] && MATCH=1
>   done
>   [ "$MATCH" = 1 ] && continue
>   if [ "$FOR" = "3(NXDOMAIN)" ]; then
>     IPREPORT="$host does not resolve (NXDOMAIN error)."
>   else
>     IPREPORT="$host resolves as $FOR
> That, in turn, resolves as $IPS
> 
> Notice that $host != $IPS !!!"
>   fi
>   MESSAGE="Our mail server received a connection yesterday from $host which we
> judged to be rogue because its reverse DNS did not match forward DNS.
> 
> Debug output:
> $IPREPORT
> 
> To increase e-mail security, best practices stipulate that forward and
> reverse DNS should match on mail servers.
> 
> For more information, please reference
> https://www.linuxmagic.com/best_practices/check_ip_reverse_dns.html
> 
> Please fix your DNS records to comply with this Internet best practice."
>   echo "$MESSAGE" | mail -s "Bad reverse DNS for $host" "$SENDTO"
>   echo "$(date +'%Y%m%d %H:%M'): Bad DNS report to $SENDTO: $host $FOR $IPS" >> "$MYAUDITLOG"
>   CNT=$((CNT+1))
>   # Space the reports out (the gap grows with each one) so the abuse mailbox is not flooded.
>   sleep $((CNT*DELAY))
> done
> 
> -- 
> CJ Fearnley                 |   LinuxForce Inc.
> cjf@LinuxForce.net          |   Hosting and Linux Consulting
> https://www.LinuxForce.net  |   https://blog.LinuxForce.net
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

-- 
CJ Fearnley                 |   LinuxForce Inc.
cjf@LinuxForce.net          |   Hosting and Linux Consulting
https://www.LinuxForce.net  |   https://blog.LinuxForce.net
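The forward-confirmed reverse DNS decision the script in this thread makes (PTR lookup, forward lookup of the PTR name, compare), as an added Python example that is not CJ's code or part of the thread; it checks every A record of the PTR name, so a name with several addresses is only reported when none of them is the connecting IP. The two outlook.com rows of the constructed zone data mirror audit-log lines from the script's output, the example.net names and the 203.0.113.x / 198.51.100.x addresses are hypothetical, and live_ptr/live_a wrap the standard socket module for a real run.

```python
from __future__ import annotations
import socket
from dataclasses import dataclass, field

@dataclass
class Verdict:
    ip: str
    ptr: str | None                   # PTR name; None if the reverse lookup failed
    forward: list[str] = field(default_factory=list)  # A records of the PTR name
    status: str = "ok"                # "ok" | "mismatch" | "nxdomain" | "servfail"

def fcrdns(ip, lookup_ptr, lookup_a):
    """PTR(ip) must own an A record equal to ip. lookup_ptr(ip) gives the PTR name
    or None (NXDOMAIN); lookup_a(name) gives IPv4 strings or None (SERVFAIL). All
    forward addresses are compared, so a multi-A name is only reported if none match."""
    ptr = lookup_ptr(ip)
    if ptr is None:
        return Verdict(ip, None, [], "nxdomain")
    addrs = lookup_a(ptr)
    if addrs is None:
        return Verdict(ip, ptr, [], "servfail")
    return Verdict(ip, ptr, list(addrs), "ok" if ip in addrs else "mismatch")

def live_ptr(ip):
    """System-resolver PTR lookup (socket cannot tell NXDOMAIN from SERVFAIL)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def live_a(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return None

# Constructed zone data: outlook.com rows mirror two audit-log lines above; example.net is hypothetical.
SAMPLE_PTR = {
    "40.107.212.70": "mail-bn1nam07on2070.outbound.protection.outlook.com",
    "104.47.20.59": "mail-cwlgbr01lp2059.outbound.protection.outlook.com",
    "203.0.113.21": "mx2.example.net",  # second of two A records: must pass
}
SAMPLE_A = {
    "mail-bn1nam07on2070.outbound.protection.outlook.com": ["40.93.25.70"],
    "mail-cwlgbr01lp2059.outbound.protection.outlook.com": None,  # SERVFAIL
    "mx2.example.net": ["203.0.113.20", "203.0.113.21"],
}

def check_sample(ip):
    return fcrdns(ip, SAMPLE_PTR.get, SAMPLE_A.get)  # unknown IP has no PTR
```

For a live check call `fcrdns(ip, live_ptr, live_a)` instead of `check_sample`.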