CJ Fearnley via plug on 26 Aug 2021 16:26:51 -0700



[PLUG] my bash script to report rogue Microsoft 365 servers


Today I wrote a script to report to Microsoft all the rogue Microsoft
365 servers that tried to send me e-mail yesterday. After a few days of
testing, I will add it to my crontab.

Maybe JP will find an idea here for his book.

This is a David versus Goliath effort: I need all the help I can get.

So, I welcome any advice to improve the script or to further shame
Microsoft for their despicable 365 e-mail server management practices.

I wrote three tweets to notify them publicly of their problems:
https://twitter.com/cjfsyntropy/status/1430551812059373568
https://twitter.com/cjfsyntropy/status/1430926526242037764
https://twitter.com/cjfsyntropy/status/1431029781693452289

Maybe you can modify the script to report Microsoft's rogue 365 mail
servers to them. Just point LOGFILE to any (preferably recent) archive
you have of e-mails that come from 365. You will probably have to modify
the regexes to find the sending server IP address. Once you have that
part working, my script should "just work".

My script found these 8:
20210826 15:35: Bad DNS report to IOC@microsoft.com: 104.47.20.59 mail-cwlgbr01lp2059.outbound.protection.outlook.com. 2(SERVFAIL)
20210826 15:38: Bad DNS report to IOC@microsoft.com: 40.107.212.70 mail-bn1nam07on2070.outbound.protection.outlook.com. 40.93.25.70
20210826 15:42: Bad DNS report to IOC@microsoft.com: 40.107.236.62 mail-bn8nam11on2062.outbound.protection.outlook.com. 40.93.28.62
20210826 15:48: Bad DNS report to IOC@microsoft.com: 40.107.244.59 mail-mw2nam12on2059.outbound.protection.outlook.com. 40.93.38.59
20210826 15:55: Bad DNS report to IOC@microsoft.com: 40.107.3.125 mail-eopbgr30125.outbound.protection.outlook.com. 2(SERVFAIL)
20210826 16:03: Bad DNS report to IOC@microsoft.com: 40.107.91.47 mail-dm3gcc02on2047.outbound.protection.outlook.com. 40.93.19.47
20210826 16:13: Bad DNS report to IOC@microsoft.com: 40.107.93.81 mail-dm6nam10on2081.outbound.protection.outlook.com. 40.93.21.81
20210826 16:25: Bad DNS report to IOC@microsoft.com: 40.107.94.69 mail-mw2nam10on2069.outbound.protection.outlook.com. 40.93.22.69

Here is the script (I'll put this one in the public domain so that if
you are an e-mail admin at Google or something there will be no qualms
about taking my code and shaming Microsoft with it):

#!/bin/bash
# Report senders whose reverse DNS (PTR) does not forward-resolve back to the
# connecting IP (forward-confirmed reverse DNS).

LOGFILE="/var/log/exim4/mainlog.1"
BADDOMAIN="outbound.protection.outlook.com"
MYAUDITLOG="/home/lfcjf/CheckRevDNS.log"
SENDTO="IOC@microsoft.com"
DELAY=85
CNT=1
# Connecting IPs that exim flagged yesterday, limited to $BADDOMAIN and
# de-duplicated. Adjust the grep/awk/sed to your own MTA's log format.
for host in $(grep 'Reverse DNS mismatch' "$LOGFILE" | grep "$BADDOMAIN" | \
   awk '{print $4}' | sed -e 's/\[//' -e 's/]//' | sort -u); do
  # PTR lookup: field 5 is the pointer name, or the error code
  # (3(NXDOMAIN), 2(SERVFAIL), ...) when the reverse lookup fails.
  # "exit" keeps only the first PTR if the IP happens to have several.
  FOR=$(host "$host" | awk '{print $5; exit}')
  case "$FOR" in
    *\(*\))
      IPS="$FOR"
      IPREPORT="$host does not resolve ($FOR)."
      MISMATCH=1
      ;;
    *)
      # Forward lookup of the PTR name. A name can have several A records,
      # so collect all of them and check whether the connecting IP is among
      # them instead of comparing against the first one only.
      IPS=$(host "$FOR" | awk '/has address/ {print $4} /not found/ {print $5}')
      MISMATCH=1
      for IP in $IPS; do
        if [ "$host" = "$IP" ]; then MISMATCH=0; fi
      done
      IPREPORT="$host resolves as $FOR
That, in turn, resolves as $(echo $IPS)

Notice that $host is not in that list!!!"
      ;;
  esac
  # echo "DEBUG: Compare $host $FOR $(echo $IPS) mismatch=$MISMATCH"
  if [ "$MISMATCH" = 1 ]; then
MESSAGE="Our mail server received a connection yesterday from $host which we
judged to be rogue because its reverse DNS did not match forward DNS.

Debug output:
$IPREPORT

To increase e-mail security, best practices stipulate that forward and
reverse DNS should match on mail servers.

For more information, please reference
https://www.linuxmagic.com/best_practices/check_ip_reverse_dns.html

Please fix your DNS records to comply with this Internet best practice."
    echo "$MESSAGE" | mail -s "Bad reverse DNS for $host" "$SENDTO"
    echo "$(date +'%Y%m%d %H:%M'): Bad DNS report to $SENDTO: $host $FOR $(echo $IPS)" >> "$MYAUDITLOG"
    CNT=$((CNT+1))
    # Wait a little longer after every report so we do not flood $SENDTO.
    # echo "sleep for $((CNT*DELAY))"
    sleep $((CNT*DELAY))
  fi
done

-- 
CJ Fearnley                 |   LinuxForce Inc.
cjf@LinuxForce.net          |   Hosting and Linux Consulting
https://www.LinuxForce.net  |   https://blog.LinuxForce.net
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
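Added example, not part of the original post or of CJ's script: the forward-confirmed reverse DNS (FCrDNS) check the script performs, written as a set of small shell functions and run over constructed log lines so it executes offline. Everything below is assumed for illustration: the sample log lines (made up, in the "[ip]" layout the script greps), the fake zone answered by the fake_* functions, and the host(1) output parsing in the real_* functions, which mirrors the script's awk fields. It goes a little beyond the script in two places: the connecting IP is pulled out with a regex rather than a fixed field number, and a PTR name with several A records counts as confirmed when any of them is the connecting IP.

```sh
#!/bin/sh
# Added example, not the original script: a forward-confirmed reverse DNS
# (FCrDNS) check run over constructed log lines. All DNS goes through the
# two LOOKUP_* hooks; the fake_* functions answer from a constructed zone so
# the block runs offline, the real_* functions query live DNS with host(1).

# Constructed sample lines (not real traffic): the connecting IP is in
# square brackets, with or without a preceding H= host name.
SAMPLE_LOG='2021-08-25 10:00:01 H=mail-a.example.net [192.0.2.10] Reverse DNS mismatch
2021-08-25 10:05:02 H=mail-b.example.net [192.0.2.20] Reverse DNS mismatch
2021-08-25 10:10:03 H=[192.0.2.30] Reverse DNS mismatch
2021-08-25 10:12:00 H=mail-ok.example.net [192.0.2.50] Completed
2021-08-25 10:15:04 H=mail-d.example.net [192.0.2.40] Reverse DNS mismatch
2021-08-25 10:20:05 H=mail-a.example.net [192.0.2.10] Reverse DNS mismatch'

# Distinct flagged connecting IPs, one per line. Matching the bracketed
# address with a regex instead of a fixed field number survives lines where
# the H= host name is missing.
extract_ips() {
  grep 'Reverse DNS mismatch' | sed -n 's/.*\[\([0-9][0-9.]*\)\].*/\1/p' | sort -u
}

# Live resolvers (assumed host(1) output: field 5 is the PTR name or the
# error code such as 3(NXDOMAIN); forward errors follow "not found:").
real_lookup_ptr() { host "$1" | awk '{print $5; exit}'; }
real_lookup_a()   { host "$1" | awk '/has address/ {print $4} /not found/ {print $5}'; }

# Constructed fake zone for the offline run.
fake_lookup_ptr() {
  case "$1" in
    192.0.2.10) echo 'mail-a.example.net.' ;;
    192.0.2.20) echo 'mail-b.example.net.' ;;
    192.0.2.40) echo 'mail-d.example.net.' ;;
    *)          echo '3(NXDOMAIN)' ;;
  esac
}
fake_lookup_a() {
  case "$1" in
    mail-a.example.net.) printf '%s\n' 192.0.2.11 192.0.2.10 ;;  # two A records; the sender is the second
    mail-b.example.net.) echo 198.51.100.5 ;;                   # forward DNS points elsewhere
    mail-d.example.net.) echo '2(SERVFAIL)' ;;                  # forward zone is broken
    *)                   echo '3(NXDOMAIN)' ;;
  esac
}
LOOKUP_PTR=fake_lookup_ptr   # set to real_lookup_ptr for live DNS
LOOKUP_A=fake_lookup_a       # set to real_lookup_a for live DNS

# Classify one connecting IP. Prints: STATUS PTR-OR-ERROR FORWARD-RESULTS
#   OK        the PTR name forward-resolves to a set containing the IP
#   NOPTR     reverse lookup failed (the error code follows)
#   FWDFAIL   the PTR name exists but does not forward-resolve
#   MISMATCH  the PTR name forward-resolves, but never to this IP
fcrdns_check() {
  ip=$1
  ptr=$("$LOOKUP_PTR" "$ip")
  case "$ptr" in
    *\(*\)) echo "NOPTR $ptr"; return 0 ;;
  esac
  fwd=$("$LOOKUP_A" "$ptr")
  case "$fwd" in
    *\(*\)) echo "FWDFAIL $ptr $fwd"; return 0 ;;
  esac
  status=MISMATCH
  for a in $fwd; do
    if [ "$a" = "$ip" ]; then status=OK; fi
  done
  echo "$status $ptr $(echo $fwd)"   # unquoted echo flattens the list to one line
}

# Whole pipeline: log on stdin, one classification line per flagged IP.
fcrdns_report() {
  extract_ips | while read -r ip; do fcrdns_check "$ip"; done
}

printf '%s\n' "$SAMPLE_LOG" | fcrdns_report
```

Only the MISMATCH line (and, if you choose to treat missing or broken DNS as rogue, NOPTR and FWDFAIL) should turn into a report; 192.0.2.10 is confirmed because the connecting IP is one of its two A records, and a check that compares against the first A record only would misreport it.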