\n"; $output .= "\n"; $output .= "\n"; $output .= "\n"; $output .= "\n"; $output .= "\n"; $output .= "\n"; $output .= ""; $output .= ""; } function dec2bin($number) { $binval=""; while ($number>0) { $remainder=$number%2; $binval = $remainder.$binval; $number=floor($number/2); } return $binval; } function oct2bin($number) { $binval=""; for ($i=0; $i 8) { $num = substr($num, strlen($num)-8); } for ($j=strlen($num); $j<8; $j++) { $num = "0".$num; } $temp = $temp.$num; } else if (substr($digits[$i], 0, 1) == "0") { // We must have octal $num = oct2bin(substr($digits[$i], 1)); // Adjust to 8 bin digits per dotted number if (strlen($num) > 8) { $num = substr($num, strlen($num)-8); } for ($j=strlen($num); $j<8; $j++) { $num = "0".$num; } $temp = $temp.$num; } else { // Let's assume it's decimal $num = dec2bin($digits[$i]); // Adjust to 8 bin digits per dotted number if (strlen($num) > 8) { $num = substr($num, strlen($num)-8); } for ($j=strlen($num); $j<8; $j++) { $num = "0".$num; } $temp = $temp.$num; } } debug("IP is now ".$temp); return $temp; } function bin2DottedDec($number) { debug("Transforming ip ".$number." into dotted decimal format"); $val = ""; $i=8; while ($i<=strlen($number)) { $num = substr($number, strlen($number)-$i, 8); $num = BinDec($num); if ($val != "") { $val = ".".$val; } $val = $num.$val; $i=$i+8; } debug("IP is now ".$val); return $val; } function process_ip($domain) { debug("Processing domain ".$domain); // Sometimes they encode their ip addresses to confuse us // Ok problem: rawurldecode goes to valhalla when the url is not properly encoded. 
Try for example to decode "61.=" debug("Removing urlencodage from ".$domain); $temp=rawurldecode($domain); // Now remove the username and password rubbish debug("Removing login and password from ".$temp); if (strpos($temp, "@")) { $temp = substr($temp, strpos($temp, "@")+1); } debug("Domain is now ".$temp); // Now check if this is a non ip domain and if it is an ip domain, convert it to a suitable format // Converts things like: 3569055659, 0324.0273.0167.0253, 0xD4.0xBB.0x77.0xAB, 0xd4bb77ab, or 0324.0xbb.119.0253 if (strpos($temp, ".")) { $digits = explode(".", $temp); $allDigits = true; // Check whether the last part of the address is a number or not (then a valid TLD) $num = $digits[count($digits)-1]; if (substr($num, 0, 2) != "0x") { for ($i=0; $i=0;$i--) { $reversedip .= "$array[$i]."; } // strip the leading and trailing "." now $reversedip = str_replace(" ", "", (substr($reversedip,1,-1))); return $reversedip; } function addresslookup($domain) { global $output; global $config; $exit_code =0; $cached = false; $response = ""; $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "select * from lookupcache where domain = '".addslashes($domain)."'"; $db2->setQuery($query); $r2 = $db2->executequery(); if ($r2 >0) { if ($db2->hasMoreElements()) { $row2 = $db2->nextElement(); if (($row2["time"] + $config["spam_cache_time"]) < time()) { $cached = false; // Needs to be updated } else { $cached = true; } } } $db2->close(); } if (($row2 != "") && ($cached)) { $command = "nslookup $domain"; $output .= "$command (checking ip [cache hit]) "; $temp = stripslashes($row2["response"]); $response = explode("\n", $temp); } else { $command = "nslookup $domain"; $output .= "$command (checking ip) "; unset($response); exec($command,$response,$exit_code); if ($exit_code != 0) { $output .= "
RC - ".$exit_code."\n"; } else if (!is_array($response)) { $response = explode("\n", $response); } } $cache_response = ""; if (($exit_code == 0) && ($response != "")) { for ($i=0;$i=2) { if (strstr($response[$i], "Address:")) { $resolved = str_replace("Address:","",$response[$i]); $resolved = str_replace(" ","",$resolved); if ($resolved == $config["dnsserver"]) { $resolved = ""; } } } } } if (!$cached) { $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "delete from lookupcache where domain='".addslashes($domain)."'"; $db2->setQuery($query); $r2 = $db2->executequery(); $query = "insert into lookupcache (domain, response, time) values ('".addslashes($domain)."', '".addslashes($cache_response)."', ".time().")"; $db2->setQuery($query); $r2 = $db2->executequery(); $db2->close(); } } if ($resolved != "") { $output .= " = $resolved
\n"; return TRUE; } else { $output .= " not found
\n"; } } function lookup ($domain, $whois_server) { global $output; global $config; $exit_code =0; $cached = false; $response = ""; $cache_response = ""; $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "select * from whoiscache where domain = '".addslashes("$domain@$whois_server")."'"; $db2->setQuery($query); $r2 = $db2->executequery(); if ($r2 >0) { if ($db2->hasMoreElements()) { $row2 = $db2->nextElement(); if (($row2["time"] + $config["spam_cache_time"]) < time()) { $cached = false; // Needs to be updated } else { $cached = true; } } } $db2->close(); } if (($row2 != "") && ($cached)) { $command = "whois $domain@$whois_server [cache hit]"; $temp = stripslashes($row2["response"]); $response = explode("\n", $temp); } else { $cache_response = ""; $command = "whois $domain@$whois_server"; $fp = fsockopen($whois_server, 43, &$errno, &$errstr, 10); if(!$fp) { $output .= "Could not open connection to $server on port 43.\n"; $output .= "$errstr ($errno)\n"; } else { fputs($fp,"$domain\r\n"); while(!feof($fp)) { $line = fgets($fp,128); if ($cache_response != "") { $cache_response .= "\n"; } $cache_response .= $line; } fclose($fp); } $response = explode("\n", $cache_response); } if ($response != "") { for ($i=0;$i$contact
\n"; break; } } } if ((!$cached) && ($cache_response != "")) { $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "delete from whoiscache where domain='".addslashes("$domain@$whois_server")."'"; $db2->setQuery($query); $r2 = $db2->executequery(); $query = "insert into whoiscache (domain, response, time) values ('".addslashes("$domain@$whois_server")."', '".addslashes($cache_response)."', ".time().")"; $db2->setQuery($query); $r2 = $db2->executequery(); $db2->close(); } } if ($contact != "") { return $contact; } else { } } function iplookup($domain) { global $output; global $config; $exit_code =0; $cached = false; $response = ""; $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "select * from lookupcache where domain = '".addslashes($domain)."'"; $db2->setQuery($query); $r2 = $db2->executequery(); if ($r2 >0) { if ($db2->hasMoreElements()) { $row2 = $db2->nextElement(); if (($row2["time"] + $config["spam_cache_time"]) < time()) { $cached = false; // Needs to be updated } else { $cached = true; } } } $db2->close(); } if (($row2 != "") && ($cached)) { $command = "nslookup $domain"; $output .= "$command (getting name [cache hit]) "; $temp = stripslashes($row2["response"]); $response = explode("\n", $temp); } else { $command = "nslookup $domain"; $output .= "$command (getting name) "; unset($response); exec($command,$response,$exit_code); if ($exit_code != 0) { $output .= "
RC - ".$exit_code."\n"; } else if (!is_array($response)) { $response = explode("\n", $response); } } $cache_response = ""; if (($exit_code == 0) && ($response != "")) { for ($i=0;$i=2) { if (strstr($response[$i], "Name:")) { $resolved = str_replace("Name:","",$response[$i]); $resolved = str_replace(" ","",$resolved); if ($resolved == $config["dnsserver"]) { $resolved = ""; } } } } } if (!$cached) { $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "delete from lookupcache where domain='".addslashes($domain)."'"; $db2->setQuery($query); $r2 = $db2->executequery(); $query = "insert into lookupcache (domain, response, time) values ('".addslashes($domain)."', '".addslashes($cache_response)."', ".time().")"; $db2->setQuery($query); $r2 = $db2->executequery(); $db2->close(); } } if ($resolved != "") { $output .= " = $resolved
\n"; return $resolved; } else { $output .= " not found; discarding as fake
\n"; $output .= "Cannot find master for: $domain
\n"; } } function namelookup($domain) { global $output; global $config; $exit_code =0; $cached = false; $response = ""; $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "select * from lookupcache where domain = '".addslashes($domain)."'"; $db2->setQuery($query); $r2 = $db2->executequery(); if ($r2 >0) { if ($db2->hasMoreElements()) { $row2 = $db2->nextElement(); if (($row2["time"] + $config["spam_cache_time"]) < time()) { $cached = false; // Needs to be updated } else { $cached = true; } } } $db2->close(); } if (($row2 != "") && ($cached)) { $command = "nslookup $domain"; $output .= "$command (getting ip [cache hit]) "; $temp = stripslashes($row2["response"]); $response = explode("\n", $temp); } else { $command = "nslookup $domain"; $output .= "$command (getting ip) "; unset($response); exec($command,$response,$exit_code); if ($exit_code != 0) { $output .= "
RC - ".$exit_code."\n"; } else if (!is_array($response)) { $response = explode("\n", $response); } } $cache_response = ""; if (($exit_code == 0) && ($response != "")) { for ($i=0;$i=2) { if (strstr($response[$i], "Address:")) { $resolved = str_replace("Address:","",$response[$i]); $resolved = str_replace(" ","",$resolved); if ($resolved == $config["dnsserver"]) { $resolved = ""; } } if (strstr($response[$i], "Addresses:")) { $resolved = strrchr(str_replace("Addresses:","",$response[$i])," "); $resolved = str_replace(" ","",$resolved); if ($resolved == $config["dnsserver"]) { $resolved = ""; } } } } } if (!$cached) { $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "delete from lookupcache where domain='".addslashes($domain)."'"; $db2->setQuery($query); $r2 = $db2->executequery(); $query = "insert into lookupcache (domain, response, time) values ('".addslashes($domain)."', '".addslashes($cache_response)."', ".time().")"; $db2->setQuery($query); $r2 = $db2->executequery(); $db2->close(); } } if ($resolved != "") { $output .= " = $resolved
\n"; return $resolved; } else { $output .= " not found; discarding as fake
\n"; $output .= "Cannot find master for: $domain
\n"; } } function valid_email ($email) { if (eregi("^[0-9a-z]([-_.]?[0-9a-z])*@[0-9a-z]([-.]?[0-9a-z])*\\.[a-z]{2,3}$",$email, $check)) { if ( getmxrr(substr(strstr($check[0], '@'),1),$validate_email_temp)) { return TRUE; } } } function valid_ip ($ip) { // if no alpha chars, assume it is a numeric address if ( ereg( "([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})" , $ip, $regs)) { return TRUE; } return FALSE; } function getdomainname($domain) { global $output; global $config; $exit_code =0; $cached = false; $response = ""; $cache_response = ""; $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "select * from domainnamecache where domain = '".addslashes($domain)."'"; $db2->setQuery($query); $r2 = $db2->executequery(); if ($r2 >0) { if ($db2->hasMoreElements()) { $row2 = $db2->nextElement(); if (($row2["time"] + $config["spam_cache_time"]) < time()) { $cached = false; // Needs to be updated } else { $cached = true; } } } $db2->close(); } if (($row2 != "") && ($cached)) { $output .= "[cache hit] "; $temp = stripslashes($row2["response"]); $response = explode("\n", $temp); } else { $cache_response = ""; // first get the domain server from internic $fp = fsockopen("rs.internic.net", 43, &$errno, &$errstr,10); if(!$fp) { $output .= "$errstr ($errno)\n"; } else { fputs($fp,"$domain\r\n"); while(!feof($fp)) { $buf = fgets($fp,128); if (ereg("Whois Server:", $buf)) { $server = str_replace("Whois Server: ", "", $buf); $server = trim($server); } } fclose($fp); } if ($server) { $output .= "$domain is registered at $server:
\n"; $fp = fsockopen($server, 43, &$errno, &$errstr, 10); if(!$fp) { $output .= "Could not open connection to $server on port 43.\n"; $output .= "$errstr ($errno)\n"; } else { fputs($fp,"$domain\r\n"); while(!feof($fp)) { $line = fgets($fp,128); if ($cache_response != "" ) { $cache_response .= "\n"; } $cache_response .= $line; } fclose($fp); } } else { $output .= "$domain does not appear to be registered."; } $response = explode("\n", $cache_response); } if ($response != "") { for ($i=0;$isetQuery($query); $r2 = $db2->executequery(); $query = "insert into domainnamecache (domain, response, time) values ('".addslashes($domain)."', '".addslashes($cache_response)."', ".time().")"; $db2->setQuery($query); $r2 = $db2->executequery(); $db2->close(); } } } function getnumericaddress($domain) { global $output; global $config; $output .= "Network number information from ARIN
\n"; $exit_code =0; $cached = false; $response = ""; $cache_response = ""; $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "select * from numericaladdresscache where domain = '".addslashes($domain)."'"; $db2->setQuery($query); $r2 = $db2->executequery(); if ($r2 >0) { if ($db2->hasMoreElements()) { $row2 = $db2->nextElement(); if (($row2["time"] + $config["spam_cache_time"]) < time()) { $cached = false; // Needs to be updated } else { $cached = true; } } } $db2->close(); } if (($row2 != "") && ($cached)) { $output .= "[cache hit] "; $temp = stripslashes($row2["response"]); $response = explode("\n", $temp); } else { $cache_response = ""; $fp = fsockopen("whois.arin.net", 43, &$errno, &$errstr, 10); if(!$fp) { $output .= "Could not open connection to $server on port 43.\n"; $output .= "$errstr ($errno)\n"; } else { fputs($fp,"$domain\r\n"); while(!feof($fp)) { $line = fgets($fp,128); if ($cache_response != "" ) { $cache_response .= "\n"; } $cache_response .= $line; } fclose($fp); } $response = explode("\n", $cache_response); } if ((!$cached) && ($cache_response != "")) { $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "delete from numericaladdresscache where domain='".addslashes($domain)."'"; $db2->setQuery($query); $r2 = $db2->executequery(); $query = "insert into numericaladdresscache (domain, response, time) values ('".addslashes($domain)."', '".addslashes($cache_response)."', ".time().")"; $db2->setQuery($query); $r2 = $db2->executequery(); $db2->close(); } } if ($response != "") { for ($i=0;$isetQuery($query); $r2 = $db2->executequery(); if ($r2 >0) { if ($db2->hasMoreElements()) { $row2 = $db2->nextElement(); if (($row2["time"] + $config["spam_cache_time"]) < time()) { $cached = false; // Needs to be updated } else { $cached = true; } } } $db2->close(); } if (($row2 != "") && ($cached)) { $temp = 
stripslashes($row2["response"]); $response = explode("\n", $temp); } else { $cache_response = ""; $fp = fsockopen($server, 43, &$errno, &$errstr, 10); if(!$fp) { $output .= "Could not open connection to $server on port 43.\n"; $output .= "$errstr ($errno)\n"; } else { $output .= "whois $domain@whois.ripe.net "; fputs($fp,"$domain\r\n"); while(!feof($fp)) { $line = fgets($fp,128); if ($cache_response != "" ) { $cache_response .= "\n"; } $cache_response .= $line; } fclose($fp); } $response = explode("\n", $cache_response); } if ((!$cached) && ($cache_response != "")) { $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "delete from numericaladdresscache where domain='".addslashes($domain)."'"; $db2->setQuery($query); $r2 = $db2->executequery(); $query = "insert into numericaladdresscache (domain, response, time) values ('".addslashes($domain)."', '".addslashes($cache_response)."', ".time().")"; $db2->setQuery($query); $r2 = $db2->executequery(); $db2->close(); } } if ($response != "") { for ($i=0;$isetQuery($query); $r2 = $db2->executequery(); if ($r2 >0) { if ($db2->hasMoreElements()) { $row2 = $db2->nextElement(); if (($row2["time"] + $config["spam_cache_time"]) < time()) { $cached = false; // Needs to be updated } else { $cached = true; } } } $db2->close(); } if (($row2 != "") && ($cached)) { $output .= "[cache hit] "; $temp = stripslashes($row2["response"]); $response = explode("\n", $temp); } else { $cache_response = ""; $fp = fsockopen($server, 43, &$errno, &$errstr, 10); if(!$fp) { $output .= "Could not open connection to $server on port 43.\n"; $output .= "$errstr ($errno)\n"; } else { $output .= "whois $handle@whois.ripe.net "; fputs($fp,"$handle\r\n"); while(!feof($fp)) { $line = fgets($fp,128); if ($cache_response != "" ) { $cache_response .= "\n"; } $cache_response .= $line; } fclose($fp); } $response = explode("\n", $cache_response); } if ((!$cached) && ($cache_response != "")) 
{ $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "delete from ripecontactcache where domain='".addslashes($domain)."'"; $db2->setQuery($query); $r2 = $db2->executequery(); $query = "insert into ripecontactcache (domain, response, time) values ('".addslashes($domain)."', '".addslashes($cache_response)."', ".time().")"; $db2->setQuery($query); $r2 = $db2->executequery(); $db2->close(); } } if ($response != "") { for ($i=0;$i$email
\n"; return $email; } } } } } function dig_lookup ($domain) { global $output; global $config; $soa_contact = ""; $cache_response = ""; $exit_code =0; $cached = false; $response = ""; $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "select * from diglookupcache where domain = '".addslashes($domain)."'"; $db2->setQuery($query); $r2 = $db2->executequery(); if ($r2 >0) { if ($db2->hasMoreElements()) { $row2 = $db2->nextElement(); if (($row2["time"] + $config["spam_cache_time"]) < time()) { $cached = false; // Needs to be updated } else { $cached = true; } } } $db2->close(); } if (($row2 != "") && ($cached)) { $command = "dig -x $domain soa "; $output .= "$command(digging for Start of Authority [cache hit])"; $temp = stripslashes($row2["response"]); $response = explode("\n", $temp); } else { $command = "dig -x $domain soa "; $output .= "$command(digging for Start of Authority)"; unset($response); exec($command,$response,$exit_code); if ($exit_code != 0) { $output .= "- Not Found
\n"; } else if (!is_array($response)) { // $response = explode("\n", $response); } } if (($exit_code == 0) && ($response != "")) { for ($i=0; $i=0;$i--) { $contact = $tok[$i]; if ($fposition = strpos ($contact,".")) break; } $contact1 = substr($contact,0,$fposition++) . "@" . substr($contact,$fposition); $lposition = strrpos ($contact1,"."); $soa_contact = substr($contact1,0,$lposition); } if (!$cached) { $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "delete from diglookupcache where domain='".addslashes($domain)."'"; $db2->setQuery($query); $r2 = $db2->executequery(); $query = "insert into diglookupcache (domain, response, time) values ('".addslashes($domain)."', '".addslashes($cache_response)."', ".time().")"; $db2->setQuery($query); $r2 = $db2->executequery(); $db2->close(); } } if ($soa_contact != "") { $output .= " - $soa_contact
\n"; return $soa_contact; } } function arin_lookup ($domain) { global $output; global $config; $exit_code =0; $cached = false; $response = ""; $cache_response = ""; $coordinator = ""; $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "select * from arinlookupcache where domain = '".addslashes($domain)."'"; $db2->setQuery($query); $r2 = $db2->executequery(); if ($r2 >0) { if ($db2->hasMoreElements()) { $row2 = $db2->nextElement(); if (($row2["time"] + $config["spam_cache_time"]) < time()) { $cached = false; // Needs to be updated } else { $cached = true; } } } $db2->close(); } if (($row2 != "") && ($cached)) { $command = "whois $domain@whois.arin.net "; $temp = stripslashes($row2["response"]); $response = explode("\n", $temp); } else { $cache_response = ""; $command = "whois $domain@whois.arin.net "; $fp = fsockopen("whois.arin.net", 43, &$errno, &$errstr, 10); if(!$fp) { $output .= "Could not open connection to $server on port 43.\n"; $output .= "$errstr ($errno)\n"; } else { $output .= "$command"; fputs($fp,"$domain\r\n"); while(!feof($fp)) { $line = fgets($fp,128); if ($cache_response != "" ) { $cache_response .= "\n"; } $cache_response .= $line; } fclose($fp); } $response = explode("\n", $cache_response); } if ((!$cached) && ($cache_response != "")) { $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "delete from arinlookupcache where domain='".addslashes($domain)."'"; $db2->setQuery($query); $r2 = $db2->executequery(); $query = "insert into arinlookupcache (domain, response, time) values ('".addslashes($domain)."', '".addslashes($cache_response)."', ".time().")"; $db2->setQuery($query); $r2 = $db2->executequery(); $db2->close(); } } if ($response != "") { for ($i=0;$i

Spam abuser v".$version."


"); $openRelays = ""; $nbOpenRelays = 0; $origin = ""; $nbOrigin = 0; $mailInMessage = ""; $nbMailInMessage = 0; $sitesInMessage = ""; $nbSitesInMessage = 0; $addresses = ""; $nbAddresses = 0; $emailAnalysed = ""; $wwwAnalysed = ""; function checkDomain($domain, &$suspicious, &$alreadyReported) { global $output; debug("Checking domain ".$domain); $contactInfo = ""; $domain = ltrim(chop($domain)); $output .= "

Tracking $domain:
"; if (valid_ip($domain)) { if (substr($domain, 0, 5) == "127.0") { $output .= "This is an intranet address, useless
"; } else if (substr($domain, 0, 3) == "10.") { $output .= "This is an intranet address, useless
"; } else if (substr($domain, 0, 2) == "0.") { $output .= "This address is obviously a fake, ignoring
"; } else { $ip = iplookup($domain); $pieces = explode(".",strrev($ip)); $host = strrev($pieces[0].".".$pieces[1]); $namelookup = namelookup($ip); if (trim($namelookup) == trim($domain)) { $output .= "paranoid reverse DNS passes, checking abuse.net records
\n"; $contacts = lookup($host,"whois.abuse.net"); } else { $output .= "paranoid reverse DNS DID NOT pass, treat this address with caution
\n"; $suspicious = TRUE; } // common functions once I get a standard format $name = dig_lookup($domain); if (!$name) { $last_dec_pos = strrpos ($domain, "."); $short_resolved = (substr($domain,0, $last_dec_pos)); $name = dig_lookup($short_resolved); if (!$name) { $name = arin_lookup($domain); $contacts = lookup($name,"whois.abuse.net"); } } elseif (stristr($name,"krnic.net")) { $name = lookup($domain, "whois.krnic.net"); } $reverseip = reverseip($domain); // $output .= "Checking MAPS... "; // $maps = addresslookup("$reverseip.rbl.maps.vix.com."); // $output .= "Checking ORBL... "; // $orbl = addresslookup("$reverseip.or.orbl.org."); $output .= "Checking ORBZ... "; $orbz = addresslookup("$reverseip.inputs.orbz.org."); $orbz = $orbz | addresslookup("$reverseip.outputs.orbz.org."); $output .= "Checking Spamcop... "; $spamcop = addresslookup("$reverseip.bl.spamcop.net."); $output .= "Checking ORDB... "; $ordb = addresslookup("$reverseip.relays.ordb.org."); $output .= "Checking black hole... "; $blackhole = addresslookup("$reverseip.blackholes.mail-abuse.org."); $output .= "Checking dialup abuse list... "; $dialupabuse = addresslookup("$reverseip.dialups.mail-abuse.org."); $output .= "Checking Spamhaus... "; $osirusoft = addresslookup("$reverseip.relays.osirusoft.com."); $output .= "Checking Dorkslayers blacklist... "; $dorkslayers = addresslookup("$reverseip.orbs.dorkslayers.com."); $output .= "

Statistics:
"; if ($dorkslayers | $spamcop | $maps | $orbl | $orbz | $ordb | $blackhole | $dialupabuse | $osirusoft) { $output .= "This is a known spam site, filters would catch this
\n"; $alreadyReported = TRUE; } if ($contacts || $name) { $output .= "Found abuse address: "; $output .= "$contacts "; $output .= "$name
"; $contactInfo = $contacts." ".$name; } } } debug("Found ".$contactInfo); return $contactInfo; } if ($op == "check") { $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "select * from spamtracking where spamid = '".addslashes($spamid)."'"; $db2->setQuery($query); $r2 = $db2->executequery(); if ($r2 >0) { if ($db2->hasMoreElements()) { $row2 = $db2->nextElement(); $output .= "The analysis of the spam message that has been provided was performed on the ".date("d/m/Y H:i", $row2["time"]).". Here are the results:

\n"; $output .= stripslashes($row2["analysis"]); } } $replies = ""; // Check for existing replies $query = "select * from spamreplies where spamid = '".addslashes($spamid)."'"; $db2->setQuery($query); $r2 = $db2->executequery(); if ($r2 >0) { while ($db2->hasMoreElements()) { $row2 = $db2->nextElement(); $replies .= str_replace("\n", "
", stripslashes($row2["reply"]))."
\n
\n


\n
\n
\n"; } } if ($replies != "") { $output .= "This spam report has received the following replies:
\n
\n".$replies; } $db2->close(); } } else if ($op == "analyse") { $alreadyanalysed = FALSE; $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $spamid = md5($message); $query = "select * from spamtracking where spamid = '".$spamid."'"; $db2->setQuery($query); $r2 = $db2->executequery(); if ($r2 >0) { if ($db2->hasMoreElements()) { $row2 = $db2->nextElement(); $alreadyanalysed = TRUE; $output .= "This message has already been analysed on the ".date("d/m/Y H:i", $row2["time"]).". You can find the results of the analysis here: ".propagateAttributes($config["httpbase"]."spamabuser.php3?op=check&spamid=".$spamid).".
"; } } $db2->close(); } if (!$alreadyanalysed) { $header = ""; $nbHeaderLines = 0; $lines = explode("\n", $message); $passedHeader = FALSE; $output .= "

Reading email
"; $spamid = md5($message); for ($i=0; $i"; if ($messageidPassed) { $address[$nbAddresses]["suspicious"] = TRUE; } else { $address[$nbAddresses]["suspicious"] = FALSE; } $nbHeaderLines++; $nbAddresses++; } } if ((eregi("@", $lines[$i]) && eregi("From:", $lines[$i])) || (eregi("@", $lines[$i]) && eregi("Return-Path:", $lines[$i]))) { // Extracts email address $words = split("[ ,/(){}\"<>:;\!\?]", $lines[$i]); for ($j=0; $j"; $nbOrigin++; } } } if (eregi("@", $lines[$i]) && ($headerPassed == TRUE) && !eregi("Message-Id:", $lines[$i])) { // Extracts email address $words = split("[ ,/(){}\"<>:;\!\?]", $lines[$i]); for ($j=0; $j"; $nbMailInMessage++; } } } if (eregi("http:", $lines[$i])) { // Extracts web address $words = split("[ ,/(){}\"<>:;\!\?]", $lines[$i]); for ($j=0; $j"; $nbSitesInMessage++; } } } if (eregi("Message-id:", $lines[$i])) { $messageidPassed = TRUE; } if (ltrim(Chop($lines[$i])) == "") { $headerPassed = TRUE; } } } $output .= "
Now checking email addresses from which the spam seems to originate.
"; for ($i=0; $i<$nbOrigin; $i++) { $email = $origin[$i]["email"]; $domain = substr($email, strpos($email, "@")+1); $site = $domain; if (($emailAnalysed[$domain]["domain"] != $domain) && ($domain != "")) { $output .= "
Checking $domain
"; $emailAnalysed[$domain]["domain"] = $domain; $suspicious = FALSE; $alreadyReported = FALSE; if ($domain != "") { $mx = ""; if (getmxrr($domain, $mx)) { $contacts = ""; for ($j=0; $j"; $localcontacts = checkDomain(namelookup($mx[$j]), $suspicious, $alreadyReported); if (!eregi($localcontacts, $contacts)) { $contacts .= $localcontacts." "; } $output .= "
"; } } else { $output .= "No MX record available
"; $contacts = checkDomain(namelookup($domain), $suspicious, $alreadyReported); } if ($contacts != "") { $origin[$i]["contact"] = $contacts; if ($suspicious) { $origin[$i]["suspicious"] = TRUE; } if ($alreadyReported) { $origin[$i]["alreadyReported"] = TRUE; } $emailAnalysed[$site]["contact"] = $contacts; $emailAnalysed[$site]["suspicious"] = $suspicious; $emailAnalysed[$site]["alreadyReported"] = $alreadyReported; } } $output .= "
"; } else { $origin[$i]["contact"] = $emailAnalysed[$domain]["contact"]; $origin[$i]["suspicious"] = $emailAnalysed[$domain]["suspicious"]; $origin[$i]["alreadyReported"] = $emailAnalysed[$domain]["alreadyReported"]; } } $output .= "
Now checking server addresses found in the header.
"; for ($i=0; $i<$nbAddresses; $i++) { $domain = $address[$i]["ip"]; if (($wwwAnalysed[$domain]["domain"] != $domain) && ($domain != "")) { $wwwAnalysed[$domain]["domain"] = $domain; $suspicious = FALSE; $alreadyReported = FALSE; $contacts = checkDomain($domain, $suspicious, $alreadyReported); if ($contacts != "") { if ($address[$i]["suspicious"]) { $suspicious = TRUE; $output .= "Received line appears after end of headers, suspicious, could be fake chain
"; } $openRelays[$nbOpenRelays]["ip"] = $domain; $openRelays[$nbOpenRelays]["contact"] = $contacts; if ($suspicious) { $openRelays[$nbOpenRelays]["suspicious"] = TRUE; } if ($alreadyReported) { $openRelays[$nbOpenRelays]["alreadyReported"] = TRUE; } $wwwAnalysed[$domain]["contact"] = $contacts; $wwwAnalysed[$domain]["suspicious"] = $suspicious; $wwwAnalysed[$domain]["alreadyReported"] = $alreadyReported; $nbOpenRelays++; } $output .= "
"; } else { } } $output .= "
Now checking email addresses found in the message.
"; for ($i=0; $i<$nbMailInMessage; $i++) { $email = $mailInMessage[$i]["email"]; $domain = substr($email, strpos($email, "@")+1); if (($emailAnalysed[$domain]["domain"] != $domain) && ($domain != "")) { $output .= "
Checking $domain
"; $emailAnalysed[$domain]["domain"] = $domain; $suspicious = FALSE; $alreadyReported = FALSE; if ($domain != "") { $mx = ""; if (getmxrr($domain, $mx)) { $contacts = ""; for ($j=0; $j"; $localcontacts = checkDomain(namelookup($mx[$j]), $suspicious, $alreadyReported)." "; if (!eregi($localcontacts, $contacts)) { $contacts .= $localcontacts." "; } $output .= "
"; } } else { $output .= "No MX record available
"; $contacts = checkDomain(namelookup($domain), $suspicious, $alreadyReported); } if ($contacts != "") { $mailInMessage[$i]["contact"] = $contacts; if ($suspicious) { $mailInMessage[$i]["suspicious"] = TRUE; } if ($alreadyReported) { $mailInMessage[$i]["alreadyReported"] = TRUE; } $emailAnalysed[$domain]["domain"]["contact"] = $contacts; $emailAnalysed[$domain]["domain"]["suspicious"] = $suspicious; $emailAnalysed[$domain]["alreadyReported"] = $alreadyReported; } } $output .= "
"; } else { $mailInMessage[$i]["contact"] = $emailAnalysed[$domain]["contact"]; $mailInMessage[$i]["suspicious"] = $emailAnalysed[$domain]["suspicious"]; $mailInMessage[$i]["alreadyReported"] = $emailAnalysed[$domain]["alreadyReported"]; } } $output .= "
Now checking web sites addresses found in the message.
"; for ($i=0; $i<$nbSitesInMessage; $i++) { $site = $sitesInMessage[$i]["site"]; $domain = $site; $properDomain = process_ip($domain); if (($wwwAnalysed[$domain]["domain"] != $domain) && ($domain != "")) { $output .= "
Checking $domain
"; if ($domain != $properDomain) { $output .= "Spammer plays clever or this is random stuff: proper domain is ".$properDomain."
\n"; } $wwwAnalysed[$domain]["domain"] = $domain; $domain = namelookup($properDomain); $suspicious = FALSE; $alreadyReported = FALSE; if ($domain != "") { $contacts = checkDomain($domain, $suspicious, $alreadyReported); if ($contacts != "") { $sitesInMessage[$i]["contact"] = $contacts; if ($suspicious) { $sitesInMessage[$i]["suspicious"] = TRUE; } if ($alreadyReported) { $sitesInMessage[$i]["alreadyReported"] = TRUE; } $wwwAnalysed[$site]["contact"] = $sitesInMessage[$i]["contact"]; $wwwAnalysed[$site]["suspicious"] = $sitesInMessage[$i]["suspicious"]; $wwwAnalysed[$site]["alreadyReported"] = $alreadyReported; } } $output .= "
"; } else { $sitesInMessage[$i]["contact"] = $wwwAnalysed[$domain]["contact"]; $sitesInMessage[$i]["suspicious"] = $wwwAnalysed[$domain]["suspicious"]; $sitesInMessage[$i]["alreadyReported"] = $wwwAnalysed[$domain]["alreadyReported"]; } } $domain = ""; $output .= "

Summary:
"; if ($nbOrigin >0) { $output .= "Email address(es) from which the spam seems to originate (this is usually fake, you might want to ignore):
"; for ($i=0; $i<$nbOrigin; $i++) { if ($origin[$i]["contact"] != "") { $output .= $origin[$i]["email"].", contact "; $mails = explode(" ", $origin[$i]["contact"]); $recipients = ""; for ($j=0; $j".$mails[$j]." "; if ($recipients != "") { $recipients .= ","; } $recipients .= $mails[$j]; } } if ($origin[$i]["suspicious"]) { $output .= " [suspicious]"; } if ($origin[$i]["alreadyReported"]) { $output .= " [blacklisted] "; } if (($recipients != "") && ($sendmail)) { $output .= " ".printEmailLink($config["smtp_from"], $recipients, $subject, $emailheader.$message, $spamid); } } else { $output .= $origin[$i]["email"].", no satisfactory contact info found"; } $output .= "
\n"; } $output .= "
\n"; } if ($nbOpenRelays >0) { $output .= "Site(s) with open relay:
"; for ($i=0; $i<$nbOpenRelays; $i++) { $output .= $openRelays[$i]["ip"].", contact "; $mails = explode(" ", $openRelays[$i]["contact"]); $recipients = ""; for ($j=0; $j".$mails[$j]." "; } if ($recipients != "") { $recipients .= ","; } $recipients .= $mails[$j]; } if ($openRelays[$i]["suspicious"]) { $output .= " [suspicious]"; } if ($openRelays[$i]["alreadyReported"]) { $output .= " [blacklisted]"; } if (($recipients != "") && ($sendmail)) { $output .= " ".printEmailLink($config["smtp_from"], $recipients, $subject, $emailheader.$message, $spamid); } $output .= "
\n"; } $output .= "
\n"; } if ($nbMailInMessage >0) { $output .= "Email address(es) found in message:
"; for ($i=0; $i<$nbMailInMessage; $i++) { if ($mailInMessage[$i]["contact"] != "") { $output .= $mailInMessage[$i]["email"].", contact "; $mails = explode(" ", $mailInMessage[$i]["contact"]); $recipients = ""; for ($j=0; $j".$mails[$j]." "; } if ($recipients != "") { $recipients .= ","; } $recipients .= $mails[$j]; } if ($mailInMessage[$i]["suspicious"]) { $output .= " [suspicious]"; } if ($mailInMessage[$i]["alreadyReported"]) { $output .= " [blacklisted]"; } if (($recipients != "") && ($sendmail)) { $output .= " ".printEmailLink($config["smtp_from"], $recipients, $subject, $emailheader.$message, $spamid); } } else { $output .= $mailInMessage[$i]["email"].", no satisfactory contact info found"; } $output .= "
\n"; } $output .= "
\n"; } if ($nbSitesInMessage >0) { $output .= "Site(s) found in message:
"; for ($i=0; $i<$nbSitesInMessage; $i++) { if ($sitesInMessage[$i]["contact"] != "") { $output .= $sitesInMessage[$i]["site"].", contact "; $mails = explode(" ", $sitesInMessage[$i]["contact"]); $recipients = ""; for ($j=0; $j".$mails[$j]." "; } if ($recipients != "") { $recipients .= ","; } $recipients .= $mails[$j]; } if ($sitesInMessage[$i]["suspicious"]) { $output .= " [suspicious]"; } if ($sitesInMessage[$i]["alreadyReported"]) { $output .= " [blacklisted]"; } if (($recipients != "") && ($sendmail)) { $output .= " ".printEmailLink($config["smtp_from"], $recipients, $subject, $emailheader.$message, $spamid); } } else { $output .= $sitesInMessage[$i]["site"].", no satisfactory contact info found"; } $output .= "
\n"; } $output .= "
\n"; } if ($tracking) { $db2 = new myDB($config["sqlserver"], $config["sqluser"], $config["sqlpassword"], $config["sqldatabase"]); if ($db2) { $query = "INSERT into spamtracking (spamid, spam, analysis, time) VALUES ('".$spamid."', '".addslashes($message)."', '".addslashes($output)."', ".time().")"; $db2->setQuery($query); $r2 = $db2->executequery(); $db2->close(); } } $output .= "

You can access this analysis again at any time by following this link: ".propagateAttributes($config["httpbase"]."spamabuser.php3?op=check&spamid=".$spamid).".
"; $output .= "

You can now select the addresses relevant to the spam message and send a complaint to the corresponding contact address. If you do so, do not forget to send a copy of the spam message with all headers to allow system administrators to analyse the spam themselves.
"; $output .= "Note that in the summary, addresses marked as \"suspicious\" should not be used as a complaint recipient unless you are sure of what you do. Addresses marked as \"blacklisted\" already appear in blocking lists, therefore do not need to be reported again.

"; $output .= "ATTENTION: Report only email addresses and web sites which you think are used by the spammer. If you are unsure, do not send any complaint to system administrators. Please do not waste their time if this is not spam. The last thing we want is for administrators to stop taking these spam reports seriously.
"; } } else if ($op=="sendmail") { // This is not very secure. A better technique should be used. if (substr($HTTP_REFERER, 0, strlen($config["httpbase"]."spamabuser.php3")) == $config["httpbase"]."spamabuser.php3") { sendmail($from, $to, $subject, $body); print("Email to ".$to." has been sent"); } else { print("Illegal operation.
\n"); } } print($output); ?> \n"); ?> \n"); ?> \n"); ?> Abuse Contact Tracker:
Paste a spam email: full headers, empty line, then body of the message


Disclaimer: this facility is experimental and is being tested. Although all care was taken in order to produce accurate results, it is possible that some spam analyses result in the wrong contact addresses being fetched.

"); printBottom(); ?>