From 8e8f7b4d5325df20b2b3e27a55580146f81773a8 Mon Sep 17 00:00:00 2001
From: nico
Date: Wed, 15 May 2019 10:45:23 +0200
Subject: makeshift abusereport generator script
+ add temporary abusereport generator script
---
 .gitignore | 2 +-
 abusereport-domain.sh | 102 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 103 insertions(+), 1 deletion(-)
 create mode 100755 abusereport-domain.sh
diff --git a/.gitignore b/.gitignore
index d99bddd..c17170a 100755
--- a/.gitignore
+++ b/.gitignore
@@ -129,5 +129,5 @@ pip-selfcheck.json
 # do not index databases or logfiles
 *.log
 *.db
-abuse*
+abuse-*
 spam*
diff --git a/abusereport-domain.sh b/abusereport-domain.sh
new file mode 100755
index 0000000..91590db
--- /dev/null
+++ b/abusereport-domain.sh
@@ -0,0 +1,102 @@
+#!/bin/sh
+#
+# This script will generate an abuse report based on data stored in spam.db
+# for a supplied XMPP domain.
+#
+# The report will contain:
+#
+# - the abuse contact for the server IP
+# - a form letter with evidence
+# - an attachment with the bot JIDs
+# - an attachment with the top 10 most often message body values
+
+domain=$1
+
+[ -z "$domain" ] && {
+ sqlite3 -column -header spam.db "SELECT COUNT(*) AS messages,COUNT(DISTINCT user) AS bots,domain AS 'domain' FROM spam GROUP BY domain ORDER BY 1 DESC LIMIT 10"
+ return
+}
+
+date=$(date +%F)
+
+srv=$( ( dig +short SRV "_xmpp-client._tcp.$domain" | grep . || echo "0 0 5222 $domain" ) | sort -n | sed -e 's/[[:digit:]]\+[[:space:]]\+//g' -e 's/\.$//')
+ips=$domain
+if [ "$srv" ] ; then
+ # resolve the XMPP server, filter out host names (CNAMEs),
+ # aggregate into one line
+ ips=$(dig +short $srv | grep -v '\.$' | tr '\n' ' ')
+
+ for ip in $ips ; do
+ whois=$(whois -b $ip | grep -v '^%'|grep -v '^$')
+ abuse=$(echo "$whois"|awk '/^abuse-mailbox:/ {print $2}')
+ done
+fi
+
+SUBJECT="XMPP spam report for $domain / $ips"
+SUMMARY=$(sqlite3 -column -header spam.db "SELECT COUNT(*) AS messages,COUNT(DISTINCT user) AS bots,domain FROM spam WHERE domain='$domain'")
+
+
+cat < abuse-$date-$domain.txt
+
+LOGS=abuse-$date-$domain-logs.txt
+JIDS=abuse-$date-$domain-JIDs.txt
+
+sqlite3 spam.db "SELECT char(10)||MIN(ts)||' - '||MAX(ts)||char(10)||COUNT(*)||' messages:'||char(10)||'========================================================================'||char(10)||message||char(10)||'========================================================================' FROM spam WHERE domain='$domain' GROUP BY message ORDER BY COUNT(*) DESC LIMIT 10" > $LOGS
+
+# first / last record
+echo "first seen:" $(sqlite3 spam.db "SELECT ts FROM spam WHERE domain='$domain' ORDER BY ts LIMIT 1")
+echo "last seen:" $(sqlite3 spam.db "SELECT ts FROM spam WHERE domain='$domain' ORDER BY ts DESC LIMIT 1")
+
+# without 
number of messages
+sqlite3 spam.db "SELECT user || '@' || domain as jid FROM spam WHERE domain='$domain' GROUP BY user ORDER BY 1" > $JIDS
+# with number of messages
+#sqlite3 spam.sqlite "SELECT COUNT(*),user || '@' || domain as jid FROM spam WHERE domain='$domain' GROUP BY user ORDER BY 2"
+
+echo $LOGS
+echo $JIDS
+#cat abuse-$date-$domain.txt
+
+#echo mutt $abuse -i abuse-$date-$domain.txt -s \"$SUBJECT\" -a $LOGS -a $JIDS
-- cgit v1.2.3-54-g00ecf
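Review bot: `$domain` is taken verbatim from `$1` and spliced into every sqlite3 statement (`WHERE domain='$domain'`), into the `dig` lookup and into the output file names, so a value containing a single quote breaks or rewrites the query and one containing `/` escapes the working directory; the domains this is run against are the ones the no-argument mode lists from spam.db, i.e. values chosen by the spammers, so they should be treated as untrusted. A character whitelist placed right after the empty-argument block keeps every later use safe: `case $domain in *[!A-Za-z0-9.-]*) printf 'refusing domain with unexpected characters: %s\n' "$domain" >&2; exit 2 ;; esac`. The `return` in that empty-argument block is outside any function, which under `#!/bin/sh` is an error in bash and unspecified by POSIX, so the script may fall through and run the whole report with an empty domain; `exit 0` is what is meant. In the `for ip in $ips` loop `abuse` is reassigned on every iteration, so only the last address's abuse-mailbox survives, and `$srv`/`$ips` are expanded unquoted on purpose for word-splitting, which deserves a `# intentional word-splitting` comment so it is not "fixed" later. As rendered here, `cat < abuse-$date-$domain.txt` reads the report file rather than writing the form letter, and the hunk shows far fewer than the 102 lines in the header; presumably a `cat <<EOF > …` heredoc was lost in this page's rendering, so the letter body could not be reviewed.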