is_spammer.bash
Prerequisites
- bash
  - version 2.05b or 3.00 (bash --version)
    A version of bash which supports arrays. Array support is included
    in default bash configurations.
- dig
  - version 9.x.x (dig $HOSTNAME, see first line of output)
    A version of dig which supports the +short option. See: dig_wrappers.bash
    for details.
Optional Prerequisites
- named
  - A local DNS caching program. Any flavor will do.
    Do twice: dig $HOSTNAME
    Check near the bottom of the output for: SERVER: 127.0.0.1#53
    That means you have one running.
Optional Graphics Support
- date
  - A standard *nix thing. (date -R)
- dot
  - Program to convert a graphic description file to a diagram. (dot -V)
    A part of the Graph-Viz set of programs. See: GraphViz http://www.research.att.com/sw/tools/graphviz
- dotty
  - A visual editor for graphic description files.
    Also a part of the Graph-Viz set of programs.
Quick Start
In the same directory as the is_spammer.bash script:
Do: ./is_spammer.bash
Usage Details
- Blacklist server choices.
  - To use the default, built-in list: Do nothing.
  - To use your own list:
    - Create a file with a single Blacklist server domain name per line.
    - Provide that filename as the last argument to the script.
  - To use a single Blacklist server: Provide its domain name as the last
    argument to the script.
  - To disable Blacklist lookups:
    - Create an empty file (touch spammer.nul)
      Your choice of filename.
    - Provide the filename of that empty file as the last argument to the
      script.
- Search depth limit.
  - To use the default value of 2: Do nothing.
  - To set a different limit:
    A limit of 0 means: no limit.
    - export SPAMMER_LIMIT=1
      or whatever limit you want.
    - OR provide the desired limit as the first argument to the script.
- Optional execution trace log.
  - To use the default setting of no log output: Do nothing.
  - To write an execution trace log:
    export SPAMMER_TRACE=spammer.log
    or whatever filename you want.
- Optional graphic description file.
  - To use the default setting of no graphic file: Do nothing.
  - To write a Graph-Viz graphic description file:
    export SPAMMER_DATA=spammer.dot
    or whatever filename you want.
- Where to start the search.
  - Starting with a single domain name:
    - Without a command line search limit: First argument to the script.
    - With a command line search limit: Second argument to the script.
  - Starting with a single IP address:
    - Without a command line search limit: First argument to the script.
    - With a command line search limit: Second argument to the script.
  - Starting with (mixed) multiple name(s) and/or address(es):
    Create a file with one name or address per line;
    your choice of filename.
    - Without a command line search limit: Filename as first argument to
      the script.
    - With a command line search limit: Filename as second argument to the
      script.
- What to do with the display output.
  - To view display output on screen: Do nothing.
  - To save display output to a file: Redirect stdout to a filename.
  - To discard display output: Redirect stdout to /dev/null.
- Temporary end of decision making.
  Press return.
  Wait (optionally, watch the dots and colons).
- Optionally check the return code.
  - Return code 0: All OK
  - Return code 1: Script setup failure
  - Return code 2: Something was blacklisted.
- Where is my graph (diagram)?
  The script does not directly produce a graph (diagram). It only produces
  a graphic description file. You can process the graphic descriptor
  file that was output with the 'dot' program.
  Until you edit that descriptor file to describe the relationships
  you want shown, all that you will get is a bunch of labeled name and
  address nodes.
  All of the script's discovered relationships are within a comment
  block in the graphic descriptor file, each with a descriptive heading.
  The editing required to draw a line between a pair of nodes from the
  information in the descriptor file may be done with a text editor.
  Given these lines somewhere in the descriptor file:

    # Known domain name nodes
    N0000 [label="guardproof.info."] ;
    N0002 [label="third.guardproof.info."] ;
    # Known address nodes
    A0000 [label="61.141.32.197"] ;
    /*
    # Known name->address edges
    NA0000 third.guardproof.info. 61.141.32.197
    # Known parent->child edges
    PC0000 guardproof.info. third.guardproof.info.
    */
  Turn that into the following lines by substituting node identifiers
  into the relationships:

    # Known domain name nodes
    N0000 [label="guardproof.info."] ;
    N0002 [label="third.guardproof.info."] ;
    # Known address nodes
    A0000 [label="61.141.32.197"] ;
    # PC0000 guardproof.info. third.guardproof.info.
    N0000->N0002 ;
    # NA0000 third.guardproof.info. 61.141.32.197
    N0002->A0000 ;
    /*
    # Known name->address edges
    NA0000 third.guardproof.info. 61.141.32.197
    # Known parent->child edges
    PC0000 guardproof.info. third.guardproof.info.
    */
  Process that with the 'dot' program and you have your first network
  diagram.
  In addition to the conventional graphic edges, the descriptor file
  includes similar-format pair data that describes services, zone records
  (sub-graphs?), blacklisted addresses, and other things which might
  be interesting to include in your graph. This additional information
  could be displayed as different node shapes, colors, line sizes, etc.
  The descriptor file can also be read and edited by a bash script (of
  course). You should be able to find most of the functions required
  within the is_spammer.bash script.
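The "substitute node identifiers into the relationships" edit described above can be scripted instead of done by hand. The following is an added example written for this page, not code from is_spammer.bash; it assumes only the descriptor layout shown in the text (node lines of the form N0000 [label="name"] ; and A0000 [label="addr"] ;, and PC/NA pair lines inside the /* ... */ block) and uses the page's own sample descriptor as constructed input.

```shell
#!/bin/sh
# Added example, not part of is_spammer.bash: turn the PC/NA pairs that the
# script leaves inside the /* ... */ block of its Graph-Viz descriptor into
# real dot edges by looking up each name or address in the node lines.
# Assumed layout (as on the page):
#   N0000 [label="name"] ;   A0000 [label="addr"] ;   (node lines)
#   PC0000 parent child      NA0000 name addr          (pair lines)

# Constructed sample descriptor: the page's own example, verbatim.
SAMPLE_DOT='# Known domain name nodes
N0000 [label="guardproof.info."] ;
N0002 [label="third.guardproof.info."] ;
# Known address nodes
A0000 [label="61.141.32.197"] ;
/*
# Known name->address edges
NA0000 third.guardproof.info. 61.141.32.197
# Known parent->child edges
PC0000 guardproof.info. third.guardproof.info.
*/'

# add_edges FILE: print FILE with one "X->Y ;" edge per PC/NA pair inserted
# just before the comment block, each edge preceded by its source pair as a
# comment, matching the hand-edited version shown on the page.
add_edges() {
    awk '
    # Pass 1 over the file: learn label -> node id, collect the pair lines.
    FNR == NR {
        if ($0 ~ /^[NA][0-9]+ \[label="[^"]*"\]/) {
            lbl = $0
            sub(/^[^"]*"/, "", lbl)      # strip up to the opening quote
            sub(/".*$/, "", lbl)         # strip from the closing quote on
            node[lbl] = $1
        } else if ($0 ~ /^(NA|PC)[0-9]+ [^ ]+ [^ ]+$/) {
            pair[++npairs] = $0
        }
        next
    }
    # Pass 2: copy the file, emitting the edges before the first "/*".
    /^\/\*/ && !done {
        done = 1
        for (i = 1; i <= npairs; i++) {
            split(pair[i], f, " ")
            if ((f[2] in node) && (f[3] in node)) {
                print "# " pair[i]
                print node[f[2]] "->" node[f[3]] " ;"
            } else {
                print "# unresolved (no node for one end): " pair[i]
            }
        }
    }
    { print }
    ' "$1" "$1"
}

# demo: run add_edges on the sample via a temporary file and print the result.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_DOT" > "$tmp"
    add_edges "$tmp"
    rm -f "$tmp"
}

demo
```

Run it as `sh edges.sh > edited.dot` (or `add_edges spammer.dot`) and then `dot -Tpng edited.dot -o edited.png` to get the first network diagram the text talks about. Pairs whose name or address has no node line are left as a comment rather than silently dropped, so a truncated descriptor is visible in the output.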
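Returning to the "Blacklist server choices" under Usage Details: a blacklist server is queried over DNS, and the shell below is an added example showing how one such lookup is built and read. It is not code from is_spammer.bash. The query name is the address with its octets reversed followed by the blacklist server's domain; a listed address answers with an A record in 127.0.0.0/8, an unlisted one gets no answer. The zone name bl.example.invalid and the answer values are placeholders constructed for the example; only dnsbl_check touches the network, via dig +short as named in the prerequisites.

```shell
#!/bin/sh
# Added example, not part of is_spammer.bash: forming and reading one
# DNS blacklist lookup. "bl.example.invalid" is a placeholder zone.

# dnsbl_name ADDRESS ZONE: print the name to query (octets reversed, then
# the blacklist domain); fail on anything that is not a valid dotted quad.
dnsbl_name() {
    zone=$2
    saved_ifs=$IFS
    IFS=.
    set -- $1                      # split the dotted quad into $1..$4
    IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            *[!0-9]*|'') return 1 ;;   # not a number
        esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# dnsbl_verdict ANSWER: classify the first line of "dig +short" output.
dnsbl_verdict() {
    case $1 in
        '')     echo clean ;;      # no answer: address is not listed
        127.*)  echo listed ;;     # 127.0.0.x codes mean "on the list"
        *)      echo error ;;      # anything else: broken or wildcarded zone
    esac
}

# dnsbl_check ADDRESS ZONE: live lookup (needs a resolver, see "named" under
# Optional Prerequisites); prints the verdict.
dnsbl_check() {
    name=$(dnsbl_name "$1" "$2") || { echo error; return 1; }
    dnsbl_verdict "$(dig +short "$name" A 2>/dev/null | head -n 1)"
}

# Offline demonstration with constructed answers, using the page's address.
main() {
    name=$(dnsbl_name 61.141.32.197 bl.example.invalid)
    echo "query name: $name"                     # 197.32.141.61.bl.example.invalid
    echo "answer 127.0.0.2 -> $(dnsbl_verdict 127.0.0.2)"   # listed
    echo "empty answer    -> $(dnsbl_verdict '')"           # clean
}
main
```

Reading the answer as a class rather than a literal matters: each blacklist encodes its reason in the low octet of the 127.0.0.x reply, and a reply outside 127.0.0.0/8 usually means the zone has been retired and wildcarded, which would otherwise show every address as "blacklisted" (return code 2 from the script).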
File translated from TeX by TTH, version 3.60. On 28 Sep 2004, 12:41.