My previous article outlined two solutions against the recent spam breakout: blacklisting your own domain and using SPF. This article will introduce a third one: an External Agent for ORF. If you are not interested in the mechanics of a simple External Agent, here is a direct link for the package download (then follow instructions of readme.txt). If you stay with me, I will show you how you can extend ORF by scripts.
The agent we need is not particularly algorithm-heavy, all we need is to compare the sender address to the recipient address. If they match, we have self-sending spam. If they don’t, it’s not self-sending spam.
ORF can pass the addresses as command-line parameters, wait for the script and assuming exit code 1 means a hit, blacklist the email on exit code 1.
So let’s see how our script looks like in VBScript:
If WScript.Arguments.length = 2 Then
‘ get sender and recipient list parameters
strSender = WScript.Arguments(0)
strRecipientList = WScript.Arguments(1)
‘ compare sender to the recipient list – if they match, we have a hit
If StrComp(strSender, strRecipientList, vbTextCompare) = 0 Then
WScript.Echo “Sender and recipient addresses are the same.”
exitCode = 1 ‘ exit code 1 means hit
WScript.Echo “Sender and recipient addresses are different.”
‘ we got less or more than two parameters
WScript.Echo “Invalid number of parameters.”
exitCode = 255 ‘ exit code 255 means error
‘ set exit code
if (WScript.Arguments.length == 2)
// get sender + recipient list parameters and convert them to
// lowercase for case-insensitive comparison
var strSender = new String(WScript.Arguments(0)).toLowerCase();
var strRecipientList = new String(WScript.Arguments(1)).toLowerCase();
// compare sender to the recipient list – if they match, we have a hit
if (strSender == strRecipientList)
WScript.Echo(“Sender and recipient addresses are the same.”);
exitCode = 1; // exit code 1 means hit
WScript.Echo(‘Sender and recipient addresses are different.’);
// we got less or more than two parameters
WScript.Echo(“Invalid number of parameters.”);
exitCode = 255; // exit code 255 means error
// set exit code
We can invoke these scripts using “cscript” (part of WSH) as
When testing from command-line, “echo %ERRORLEVEL%” will tell the (last) exit code.
To turn this whole thing into an External Agent, we create a new agent definition. On the Run tab, point the Agent Executable field to C:\Windows\System32\cscript.exe (make sure the file is there) and in the Parameters box enter
On the exit codes tab, add a new action for exit code 1.
And that’s all, we have a working External Agent.
Pingback: Vamsoft Insider » Self-Sending Spam
Pingback: Self-Sending Spam 2. | The Black Ball
Thanks a lot. I really appreciate you taking time to post this agent.
Wish you and the team a Hapy New Year.
I’m sorry to report that after putting the Agent we were receiving several reports of false positives. We’re going to check the logs and the agent logic as well to understand what’s causing it.
Thanks. False positives may occur if the sender and the recipients are the same. The only legitimate – though quite strange – case is if users are sending emails to themselves *and* these emails get routed to SMTP. Now if that’s the case, there is no way you can use this agent.
Anyway, just wanted to add that the agent is OK. In the agent definition, the path to the script contained whitespace, but was not enclosed in double quotes. This caused cscript to interpret the script file spec as multiple parameters -> script was not found -> cscript returned exit code 1 -> exit code 1 from the script indicates spam -> ORF blacklisted the emails.
So if there are spaces in the path name where you put your script file, make sure to specify it as “C:\My Folder\selfspam.js”, instead of just C:\My Folder\selfspam.js.
the script works fine but i get if sender and recipient are same exit code 0.
If the are different i get exit code 1 .
Any idea ?
Rene, that is actually the expected behaviour, 0 for no hit, 1 for hit.