My previous article outlined two solutions against the recent spam breakout: blacklisting your own domain and using SPF. This article introduces a third one: an External Agent for ORF. If you are not interested in the mechanics of a simple External Agent, here is a direct link for the package download (then follow the instructions in readme.txt). If you stay with me, I will show you how you can extend ORF with scripts.
External Agents are command-line programs that ORF starts with a few parameters, waits for them to finish and takes action based on the program exit code (a.k.a. “ERRORLEVEL” from the DOS times). Otherwise there is nothing special about them, so agents can be written in any programming language, from C++ to PHP. Thus, with the help of the Windows Scripting Host (WSH, shipped with Windows), you can make use of your existing VBScript or JavaScript knowledge for extending ORF.
The agent we need is not particularly algorithm-heavy: all it has to do is compare the sender address to the recipient address. If they match, we have self-sending spam. If they don’t, it’s not self-sending spam.
ORF can pass the addresses as command-line parameters, wait for the script to finish and, given that exit code 1 means a hit, blacklist the email on exit code 1.
So let’s see what our script looks like in VBScript:
```vbscript
exitCode = 0 ' exit code 0 means no hit

If WScript.Arguments.length = 2 Then
    ' get sender and recipient list parameters
    strSender = WScript.Arguments(0)
    strRecipientList = WScript.Arguments(1)

    ' compare sender to the recipient list - if they match, we have a hit
    If StrComp(strSender, strRecipientList, vbTextCompare) = 0 Then
        WScript.Echo "Sender and recipient addresses are the same."
        exitCode = 1 ' exit code 1 means hit
    Else
        WScript.Echo "Sender and recipient addresses are different."
    End If
Else
    ' we got less or more than two parameters
    WScript.Echo "Invalid number of parameters."
    exitCode = 255 ' exit code 255 means error
End If

' set exit code
WScript.Quit exitCode
```
Same stuff in JavaScript:
```javascript
var exitCode = 0; // exit code 0 means no hit

if (WScript.Arguments.length == 2)
{
    // get sender + recipient list parameters and convert them to
    // lowercase for case-insensitive comparison
    var strSender = new String(WScript.Arguments(0)).toLowerCase();
    var strRecipientList = new String(WScript.Arguments(1)).toLowerCase();

    // compare sender to the recipient list - if they match, we have a hit
    if (strSender == strRecipientList)
    {
        WScript.Echo("Sender and recipient addresses are the same.");
        exitCode = 1; // exit code 1 means hit
    }
    else
    {
        WScript.Echo("Sender and recipient addresses are different.");
    }
}
else
{
    // we got less or more than two parameters
    WScript.Echo("Invalid number of parameters.");
    exitCode = 255; // exit code 255 means error
}

// set exit code
WScript.Quit(exitCode);
```
We can invoke these scripts using “cscript” (part of WSH) as
When testing from the command line, “echo %ERRORLEVEL%” shows the last exit code.
To turn this whole thing into an External Agent, we create a new agent definition. On the Run tab, point the Agent Executable field to C:\Windows\System32\cscript.exe (make sure the file is there) and in the Parameters box enter
On the exit codes tab, add a new action for exit code 1.
And that’s all, we have a working External Agent.
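A hardened variant of the JavaScript agent, as an added example (not part of the original article or its download package): it normalizes both addresses, never treats an empty sender as a hit, and signals a hit with exit code 2, an assumed value chosen so that cscript's own exit code 1 on a failed launch (the quoting problem reported in the comments below) is not read as a hit. The names normalizeAddress, agentExitCode and the EXIT_ constants are hypothetical.

```javascript
// Added example: hardened variant of the self-sending-spam check.
// Written in ES3 style so the same file runs under cscript (JScript) and Node.
var EXIT_NO_HIT = 0;
var EXIT_HIT = 2;     // assumption: deliberately not 1, the code cscript returned
                      // when it could not find the script (see the comments)
var EXIT_ERROR = 255; // same error code as the article's scripts

// Trim whitespace, drop one pair of surrounding angle brackets, lowercase.
function normalizeAddress(raw) {
    var s = String(raw).replace(/^\s+|\s+$/g, "");
    if (s.charAt(0) == "<" && s.charAt(s.length - 1) == ">") {
        s = s.substring(1, s.length - 1);
    }
    return s.replace(/^\s+|\s+$/g, "").toLowerCase();
}

// args: array of command-line parameters, [sender, recipientList].
function agentExitCode(args) {
    if (args.length != 2) {
        return EXIT_ERROR;
    }
    var sender = normalizeAddress(args[0]);
    var recipients = normalizeAddress(args[1]);
    // An empty sender (empty string or "<>", as on bounce messages)
    // never counts as a hit, even if the other parameter is empty too.
    if (sender == "") {
        return EXIT_NO_HIT;
    }
    return sender == recipients ? EXIT_HIT : EXIT_NO_HIT;
}

// Under cscript, copy WScript.Arguments into an array and quit with the result.
if (typeof WScript != "undefined") {
    var argv = [];
    for (var i = 0; i < WScript.Arguments.length; i++) {
        argv.push(WScript.Arguments(i));
    }
    WScript.Quit(agentExitCode(argv));
}
```

With this variant, the action on the exit codes tab has to be defined for exit code 2 instead of 1.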
Hi Peter,
Thanks a lot. I really appreciate you taking time to post this agent.
Wish you and the team a Happy New Year.
Best regards.
I’m sorry to report that after putting the Agent we were receiving several reports of false positives. We’re going to check the logs and the agent logic as well to understand what’s causing it.
Prayag,
Thanks. False positives may occur if the sender and the recipients are the same. The only legitimate – though quite strange – case is if users are sending emails to themselves *and* these emails get routed to SMTP. Now if that’s the case, there is no way you can use this agent.
Anyway, just wanted to add that the agent is OK. In the agent definition, the path to the script contained whitespace, but was not enclosed in double quotes. This caused cscript to interpret the script file spec as multiple parameters -> script was not found -> cscript returned exit code 1 -> exit code 1 from the script indicates spam -> ORF blacklisted the emails.
So if there are spaces in the path name where you put your script file, make sure to specify it as “C:\My Folder\selfspam.js”, instead of just C:\My Folder\selfspam.js.
The script works fine, but I get exit code 0 if sender and recipient are the same.
If they are different I get exit code 1.
Any idea?
regards rene
Rene, that is actually the expected behaviour, 0 for no hit, 1 for hit.