Self-Sending Spam 2.

My previous article outlined two solutions against the recent spam breakout: blacklisting your own domain and using SPF. This article introduces a third one: an External Agent for ORF. If you are not interested in the mechanics of a simple External Agent, here is a direct link for the package download (then follow the instructions in readme.txt). If you stay with me, I will show you how you can extend ORF with scripts.

External Agents are command-line programs that ORF starts with a few parameters. ORF waits for the program to finish and takes action based on its exit code (a.k.a. “ERRORLEVEL” from the DOS times). Otherwise there is nothing special about them, so agents can be written in any programming language, from C++ to PHP. Thus, with the help of the Windows Script Host (WSH, shipped with Windows), you can make use of your existing VBScript or JavaScript knowledge for extending ORF.

The agent we need is not particularly algorithm-heavy: all it has to do is compare the sender address to the recipient address. If they match, we have self-sending spam. If they don’t, it’s not self-sending spam.
ORF can pass the addresses as command-line parameters and wait for the script to finish. If we decide that exit code 1 means a hit, ORF can blacklist the email whenever the script exits with code 1.

So let’s see what our script looks like in VBScript:

exitCode = 0 ' exit code 0 means no error, no hit

If WScript.Arguments.length = 2 Then
  ' get sender and recipient list parameters
  strSender = WScript.Arguments(0)
  strRecipientList = WScript.Arguments(1)

  ' compare sender to the recipient list - if they match, we have a hit
  If StrComp(strSender, strRecipientList, vbTextCompare) = 0 Then
    WScript.Echo "Sender and recipient addresses are the same."
    exitCode = 1 ' exit code 1 means hit
  Else
    WScript.Echo "Sender and recipient addresses are different."
  End If
Else
  ' we got less or more than two parameters
  WScript.Echo "Invalid number of parameters."
  exitCode = 255 ' exit code 255 means error
End If

' set exit code
WScript.Quit exitCode

Same stuff in JavaScript:

var exitCode = 0; // exit code 0 means no error, no hit

if (WScript.Arguments.length == 2)
{
  // get sender + recipient list parameters and convert them to
  // lowercase for case-insensitive comparison
  var strSender = new String(WScript.Arguments(0)).toLowerCase();
  var strRecipientList = new String(WScript.Arguments(1)).toLowerCase();

  // compare sender to the recipient list - if they match, we have a hit
  if (strSender == strRecipientList)
  {
    WScript.Echo("Sender and recipient addresses are the same.");
    exitCode = 1; // exit code 1 means hit
  }
  else
  {
    WScript.Echo("Sender and recipient addresses are different.");
  }
}
else
{
  // we got less or more than two parameters
  WScript.Echo("Invalid number of parameters.");
  exitCode = 255; // exit code 255 means error
}

// set exit code
WScript.Quit(exitCode);

We can invoke these scripts using “cscript” (part of WSH) as

cscript /nologo selfspam.js sender@example.org recipient@example.org

When testing from the command line, “echo %ERRORLEVEL%” will show the (last) exit code.

To turn this whole thing into an External Agent, we create a new agent definition. On the Run tab, point the Agent Executable field to C:\Windows\System32\cscript.exe (make sure the file is there) and in the Parameters box enter

/nologo C:\MyFirstAgent\selfspam.js {SENDER} {RECIPIENTS}

On the exit codes tab, add a new action for exit code 1.

And that’s all, we have a working External Agent.
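A more defensive variant of the JavaScript agent, added here as an example and not part of the original package: it reports a hit with exit code 10 instead of 1, because (as the author explains in the comments below) cscript itself exits with 1 when it cannot find the script, and ORF then treats that failure as a hit. It also goes beyond the article's single comparison by flagging mail whose sender appears anywhere in the recipient list. The exit code 10, the helper names and the assumption that the recipient list is separated by commas, semicolons or whitespace are choices of this example, not documented ORF behaviour.

```javascript
// Exit codes. 1 is deliberately NOT used for a hit: cscript.exe returns 1
// when it fails to start the script, which must not count as spam.
var EXIT_NO_HIT = 0, EXIT_HIT = 10, EXIT_ERROR = 255;

// Trim whitespace and surrounding angle brackets, then lowercase.
function normalizeAddress(addr) {
  return String(addr).replace(/^[\s<]+|[\s>]+$/g, "").toLowerCase();
}

// Split the recipient list. ASSUMPTION: addresses are separated by commas,
// semicolons or whitespace; verify the real {RECIPIENTS} format first.
function splitRecipients(list) {
  var parts = String(list).split(/[,;\s]+/), out = [];
  for (var i = 0; i < parts.length; i++) {
    var a = normalizeAddress(parts[i]);
    if (a !== "") out.push(a);
  }
  return out;
}

// Decide the exit code for an argument array [sender, recipientList].
function classify(args) {
  if (args.length !== 2) return EXIT_ERROR;
  var sender = normalizeAddress(args[0]);
  var recipients = splitRecipients(args[1]);
  // An empty sender (e.g. "<>" on bounces) or an empty list is not a hit.
  if (sender === "" || recipients.length === 0) return EXIT_NO_HIT;
  for (var i = 0; i < recipients.length; i++) {
    if (recipients[i] === sender) return EXIT_HIT;
  }
  return EXIT_NO_HIT;
}

// Entry point when run under Windows Script Host (cscript.exe).
if (typeof WScript !== "undefined") {
  var argv = [];
  for (var n = 0; n < WScript.Arguments.length; n++) {
    argv.push(WScript.Arguments(n));
  }
  WScript.Quit(classify(argv));
}
```

With this variant, the action on the exit codes tab is added for exit code 10 rather than 1, so a cscript failure no longer triggers blacklisting.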

8 thoughts on “Self-Sending Spam 2.”

  1. Pingback: Vamsoft Insider » Self-Sending Spam

  2. Pingback: Self-Sending Spam 2. | The Black Ball

  3. Prayag

    Hi Peter,

    Thanks a lot. I really appreciate you taking time to post this agent.

    Wish you and the team a Happy New Year.

    Best regards.

  4. Prayag

    I’m sorry to report that after putting the Agent we were receiving several reports of false positives. We’re going to check the logs and the agent logic as well to understand what’s causing it.

  5. Peter Post author

    Prayag,

    Thanks. False positives may occur if the sender and the recipients are the same. The only legitimate – though quite strange – case is if users are sending emails to themselves *and* these emails get routed to SMTP. Now if that’s the case, there is no way you can use this agent.

  6. Peter Post author

    Anyway, just wanted to add that the agent is OK. In the agent definition, the path to the script contained whitespace, but was not enclosed in double quotes. This caused cscript to interpret the script file spec as multiple parameters -> script was not found -> cscript returned exit code 1 -> exit code 1 from the script indicates spam -> ORF blacklisted the emails.

    So if there are spaces in the path name where you put your script file, make sure to specify it as “C:\My Folder\selfspam.js”, instead of just C:\My Folder\selfspam.js.

  7. rene

    The script works fine, but I get exit code 0 if sender and recipient are the same.
    If they are different I get exit code 1.
    Any idea?

    regards rene
