For your consideration: a script pieced together at your suggestion to get
IPv4 addresses from SPF records, recursively.

#!/usr/bin/perl --

# GetDomainIPSfromSPF v0.1

# Output all IP4 addresses, one per line, from a hostname's SPF record(s)
# does NOT consider PTR records

# Copyright (C) 2015 Ken Post under the terms of GPL v3
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License (http://www.gnu.org/licenses/) for more
# details.

use strict;
use warnings;

use Mail::SPF::Query;

# get initial hostname from the commandline
my $hostname = shift @ARGV;
die "usage: $0 hostname\n" unless defined $hostname;

# hostnames already expanded, so an include/redirect loop cannot recurse forever
my %seen;

RecurseSPF($hostname);

sub RecurseSPF {
    my ($hostname) = @_;

    # skip a hostname that has already been expanded
    return if $seen{ lc $hostname }++;

    # get SPF record for the hostname.  Using Mail::SPF::Query out of
    # convenience, bogus IP and helo sent
    my $query = eval { Mail::SPF::Query->new(
        ip     => '1.1.1.1',
        sender => 'someone@' . $hostname,
        helo   => 'helo'
    ) };
    return unless $query;

    # spf_record gets populated with the SPF record
    my ($result, $smtp_comment, $header_comment, $spf_record, $detail) =
        $query->result();
    return unless defined $spf_record;

    # split into an array of words based on spaces
    my @SplitSPFLines = split /\s+/, $spf_record;

    foreach (@SplitSPFLines) {
        # if the word is include:<host> or redirect=<host> (SPF writes the
        # redirect modifier with "="), run RecurseSPF recursively again,
        # pulling up the SPF record for the referenced hostname
        if (/^[-+~?]?(?:include:|redirect=)(\S+)$/i) {
            # run it recursively
            RecurseSPF($1);
        # if we've found an IP4 record, print that IP address (assumes validity)
        # or range to stdout
        } elsif (/^[-+~?]?ip4:(\S+)$/i) {
            print "$1\n";
        }
    }
}

I call this in the groups config file, like this:

[GROUP-GOOGLE-IPS]
exec:c:/perl/bin/perl.exe "c:\ASSP\GetDomainIPSfromSPF.pl" google.com

Seems to work.  I'm interested in feedback.  Feel free to use it however
you see fit.  Hope this helps someone.


On Mon, May 4, 2015 at 11:58 AM, K Post <nntp.p...@gmail.com> wrote:

>
> So a helo matching say *.aol.com would also stop a helo from
> getting a bonus because it matches a known good helo?  If so, GREAT, I was
> being thrown off by the name of the option then.
>
> noHelo is great, but that requires knowing the IP's.  Your script idea
> would work there.
>
> On Mon, May 4, 2015 at 2:37 AM, Thomas Eckardt <thomas.ecka...@thockar.com
> > wrote:
>
>> heloBlacklistIgnore
>> noHelo
>>
>> will skip the check
>>
>> Thomas
>>
>>
>>
>>
>> From:    K Post <nntp.p...@gmail.com>
>> To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date:    03.05.2015 22:09
>> Subject: Re: [Assp-test] Do NOT ever add aol, gmail, hotmail, etc
>> to Known Good Helos?
>>
>>
>>
>> The system script idea is a good one!  I might have to look more into
>> that.
>>
>> Shouldn't there be a relatively simple way to modify ASSP though so that
>> when it does a helo check, if the helo matches a regex (in a list
>> from the ASSP config) the HeloIsGood_Run sub won't change the score
>> (essentially ignoring it)?
>>
>> Same concept for wherever in the code the IP score is considered /
>> calculated?
>>
>> On Sun, May 3, 2015 at 3:39 AM, Thomas Eckardt
>> <thomas.ecka...@thockar.com>
>> wrote:
>>
>> > >Is there a way to prohibit major carriers like
>> >
>> > There is no other way - you have to know the IP's or hostnames (try to
>> get
>> > them from the SPF record) and to define them in 'noHelo'.
>> >
>> > >Similarly, is there a way with ASSP to just tell it to ignore IP
>> scoring
>> > for addresses that reverse to a regex list of domain names?
>> >
>> > Use the 'Groups' feature to do this.
>> >
>> > For example: define a group [aol_ips], define to run a system script
>> that
>> > collects and returns all IP's and or hostnames you need.
>> > Use the group in any feature you need it.
>> >
>> > Thomas
>> >
>> >
>> >
>> >
>> >
>> > From:    K Post <nntp.p...@gmail.com>
>> > To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
>> > Date:    02.05.2015 08:19
>> > Subject: [Assp-test] Do NOT ever add aol, gmail, hotmail, etc to
>> > Known Good Helos?
>> >
>> >
>> >
>> > Is there a way to prohibit major carriers like the telcos, aol, gmail,
>> > yahoo, and hotmail from having their helos be added to the known good
>> helo
>> > list?
>> >
>> > I don't want to negatively score these messages, there's tons of legit
>> > emails - more than bad, but having the helo be marked as good is having
>> > too
>> > many spams come through.
>> >
>> > I know that I can change the valence, but it's set (seemingly) just
>> right
>> > for other non-major carriers.
>> >
>> > Similarly, is there a way with ASSP to just tell it to ignore IP scoring
>> > for addresses that reverse to a regex list of domain names?  For
>> example,
>> > anything that reverses to aol.com, don't score the IP address at all.
>> > I know I can theoretically find all IP's that AOL uses, but that's a
>> very
>> > manual process.    I could probably do a bomb regex, but that would be a
>> > negative value for known domains - the problem there is that I wouldn't
>> > know if it already has a good score due to IP or not.  just don't see an
>> > option with ASSP - hoping I'm just missing it.
>> >
>> >
>> > _______________________________________________
>> > Assp-test mailing list
>> > Assp-test@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/assp-test
>> >
>> >
>> >
>> >
>> >
>> >
>> > DISCLAIMER:
>> > *******************************************************
>> > This email and any files transmitted with it may be confidential,
>> legally
>> > privileged and protected in law and are intended solely for the use of
>> the
>> >
>> > individual to whom it is addressed.
>> > This email was multiple times scanned for viruses. There should be no
>> > known virus in this email!
>> > *******************************************************
>
>
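
Added example (not part of the original message and not ASSP code): the script above prints every ip4: value as-is and its output feeds an ASSP group, so this Python version walks the same include:/redirect= tree over constructed records, validates each ip4: value, drops networks broader than an assumed /16 policy floor, and stops at the RFC 7208 limit of ten lookups. `expand_spf`, `SAMPLE_RECORDS`, `MIN_PREFIX` and the `lookup` callback are names made up for this example; a real resolver would take the place of `SAMPLE_RECORDS.get`.

```python
import ipaddress
import re
# Constructed SPF records standing in for DNS TXT answers (not real data).
SAMPLE_RECORDS = {
    "example.test": "v=spf1 include:_a.example.test ip4:192.0.2.10 redirect=_b.example.test",
    "_a.example.test": "v=spf1 ip4:198.51.100.0/24 ip4:0.0.0.0/0 include:example.test ~all",
    "_b.example.test": "v=spf1 +ip4:203.0.113.7 ip4:999.1.1.1 ip4:192.0.2.10 -all",
}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation
MIN_PREFIX = 16   # assumed local policy: nothing broader than a /16 is listed

def expand_spf(domain, lookup, min_prefix=MIN_PREFIX):
    """Return (accepted_networks, rejected_terms) for domain's SPF tree."""
    accepted, rejected, seen = [], [], set()
    budget = MAX_LOOKUPS

    def walk(name):
        nonlocal budget
        name = name.lower().rstrip(".")
        if name in seen:  # include/redirect loop: already expanded
            return
        seen.add(name)
        record = lookup(name) or ""
        if not record.lower().startswith("v=spf1"):
            return
        for term in record.split()[1:]:
            mech = term.lstrip("+-~?")  # drop the qualifier, if any
            ref = re.fullmatch(r"(?i)(?:include:|redirect=)(\S+)", mech)
            if ref:
                if budget == 0:
                    rejected.append((term, "lookup limit reached"))
                else:
                    budget -= 1
                    walk(ref.group(1))
            elif mech.lower().startswith("ip4:"):
                try:
                    net = ipaddress.IPv4Network(mech[4:], strict=False)
                except ValueError:
                    rejected.append((term, "not a valid IPv4 network"))
                    continue
                if net.prefixlen < min_prefix:
                    rejected.append((term, f"broader than /{min_prefix}"))
                elif str(net) not in accepted:
                    accepted.append(str(net))
    walk(domain)
    return accepted, rejected

if __name__ == "__main__":
    print(expand_spf("example.test", SAMPLE_RECORDS.get))
```

Only the accepted list should be emitted for the group; logging the rejected terms shows when an included third-party record starts publishing something unexpected.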