Bash script to send SMTP email

UPDATE: at bottom (1.30.14)

So I’ve transitioned to a new position in San Diego where I’m more support/administration vs. incident handling/intrusion detection, and one of things I’ve recently and in the past have wanted was some sort of way to confirm the SMTP gateway’s for the company your working at are up and processing email from the internet.  Now of course you can telnet to port 25 manually but that’s a pain and the call that “your stuff is down” could come at anytime 24/7.  I’ve googled for a script like this many times over the years but never saw something that would do exactly what I wanted.  In the world of IT getting frustrated enough over and over is usually the only thing that motivates you to get off your azz and script up something yourself.

So I decided to put together a bash script that would send an email with telnet to me through each of the SMTP relays separately.  Also I wanted something I could simply launch from a Putty session to a free RedHat Amazon AWS instance anywhere I was w/o worrying about VPN’ing into work to troubleshoot, this would test the inbound internet connectivity part as well.  I added an if/then statement to allow me the option to include an email address on the command line of the person complaining my gear isn’t working.  So if the x number emails that pop into their inbox with date/time stamp equals the x number of relays the company owns then my servers are up and processing mail and they need to look elsewhere for the trouble.  Script is below in a .txt form, feel free to offer suggestions or share links to your own scripts in the blog comments as this comes with the usual disclaimer of me not being a bash scripting expert and use at your own risk, etc etc.

Script with some comments within the first server’s connection


Random Tips I’ve learned

1. If you are testing/modifying this script try running it with bash -x ./ Helps troubleshoot what’s going on between script and the mail server as the SMTP conversation takes place.
2. Add “TZ=’US/Pacific’; export TZ” w/o quotes to your .bash_profile changing the timezone of your Amazon AWS instance to whatever Timezone your SMTP gateway’s are in.
3. When viewing the script use notepad++ and format the script as Language > S > Shell to better understand what’s going on.

4.  I think amazon is throttling outbound connections on port 25, as I’m having some trouble connecting to the fourth SMTP agent in my script, but I’m seeing no attempts on the FW so sounds like outbound blocks probably to combat SPAM.  So I modified the script with longer sleep times, and uploaded that here.

5. Use and buy JuiceSSH for Android!  I can now auth to the Amazon instance with pub/priv keys and launch the script to whoever is saying my stuff is down from my phone.  Very cool.


Detecting Infection Chain Redirections with custom Netwitness Flex Parser

In my ongoing battle with those who feel they should have their way with the computers I defend, I recently had an idea around detecting a common part of the infection chain.  That term, to me, is the process of exploitation often used in drive by attacks to thwart IP and domain blacklisting along with making attribution harder as the target is often bounced between several IPs/domains in different countries through dynamic DNS techniques.  This certainly makes it hard to determine what IPs/domains are links in that infection chain at any particular moment, and admittedly it is not what my toolset is best suited for.  That’s the job of the many different services who specialize in such things (ex.,, Bluecoat, etc).  My task is to try and detect the techniques and malware bad guys use to get their main task completed: run code of their choice inside my network.  Along that vein, after investigating a recent driveby landing page on a compromised site that it was easily the 3rd time I’ve seen use of an HTML page that incorporated the somewhat depreciated HTML Meta Refresh technique to move the user to the next link in the infection chain.  This made sense to me as once they are able to compromise a wordpress blog, discussion forum site, ftp brute force, etc they often get upload permissions and it is then trivial, or even scriptable to upload a .html file they have saved somewhere to redirect the user with some unsuspecting message like “Loading…”  Here is the example that triggered my thought during that investigation.  In this example a html file was uploaded to the good site at /rumyn.html, click pic to make larger.

blacole landing page

Continue reading

RSA Netwitness Investigator Regular Expressions

In the blog post below (here) I talked about my theory to detect DGAs by looking for consecutive consonants in a row within a URL.  However my SNORT rule does not work like I wanted it to.  I thought the rule would look for the HOST: portion of the HTTP header and start the regex match after colon and whitespace. When what it seems to do is trying to match the whole line as one entity including the word HOST, this causes the match to fail if there are ANY vowels in the line vs. only caring if there are x number of consonants in a row before or after a vowel.  So I figured I’d leverage another tool, RSA’s Netwitness network forensics product would work. You can download a home version of the tool here.

Netwitness investigator allows users to use RegEx to filter the packet capture data including of course web surfing.  As I understand it they use the BOOST RegEx engine as opposed to the PCRE engine I’m more familiar with. Either way, there doesn’t seem to be a lot of documentation included with the product around the needed syntax. So I recommend you try just throwing in your regex and see what happens as Investigator will do some sanity checking. Taking my own advice I entered my SNORT regex as a custom drill in the field (a helpful message from an experienced Netwitness user made me realize I shouldn’t assume readers knew I was using a custom drill for this filter).  As you will quickly learn you need to backslash escape most non alpha-numeric characters until it works.  The pic below shows the error checking where I intentionally left off the backslash escape character in front of the comma in the repetition operator {9,}


Continue reading

What do you do all day?

That’s often the question I get asked by friends and family, and to be honest it’s hard to explain to non-techies so I figured I’d pick out a recent example of a typical malware find and cleanup at work and blog about it.
So it all started in the morning when I opened the daily report I email to myself from the proxy server that flags URL requests in categories I feel are malicious and accessed during the previous 24hrs.  Once blowing past the usual false positives one stood out to me, (TLD for Greece).  The report does not give full HTTP headers just the hostname so I had to look up the same hit in the proxy’s reporting server to get the time/date/username of the HTTP request.  Then I moved to the SIEM (log manager) to get correlated logs from FWs, netflow, and the parsed raw proxy logs showing all the fields with a start and end time +/- 5 mins.
In doing so I saw obvious bad outbound traffic from the suspect host with what looked like URLs centered around webmail.  This is not surprising as webmail is a significant weak spot in many  corporations, anyway here are some of the logs I was presented with, a bit sanitized.

Continue reading

Security I want around my online banking experience…

UPDATE 3/7/12:  So hitting the banks up on twitter went no where, they didn’t even approve my comments.  I have a good disscussion going on in the “Internet Banking” group on LinkedIn if you want to join.  Next step might be a reddit post or possible emailing some of the bank CSOs directly.  Wish me luck.

5/5/12 I reached out to BofA’s CISO Patrick Gorman and was ignored. Don’t see much point in banging my head against the wall anymore.

Online banking and bill pay are two of the conveniences of the information age. I have memories of seeing my mom paying the monthly bills late at night filling out checks, opening and addressing envelopes, putting on stamps etc. She then of course had to manually balance her checkbook with a calculator. I cringe at the thought of having to spend several hours a month in such a manner, with online banking and bill pay it usually takes me 30 mins to send out the money with little or no writing or mailing. As with many conveniences, however it comes with a risk of potential abuse. Individuals certainly aren’t the only ones being victimized, especially vulnerable are small to medium-sized business who have relatively a lot of money compared to the average Joe Schomo like me and unfortunately for them they are not covered by the FDIC or the bank’s policy. Here’s a Bloomberg article from August last year that goes into several examples of theft and how the banks don’t always reimburse those companies like they do you when your CC is stolen. Bloomberg article

So without further ado here is what I humbly ask from my bank, 3 fairly quick wins that should be implemented as soon as possible. I’ll let you know if I hear anything back from them. I plan on hitting some of the bigger ones up on Twitter and LinkedIn to see if any of that social media mumbo jumbo works for me and my little blog.

Continue reading

Detecting the Bad from the Good…

UPDATE 4/3/12: I worked with Joel Elser on Snort-sigs mailing list to develop the below signature. However there’s been some concern around system resources of Regexing every GET request to the internet.  I’m thinking I might have to adjust the rule to exempt .com and .net TLDs.  Less effective I know but at least it won’t kill the sensor. This technique is probably better for offline static analysis of logs then realtime IDS.  Damballa has two good papers on their work around detecting DGA (Domain generation algos) and how they haven’t gone away now that Conficker is out of the news.  Links
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”WEB-MISC http header with 9 or more consonants”; flow:to_server,established; content:”GET”; http_method; content:”Host: “; http_header; pcre:”/^Host:s[tnrshdlfcmgpwbvkxjyqz0-9]{9,}$/Hi”; metadata:service http; classtype:bad-unknown;)
UPDATE 10/28/12: The above sig does not match unless there are NO vowels in the host header.  Please see an updated post here
In security monitoring it’s your job to use your creativity to design rules and dashboards so you can identify evidence of malicious activity.  In general there are two strategic ways to do this, detect the bad (blacklisting) or detect the good (whitelisting).  It doesn’t take a genius to realize that whitelisting is the more effective strategy overall, although its much harder to implement.  Even so blacklisting is still useful to use for increasing defense in depth.   Speaking about getting creative to detect the bad guys, a recent thought I had is looking for one of the tactics they use to avoid being taken offline.  Namely registering and using a large number of domains so that content filtering and whitehat organizations can’t keep up.  You could see this during the Conficker worm battles, where early versions were programmed to connect to 250 domains a day, and when the Conficker Cabal launched an effort to pre-register those names later worm versions came out in direct response with algorithms for 50,000 domains per day.
The flaw I see in the “I can register more domains, faster then you can” tactic is often the make up of those domains. By their nature they frequently are a collection of puesdo random letters not valid strung together words in your language, like a normal domain.
For Example: (consonants in a row in red)

The startup that didn’t start…

So I have requested Hostgator to rm -rf my VPS for a web application I created called after about a year of building and trying to get it to catch on.  Basically I was attempting to be a middle man between consumers and vendors, adding value to both around transaction security and accuracy.  By having users fill out one or more forms on my site with various types of information about them and then picking a text string (called WalletID) that they could give out to vendor’s who I would verify out of band.  This would allow the vendors to check against my site as needed for the updated info behind the WalletID.  So it’s an extra layer of sanity check before shipping a package to an address, sending a targeted email, or perhaps a pwd change request.  All checks could be verified externally (at my site) to whatever the vendor’s transaction technique was (at their website), in case it was being abused.

Continue reading

Detecting emails spoofing your domain using Outlook Rules…

The concern over targeted emails from sophisticated attackers is only increasing after the Aurora attacks, not to mention the latest Google vs. China row, and RSA’s compromise. One technique the attacker’s use to make their targeted email more legitimate is to fake or spoof the email’s from address using the recipient’s own domain, so it is more likely to be opened. The constant message from security about the dangers of email can make opening a spoofed message cause much alarm for the average user, which of course is usually only evident after the message has been opened. Which is quickly followed by the usual questions, why am I getting this email Joe said he didn’t send it? It says I sent it! It’s not in my sent items, am I infected? Spoofing email addresses has a long history of being allowed by the SMTP protocol and many companies currently rely on that “feature” to deliver mail legitimately, think surveys, send this link to a friend, web page forms, mailing lists etc. So it’s not as simple as just blocking everything with an internal domain that comes from the Internet; because it’s not all bad. It’s also made more difficult in how SMTP works, where the MAIL FROM (aka. Smtp from, RFC2821, envelope from) is often is what is evaluated at the mail gateway/server level, but the user will just see the FROM (aka. RFC2822, message from).

Continue reading

Cybersecurity challenge and update…


So I saw an interesting link on the interwebs, it is a packet analysis challenge with promise of invitations to  summer 2011 USCC Cyber Camps training in various locations (Delaware for East Coast folks, I believe) for the winners.  I registered and hope to complete the challenge this weekend; you have 24 hrs once you get the .pcap file to answer 30 questions about evidence of intrusion in the traffic.  You can read more about it here The contest is over May 1st 2011.


UPDATE:  I did well enough to be invited to the Virginia camps in early August, with full tutition, room, and board paid.  An awesome opportunity that I’m looking forward to.

Facebook Faux pas?

So Facebook’s been in the news recently about their ever degrading privacy protections and coding screwups (EFF link and Tech Crunch link). I’m not a big fan of the service but it is a unique way to keep in touch with people you are far away from, as well as get updates on the “normal” part of their lives that don’t exactly warrant a phone call or email.  Anyway, I’ve already erased most all my personal info because I’m a paranoid.  I also check up on the privacy settings to see if I’m inadvertently leaking personal info because of my mistake or Facebook’s frequent policy changes.

I noticed an interesting feature yesterday that allows you to get an email when a computer that hasn’t been “authorized” authenticates to your account ( Click Account Button…Account Settings…Account Security). Facebook also allows you to see a log of the computers that have authenticated to your Facebook (security guys love logs) which is cool.  The log is weak on the technical side, no IP address, DNS hostname, or Useragent etc.  But it is an interesting feature that I believe banks should offer as well.

Continue reading