How can I implement a simple WHOIS proxy in Perl? - perl

I have several WHOIS servers for which I want to have a single proxy. The proxy should forward requests to appropriate servers based on the data in the query. How to approach this problem?

Step 1: read the RFC for WHOIS.
Step 2: implement a mock server with Net::Server.
Step 3: implement the proxy using your mock server and Net::Whois::Proxy or some other WHOIS module.
A quick scan of the RFC seems to say that it is just a simple text-based protocol that expects one CRLF-terminated line and then sends a blob of CRLF-terminated lines and closes the socket.
Yep, it really looks that simple. Given this code
#!/usr/bin/perl
{
    package Whois;
    use strict;
    use warnings;
    use parent 'Net::Server';

    # Net::Server hands each connection to process_request with STDIN and
    # STDOUT attached to the client socket, so the query is one readline away.
    sub process_request {
        my $request = <STDIN>;
        print "you sent me $request";
    }
}
Whois->run;    # Net::Server's default is TCP port 20203
you can say
whois -h localhost -p 20203 foo.com
and get back
you sent me foo.com
Given the "high-load" tag, you will probably want to switch over to Net::Server::PreForkSimple personality when you are done with testing.
And just because I was bored:
#!/usr/bin/perl
package Whois {    # block-form package syntax needs Perl 5.14 or later
    use strict;
    use warnings;
    use parent 'Net::Server::PreFork';
    use Net::Whois::Raw;

    # TLD -> upstream WHOIS server; one entry per zone this proxy fronts.
    my %handler = (
        org => "whois.publicinterestregistry.net",
    );

    sub process_request {
        my $request = <STDIN>;                 # STDIN/STDOUT are the client socket
        return unless defined $request;
        $request =~ s/\r?\n\z//;               # RFC 3912 says CRLF; tolerate bare LF
        $request = lc $request;                # domain names are case-insensitive
        # Forward only something that looks like a host name; anything else
        # would otherwise be relayed verbatim to the upstream server.
        unless ($request =~ /\A[a-z0-9-]+(?:\.[a-z0-9-]+)+\z/) {
            print "Invalid query\r\n";
            return;
        }
        my ($tld) = $request =~ /\.([^.]+)\z/;
        print exists $handler{$tld}
            ? scalar whois($request, $handler{$tld})   # list context would also return the server name
            : "I don't know where to look for $request\r\n";
    }
}
Whois->run(
    user              => "nobody",   # drop root after binding port 43
    group             => "nobody",
    port              => 43,
    min_servers       => 1,          # min number of children
    max_servers       => 10,         # max number of children
    min_spare_servers => 1,          # fork if we don't have this many waiting
    max_spare_servers => 5,          # kill if we have this many waiting
    max_requests      => 10_000,     # num of requests before killing a child
);
which when I run
sudo perl whois.pl
and then
whois -h localhost foo.org
gives us
NOTICE: Access to .ORG WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the Public Interest Registry
registry database. The data in this record is provided by Public Interest Registry
for informational purposes only, and Public Interest Registry does not guarantee its
accuracy. This service is intended only for query-based access. You agree
that you will use this data only for lawful purposes and that, under no
circumstances will you use this data to: (a) allow, enable, or otherwise
support the transmission by e-mail, telephone, or facsimile of mass
unsolicited, commercial advertising or solicitations to entities other than
the data recipient's own existing customers; or (b) enable high volume,
automated, electronic processes that send queries or data to the systems of
Registry Operator or any ICANN-Accredited Registrar, except as reasonably
necessary to register domain names or modify existing registrations. All
rights reserved. Public Interest Registry reserves the right to modify these terms at any
time. By submitting this query, you agree to abide by this policy.
Domain ID:D1608104-LROR
Domain Name:FOO.ORG
Created On:10-Jan-1995 05:00:00 UTC
Last Updated On:07-Mar-2011 00:26:43 UTC
Expiration Date:09-Jan-2012 05:00:00 UTC
Sponsoring Registrar:Fabulous.com Pty Ltd. (R133-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:fabwpp-000700385
Registrant Name:Domain Hostmaster, CustomerID : 85519846801225
Registrant Organization:Whois Privacy Services Pty Ltd
Registrant Street1:PO Box 923
Registrant Street2:
Registrant Street3:
Registrant City:Fortitude Valley
Registrant State/Province:QLD
Registrant Postal Code:4006
Registrant Country:AU
Registrant Phone:+61.730070090
Registrant Phone Ext.:
Registrant FAX:+61.730070091
Registrant FAX Ext.:
Registrant Email:85519846801225-959797@whoisprivacyservices.com.au
Admin ID:fabwpp-000700385
Admin Name:Domain Hostmaster, CustomerID : 85519846801225
Admin Organization:Whois Privacy Services Pty Ltd
Admin Street1:PO Box 923
Admin Street2:
Admin Street3:
Admin City:Fortitude Valley
Admin State/Province:QLD
Admin Postal Code:4006
Admin Country:AU
Admin Phone:+61.730070090
Admin Phone Ext.:
Admin FAX:+61.730070091
Admin FAX Ext.:
Admin Email:85519846801225-959797@whoisprivacyservices.com.au
Tech ID:fabwpp-000700385
Tech Name:Domain Hostmaster, CustomerID : 85519846801225
Tech Organization:Whois Privacy Services Pty Ltd
Tech Street1:PO Box 923
Tech Street2:
Tech Street3:
Tech City:Fortitude Valley
Tech State/Province:QLD
Tech Postal Code:4006
Tech Country:AU
Tech Phone:+61.730070090
Tech Phone Ext.:
Tech FAX:+61.730070091
Tech FAX Ext.:
Tech Email:85519846801225-959797@whoisprivacyservices.com.au
Name Server:NS1.HITFARM.COM
Name Server:NS2.HITFARM.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned
whois.publicinterestregistry.net

I'm no expert on whois, but Net::Whois::Proxy would seem to be what you want.


DMARC Failure only for linkedin

I just set up our domain a couple of weeks ago to use SPF and DMARC, but no DKIM at the moment. But every now and then I receive a DMARC failure report from LinkedIn:
This is an email abuse report for an email message received from IP 213.160.4.146 on Tue, 16 Jul 2019 12:34:26 +0000.
The message below did not meet the sending domain's dmarc policy.
The message below could have been accepted or rejected depending on policy.
For more information about this format please see http://tools.ietf.org/html/rfc6591 .
Feedback-Type: auth-failure
User-Agent: Lua/1.0
Version: 1.0
Original-Mail-From:
Original-Rcpt-To: messages-noreply@linkedin.com
Arrival-Date: Tue, 16 Jul 2019 12:34:26 +0000
Message-ID: <5cd…8b2f@SR-EXC.biv.local>
Authentication-Results: dmarc=fail (p=none; dis=none) header.from=biv-ot.org
Source-IP: 213.160.4.146
Delivery-Result: delivered
Auth-Failure: dmarc
Reported-Domain: biv-ot.org
But I can't detect any error: the IP address and domain match our MX record, which is included in the SPF entry. Also, the referenced RFC 6591 doesn't include the auth failure "dmarc". I get this mail roughly once a week, and no other server has ever sent me a DKIM failure report. Any idea what's wrong?
DNS Entries:
biv-ot.org:
MX: mail.biv-ot.org
A: 148.251.171.224
SPF: v=spf1 a mx include:ot-live.zms.hosting a:mout.kundenserver.de ~all
DMARC: v=DMARC1; p=none; ruf=mailto:…; fo=s
mail.biv-ot.org:
A: 213.160.4.146
This behavior is often witnessed with automated responses, such as NDRs and Out of Office replies, from mail servers as described in the Simple Mail Transfer Protocol (SMTP) RFC, section 4.5.5
In these cases the smtp.mailfrom field is empty and in most SPF implementations the check falls back to checking the HELO identity (recommended), as described in the SPF RFC, section 2.4.
Even if you create an SPF record for the HELO identity, you may still fail DMARC (on SPF) because of misalignment, if the HELO identity does not share the organizational domain of the Header.From address.
In your specific case, the HELO identity would be assumed as postmaster@firewall.biv-ot.org and the reported domain (Header.From) is set to biv-ot.org. This means that publishing an SPF record for firewall.biv-ot.org would solve your issue.
Also note: You only publish a ruf= address in your DMARC policy. Almost no mailbox providers send forensic/failure reports, so it is not wise to rely on only these reports to judge whether or not your email authentication practices are in a good state.
These blogs by Dmarcian and Valimail outline why these forensic / failure reports are so scarce.
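The identity fallback and the alignment rule from the answer above, worked through in Perl. This is an added example, not code from the thread: the org_domain() helper approximates the organizational domain by the last two labels instead of consulting the Public Suffix List (an assumption that is right for .org and wrong for .co.uk), and the SPF results are supplied as constructed inputs rather than looked up in DNS.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Organizational domain: the registrable part of a host name. Without the
# Public Suffix List this takes the last two labels (assumption).
sub org_domain {
    my ($name) = @_;
    $name = lc $name;
    $name =~ s/\.\z//;
    my @labels = split /\./, $name;
    return $name if @labels <= 2;
    return join '.', @labels[-2, -1];
}

# RFC 7208 section 2.4: with an empty MAIL FROM (bounces, auto-replies) the
# SPF identity becomes postmaster@<HELO domain>.
sub spf_identity {
    my (%ctx) = @_;
    return $ctx{mailfrom} if defined $ctx{mailfrom} && length $ctx{mailfrom};
    return "postmaster\@$ctx{helo}";
}

# DMARC SPF alignment (RFC 7489 section 3.1.2): the SPF-checked identity's
# domain must equal the RFC5322.From domain in strict mode (aspf=s), or
# share its organizational domain in relaxed mode (the default).
sub spf_aligned {
    my (%ctx) = @_;
    my ($ident_domain) = spf_identity(%ctx) =~ /\@(.+)\z/;
    my $from_domain = lc $ctx{header_from};
    return 1 if lc($ident_domain) eq $from_domain;
    return 0 if ($ctx{aspf} // 'r') eq 's';
    return org_domain($ident_domain) eq org_domain($from_domain) ? 1 : 0;
}

# The SPF leg of DMARC passes only if SPF passed for the checked identity
# and that identity is aligned with the From: header.
sub dmarc_spf_leg {
    my (%ctx) = @_;
    my $identity = spf_identity(%ctx);
    my $spf      = $ctx{spf_result}{$identity} // 'none';
    my $aligned  = spf_aligned(%ctx);
    return {
        identity => $identity,
        spf      => $spf,
        aligned  => $aligned,
        dmarc    => ($spf eq 'pass' && $aligned) ? 'pass' : 'fail',
    };
}

# Constructed scenario matching the report above: an automated reply with an
# empty MAIL FROM, HELO firewall.biv-ot.org, From: header at biv-ot.org.
my %base = (
    mailfrom    => '',
    helo        => 'firewall.biv-ot.org',
    header_from => 'biv-ot.org',
);
my $helo_id = 'postmaster@firewall.biv-ot.org';

# 1. No SPF record for the HELO name: SPF "none", so DMARC fails.
my $before = dmarc_spf_leg(%base, spf_result => { $helo_id => 'none' });
# 2. SPF record published for firewall.biv-ot.org: pass, relaxed alignment holds.
my $after  = dmarc_spf_leg(%base, spf_result => { $helo_id => 'pass' });
# 3. Same, but the policy asks for strict alignment: still fails, domains differ.
my $strict = dmarc_spf_leg(%base, aspf => 's', spf_result => { $helo_id => 'pass' });

for my $r ($before, $after, $strict) {
    printf "%-34s spf=%-5s aligned=%d dmarc=%s\n", @{$r}{qw(identity spf aligned dmarc)};
}
```

The third case is the caveat from the answer: an SPF record for the HELO host fixes the report only because the default relaxed alignment accepts a subdomain of biv-ot.org; with aspf=s in the DMARC record it would not.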

Is there a legitimate reason Amazon probes /admin

From my raw server logs, I found these:
52.42.136.103 02/Aug/2016:17:58:12 GET /administrator/
54.234.186.225 03/Aug/2016:16:48:55 GET /administrator/
54.149.57.2 04/Aug/2016:18:40:55 GET /administrator/
52.40.119.32 06/Aug/2016:09:34:37 GET /administrator/
52.40.119.32 08/Aug/2016:06:02:45 GET /administrator/
The IPs all belong to Amazon Technologies (and I don't have an /admin directory).
I'm used to seeing that kind of random probe thing (/wp-admin, /wp-blog/, /dir, ... ) from Russia and Vietnam and so on, and I've always assumed there was some nefarious motive behind it. Is there? Why would Amazon be doing that? Is Jeff Bezos out of control?
Amazon itself is not crawling your site; it is more likely to be some of their EC2 users (i.e., rented servers in the cloud). See below for the email address to contact Amazon if you think their users are doing something illegal or abusive.
whois 52.40.119.32
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=52.40.119.32?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange: 52.32.0.0 - 52.63.255.255
CIDR: 52.32.0.0/11
NetName: AT-88-Z
NetHandle: NET-52-32-0-0-1
Parent: NET52 (NET-52-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Amazon Technologies Inc. (AT-88-Z)
RegDate: 2015-09-02
Updated: 2015-09-02
Ref: https://whois.arin.net/rest/net/NET-52-32-0-0-1
OrgName: Amazon Technologies Inc.
OrgId: AT-88-Z
Address: 410 Terry Ave N.
City: Seattle
StateProv: WA
PostalCode: 98109
Country: US
RegDate: 2011-12-08
Updated: 2014-10-20
Comment: All abuse reports MUST include:
Comment: * src IP
Comment: * dest IP (your IP)
Comment: * dest port
Comment: * Accurate date/timestamp and timezone of activity
Comment: * Intensity/frequency (short log extracts)
Comment: * Your contact details (phone and email) Without these we will be unable to identify the correct owner of the IP address at that point in time.
Ref: https://whois.arin.net/rest/org/AT-88-Z
OrgTechHandle: ANO24-ARIN
OrgTechName: Amazon EC2 Network Operations
OrgTechPhone: +1-206-266-4064
OrgTechEmail: amzn-noc-contact@amazon.com
OrgTechRef: https://whois.arin.net/rest/poc/ANO24-ARIN
OrgAbuseHandle: AEA8-ARIN
OrgAbuseName: Amazon EC2 Abuse
OrgAbusePhone: +1-206-266-4064
OrgAbuseEmail: abuse@amazonaws.com
OrgAbuseRef: https://whois.arin.net/rest/poc/AEA8-ARIN
OrgNOCHandle: AANO1-ARIN
OrgNOCName: Amazon AWS Network Operations
OrgNOCPhone: +1-206-266-4064
OrgNOCEmail: amzn-noc-contact@amazon.com
OrgNOCRef: https://whois.arin.net/rest/poc/AANO1-ARIN
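An added example (not from the thread) that turns the log extract and the ARIN record above into the report Amazon's comment block asks for. It parses the "Key: value" lines of the whois output, groups hits by source IP, keeps only the IPs that fall inside the record's CIDR (the 54.x hits belong to a different ARIN record and would need their own lookup), and assumes a destination address, port and timezone (192.0.2.10, 80, UTC) that you would replace with your own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed input: the access-log extract from the question and the fields
# of the ARIN record that an abuse report needs.
my @log_lines = (
    '52.42.136.103 02/Aug/2016:17:58:12 GET /administrator/',
    '54.234.186.225 03/Aug/2016:16:48:55 GET /administrator/',
    '54.149.57.2 04/Aug/2016:18:40:55 GET /administrator/',
    '52.40.119.32 06/Aug/2016:09:34:37 GET /administrator/',
    '52.40.119.32 08/Aug/2016:06:02:45 GET /administrator/',
);
my $whois_text = <<'END';
#
# ARIN WHOIS data and services are subject to the Terms of Use
#
NetRange: 52.32.0.0 - 52.63.255.255
CIDR: 52.32.0.0/11
OrgName: Amazon Technologies Inc.
OrgAbuseEmail: abuse@amazonaws.com
OrgAbuseRef: https://whois.arin.net/rest/poc/AEA8-ARIN
END

# Pull "Key: value" pairs out of ARIN-style output; '#' lines are comments.
# A key that repeats (RegDate, Comment) keeps its last value here.
sub parse_whois {
    my ($text) = @_;
    my %rec;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;
        my ($k, $v) = $line =~ /^([A-Za-z]+):\s*(.*?)\s*$/ or next;
        $rec{$k} = $v;
    }
    return \%rec;
}

# Group hits by source IP, keeping timestamp and request for the extract.
sub group_hits {
    my (@lines) = @_;
    my %by_ip;
    for my $line (@lines) {
        my ($ip, $ts, $method, $path) = $line =~ /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)/ or next;
        push @{ $by_ip{$ip} }, { ts => $ts, req => "$method $path" };
    }
    return \%by_ip;
}

# Dotted-quad IPv4 membership test for a CIDR block.
sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    my $to_int = sub { my @o = split /\./, shift; ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3] };
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (($to_int->($ip) & $mask) == ($to_int->($net) & $mask)) ? 1 : 0;
}

# One report per source IP that the record actually covers, carrying the
# items ARIN's comment lists: src IP, dest IP, dest port, timestamps with a
# timezone, frequency and the log extract. dest IP/port/tz are assumptions.
sub abuse_reports {
    my ($rec, $hits, %me) = @_;
    my @out;
    for my $ip (sort keys %$hits) {
        next unless in_cidr($ip, $rec->{CIDR});
        my @h = @{ $hits->{$ip} };
        push @out, join '',
            "To: $rec->{OrgAbuseEmail}\n",
            "src IP: $ip\ndest IP: $me{ip}\ndest port: $me{port}\n",
            "timezone: $me{tz}\nhits: " . scalar(@h) . "\n",
            (map { "  $_->{ts} $_->{req}\n" } @h), "\n";
    }
    return @out;
}

my $rec  = parse_whois($whois_text);
my $hits = group_hits(@log_lines);
print for abuse_reports($rec, $hits, ip => '192.0.2.10', port => 80, tz => 'UTC');
```

With the inputs above this prints two reports, for 52.40.119.32 (two hits) and 52.42.136.103 (one); the CIDR filter is what stops you from sending Amazon's abuse desk hits that belong to another allocation.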

whois TCP socket connection fails for one server

I'm writing a short script to query domain names from their respective whois servers. While the TCP connection via port 43 seems to be working for most whois servers, the queries to whois.markmonitor.com seem to be failing with an odd error that says Invalid query.
Here's the barebones of what I'm using:
#!/usr/bin/perl
# whois.pl
use strict;
use warnings;
use IO::Socket;

my $domain_name  = "google.com";
my $query_socket = IO::Socket::INET->new(
    PeerAddr => 'whois.iana.org',
    PeerPort => 43,
    Proto    => 'tcp',
) or die "connect failed: $@";

# The query as originally written: a trailing space after the domain and
# the terminator sent as LF CR ("\n\r") rather than CR LF.
print $query_socket "$domain_name ";
print $query_socket "\n\r";

# The server answers with a blob of lines and then closes the connection.
while (my $this_line = <$query_socket>) {
    print $this_line;
}
close($query_socket);
As seen above, the whois server used is whois.iana.org; this also works as expected with whois.internic.net. Only in the case of whois.markmonitor.com is the following error seen:
$ perl whois.pl
Invalid query
Could someone help shed more light on how I can perhaps get more verbose output to check whether there are any errors in the query being made to the server?
As an added test, a normal connection via telnet seems to be working as expected as seen below:
$ telnet whois.markmonitor.com 43
Trying 64.124.14.21...
Connected to whois.markmonitor.com.
Escape character is '^]'.
google.com
Domain Name: google.com
Registry Domain ID: 2138514_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2015-06-12T10:38:52-0700
Creation Date: 1997-09-15T00:00:00-0700
......<output truncated>......
which leads me to believe that the actual connections to the server via port 43 are being accepted on the server's side.
As artistoex notes - it's because there's a space in your domain name.
Change your print line to:
print {$query_socket} "$domain_name\n";
(Note - the curly braces are for style reasons and can be omitted - I prefer them to make clear this is a file handle)
Per RFC3912 the client is expected to communicate like that in whois protocol: "All requests are terminated with ASCII CR and then ASCII LF"
So in your code, instead of "\n\r" please use "\r\n". And remove the extra space like written in other replies.
Note however that whois is not a well-defined structured protocol: do not expect all whois servers to work in the same way or to adhere to some kind of standard. You will find a lot of strange cases...
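The proxy asked for in the first thread and the request framing discussed in this one, as a single added Perl example that is code from neither thread. The upstream table, the listen port 4343 and the size limits are assumptions; whois_query() sends the query followed by CR LF with no trailing space, which is the client-side fix for whois.pl above, and route() rejects anything that is not a host name before it is relayed upstream. Run it without arguments for an offline self-check of the routing, or with --serve [port] to listen.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;

# TLD -> upstream WHOIS server. Illustrative entries (assumption); list the
# servers for the zones this proxy actually fronts.
my %upstream = (
    org => 'whois.publicinterestregistry.net',
    com => 'whois.verisign-grs.com',
);
my $MAX_LINE  = 256;          # no domain query needs more than this
my $MAX_REPLY = 64 * 1024;    # cap what a misbehaving upstream can push back

# Parse one client line. Strip CR/LF in either order plus stray blanks,
# refuse anything that is not a host name (it would otherwise be relayed
# verbatim upstream), and return the normalised query and its server.
sub route {
    my ($raw) = @_;
    return (undef, 'line too long') if length($raw) > $MAX_LINE;
    (my $q = lc $raw) =~ s/^\s+|\s+$//g;
    return (undef, 'invalid query')
        unless $q =~ /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+([a-z0-9-]{2,63})\z/;
    my $tld = $1;
    return (undef, "no WHOIS server known for .$tld") unless $upstream{$tld};
    return ($q, $upstream{$tld});
}

# One WHOIS exchange framed as RFC 3912 wants: the query, then CR LF, then
# read until the server closes. No trailing space, "\r\n" not "\n\r": that
# is the whole client-side fix for whois.pl above.
sub whois_query {
    my ($server, $query) = @_;
    my $s = IO::Socket::INET->new(PeerAddr => $server, PeerPort => 43,
                                  Proto => 'tcp', Timeout => 10)   # connect timeout only
        or return "upstream $server unreachable\r\n";
    print $s "$query\r\n";
    my $reply = '';
    while (defined(my $chunk = <$s>)) {
        $reply .= $chunk;
        last if length($reply) > $MAX_REPLY;
    }
    close $s;
    return $reply;
}

# Serve one client: one request line in, one answer out, close.
sub handle_client {
    my ($client) = @_;
    my $raw = <$client>;
    my ($q, $info) = route($raw // '');
    print {$client} (defined $q ? whois_query($info, $q) : "$info\r\n");
    close $client;
}

if (@ARGV && $ARGV[0] eq '--serve') {
    # Port 4343 avoids needing root; on port 43 bind first, then drop
    # privileges as the Net::Server example does. fork-per-connection with
    # no child limit is a simplification; Net::Server::PreFork does it properly.
    my $listener = IO::Socket::INET->new(LocalPort => $ARGV[1] // 4343, Proto => 'tcp',
                                         Listen => 16, ReuseAddr => 1)
        or die "listen: $@";
    local $SIG{CHLD} = 'IGNORE';                     # no zombies
    while (my $client = $listener->accept) {
        if (my $pid = fork) { close $client; next }  # parent keeps accepting
        handle_client($client);                      # child answers and exits
        exit 0;
    }
}
else {
    # Offline self-check of the routing on constructed inputs.
    for my $line ("foo.org\r\n", "google.com \n\r", "../../etc\r\n",
                  "foo.example\r\n", ('x' x 300) . "\r\n") {
        my ($q, $info) = route($line);
        (my $shown = substr($line, 0, 24)) =~ s/\r/\\r/g;
        $shown =~ s/\n/\\n/g;
        printf "%-30s -> %s\n", $shown, defined $q ? "$q via $info" : "reject: $info";
    }
}
```

Note that the second self-check input is exactly what the broken whois.pl sends ("google.com" plus a space and "\n\r"); the proxy normalises it, but the upstream server in this thread does not, which is why the fix belongs on the client side too.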

Sending spam mail from my postfix SMTP server

Long time user and first time poster on stack-overflow but I'm a bit stumped.
A few months ago I bought and set up a virtual machine running CentOS 6 so that I could host a few websites and a mail server for myself and a few clients. I set the entire thing up myself from the Unix knowledge I already had, including the mail server - which was at the time something I had never done before.
The mail server is working as intended, dovecot enforces IMAP logins and everything was running smoothly, until recently when I noticed one of the domains has been sending mail from un-registered users.
To give you an extract from the log at /var/log/maillog
s18646572 postfix/qmgr[3763]: 45A9520F2DF8A: from=<daisy_gibson@friendsdomain.uk>, size=1321, nrcpt=1 (queue active)
s18646572 postfix/qmgr[3763]: A98FC20F2D350: from=<regina_reeves@friendsdomain.uk>, size=1420, nrcpt=1 (queue active)
s18646572 postfix/qmgr[3763]: E45E820F2DD3A: from=<robyn_holland@friendsdomain.uk>, size=1334, nrcpt=1 (queue active)
s18646572 postfix/qmgr[3763]: AD06220F28246: from=<lorraine_murphy@friendsdomain.uk>, size=1393, nrcpt=1 (queue active)
s18646572 postfix/qmgr[3763]: DC00D1849D7CC: from=<kristine_gardner@friendsdomain.uk>, size=1401, nrcpt=1 (queue active)
s18646572 postfix/qmgr[3763]: 890EE20F28F2A: from=<mae_shaw@friendsdomain.uk>, size=1418, nrcpt=1 (queue active)
So from what I can gather somebody is using his domain "friendsdomain.uk" but also piggybacking on our SMTP server to send the mail, given that it's being deposited into our queue.
I found a tool online to help test SMTP relaying and managed to configure some rules to prevent SMTP relays, at least through this tool. Users now need to be SASL authenticated in order to send mail.
However, the mail is still going out - postfix doesn't seem to be stopping the spam at all which leads me to believe that whoever is using the server is already authenticated. I've changed the passwords of all users but that doesn't seem to have halted the problem - and the logs don't indicate which user is being used to send the mail.
Extract of my postfix config below:
### SMTP Setup ###
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
broken_sasl_auth_clients = yes
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = permit_sasl_authenticated, reject_sender_login_mismatch, reject_unauthenticated_sender_login_mismatch, reject_unlisted_sender
I added the smtpd_sender_restrictions following some other answers I found on the site, which seemingly prevented the relaying at least.
I paused the SMTP server and inspected a few of the mail items in the queue, extract below.
Subject: 1 New SnapF#ck Alert
X-PHP-Originating-Script: 48:plugin.php(1959) : eval()'d code
Date: Wed, 9 Dec 2015 22:02:26 +0000
From: Kelly Fleming <kelly_fleming@friendsdomain.uk>
Message-ID: <64b6713d232e7a4f88e85344aac5cc9c@friendsdomain.uk>
X-Priority: 3
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
The headers indicate that whoever is doing this is using a PHP mailer
So the problem still remains: people are sending spam using my SMTP server. I need a way to either secure the user logins or, if an account has been compromised, find out which one. I can't simply suspend the accounts as the genuine users still need access to their email; however, now we're receiving so many hits that the TCP sockets are preventing other services from running.
Any advice would be greatly appreciated.
Thanks.
Solved the mystery (somewhat)
The mail was coming internally from one of our hosted sites. Either the site has been configured to use the SMTP with authentication or was not required to authenticate because it was on localhost.
The clue was in the sending error logs
Dec 10 11:35:15 s18646572 postfix/pickup[6439]: 9A7BA20F29112: uid=48 from=<sally_weaver@friendomain.uk>
The user id of the sender UID=48 indicated that it was a local user, and after checking the passwd file this was confirmed to be the apache user.
It is now evident that some part of the website hosted on friendsdomain.uk is being exploited to send spam, and after suspending the website and restarting services the mail ceased.
The problem now is finding and removing the exploit, however if you wish you can disable the mail() function in your php.ini file.
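As an added example (not code from the thread), the check the answer describes done over the log: read postfix/pickup and smtpd lines, map the uid of locally submitted mail to an account name, and count submissions per path and account so the web server's uid stands out from SASL users. The log and passwd lines are constructed to match the shape of the extracts above; on a real host read /var/log/maillog and use getpwuid() instead of the inline passwd table.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed log extract: the pickup line from the question plus lines in
# the same shape for another local user and an authenticated remote client.
my @maillog = (
    'Dec 10 11:35:15 s18646572 postfix/pickup[6439]: 9A7BA20F29112: uid=48 from=<sally_weaver@friendomain.uk>',
    'Dec 10 11:35:16 s18646572 postfix/pickup[6439]: 1B2C320F29113: uid=48 from=<mae_shaw@friendsdomain.uk>',
    'Dec 10 11:36:02 s18646572 postfix/pickup[6439]: 7D4E120F29120: uid=1001 from=<bob@friendsdomain.uk>',
    'Dec 10 11:36:40 s18646572 postfix/smtpd[6502]: 9F00120F29130: client=mail.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@friendsdomain.uk',
);

# Constructed /etc/passwd lines (uid -> name); on a real host use getpwuid().
my %passwd = map { my @f = split /:/; ($f[2] => $f[0]) } (
    'root:x:0:0:root:/root:/bin/bash',
    'apache:x:48:48:Apache:/var/www:/sbin/nologin',
    'bob:x:1001:1001::/home/bob:/bin/bash',
);

# Submission path per queue id. pickup = sendmail(1)/PHP mail() on the box
# itself, so the uid says which local account handed the mail over;
# smtpd = network client, where sasl_username identifies the sender.
sub classify {
    my ($line, $pw) = @_;
    if ($line =~ m{postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>}) {
        my ($qid, $uid, $from) = ($1, $2, $3);
        return { qid => $qid, via => 'local', who => $pw->{$uid} // "uid $uid", from => $from };
    }
    if ($line =~ m{postfix/smtpd\[\d+\]: (\w+): client=(\S+?)(?:,\s*sasl_method=\S+,\s*sasl_username=(\S+))?\s*$}) {
        my ($qid, $client, $user) = ($1, $2, $3);
        return { qid => $qid, via => 'smtpd', who => $user // 'unauthenticated', from => $client };
    }
    return;
}

# Count submissions per (path, account). The web server's uid dominating
# this table means a script on a hosted site is calling mail(), which no
# password change or SASL rule will stop.
sub submission_counts {
    my ($pw, @lines) = @_;
    my %count;
    for my $line (@lines) {
        my $r = classify($line, $pw) or next;
        $count{"$r->{via}:$r->{who}"}++;
    }
    return \%count;
}

my $counts = submission_counts(\%passwd, @maillog);
for my $key (sort { $counts->{$b} <=> $counts->{$a} } keys %$counts) {
    printf "%-30s %d\n", $key, $counts->{$key};
}
```

On the sample this lists local:apache first with two submissions; combined with the X-PHP-Originating-Script header from the queued message, that names both the account and the script (plugin.php, an eval()'d block) to look at.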

Amazon EC2 Email can only send to Yahoo Mail, Not Gmail

I have had a small issue with my EC2 email capabilities. While I am able to send emails from EC2 to my Yahoo Mail account, Gmail stopped receiving my EC2 emails as of 23 hours ago (i.e., 23 hours ago I could do the following and it would work):
mail("jetmail250@gmail.com", $subject, $message, $headers).
The code I use to send mail from my EC2 server is shown below. I checked my spam box, filters, etc. in Gmail and have not seen any mail sent to my Gmail. In order to isolate the problem, I redirected all the messages sent from my EC2 from my Gmail to my Yahoo. And EC2 does successfully send emails to my Yahoo Mail account, with the modified code highlighted in orange below.
I use this email feature on my website (www.JethroChan.com/contact.php) to allow people to use my form to send me emails directly from my website. My Gmail is the sole receiver of these emails from my website's contact form.
<?php
// send email
// Subject and headers come straight from the request. A CR/LF in either
// would let a visitor append headers of their own (extra recipients, a
// forged From:), so strip line breaks before handing them to mail();
// better still, build the header block server-side rather than from the form.
$subject = str_replace(["\r", "\n"], '', $_REQUEST['subject']);
$headers = str_replace(["\r", "\n"], '', $_REQUEST['headers']);
$message = $_REQUEST['message'];
// Originally addressed to a valid @gmail.com account; switched to Yahoo for the test.
mail("jetmail250@yahoo.com", $subject, $message, $headers);
// echo "Email Sent!";
?>
Please help me see why only Yahoo, and Not Google is capable of receiving my EC2 emails as of today :D
Generally speaking, it's not recommended that you send email directly from an EC2 instance. They have been used and abused by spammers since day one, and many email ISPs have taken the drastic step of blacklisting the entire range of IPs used by EC2 from receiving email, just assuming it is all spam.
Much better to use Amazon SES, which will cost next to nothing and is a very simple drop-in replacement for your SMTP. It needs to be set up/verified, but after that it is pretty seamless. For what you are doing, it will probably cost you less than 10 cents a month.
http://aws.amazon.com/ses/
In order to maintain the quality of EC2 addresses for sending email, we enforce default limits on the amount of email that can be sent from EC2 accounts. If you wish to send larger amounts of email from EC2, you can apply to have these limits removed from your account by filling out this form
You can test mail connectivity with a simple telnet session:
Find the address of the Gmail mail relay:
$ dig gmail.com
; <<>> DiG 9.8.3-P1 <<>> gmail.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16340
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;gmail.com. IN A
;; ANSWER SECTION:
gmail.com. 300 IN A 173.194.65.83
gmail.com. 300 IN A 173.194.65.17
gmail.com. 300 IN A 173.194.65.18
gmail.com. 300 IN A 173.194.65.19
;; AUTHORITY SECTION:
gmail.com. 108850 IN NS ns1.google.com.
gmail.com. 108850 IN NS ns2.google.com.
gmail.com. 108850 IN NS ns4.google.com.
gmail.com. 108850 IN NS ns3.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 24566 IN A 216.239.32.10
ns2.google.com. 173323 IN A 216.239.34.10
ns3.google.com. 173323 IN A 216.239.36.10
ns4.google.com. 173323 IN A 216.239.38.10
;; Query time: 46 msec
;; SERVER: 77.241.230.245#53(77.241.230.245)
;; WHEN: Sat Mar 29 08:18:46 2014
;; MSG SIZE rcvd: 234
Telnet on port 25 and issue the following sequence:
$ telnet 173.194.65.83 25
Trying 173.194.65.83...
Connected to ee-in-f83.1e100.net.
Escape character is '^]'.
220 waldorf.attingo.nl ESMTP Exim 4.74 (Debian) Sat, 29 Mar 2014 08:21:56 +0100
helo sst
250 waldorf.attingo.nl Hello sst [77.241.230.246]
mail from:<seb@example.com>
250 OK
rcpt to:<seb@myaddress.com>
250 Accepted
data
354 Enter message, ending with "." on a line by itself
From:Seb
To:Seb
Subject:Test
Hello SMTP
.
250 OK id=1WTnb2-0003N9-2g
quit
221 waldorf.attingo.nl closing connection
Connection closed by foreign host.
(be sure to substitute the Mail From and RcptTo: with valid email addresses)
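The exchange above driven from Perl instead of typed into telnet, as an added example that is not part of the original answer. It checks every reply code before sending the next command, handles multi-line EHLO replies, dot-stuffs body lines that start with "." and reads the queue id from the final 250. The server side is a constructed transcript in the shape of the Exim replies above, fed through an in-memory filehandle so the whole thing runs without a network; to talk to a real relay, replace $in and $out with one IO::Socket::INET connected to the host named in the domain's MX record, since MX rather than A records say which host accepts mail for a domain.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Read one SMTP reply, honouring multi-line replies ("250-" continuation
# lines, "250 " final line); return the three-digit code and the text.
sub read_reply {
    my ($in) = @_;
    my ($code, @text);
    while (defined(my $line = <$in>)) {
        $line =~ s/\r?\n\z//;
        my ($c, $sep, $rest) = $line =~ /^(\d{3})([ -])(.*)$/
            or die "malformed reply: $line\n";
        $code = $c;
        push @text, $rest;
        last if $sep eq ' ';
    }
    die "connection closed before reply\n" unless defined $code;
    return ($code, join "\n", @text);
}

# Send one command (undef = just wait for the banner) and require a reply of
# the wanted class; on anything else send QUIT so the failure is clean.
sub step {
    my ($in, $out, $cmd, $want) = @_;
    print $out "$cmd\r\n" if defined $cmd;        # every client line ends in CRLF
    my ($code, $text) = read_reply($in);
    return ($code, $text) if substr($code, 0, 1) eq $want;
    print $out "QUIT\r\n" if defined $cmd && $cmd ne 'QUIT';
    die sprintf "%s failed: %s %s\n", $cmd // 'banner', $code, $text;
}

# The sequence from the telnet session above. Body lines beginning with "."
# are dot-stuffed (RFC 5321 section 4.5.2) and the message ends in CRLF.CRLF.
sub send_message {
    my ($in, $out, %m) = @_;
    step($in, $out, undef,                  '2');   # 220 banner
    step($in, $out, "EHLO $m{helo}",        '2');
    step($in, $out, "MAIL FROM:<$m{from}>", '2');
    step($in, $out, "RCPT TO:<$m{to}>",     '2');
    step($in, $out, 'DATA',                 '3');
    my $body = join "\r\n",
        "From: $m{from}", "To: $m{to}", "Subject: $m{subject}", '', @{ $m{lines} };
    $body =~ s/^\./../mg;
    my ($code, $text) = step($in, $out, "$body\r\n.", '2');
    step($in, $out, 'QUIT', '2');
    my ($id) = $text =~ /id=(\S+)/;
    return $id // $text;
}

# Constructed server side in the shape of the Exim replies above (the EHLO
# reply is made multi-line to exercise read_reply), via in-memory handles.
my $replies = join "\r\n",
    '220 waldorf.attingo.nl ESMTP Exim 4.74 (Debian)',
    '250-waldorf.attingo.nl Hello sst [77.241.230.246]',
    '250-SIZE 52428800',
    '250 HELP',
    '250 OK',
    '250 Accepted',
    '354 Enter message, ending with "." on a line by itself',
    '250 OK id=1WTnb2-0003N9-2g',
    '221 waldorf.attingo.nl closing connection', '';
open my $in,  '<', \$replies or die $!;
my $sent = '';
open my $out, '>', \$sent or die $!;

my $id = send_message($in, $out,
    helo    => 'sst',
    from    => 'seb@example.com',
    to      => 'seb@myaddress.com',
    subject => 'Test',
    lines   => ['Hello SMTP', '.this line starts with a dot']);
close $out;
print "queued as $id\n";
print "client sent:\n", $sent;
```

Run as is, it prints "queued as 1WTnb2-0003N9-2g" followed by the client half of the dialogue; a relay that rejects EC2 addresses will instead die at the MAIL FROM or RCPT TO step with the 5xx text, which is the information the telnet test is after.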