
	 SmtpRC Version 0.9.7b
	   Spencer Hardy
	diceman@dircon.co.uk



Bugs, comments, discussion, feature requests to diceman@dircon.co.uk.



SMTP Open Relay Scanner version 0.9.7b

This is still in development as of v0.9.7b.

SmtpRC allows vast subnets to be scanned for open SMTP relays.
It can be configured to send mails through the SMTP servers
being tested and then check to see if any relayed emails are
received. It will then display all results in HTML for viewing.

It can be cron'd to run at intervals to check for new open 
relays and to see if relays have been secured.

An ISP could use it to keep track of customers' mail servers
and to alert them if they are running an open relay.

To compile the program, just unpack it into any directory and
run make. This will produce a binary, smtprc, that can be run
from anywhere on the system. There are also several example
config files that contain info for testing.

The best way to run smtprc is to edit the config file
auto.conf to suit your network and run smtprc with the -j
option, eg:

./smtprc -j auto.conf


It can also be run from the command line with the following options.


./smtprc -c [relay check config file] -s [ip range to scan] 
-p [max number of threads to use] 
-b [email address to relay to]
-e [mailbox file of relay email address]
-y [file that contains email template]
-w [html file to print results to]
-n
-a 
-z
-m [seconds to wait for relayed mail]


eg: ./smtprc -c rcheck.conf -s 10.10.1-10.* -p 500 
-b smtprc@warg.co.uk
-e /var/mail/smtprc
-w /usr/local/apache/htdocs/results.html
-y /etc/email.tmpl
-n
-z
-a 
-m 60

You can also generate an auto.conf file from the command line
options used by adding the -k [path to file] option. After this you
can then run ./smtprc -j [path to file].

You will also need to edit rcheck.conf to configure it to run
the checks that you want. There are some example checks in the
file already.



OPTIONS:

-s [IP Range]
-i [IP List FILE]
-b [Email address]
-e [Local mail box]
-c [Relay check file]
-j [SmtpRC config file]
-k [Path to config file to generate]
-w [Output HTML file]
-f [Output TXT file]
-o [Output File, Machine readable]
-l [Connect timeout]
-r [Read timeout]
-m [time to wait to receive relayed mail]
-y [email template]

-n
-a
-z
-v

----

The config file that is used with the -c option contains a list
of checks that are to be performed on each smtp server that is
being checked.

It consists of three columns that are in the format:

<HELO>	 <MAIL FROM>	<RCPT TO>

For example, if the file contains:

x.x diceman@dircon.co.uk diceman@dircon.co.uk

Then the test carried out will be:

HELO x.x
MAIL FROM:diceman@dircon.co.uk
RCPT TO:diceman@dircon.co.uk

As long as the format is kept to, as many checks as needed
can be added to the file.

There are also additional flags that can be used in the file.
These are:

--NAME-- --DOMAIN-- --RELAY-- --HOSTNAME--


--NAME-- will be swapped out with the name part of the email
address specified with the -b option.

--DOMAIN-- will be swapped out with the domain part of the
email address specified with the -b option.

--RELAY-- will be swapped out with the hostname of the server
being scanned.

--HOSTNAME-- will be swapped out with the IP address of the
server being scanned.

--------

The -s option specifies an IP range to be scanned. '-' and '*'
can be used to delimit the range.

eg:

10.10.1-10.* would scan from 10.10.1.1 - 10.10.10.255
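As an added example (not SmtpRC's own code), here is a parser for the -s range syntax that expands a range into individual addresses and checks that every address lies inside netblocks you are responsible for. It assumes "a-b" in an octet is the inclusive range a..b and "*" means 1..255, which is what reproduces the README's own 10.10.1-10.* example; the CIDR lists and addresses used below are constructed.

```python
# Added example for the -s range syntax; it is not part of SmtpRC.
# Assumptions (the README gives only one example): "a-b" in an octet is the
# inclusive range a..b and "*" means 1..255, which reproduces the README's own
# mapping of 10.10.1-10.* to 10.10.1.1 - 10.10.10.255.
import ipaddress
import itertools
from typing import Iterator, List


def expand_octet(spec: str) -> List[int]:
    """Expand one octet of the -s syntax ("7", "1-10" or "*") into integers."""
    if spec == "*":
        return list(range(1, 256))
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        lo_i, hi_i = int(lo), int(hi)
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"bad octet range: {spec!r}")
        return list(range(lo_i, hi_i + 1))
    value = int(spec)
    if not 0 <= value <= 255:
        raise ValueError(f"bad octet: {spec!r}")
    return [value]


def expand_range(range_spec: str) -> Iterator[str]:
    """Yield every dotted-quad address covered by a -s style range, in scan order."""
    octets = range_spec.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"range must have four dotted octets: {range_spec!r}")
    choices = [expand_octet(o) for o in octets]
    for combo in itertools.product(*choices):
        yield ".".join(str(x) for x in combo)


def count_range(range_spec: str) -> int:
    """How many hosts a range covers; worth knowing before picking -p and -m."""
    return sum(1 for _ in expand_range(range_spec))


def out_of_scope(range_spec: str, allowed_cidrs: List[str]) -> List[str]:
    """Addresses in the range that fall outside the networks you are
    responsible for, e.g. an ISP's own customer netblocks. A non-empty
    result means the -s range should be narrowed before scanning."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [a for a in expand_range(range_spec)
            if not any(ipaddress.ip_address(a) in net for net in allowed)]


if __name__ == "__main__":
    # Constructed example: the README's range checked against a /16 you own.
    print(count_range("10.10.1-10.*"))                         # 2550
    print(out_of_scope("10.10.1-10.*", ["10.10.0.0/16"]))      # []
```

count_range gives the host count that -p (threads) and -m (wait for relayed mail) have to be sized against; out_of_scope is the guard to run before a cron'd scan so that a typo in the range never reaches addresses outside your own netblocks.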

--------

The -p option is used to specify the maximum number of threads
to scan with. Experiment with this number to find the maximum
that your machine can run.


-------

The -b option specifies the email address that is substituted
for the --NAME-- and --DOMAIN-- flags in the check file
specified with the -c option. This should be a valid email
address that you want mail relayed to; it can then be checked to see
if any relayed emails are received. If the -e option is used then
this address should be a mailbox on the local server, and SmtpRC
will check the local mailbox specified with -e for any relayed
mails.

------ 

The -e option specifies a mailbox on the local machine. When
this option is used SmtpRC will check the mailbox for relayed
emails and display any that are received in the output file.

This option must correspond with the email address specified 
with the -b option and the --NAME-- and --DOMAIN-- flags used
in the config file. (Use the example file rcheck.conf).

For example, I use the options -b smtprc@mydomain.com
-e /var/mail/smtprc. The program will then check the file
/var/mail/smtprc for any relayed emails.

-------

The -w option specifies the HTML file that should be used to 
print the results to.

You can also use the option -i [filename] to specify a file that 
contains a list of hostnames/IP addresses to scan.


------

The -y option can be used to specify a file that contains an email
template that will be used to send emails through all mailservers
that are checked. An example template is included called email.tmpl.

The format of the file is:

SUBJECT:Test for succept..... blah blah ENDSUBJECT
BODY:This is a test for suceep..... blah blahENDBODY
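The following added example (not SmtpRC's own code) ties the -y template and the -e mailbox together: it reads the test subject out of a template in the format above, then looks through an mbox-format mailbox for messages carrying that subject and reports which server handed each one to the local MTA, read from the top-most Received: header. The template and the two-message mailbox are constructed; that the -e file is mbox format and that the relaying server is identified from "Received: from <host>" are assumptions, since the README does not say how SmtpRC matches relayed mail back to a server.

```python
# Added example, not SmtpRC's own code, covering the -y template and the -e
# mailbox together: read the test subject from the template, then look through
# an mbox-format mailbox for messages with that subject and report which server
# handed each one to us, taken from the top-most Received: header. Assumptions:
# the -e file is in mbox format, and the relaying server is identified from
# "Received: from <host>"; the README does not say how SmtpRC does the matching.
import email
import re
from email.message import Message
from typing import Dict, List, Optional, Tuple

TEMPLATE_RE = re.compile(r"SUBJECT:(.*?)ENDSUBJECT.*?BODY:(.*?)ENDBODY", re.S)
RECEIVED_FROM_RE = re.compile(r"^from\s+(\S+)", re.I)


def parse_template(text: str) -> Tuple[str, str]:
    """Return (subject, body) from a -y template file."""
    m = TEMPLATE_RE.search(text)
    if not m:
        raise ValueError("template needs SUBJECT:...ENDSUBJECT and BODY:...ENDBODY")
    return m.group(1).strip(), m.group(2).strip()


def split_mbox(text: str) -> List[Message]:
    """Split mbox text on its 'From ' separator lines and parse each message."""
    return [email.message_from_string(chunk)
            for chunk in re.split(r"^From .*\n", text, flags=re.M)
            if chunk.strip()]


def relay_of(msg: Message) -> Optional[str]:
    """Host named in the first (most recent) Received: header, unfolded."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_FROM_RE.match(" ".join(received[0].split()))
    return m.group(1) if m else None


def relayed_messages(mbox_text: str, subject: str) -> Dict[str, int]:
    """Count test messages in the mailbox per relaying host. Only messages whose
    Subject equals the template subject are counted, so unrelated mail in the
    same mailbox (the -e file may be a normal user mailbox) is ignored."""
    counts: Dict[str, int] = {}
    for msg in split_mbox(mbox_text):
        if (msg.get("Subject") or "").strip() != subject:
            continue
        host = relay_of(msg) or "unknown"
        counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample data (not real mail): a template and a two-message mailbox.
SAMPLE_TEMPLATE = "SUBJECT:SmtpRC relay test ENDSUBJECT\nBODY:This is a relay test. ENDBODY\n"
SAMPLE_MBOX = """\
From smtprc@mydomain.com Mon Jan  1 00:00:00 2001
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.mydomain.com with SMTP id abc123
From: smtprc@mydomain.com
To: smtprc@mydomain.com
Subject: SmtpRC relay test

This is a relay test.

From alice@example.org Mon Jan  1 00:01:00 2001
Received: from localhost (localhost [127.0.0.1])
    by mx.mydomain.com with SMTP id def456
From: alice@example.org
To: smtprc@mydomain.com
Subject: unrelated

hello
"""


def demo() -> Dict[str, int]:
    subject, _body = parse_template(SAMPLE_TEMPLATE)
    return relayed_messages(SAMPLE_MBOX, subject)


if __name__ == "__main__":
    print(demo())  # {'mail.example.net': 1}
```

Only the top-most Received: header is trusted here because it is the one your own MTA wrote; any Received: lines below it were supplied by the remote side and can say anything. A message that matches the subject but has no usable Received: header is counted under "unknown" rather than dropped, so a misconfigured local MTA shows up in the result instead of hiding a relay.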

------

The -o option specifies the file to output the results to in
machine-readable format. Each scan is saved on a separate line
with each value separated by a comma. The values are:

IP address, Domain name, Rule No, STATUS, Banner, Helo reply,
MAIL FROM: reply, RCPT TO: reply
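As an added example (not SmtpRC's own code), here is a parser for the -o output described above that turns it into per-host records, picks out hosts by STATUS, and compares two runs to list hosts that started relaying since the previous scan, which is the cron'd-interval use the README suggests. It assumes the eight values are separated by plain commas with no quoting (the README gives the columns but no quoting rule), so it splits off only the first four columns and keeps the banner and SMTP replies, which may themselves contain commas, as one trailing string. The sample output and its STATUS words are constructed; the README does not list the STATUS vocabulary.

```python
# Added example, not SmtpRC's own code: parse the -o machine-readable output
# into per-host records and pick out hosts by STATUS, which is what an ISP
# alerting its customers needs. Assumptions: the eight values are separated by
# plain commas with no quoting (the README lists the columns but no quoting
# rule), so only the first four columns are split off and the banner and SMTP
# replies, which may themselves contain commas, are kept as one trailing string.
# The STATUS words in the sample are constructed; the README does not list them.
from collections import defaultdict
from typing import Dict, List, NamedTuple


class ScanRecord(NamedTuple):
    ip: str
    domain: str
    rule_no: str
    status: str
    replies: str  # "Banner, Helo reply, MAIL FROM: reply, RCPT TO: reply", unsplit


def parse_output(text: str) -> List[ScanRecord]:
    records: List[ScanRecord] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",", 4)]
        if len(parts) < 5:
            raise ValueError(f"line {lineno}: fewer than 5 comma-separated values")
        records.append(ScanRecord(*parts))
    return records


def hosts_by_status(records: List[ScanRecord], wanted: str) -> Dict[str, List[str]]:
    """Map IP address -> rule numbers whose STATUS equals `wanted`."""
    out: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        if r.status == wanted:
            out[r.ip].append(r.rule_no)
    return dict(out)


def newly_relaying(previous: List[ScanRecord], current: List[ScanRecord],
                   relayed_status: str) -> List[str]:
    """IPs that relayed in the current scan but not in the previous one; the
    README suggests cron'd runs to spot new open relays and secured ones."""
    before = set(hosts_by_status(previous, relayed_status))
    now = set(hosts_by_status(current, relayed_status))
    return sorted(now - before)


# Constructed sample output in the README's column order (IP, domain, rule no,
# STATUS, banner, HELO reply, MAIL FROM reply, RCPT TO reply).
SAMPLE_OUTPUT = """\
192.0.2.10,mail.example.net,1,RELAYED,220 mail.example.net ESMTP,250 Hello,250 Ok,250 Ok
192.0.2.10,mail.example.net,2,REJECTED,220 mail.example.net ESMTP,250 Hello,250 Ok,550 Relaying denied
192.0.2.20,mx.example.org,1,REJECTED,220 mx.example.org ESMTP ready, go ahead,250 Hello,250 Ok,554 Relay access denied
"""

if __name__ == "__main__":
    recs = parse_output(SAMPLE_OUTPUT)
    print(hosts_by_status(recs, "RELAYED"))          # {'192.0.2.10': ['1']}
    print(newly_relaying([], recs, "RELAYED"))       # ['192.0.2.10']
```

Keeping the last four columns unsplit is deliberate: the third sample line has a comma inside the banner, and a naive split on every comma would shift its RCPT TO reply into the wrong field. Replace the placeholder STATUS word with whatever the real SmtpRC output uses once you have seen a run.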


-------


The -j option is used to specify a command config file to use.
This option can be used instead of any other command line
options.

This config file contains a list of options to configure SmtpRC
for scanning. There is an example file included called auto.conf;
to use it you must first change the values for your machine.


------


The -k option is used to generate a config file from the command
line options. The file can then be used with the -j option.

------


The -f option specifies the txt file that the results should be
printed to.


------

If the -n option is used then SmtpRC will try to resolve all IP
addresses to domain names for scanning.


------

If the -z option is used then verbose output is written to
the resulting HTML file. It shows the complete SMTP transaction
from start to finish.


------


If the -a option is used then all results are printed to the
output files, not just the servers that failed the tests.


------


The -l option is used to specify the timeout value for connecting
to servers. The default value is 20 seconds.


------

The -r option is used to specify the timeout value for reading
from the servers that are being tested. The default value is
60 seconds.


------

Also, the number of threads that works best will depend on the machine.
I have been running this OK with 500 threads on a FreeBSD 4.4
STABLE Celeron 333 laptop with 128 megs of RAM, although my
more powerful Linux box will only allow a maximum of 255 threads
to run together.


------
**
** If you need any help with this program, would like to make a comment
** or would like to report a bug then please email diceman@dircon.co.uk.
**





BUGS:

I'm sure there are a few bugs as this is still in development; also I
don't have a very large test network, so finding bugs is quite difficult.
I would really appreciate any bug reports, no matter how small.

If you would like to report a bug, get help with the program,
have any new features added or just comment on the program, then
you can reach me at diceman@dircon.co.uk. I can also be usually


I am not a programmer; this was written simply as part of a hobby,
so expect some of the code to be messy :)



Spencer Hardy
diceman@dircon.co.uk




