
Analyzer Class Reference
[Engine]

The main engine of Abuse: the e-mail headers scanner.

#include <Analyze.h>


Public Types

enum  Option { VIEWWHOIS, ABUSEDETAILS, USEONLYCACHE, NODISPLAYOUTPUT }
 Boolean engine options that can be set.
enum  Type { EMAILHEADER, IP_URL }
 Type of analysis requested: an e-mail header, or an IP address/URL.

Static Public Member Functions

static void setDnsbls (std::list< Dnsbl > lst)
 Set the DNSBL list to be used.
static void addDnsbl (const Dnsbl &to_add)
 Add a DNSBL.
static void removeDnsbl (const std::string &name)
 Remove a DNSBL.
static void analyze (const std::string &is, VirtStream &hOut, const AnalyzerFeedback *listener=NULL, Type type=EMAILHEADER)
 Start a header analysis.
static void stop ()
 Stop a running analysis.
static bool getBoolOption (Option opt)
 Get an engine option.
static void setOption (Option opt, bool newvalue)
 Set a boolean engine option.
static void setAbuseCache (AbuseAddiesCache *cache)
 Set the Abuse Address Cache.
static void setSafeAddresses (const std::list< UrlRange > &safe)
 Set a list of ranges of ip addresses as trustable.
static AbuseAddiesCache * getAbuseCache ()
 Return a pointer to the Abuse Addresses Cache.
static void getVersionStrings (std::string &versionData)
 Retrieve the engine version.
static void setThreshold (const int value)
 Set a threshold level of confidence when extracting abuse contacts.
static void getErrorCnts (error_Cnts &cnts)
 Retrieve the errors of an analysis.

Private Types

typedef std::map< Option, bool > BoolOptions

Private Member Functions

 Analyzer ()
 Private constructor: the class is never instantiated.

Static Private Member Functions

static void doAnalyzeIP_URL (const std::string &is, VirtStream &hOut) throw (std::exception)
static void doAnalyze (const std::string &is, VirtStream &hOut) throw (std::exception)
static Result massiveCheck (const Url &url, std::list< std::string > *names=NULL)
static void dump (VirtStream &ss, const Received &curr)
static THREADRETVALUE threadBegin (LPVOID lpv)
static int checkChain (const Received &curr, const Received &prev, VirtStream &os, int initialLevel=0)
static bool checkMX (const Received &curr, VirtStream &os)
static EmailTrust checkAbuseOnline (const Url &thisUrl, std::list< std::string > &contacts, VirtStream &os)
static EmailTrust getAbuse (ZeWhois::WhoisList &we, std::list< std::string > &emails, Url &thisUrl, VirtStream &os)
static BoolOptions & boolOptions ()
static void init ()
static bool isTrusted (const Received &rec)
static bool canBeDynamic (const Url &url, const std::string &declared_to_be)

Static Private Attributes

static const char * NOTSET = "[[NOTSET]]"
static const AnalyzerFeedback * listener = NULL
static std::list< RefCounted< ThreadedDnsbl > > dnsbls
static Event eTerminate = true
static AbuseAddiesCache * m_cache = NULL
static std::list< UrlRange > m_safeAddies
static int THRESHOLD = 100
static int NAMEMISMATCH = 75
static int NAMELOOKSDYNAMIC = 100
static int BLACKLISTED = 75
static int RECBYMISMATCH = 100
static int SIMILARNAMES = -75
static int SAMEDOMAINS = -75

Friends

class Win32Initializer


Detailed Description

The main engine of Abuse: the e-mail headers scanner.

Warning:
The whole class is static, so Abuse cannot run more than one analysis at a time.
Help in turning this class from a static into a non-static one (so that multi-threaded, parallel analyses become possible) would be very welcome.


Member Typedef Documentation

typedef std::map< Option, bool > Analyzer::BoolOptions [private]

For internal use only.

Useful typedef for engine boolean options


Member Enumeration Documentation

enum Analyzer::Option
 

Boolean engine options that can be set.

Enumerator:
VIEWWHOIS  Logs the whois info.
ABUSEDETAILS  Logs how the abuse addresses are extracted.
USEONLYCACHE  Use only the cache to get the abuse addresses.
NODISPLAYOUTPUT  Don't output anything.

enum Analyzer::Type
 

Type of analysis requested: an e-mail header, or an IP address/URL.

Todo:
Dave, please document this
Enumerator:
EMAILHEADER 
Todo:
Dave, please document this
IP_URL 
Todo:
Dave, please document this


Constructor & Destructor Documentation

Analyzer::Analyzer ( ) [private]

Private constructor: the class is never instantiated.


Member Function Documentation

void Analyzer::addDnsbl ( const Dnsbl & to_add ) [static]

Add a DNSBL.

Parameters:
to_add is the DNSBL to be added
See also:
Dnsbl

void Analyzer::analyze ( const std::string & is, VirtStream & hOut, const AnalyzerFeedback * listener = NULL, Type type = EMAILHEADER ) [static]

Start a header analysis.

Parameters:
is is the email to be analyzed
hOut is the output stream to be used to give feedback to the client
listener is a pointer to the AnalyzerFeedback interface implementation provided by the client (see AnalyzerFeedback )
type is the type of analysis requested (EMAILHEADER for an e-mail header, IP_URL for an IP address or URL)

Analyzer::BoolOptions & Analyzer::boolOptions ( ) [static, private]

For internal use only.

Return a reference to the engine bool options

static bool Analyzer::canBeDynamic ( const Url & url, const std::string & declared_to_be ) [static, private]

For internal use only.

Return true if a host is likely to be on a dynamic IP address (see NAMELOOKSDYNAMIC)

EmailTrust Analyzer::checkAbuseOnline ( const Url & thisUrl, std::list< std::string > & contacts, VirtStream & os ) [static, private]

For internal use only.

No info about this...

int Analyzer::checkChain ( const Received & curr, const Received & prev, VirtStream & os, int initialLevel = 0 ) [static, private]

Check whether the Received: chain is consistent, i.e. whether a Received line can be trusted not to have been forged

Parameters:
[in] curr is the Received line under analysis
[in] prev is the previous (upper) Received line
[in] os is the output stream to be used for output
[in] initialLevel is the initial level of confidence

bool Analyzer::checkMX ( const Received & curr, VirtStream & os ) [static, private]

For internal use only.

Check whether an e-mail address contained in a Received line has a default MX (mail exchanger) host

void Analyzer::doAnalyze ( const std::string & is, VirtStream & hOut ) throw (std::exception) [static, private]

For internal use only.

Parameters:
[in] is is the mail to be analyzed
[in] hOut is the stream to use for the output
Exceptions:
std::exception if something goes wrong

void Analyzer::doAnalyzeIP_URL ( const std::string & is, VirtStream & hOut ) throw (std::exception) [static, private]

For internal use only.

Analyze a single IP address or URL (the IP_URL analysis type)

void Analyzer::dump ( VirtStream & ss, const Received & curr ) [static, private]

That's what I remember

Parameters:
[in] ss is the output stream to dump on
[in] curr is the received line to be outputted

EmailTrust Analyzer::getAbuse ( ZeWhois::WhoisList & we, std::list< std::string > & emails, Url & thisUrl, VirtStream & os ) [static, private]

For internal use only.

Try to extract the abuse addresses of a host from its whois records

AbuseAddiesCache * Analyzer::getAbuseCache ( ) [static]

Return a pointer to the Abuse Addresses Cache.

Returns:
A pointer to the Abuse Addresses Cache currently in use, or NULL if no cache is used
See also:
AbuseAddiesCache

bool Analyzer::getBoolOption ( Option opt ) [static]

Get an engine option.

Parameters:
opt is the option name
Returns:
the value of the option (true or false)

void Analyzer::getErrorCnts ( error_Cnts & cnts ) [static]

Retrieve the errors of an analysis.

Parameters:
[out] cnts is a struct receiving the errors of the analysis

void Analyzer::getVersionStrings ( std::string & versionData ) [static]

Retrieve the engine version.

Parameters:
[out] versionData will contain the version of the scan engine

void Analyzer::init ( ) [static, private]

For internal use only.

Init the engine

bool Analyzer::isTrusted ( const Received & rec ) [static, private]

For internal use only.

Tell whether a Received line comes from a trustable address (one inside the ranges given to setSafeAddresses)

static Result Analyzer::massiveCheck ( const Url & url, std::list< std::string > * names = NULL ) [static, private]

For internal use only.

Parameters:
[in] url is the host to be tested
[out] names if not null, receives the text of the DNS TXT record each DNSBL returns for this host
Returns:
the combined (OR'ed) result of the queries to all configured DNSBLs
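As an added example (not code from Netlib for Abuse!), the following C++ shows the two things a massiveCheck-style routine has to get right: building the reversed-octet query name for each DNSBL zone, and OR'ing the per-list answers into one Result while collecting the TXT strings. The resolver is a constructed in-memory table standing in for real DNS; the bit layout of Result, the zone names bl.one.example / bl.two.example / bl.dead.example and the sample addresses are assumptions of this example, not of the engine.

```cpp
// Added example, not code from Netlib for Abuse!: how a DNSBL query name is
// built and how the answers of several lists are OR'ed into one Result, in
// the spirit of Analyzer::massiveCheck. The resolver is a constructed
// in-memory table standing in for real DNS; the bit layout of Result, the
// list zone names and the sample addresses are assumptions for this example.
#include <cstdio>
#include <list>
#include <map>
#include <string>
#include <vector>

typedef unsigned Result;  // assumed: bit i set <=> zone i lists the address

struct DnsblAnswer { std::string a; std::string txt; };

// Constructed stand-in for DNS A/TXT lookups. Real DNSBLs answer listings with
// an address in 127.0.0.0/8 whose last octet encodes the reason; a parked or
// dead zone (bl.dead.example here) may wildcard every name to a web host.
const std::map<std::string, DnsblAnswer>& fakeDns() {
    static const std::map<std::string, DnsblAnswer> t = {
        {"23.100.51.198.bl.one.example",  {"127.0.0.2", "dynamic address space"}},
        {"23.100.51.198.bl.two.example",  {"127.0.0.4", "open relay reported 2005-06-10"}},
        {"23.100.51.198.bl.dead.example", {"192.0.2.80", ""}},
        {"10.2.0.192.bl.dead.example",    {"192.0.2.80", ""}},
    };
    return t;
}

// 198.51.100.23 on bl.one.example -> 23.100.51.198.bl.one.example
std::string dnsblQueryName(const std::string& ip, const std::string& zone) {
    std::vector<std::string> oct;
    size_t start = 0, dot;
    while ((dot = ip.find('.', start)) != std::string::npos) {
        oct.push_back(ip.substr(start, dot - start));
        start = dot + 1;
    }
    oct.push_back(ip.substr(start));
    if (oct.size() != 4) return "";  // not a dotted IPv4 address
    return oct[3] + "." + oct[2] + "." + oct[1] + "." + oct[0] + "." + zone;
}

// Queries every zone and ORs the hits; TXT strings go to `names` if given.
Result massiveCheck(const std::string& ip, const std::vector<std::string>& zones,
                    std::list<std::string>* names = nullptr) {
    Result r = 0;
    for (size_t i = 0; i < zones.size(); ++i) {
        std::map<std::string, DnsblAnswer>::const_iterator it =
            fakeDns().find(dnsblQueryName(ip, zones[i]));
        if (it == fakeDns().end()) continue;                    // NXDOMAIN: not listed
        if (it->second.a.compare(0, 4, "127.") != 0) continue;  // not a listing answer
        r |= Result(1) << i;
        if (names && !it->second.txt.empty())
            names->push_back(zones[i] + ": " + it->second.txt);
    }
    return r;
}

int main() {
    std::vector<std::string> zones = {"bl.one.example", "bl.two.example", "bl.dead.example"};
    std::list<std::string> txt;
    Result r = massiveCheck("198.51.100.23", zones, &txt);
    std::printf("198.51.100.23 -> result 0x%x\n", r);
    for (const std::string& s : txt) std::printf("  %s\n", s.c_str());
    std::printf("192.0.2.10 -> result 0x%x\n", massiveCheck("192.0.2.10", zones));
    return 0;
}
```

The 127.0.0.0/8 check is the caveat worth keeping: a list that has died and been parked answers every query with the same non-loopback address, and without that check every sender would count as BLACKLISTED.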

void Analyzer::removeDnsbl ( const std::string & name ) [static]

Remove a DNSBL.

Parameters:
name is the DNSBL to be removed
See also:
Dnsbl

void Analyzer::setAbuseCache ( AbuseAddiesCache * cache ) [static]

Set the Abuse Address Cache.

Parameters:
cache is a pointer to the new cache (or NULL to avoid using any cache)
See also:
AbuseAddiesCache

void Analyzer::setDnsbls ( std::list< Dnsbl > lst ) [static]

Set the DNSBL list to be used.

Parameters:
lst is the list of the DNSBL
See also:
Dnsbl

void Analyzer::setOption ( Option opt, bool newvalue ) [static]

Set a boolean engine option.

Parameters:
opt is the option to be set
newvalue is its new value

void Analyzer::setSafeAddresses ( const std::list< UrlRange > & safe ) [static]

Set a list of ranges of ip addresses as trustable.

This member qualifies some IP ranges as trustable: any Received: line of an e-mail header that shows one of these addresses as the dispatching host (the "from" side) is assumed authentic (not faked), and so is the previous line, where the same host should appear as the receiver (the "by" side of the line).

Parameters:
[in] safe is a list of ip ranges to be marked as trustable
See also:
UrlRange

void Analyzer::setThreshold ( const int value ) [static]

Set a threshold level of confidence when extracting abuse contacts.

Parameters:
[in] value is the new threshold level

void Analyzer::stop ( ) [static]

Stop a running analysis.

THREADRETVALUE Analyzer::threadBegin ( LPVOID lpv ) [static, private]

Analyzer::analyze starts a new thread, passing it a pointer to the data describing the analysis.
This is the entry point of that thread; it dispatches the data to the correct analysis function.


Friends And Related Function Documentation

friend class Win32Initializer [friend]
 


Member Data Documentation

int Analyzer::BLACKLISTED = 75 [static, private]
 

For internal use only.

Decrement in confidence if a mail server is blacklisted, i.e. listed by one of the configured DNSBLs

std::list< RefCounted< ThreadedDnsbl > > Analyzer::dnsbls [static, private]
 

For internal use only.

list of dnsbls used, each one running in its own thread

Event Analyzer::eTerminate = true [static, private]
 

For internal use only.

Event set if the analysis is to be interrupted

const AnalyzerFeedback * Analyzer::listener = NULL [static, private]
 

For internal use only.

Pointer to the client sink interface

AbuseAddiesCache * Analyzer::m_cache = NULL [static, private]
 

For internal use only.

Pointer to the Abuse Addresses Cache

std::list< UrlRange > Analyzer::m_safeAddies [static, private]
 

For internal use only.

list of ip addresses ranges to be considered as safe (trustable)

int Analyzer::NAMELOOKSDYNAMIC = 100 [static, private]
 

For internal use only.

Decrement in confidence if a mail server's name contains its own IP address (typical of dynamically assigned, end-user addresses)

int Analyzer::NAMEMISMATCH = 75 [static, private]
 

For internal use only.

Decrement in confidence if a mail server's name is not the one it declared itself to be (the name it announced versus the name the receiver recorded)

const char * Analyzer::NOTSET = "[[NOTSET]]" [static, private]
 

For internal use only.

I simply don't remember what this is used for...

int Analyzer::RECBYMISMATCH = 100 [static, private]
 

For internal use only.

Decrement in confidence if there is a from/by mismatch between two consecutive Received lines

int Analyzer::SAMEDOMAINS = -75 [static, private]
 

For internal use only.

Increment in confidence (a negative decrement) when a Received line mismatch is apparently due to two hosts in the same domain

int Analyzer::SIMILARNAMES = -75 [static, private]
 

For internal use only.

Increment in confidence (a negative decrement) when a Received line mismatch is apparently due to two hosts with similar names

int Analyzer::THRESHOLD = 100 [static, private]
 

For internal use only.

Threshold level of confidence of a Received line
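The following C++ is an added example, not code from Netlib for Abuse!; it shows how the weights documented above combine into a per-line verdict in the spirit of checkChain, with setSafeAddresses-style trusted ranges and a canBeDynamic-style heuristic. THRESHOLD and the six weights are the values on this page. Everything else is an assumption of the example: the Received: parsing regex, IpRange as a stand-in for UrlRange, the "looks dynamic" and "similar names" heuristics, the constructed sample headers, and the reading that the weights accumulate from initialLevel (default 0) until the loss of confidence reaches THRESHOLD.

```cpp
// Added example, not code from Netlib for Abuse!: a minimal Received: chain
// scorer in the spirit of Analyzer::checkChain. THRESHOLD and the six weights
// are the values documented on this page; the parsing regex, IpRange (stand-in
// for UrlRange), the name heuristics and the "accumulate from initialLevel,
// suspect at THRESHOLD" reading are assumptions made for this example.
#include <cstdint>
#include <cstdio>
#include <regex>
#include <string>
#include <vector>

const int THRESHOLD        = 100;  // loss of confidence at which a line is suspect
const int NAMEMISMATCH     = 75;   // announced name differs from the recorded reverse DNS
const int NAMELOOKSDYNAMIC = 100;  // peer's name embeds its own IP address
const int RECBYMISMATCH    = 100;  // "by" host here is not the "from" host of the upper line
const int SIMILARNAMES     = -75;  // give back part of RECBYMISMATCH for similar names
const int SAMEDOMAINS      = -75;  // give back part of RECBYMISMATCH for the same domain

struct Received {
    std::string fromName;  // name the peer announced (HELO/EHLO)
    std::string fromRdns;  // reverse DNS of the peer, as recorded by the receiver
    std::string fromIp;    // peer address in [brackets]
    std::string byName;    // the MTA that wrote this line
};

struct IpRange { uint32_t lo, hi; };  // inclusive IPv4 range, host byte order

uint32_t ipToU32(const std::string& dotted) {
    unsigned a = 0, b = 0, c = 0, d = 0;
    if (std::sscanf(dotted.c_str(), "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

// Parses "from HELO (rdns [ip]) by HOST ..."; the parenthesised part is optional.
bool parseReceived(const std::string& line, Received& out) {
    static const std::regex re(
        R"(from\s+(\S+)\s*(?:\(([^\s\[\]]*)\s*\[([0-9.]+)\]\))?\s+by\s+(\S+))");
    std::smatch m;
    if (!std::regex_search(line, m, re)) return false;
    out = Received{m[1].str(), m[2].str(), m[3].str(), m[4].str()};
    return true;
}

// Last two labels of a host name ("mx.example.org" -> "example.org").
std::string domainOf(const std::string& host) {
    size_t p = host.rfind('.');
    if (p == std::string::npos || p == 0) return host;
    size_t q = host.rfind('.', p - 1);
    return q == std::string::npos ? host : host.substr(q + 1);
}

// Assumed canBeDynamic heuristic: the name contains the IP, dotted or dashed.
bool nameLooksDynamic(const std::string& name, const std::string& ip) {
    if (ip.empty()) return false;
    std::string dashed = ip;
    for (char& c : dashed) if (c == '.') c = '-';
    return name.find(ip) != std::string::npos || name.find(dashed) != std::string::npos;
}

bool isTrusted(const std::string& ip, const std::vector<IpRange>& safe) {
    uint32_t v = ipToU32(ip);
    for (const IpRange& r : safe) if (v >= r.lo && v <= r.hi) return true;
    return false;
}

// Returns the accumulated loss of confidence for `curr`; `upper` is the line
// written by the next hop (printed above `curr`), or null for the top line.
int checkChain(const Received& curr, const Received* upper,
               const std::vector<IpRange>& safe, int initialLevel = 0) {
    int loss = initialLevel;
    if (isTrusted(curr.fromIp, safe)) return loss;  // trusted relay: taken as authentic
    const std::string& peer = curr.fromRdns.empty() ? curr.fromName : curr.fromRdns;
    if (!curr.fromRdns.empty() && curr.fromName != curr.fromRdns) loss += NAMEMISMATCH;
    if (nameLooksDynamic(peer, curr.fromIp)) loss += NAMELOOKSDYNAMIC;
    if (upper) {
        // The upper hop must have received from the host that claims to have
        // written this line; otherwise a forged line was inserted below it.
        const std::string& seen = upper->fromRdns.empty() ? upper->fromName : upper->fromRdns;
        if (seen != curr.byName && upper->fromName != curr.byName) {
            loss += RECBYMISMATCH;
            if (domainOf(seen) == domainOf(curr.byName)) loss += SAMEDOMAINS;
            else if (seen.find(curr.byName) != std::string::npos ||
                     curr.byName.find(seen) != std::string::npos) loss += SIMILARNAMES;
        }
    }
    return loss;
}

// Scores every parseable Received line of a header block given top-first.
std::vector<int> scoreChain(const std::vector<std::string>& lines,
                            const std::vector<IpRange>& safe) {
    std::vector<int> scores;
    Received upper; bool haveUpper = false;
    for (const std::string& l : lines) {
        Received r;
        if (!parseReceived(l, r)) continue;
        scores.push_back(checkChain(r, haveUpper ? &upper : nullptr, safe));
        upper = r; haveUpper = true;
    }
    return scores;
}

// Constructed sample: a legitimate relay, a direct submission from a dynamic
// address, and a line below it that no upper hop vouches for.
std::vector<std::string> sampleHeaders() {
    return {
        "from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.org with ESMTP id A1; Thu, 16 Jun 2005 00:13:15 +0000",
        "from user-pc (host-198-51-100-23.dyn.example [198.51.100.23]) by mail.example.net with SMTP id B2; Thu, 16 Jun 2005 00:13:10 +0000",
        "from trusted.bank.example (trusted.bank.example [203.0.113.5]) by nothing.example with SMTP id C3; Thu, 16 Jun 2005 00:13:00 +0000"
    };
}

int main() {
    std::vector<int> s = scoreChain(sampleHeaders(), {});
    for (size_t i = 0; i < s.size(); ++i)
        std::printf("line %zu: confidence loss %d%s\n", i, s[i], s[i] >= THRESHOLD ? " (suspect)" : "");
    return 0;
}
```

With the constructed sample the top line loses nothing, the dynamic-address submission loses 175 (name mismatch plus a name embedding its address) and the bottom line loses 100 (no upper hop received from nothing.example). Declaring 198.51.100.0/24 safe drops the second line's loss to 0 but does not rescue the line below it, because its "by" host never appears as the "from" host of the line above, which is exactly the forgery the chain check exists to catch.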


The documentation for this class was generated from the following files:
Generated on Thu Jun 16 00:13:15 2005 for Netlib for Abuse! by  doxygen 1.4.3