Botnet.pm had a small problem in it (I rewrote the IPINHOSTNAME check,
and forgot one of the 4 stanzas, so some hosts may have gotten past it).
I've put up a new version of the tar file with the problem fixed.
Since there weren't any other problems, I'm not incrementing the version
number or anything.
BUT: if you downloaded 0.7 before the time you got this message, you
should probably re-download it.
Sorry,
John
John Rudd wrote:
Botnet 0.7 is up and available.
http://people.ucsc.edu/~jrudd/spamassassin/Botnet-0.7.tar
Botnet is a SpamAssassin plugin which attempts to identify hosts which
are likely to be spambot/virusbot hosts, using various DNS fingerprints
of the submitting relay.
New things in 0.7:
1) BOTNET_SOHO -- If the sender's (chosen from Envelope-From,
Return-Path, or From, in that order) mail domain (the part after the @
sign) resolves back to the relay's IP address, or has an MX host which
resolves back to the IP address, AND the sender's mail domain does NOT
match the PTR record for the relay, then we'll assume this is a "small
office/home office" mail server. We'll exempt them from BOTNET being
triggered. (note: someone suggested that this check also try to
resolve the HELO string, I make a note in my code as to why this is an
extremely bad idea, and have a commented out block of code there for
anyone who wants to go down that path ... but, really, don't)
2) Botnet API -- want to include the Botnet.pm module in other Perl
code? Maybe call "check_botnet" from mimedefang-filter so you can
block before a message gets to SpamAssassin? I've made an API for
it. The routines that SA calls use this API, so it's the _exact_same_
code. There's now an included perl program "Botnet.pl" which takes an
IP address CLI argument, and an optional main-domain CLI argument. It
will tell you which rules do and don't get triggered. It also serves
as an example of using the API. (you will still need to have
SpamAssassin installed in order to use Botnet.pm in this fashion, even
if you're using the API in a program that doesn't call SA)
The file Botnet.api.txt also describes the API somewhat.
3) BOTNET_CLIENT and BOTNET are now actual rules instead of meta
rules. The individual rules are still there, just with zeroed
scores. You can now easily pick between 1 big rule (BOTNET doing
eval:botnet()), meta rules (detailed in the file
Botnet.variations.txt), or piecemeal calling of the individual checks
(also detailed in Botnet.variations.txt).
4) config option: botnet_pass_trusted (all|public|private|ignore)
This defaults to "public". If you have any public IP addresses in
your relays-trusted list, then Botnet won't trigger. Private means
"any private IP addresses", where that includes 127.*, 10.*, etc.
All means either of those two. Ignore means "do what Botnet used to
do: not even look at the trusted relays, just look past them". The
idea is: if you got this from a trusted relay, we can assume it wasn't
a Botnet.
5) botnet_pass_auth now looks at the trusted relays. It probably
should have been doing that all along. It no longer looks at the
untrusted relays.
6) Rules that get triggered now use $permsgstatus->test_log to record
information. The individual rules just list
"[rulename,ip=$ip,hostname=$host,maildomain=$domain]" or an
appropriate subset of that based on which rule it is. BOTNET_CLIENT
and BOTNET also include a list of sub-rule names that were triggered.
So, you might see this:
[botnet0.7,ip=1.2.3.4,host=dsl-1-2-3-4.isp.net,maildomain=spammer.com,baddns,ipinhostname,clientwords,client]
or
[botnet_nordns,ip=2.3.4.5]
or
[botnet_soho,ip=3.4.5.6,hostname=3.4.5.6.isp.net,maildomain=non-spammer-soho.org]
7) shawcable.net and ocn.ne.jp seem to also be botnet sources, but
their hostnames don't fit any of my other patterns. Luckily, they DO
fit some pattern, and it's simple enough to not need a code based
rule, just a regular conventional expression based rule. I've created
BOTNET_SHAWCABLE and BOTNET_OCNNEJP rules to cover these two.
8) The file Botnet.variations.txt exists now with different suggested
alternative ways to do Botnet rules.
9) Botnet.credits.txt exists
10) There's now a $VERSION variable within Botnet.pm. You'll see its
value in the test_log() output for check_botnet (you can see it in the
example above), and in the SpamAssassin debug output ("spamassassin -D")
as the module is loaded and instantiated ("new" is called).
I think that's everything...
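As an added example (not Botnet.pm's own code), here is the BOTNET_SOHO decision from item 1 together with the test_log line format from item 6, written in Python against a constructed DNS table so it runs offline; the lookup() stand-in, the bigmail.example/spammer.com records and the RFC 5737 addresses are assumptions, while 3.4.5.6 and 1.2.3.4 reuse the announcement's own sample values.

```python
# Constructed DNS answers standing in for live lookups (assumption: the real
# plugin queries DNS; keys are (record type, owner name)).
DNS = {
    ("A",   "non-spammer-soho.org"): ["3.4.5.6"],
    ("PTR", "3.4.5.6"):              ["3.4.5.6.isp.net"],
    ("MX",  "bigmail.example"):      ["mx.bigmail.example"],
    ("A",   "mx.bigmail.example"):   ["198.51.100.10"],
    ("PTR", "198.51.100.10"):        ["mx.bigmail.example"],
    ("A",   "spammer.com"):          ["203.0.113.9"],
    ("MX",  "spammer.com"):          ["mail.spammer.com"],
    ("A",   "mail.spammer.com"):     ["203.0.113.9"],
    ("PTR", "1.2.3.4"):              ["dsl-1-2-3-4.isp.net"],
}

def lookup(rtype, name):
    """Stand-in resolver: constructed answers, [] when nothing exists."""
    return DNS.get((rtype, name.lower().rstrip(".")), [])

def domain_points_at_relay(domain, relay_ip):
    """The mail domain itself, or one of its MX hosts, resolves to the relay."""
    if relay_ip in lookup("A", domain):
        return True
    return any(relay_ip in lookup("A", mx) for mx in lookup("MX", domain))

def ptr_matches_domain(relay_ip, domain):
    """The relay's PTR name is the mail domain or a host inside it."""
    for ptr in lookup("PTR", relay_ip):
        ptr = ptr.lower().rstrip(".")
        if ptr == domain or ptr.endswith("." + domain):
            return True
    return False

def is_soho(relay_ip, domain):
    """BOTNET_SOHO: domain (or its MX) resolves back to the relay AND the
    relay's PTR does NOT match the domain. Both halves are required."""
    return (domain_points_at_relay(domain, relay_ip)
            and not ptr_matches_domain(relay_ip, domain))

def soho_log_entry(relay_ip, domain):
    """Build the test_log()-style line shown in item 6, or None if not SOHO."""
    if not is_soho(relay_ip, domain):
        return None
    host = (lookup("PTR", relay_ip) or ["(none)"])[0]
    return f"[botnet_soho,ip={relay_ip},hostname={host},maildomain={domain}]"

if __name__ == "__main__":
    print(soho_log_entry("3.4.5.6", "non-spammer-soho.org"))
```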