John Rudd wrote:
Botnet 0.7 is up and available.
http://people.ucsc.edu/~jrudd/spamassassin/Botnet-0.7.tar
Botnet is a SpamAssassin plugin which attempts to identify hosts which
are likely to be spambot/virusbot hosts, using various DNS
fingerprints of the submitting relay.
New things in 0.7:
1) BOTNET_SOHO -- If the sender's (chosen from Envelope-From,
Return-Path, or From, in that order) mail domain (the part after the
@ sign) resolves back to the relay's IP address, or has an MX host
which resolves back to the IP address, AND the sender's mail domain
does NOT match the PTR record for the relay, then we'll assume this
is a "small office/home office" mail server. We'll exempt them from
BOTNET being triggered. (note: someone suggested that this check
also try to resolve the HELO string, I make a note in my code as to
why this is an extremely bad idea, and have a commented out block of
code there for anyone who wants to go down that path ... but, really,
don't)
2) Botnet API -- want to include the Botnet.pm module in other Perl
code? Maybe call "check_botnet" from mimedefang-filter so you can
block before a message gets to SpamAssassin? I've made an API for
it. The routines that SA calls use this API, so it's the
_exact_same_ code. There's now an included perl program "Botnet.pl"
which takes an IP address CLI argument, and an optional main-domain
CLI argument. It will tell you which rules do and don't get
triggered. It also serves as an example of using the API. (you will
still need to have SpamAssassin installed in order to use Botnet.pm
in this fashion, even if you're using the API in a program that
doesn't call SA)
The file Botnet.api.txt also describes the API somewhat.
3) BOTNET_CLIENT and BOTNET are now actual rules instead of meta
rules. The individual rules are still there, just with zero'd
scores. You can now easily pick between 1 big rule (BOTNET doing
eval:botnet()), meta rules (detailed in the file
Botnet.variations.txt), or piece-meal calling of the individual
checks (also detailed in Botnet.variations.txt).
4) config option: botnet_pass_trusted (all|public|private|ignore)
This defaults to "public". If you have any public IP addresses in
your relays-trusted list, then Botnet won't trigger. Private means
"any private IP addresses", where that includes 127.*, 10.*, etc.
All means either of those two. Ignore means "do what Botnet used to
do: not even look at the trusted relays, just look past them". The
idea is: if you got this from a trusted relay, we can assume it
wasn't a Botnet.
5) botnet_pass_auth now looks at the trusted relays. It probably
should have been doing that all along. It no longer looks at the
untrusted relays.
6) Rules that get triggered now use $permsgstatus->test_log to record
information. The individual rules just list
"[rulename,ip=$ip,hostname=$host,maildomain=$domain]" or an
appropriate subset of that based on which rule it is. BOTNET_CLIENT
and BOTNET also include a list of sub-rule names that were
triggered. So, you might see this:
[botnet0.7,ip=1.2.3.4,host=dsl-1-2-3-4.isp.net,maildomain=spammer.com,baddns,ipinhostname,clientwords,client]
or
[botnet_nordns,ip=2.3.4.5]
or
[botnet_soho,ip=3.4.5.6,hostname=3.4.5.6.isp.net,maildomain=non-spammer-soho.org]
7) shawcable.net and ocn.ne.jp seem to also be botnet sources, but
their hostnames don't fit any of my other patterns. Luckily, they DO
fit some pattern, and it's simple enough to not need a code based
rule, just a regular conventional expression based rule. I've
created BOTNET_SHAWCABLE and BOTNET_OCNNEJP rules to cover these two.
8) The file Botnet.variations.txt exists now with different suggested
alternative ways to do Botnet rules.
9) Botnet.credits.txt exists
10) There's now a $VERSION variable within Botnet.pm. You'll see its
value in the test_log() output for check_botnet (you can see it in the
example above), and in the SpamAssassin debug output ("spamassassin
-D") as the module is loaded and instantiated ("new" is called).
I think that's everything...
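The BOTNET_SOHO decision from item 1 (sender chosen from Envelope-From, Return-Path, or From; mail domain or one of its MX hosts resolves to the relay IP; PTR does not match the mail domain), modelled as an added example that is not code from Botnet.pm. DNS answers come from a constructed lookup table so it runs offline, and "matches the PTR record" is assumed here to mean the PTR hostname equals the mail domain or ends in it, which is an interpretation, not the plugin's exact rule.

```python
from typing import Dict, List, Optional

# Constructed DNS fixture standing in for live lookups: A and MX map a name
# to a list of answers, PTR maps an IP to one hostname. All values are made up.
DNS = {
    "A": {
        "non-spammer-soho.org": ["3.4.5.6"],  # SOHO domain hosted on a DSL line
        "mx.smallbiz.example": ["3.4.5.6"],   # MX host of smallbiz.example
        "mail.corp.example": ["5.6.7.8"],     # proper mail server, PTR agrees
        "spammer.com": ["9.9.9.9"],           # does not point at the relay
    },
    "MX": {"smallbiz.example": ["mx.smallbiz.example"],
           "corp.example": ["mail.corp.example"]},
    "PTR": {"3.4.5.6": "3.4.5.6.isp.net", "5.6.7.8": "mail.corp.example",
            "1.2.3.4": "dsl-1-2-3-4.isp.net"},
}

def sender_domain(headers: Dict[str, str]) -> Optional[str]:
    """Pick the sender in the order the announcement gives and return the
    part after the @ sign (angle brackets and display names stripped)."""
    for h in ("Envelope-From", "Return-Path", "From"):
        addr = headers.get(h)
        if addr and "@" in addr:
            return addr.rsplit("@", 1)[1].strip("<> ").lower()
    return None

def domain_points_at(domain: str, ip: str, dns=DNS) -> bool:
    """True if the domain's A record, or any of its MX hosts, resolves to ip."""
    if ip in dns["A"].get(domain, []):
        return True
    return any(ip in dns["A"].get(mx, []) for mx in dns["MX"].get(domain, []))

def ptr_matches_domain(ip: str, domain: str, dns=DNS) -> bool:
    """Assumed meaning of 'matches the PTR': PTR name is the domain itself or a
    host under it. A match means this is a normally configured mail server."""
    ptr = dns["PTR"].get(ip)
    return ptr is not None and (ptr == domain or ptr.endswith("." + domain))

def is_soho(ip: str, domain: str, dns=DNS) -> bool:
    """SOHO exemption: domain (or its MX) points at the relay, PTR does not agree."""
    return domain_points_at(domain, ip, dns) and not ptr_matches_domain(ip, domain, dns)

def soho_log(ip: str, domain: str, dns=DNS) -> Optional[str]:
    """test_log-style line in the format shown in item 6, or None if not SOHO."""
    if not is_soho(ip, domain, dns):
        return None
    return f"[botnet_soho,ip={ip},hostname={dns['PTR'].get(ip, '')},maildomain={domain}]"
```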
It seems to have an issue with mail sent through forwarders like alumni
accounts and one mail type systems. I am sending you a note offline
with the details.
Tom