John Rudd wrote ..
> Dimitri Yioulos wrote:
> > First, I wish all a very happy and healthy New Year.
> >
> > I hope this is the proper place to ask this: several days ago, I upgraded to
> > Botnet-0.7 from 0.6; the latter had apparently been working fine with the
> > installed SA 3.1.7. I installed as per instruction (no heavy lifting there).
> > Now, no Botnet rules are ever hit, even though I suspect that some particular
> > spam has been sent via a bot. If I reinstall 0.6, I get rule hits. What
> > have I not done/done wrong?
> >
> > Thanks.
> >
> > Dimitri
> >
>
> Do you get much output if you take one of the messages and do this
> (assuming you're on some form of unix):
>
>
> spamassassin -D < $message_file | grep -i botnet

Yes (well, I'm not sure, but it appears that the output is all of the lint of the message. Also, I'm not sure the message I linted was sent by a bot.). Here are some snippets that might be useful:

~
[24059] dbg: plugin: fixed relative path: /etc/mail/spamassassin/Botnet.pm
[24059] dbg: plugin: loading Mail::SpamAssassin::Plugin::Botnet from /etc/mail/spamassassin/Botnet.pm
[24059] dbg: Botnet: version 0.7
[24059] dbg: plugin: registered Mail::SpamAssassin::Plugin::Botnet=HASH(0xad27a38)
[24059] dbg: plugin: Mail::SpamAssassin::Plugin::Botnet=HASH(0xad27a38) implements 'parse_config'
[24059] dbg: Botnet: setting botnet_pass_auth to 0
[24059] dbg: Botnet: setting botnet_pass_trusted to public
[24059] dbg: Botnet: adding ^127\.0\.0\.1$ to botnet_skip_ip
[24059] dbg: Botnet: adding ^10\..*$ to botnet_skip_ip
[24059] dbg: Botnet: adding ^172\.1[6789]\..*$ to botnet_skip_ip
[24059] dbg: Botnet: adding ^172\.2[0-9]\..*$ to botnet_skip_ip
[24059] dbg: Botnet: adding ^172\.3[01]\..*$ to botnet_skip_ip
[24059] dbg: Botnet: adding ^192\.168\..*$ to botnet_skip_ip
[24059] dbg: Botnet: adding ^128\.223\.98\.16$ to botnet_pass_ip
[24059] dbg: Botnet: adding (\.|\A)amazon\.com$ to botnet_pass_domains
[24059] dbg: Botnet: adding (\.|\A)apple\.com$ to botnet_pass_domains
[24059] dbg: Botnet: adding (\.|\A)ebay\.com$ to botnet_pass_domains
[24059] dbg: Botnet: adding (\b|\d)(a|s|d(yn)?)?dsl(\b|\d) to botnet_clientwords
[24059] dbg: Botnet: adding (\b|\d)cable(\b|\d) to botnet_clientwords
[24059] dbg: Botnet: adding (\b|\d)catv(\b|\d) to botnet_clientwords
[24059] dbg: Botnet: adding (\b|\d)ddns(\b|\d) to botnet_clientwords
[24059] dbg: Botnet: adding (\b|\d)dhcp(\b|\d) to botnet_clientwords
[24059] dbg: Botnet: adding (\b|\d)dial(-?up)?(\b|\d) to botnet_clientwords
~
[24340] dbg: rules: ran header rule __BOTNET_NOTRUST ======> got hit: "negative match"
~
[24340] dbg: check: tests=ADVANCE_FEE_1,BAYES_99,FM_NO_FROM_OR_TO,FM_NO_TO,
HTML_MESSAGE,KAM_BLANK01,MISSING_SUBJECT,NA_DOLLARS,NO_RECEIVED,
NO_RELAYS,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
TO_CC_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,
URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
[24340] dbg: check: subtests=__BOTNET_NOTRUST,__CD,__CT,__ENV_AND_HDR_FROM_MATCH,__FB_NATIONAL,
__FB_S_PRICE,__FM_LARGE_MONEY,__FM_MY_PRICE,__FRAUD_DBI,__FRAUD_LTX,
__FR_HTML_HAS_AHREF,__F_LARGE_MONEY_2,__HTML_LENGTH_1536_2048,
__KAM_NUMBER2,__LOCAL_PP_NONPPURL,__MIME_ATTACHMENT,__MIME_HTML,__MIME_QP,
__NONEMPTY_BODY,__SARE_BODY_BLNK_5_100,__SARE_LOTTO_LOTTERY,
__SARE_META_MURTY3,__SARE_URI_ANY,__TAG_EXISTS_BODY,__TAG_EXISTS_HEAD,
__TAG_EXISTS_HTML,__TAG_EXISTS_META,__UNUSABLE_MSGID

Am I just not really seeing as much mail from bots as I think I am?

Thanks for the help.

Dimitri
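
An added example, not part of the original thread or of the Botnet plugin: a short Python triage script for `spamassassin -D` output that reports the loaded Botnet version, how many patterns each Botnet list received, and which BOTNET rules appear under `tests` versus `subtests`. It also flags the stock informational rules NO_RECEIVED and NO_RELAYS, which SpamAssassin raises when the scanned file has no Received headers or relay data. The function name `summarize` and the sample lines are constructed for illustration, modelled on the debug output quoted above.

```python
import re
import sys
from collections import Counter

# Constructed sample, modelled on the debug lines quoted in the message above.
SAMPLE = r"""
[24059] dbg: Botnet: version 0.7
[24059] dbg: Botnet: adding ^10\..*$ to botnet_skip_ip
[24059] dbg: Botnet: adding ^192\.168\..*$ to botnet_skip_ip
[24059] dbg: Botnet: adding (\b|\d)dhcp(\b|\d) to botnet_clientwords
[24340] dbg: rules: ran header rule __BOTNET_NOTRUST ======> got hit: "negative match"
[24340] dbg: check: tests=BAYES_99,NO_RECEIVED,NO_RELAYS,URIBL_BLACK
[24340] dbg: check: subtests=__BOTNET_NOTRUST,__MIME_HTML
"""

DBG = re.compile(r"^\[\d+\] dbg: ([\w-]+): (.*)$")   # [pid] dbg: channel: message
ADDING = re.compile(r"^adding .* to (\w+)$")         # Botnet list population lines

def summarize(debug_text):
    """Summarise Botnet-related state from unwrapped `spamassassin -D` output."""
    out = {"version": None, "lists": Counter(), "tests": [], "subtests": []}
    for line in debug_text.splitlines():
        m = DBG.match(line.strip())
        if not m:
            continue
        channel, msg = m.groups()
        if channel == "Botnet":
            if msg.startswith("version "):
                out["version"] = msg.split(" ", 1)[1]
            else:
                a = ADDING.match(msg)
                if a:
                    out["lists"][a.group(1)] += 1
        elif channel == "check":
            for key in ("tests", "subtests"):
                if msg.startswith(key + "="):
                    out[key] = [t.strip() for t in msg[len(key) + 1:].split(",") if t.strip()]
    # Scored rules vs. double-underscore sub-rules that mention BOTNET.
    out["botnet_hits"] = [t for t in out["tests"] if "BOTNET" in t]
    out["botnet_subtests"] = [t for t in out["subtests"] if "BOTNET" in t]
    out["no_relay_info"] = sorted({"NO_RECEIVED", "NO_RELAYS"} & set(out["tests"]))
    return out

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(summarize(text))
```

SpamAssassin writes its debug lines to stderr, so capture them with `2>&1` before piping them into the script.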