On 06.01.2011 15:13 CE(S)T, Mark Martinec wrote: > --- Botnet.pm.ori 2007-08-06 03:53:55.000000000 +0200 > +++ Botnet.pm 2011-01-06 14:56:12.009017547 +0100 > @@ -703,4 +703,6 @@ > my ($resolver, $query, $rr, $i, @a); > > + return 1 if defined $ip && $ip =~ /:/; # does not handle IPv6 > + > if ( (defined $name) && > ($name ne "") && > @@ -757,4 +759,5 @@ > > unless ( (defined ($name)) && ($name ne "") ) { return 0; } > + unless ($ip =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/) { return 0; } > > ($a, $b, $c, $d) = split(/\./, $ip); # decimal octets
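Review bot: In the @@ -703 hunk, the new guard returns 1 for any $ip that contains a colon, while the guard added in the @@ -757 hunk returns 0 for anything that is not a dotted quad, and the comment "does not handle IPv6" does not say what a result of 1 means to the caller or why the two paths differ. Suggest documenting the intended result for unsupported address families next to the return, and matching on something stricter than /:/ so that a malformed string is not treated as an IPv6 address.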
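Review bot: In the @@ -757 hunk, the added match on $ip is not guarded by defined, unlike the `defined $ip &&` test in the first hunk and the $name test on the line above it, so an undefined $ip raises an uninitialized-value warning when warnings are enabled before the function returns 0. The pattern also accepts octets above 255 (for example 999.1.1.1), which then reach the split on the following line; consider adding `defined $ip &&` and a range check on each octet.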
Unfortunately, this doesn't work. :-( Here are some e-mail headers:

> Received: from aut****fig.secure-gw.de ([2a0*********0:5::18]
> helo=sec***-gw.de)
> by dot****ard.de with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
> (Exim 4.71)
> (envelope-from <m...@tob******uer.de>)
> id 1PbWu4-0004jk-Ca
> for y...@unc******ied.de; Sat, 08 Jan 2011 12:24:12 +0100
> Received: from localhost (localhost.localdomain [127.0.0.1])
> by sec***-gw.de (Postfix) with ESMTP id 2566F50403C
> for <y...@unc******ied.de>; Sat, 8 Jan 2011 12:24:11 +0100 (CET)
> Received: from sec***-gw.de ([127.0.0.1])
> by localhost (sol.sec***-gw.de [127.0.0.1]) (amavisd-new, port 10024)
> with ESMTP id EF23kHfese7U for <y...@unc******ied.de>;
> Sat, 8 Jan 2011 12:24:05 +0100 (CET)
> Received: from Tob******top (p57***6F2.dip.t-dialin.net [87.147.198.242])
> by sec***-gw.de (Postfix) with ESMTP id A043A504034
> for <y...@unc******ied.de>; Sat, 8 Jan 2011 12:24:05 +0100 (CET)
> X-Spam-Score: 3.1 (+++)
> X-Spam-Report: Content analysis details:
> -0.0 SPF_HELO_PASS SPF: HELO-Name entspricht dem SPF-Datensatz
> 5.0 BOTNET Relay might be a spambot or virusbot
>
> [botnet0.8,ip=87.147.198.242,rdns=p57***6F2.dip.t-dialin.net,maildomain=tob******uer.de,client,ipinhostname,clientwords]
> 0.0 SPF_FAIL SPF: Senderechner entspricht nicht SPF-Datensatz
> (fail)
> [SPF failed: Please see
> http://www.openspf.org/Why?s=mfrom;id=mail%40tobias-bauer.de;ip=2a00%3Ae10%3A1000%3A5%3A%3A18;r=mond]
> -1.9 BAYES_00 BODY: Spamwahrscheinlichkeit nach Bayes-Test:
> 0-1%
> [score: 0.0000]

It seems Botnet will ignore IPv6 addresses and then skip to the next IP address it understands - but this will likely be the dynamic IP from which the sender submitted his message.

--
Yves Goergen "LonelyPixel" <nospam.l...@unclassified.de>
Visit my web laboratory at http://beta.unclassified.de
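The behaviour described in the message above, as an added illustration that is not part of the original post and is not Botnet's own code: a relay selector that ignores IPv6 hops ends up judging the submitting client instead of the host that actually connected. The function names, the `ipv4_only` switch and the sample headers (documentation addresses) are assumptions made for this sketch.

```python
import ipaddress
import re

# Constructed sample, newest hop first, modelled on the header layout in the
# post. Hostnames and addresses are documentation values, not from the page.
RECEIVED = [
    "from gw.example.net ([2001:db8:1000:5::18] helo=gw.example.net) "
    "by mx.example.org with esmtps (Exim)",
    "from localhost (localhost.localdomain [127.0.0.1]) "
    "by gw.example.net (Postfix) with ESMTP",
    "from gw.example.net ([127.0.0.1]) "
    "by localhost (sol.gw.example.net [127.0.0.1]) (amavisd-new) with ESMTP",
    "from laptop (dyn-242.dialup.example [198.51.100.242]) "
    "by gw.example.net (Postfix) with ESMTP",
]

# Bracketed address literal; some MTAs write IPv6 as [IPv6:...].
BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", re.IGNORECASE)


def hop_address(header):
    """Return the sending host's address from one Received header, or None."""
    from_part = header.split(" by ", 1)[0]  # ignore the receiving side
    for match in BRACKETED.finditer(from_part):
        try:
            return ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # bracketed text that is not a valid address
    return None


def relay_to_check(headers, ipv4_only):
    """Return (address evaluated, IPv6 hops passed over before reaching it)."""
    skipped = []
    for header in headers:
        addr = hop_address(header)
        if addr is None or addr.is_loopback:
            continue
        if ipv4_only and addr.version != 4:
            skipped.append(addr)  # models a checker that ignores IPv6 hops
            continue
        return addr, skipped
    return None, skipped


if __name__ == "__main__":
    for mode in (True, False):
        addr, skipped = relay_to_check(RECEIVED, ipv4_only=mode)
        print(f"ipv4_only={mode}: checks {addr}, skipped {[str(s) for s in skipped]}")
```

A non-empty skipped list means the verdict was based on a hop behind the one that actually connected to the receiving server.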