Hi,

>> Note that URL, yet another p0ned WordPress website (the
>> "/wp-content/plugins/" stuff). Now you get a hint of why I hate
>> "install-and-forget" websites.
>> Whenever I run into p0ned websites their domain name goes into my
>> private URIBL list. They don't get spam past me again.
>>
>
> Here's a rule to catch that:
>
> # URIs matching http://some.domain.com/wp-content/plugins/
> uri             LOCAL_URI_WPCONTENT     m{https?://[^/]+/wp-content/plugins/}
> describe        LOCAL_URI_WPCONTENT     Spammy URI with /wp-content/plugins/

I actually created a bunch of those already, and would appreciate if
someone would check my work:

# URIs pointing into common WordPress (and a few other CMS) directories.
# The pattern must stay on the same line as the rule name; the stray "."
# after "//" and the trailing slash on "includes/" (which required "includes//")
# are removed.
uri         LOC_WP              m{https?://[^/]+/(wp-content|modules/mod_wdbanners|wp-admin|wp-includes|cruise/wp-content|includes|web/wp-content|google_recommends|mt-static)/}
describe    LOC_WP              Contains WordPress URI
score       LOC_WP              0.5

meta        LOC_WP_SHORT        (LOC_WP && LOC_SHORT)
describe    LOC_WP_SHORT        Contains wp-content and short body
score       LOC_WP_SHORT        0.6

meta        LOC_WP_SUBJ         (LOC_WP && MISSING_SUBJECT)
describe    LOC_WP_SUBJ         Contains wordpress uri and missing subject
score       LOC_WP_SUBJ         1.2

LOC_SHORT is a meta for rawbody lt 200 and contains a URI.

These appear to hit quite a bit of ham, or false negatives; I'm not
sure. WordPress URLs are obviously pretty frequent, but I don't think
0.5 would be too much to push ham to spam.

>> One clue: "X-Originating-IP: [41.189.207.189]"
>> Check the various RBL hits on that address. ;)

Are there existing plugins for this?

Is there a way to check a range to see if it's part of a known
blacklisted botnet?

> Or if you don't expect to receive email from Africa then just score this
> quite heavily. There are already non-scoring meta rules in place:

That's helpful, thanks. Are there RBLs that maintain a list of botnet
originating IPs, in the same way as IPs are checked by
RCVD_IN_BRBL_LASTEXT and others?

Am I right in thinking that the only time this originating IP is
useful is just before the client host that is relaying the botnet mail
is listed on an RBL, which may be the client host itself?

Thanks,
Alex
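The quickest way to check rules like these before committing them to a live config is to run the URI pattern and the meta logic over a handful of known-ham and known-spam samples. The script below is an added example, not part of this thread and not SpamAssassin's own code: it carries the LOC_WP pattern as posted next to a corrected copy (without the stray "." after "//" and without the trailing slash on "includes/"), re-implements the three meta rules and the LOC_SHORT condition described above with the posted scores, and evaluates them over constructed messages. The URI extractor, the sample messages and the `evaluate` helper are assumptions for illustration; LOC_SHORT's own score is not given in the thread, so it contributes nothing to the total here.

```python
import re

# Regex body of the LOC_WP uri rule exactly as posted (m{...} delimiters dropped).
LOC_WP_POSTED = re.compile(
    r"https?://.[^/]+/(wp-content|modules/mod_wdbanners|wp-admin|wp-includes"
    r"|cruise/wp-content|includes/|web/wp-content|google_recommends|mt-static)/"
)

# Same rule with two slips removed: the "." after "//" (it only forced a host of
# two or more characters) and the slash on "includes/", which together with the
# closing "/" made that alternative demand a literal "includes//".
LOC_WP_FIXED = re.compile(
    r"https?://[^/]+/(wp-content|modules/mod_wdbanners|wp-admin|wp-includes"
    r"|cruise/wp-content|includes|web/wp-content|google_recommends|mt-static)/"
)

# Crude URI extractor standing in for SpamAssassin's own URI parsing (assumption).
URI_RE = re.compile(r"https?://[^\s<>\"']+")

# Scores as posted; LOC_SHORT's score is not stated in the thread and is left out.
SCORES = {"LOC_WP": 0.5, "LOC_WP_SHORT": 0.6, "LOC_WP_SUBJ": 1.2}


def evaluate(subject, rawbody, wp_rule=LOC_WP_FIXED):
    """Return (set of rule names hit, total score) for one message.

    Mirrors the posted rules: LOC_WP fires on any URI matching the pattern,
    LOC_SHORT is 'rawbody under 200 bytes and contains a URI', and the two
    meta rules AND LOC_WP with LOC_SHORT or with a missing Subject header.
    """
    uris = URI_RE.findall(rawbody)
    hits = set()
    if any(wp_rule.search(u) for u in uris):
        hits.add("LOC_WP")
    loc_short = len(rawbody) < 200 and bool(uris)
    missing_subject = not subject.strip()
    if "LOC_WP" in hits and loc_short:
        hits.add("LOC_WP_SHORT")
    if "LOC_WP" in hits and missing_subject:
        hits.add("LOC_WP_SUBJ")
    return hits, round(sum(SCORES[h] for h in hits), 2)


def rule_difference(uris):
    """URIs that the corrected pattern matches but the posted one does not."""
    return [u for u in uris
            if LOC_WP_FIXED.search(u) and not LOC_WP_POSTED.search(u)]


# Constructed sample messages: (label, subject, rawbody).
MESSAGES = [
    ("spam_short_nosubject", "",
     "Click http://blog.example/wp-content/plugins/x/go.php now"),
    ("ham_long_with_subject", "Re: site launch",
     "Hi all, the new theme now lives under "
     "https://www.example.org/wp-content/themes/corp/ so please review it "
     "before Friday. " + "Details follow in the attached document. " * 6),
    ("includes_dir", "",
     "http://host.example/includes/setup.php"),
]

if __name__ == "__main__":
    for label, subject, body in MESSAGES:
        hits, score = evaluate(subject, body)
        print(f"{label:24s} score={score:<4} hits={sorted(hits)}")
    only_fixed = rule_difference(URI_RE.findall(MESSAGES[2][2]))
    print("matched only after the fix:", only_fixed)
```

Running it shows the short, subject-less message collecting all three rules for 2.3 points, the long ham message with a subject stopping at LOC_WP's 0.5, and the `/includes/` URI being caught only by the corrected pattern. Swapping the constructed samples for real ham and spam from a corpus is the actual check Alex is asking for.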
