On 15/03/12 00:39, Alex wrote:
>> One clue: "X-Originating-IP: [41.189.207.189]"
>> Check the various RBL hits on that address. ;)
>
> Are there existing plugins for this?
> Is there a way to check a range to see if it's part of a known
> blacklisted botnet?
>
>> Or if you don't expect to receive email from Africa then just score this
>> quite heavily. There are already non-scoring meta rules in place:
>
> That's helpful, thanks. Are there RBLs that maintain a list of botnet
> originating IPs, in the same way as IPs are checked by
> RCVD_IN_BRBL_LASTEXT and others?
>
> Am I right in thinking that the only time this originating IP is
> useful is just before the client host that is relaying the botnet mail
> is listed on an RBL, which may be the client host itself?
>
> Thanks,
> Alex
Depending on how they are configured in SA, some RBLs are only used to
check the last external IP address (i.e., the server that relays the
message to your server) whereas others will check all IPs in the chain,
including those in the Received headers as well as X-Originating-IP as
you have above. This is called deep parsing. Have a look at the stock
rules to see how it works.
Some RBLs, such as the Spamhaus PBL, are *only* designed to be checked
for the last external IP address and doing otherwise will lead to many
FPs. However, some others are useful to check against all IPs.
For example, Spamhaus XBL contains many IPs belonging to botnets.
Although I already block all mail hitting Spamhaus XBL (as part of
Spamhaus zen) at the MTA level, I still find it useful to query XBL
and SBL against all IPs, and in this case we see 41.189.207.189 is
listed in the XBL.
What it's telling you is that although the server that relayed the spam
to you is clean (yeah, no freemail servers generally get listed), this
mail originated from an infected PC or passed through an otherwise less
than clean server somewhere along its route. To me that's certainly
worth a few points given the reputation of Spamhaus.
But be warned - play this game with the wrong DNSBL lists and it will
bite you with FPs (e.g., Spamhaus PBL as stated above). You need to
understand the type of IPs that get listed on any given list. The types
of FPs that deep parsing against SBL-XBL causes are hitting against
legitimate mail sent from Uncle Bob whose PC just happens to also be
infected and spewing spam, which is not such a bad thing as now you can
go help him clean up his PC.
Also be aware that deep parsing IP addresses against DNSBLs will create
a large increase in DNS queries against those lists as you are no longer
querying just the one last external IP but are now querying all IPs in
the chain, which could be quite a few.
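The distinction the reply draws, lastexternal-only lists versus deep-parsed lists, as an added Python illustration (not code from the thread or from SpamAssassin). The message headers and the DNS answers are constructed so it runs offline; the relay address 203.0.113.5 is a documentation address, and the PBL answer for 41.189.207.189 is an assumption that models a dynamic-range listing, the case the reply says produces false positives when PBL is deep-parsed.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not from the thread); only the X-Originating-IP
# value is the one discussed above.
RAW_MSG = """Received: from mail-out.example.net (mail-out.example.net [203.0.113.5])
    by mx.example.org with ESMTP; Thu, 15 Mar 2012 00:30:00 +0000
Received: from [10.0.0.7] by mail-out.example.net; Thu, 15 Mar 2012 00:29:00 +0000
X-Originating-IP: [41.189.207.189]
Subject: test

body
"""

# Constructed stand-in for DNS answers (assumption, not real lookups). Real lists
# answer with 127.0.0.x codes; the PBL entry models a dynamic-range listing.
FAKE_DNS = {
    "189.207.189.41.xbl.spamhaus.org": "127.0.0.4",
    "189.207.189.41.pbl.spamhaus.org": "127.0.0.11",
}

PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def reverse_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def routable_ips(raw):
    """Routable IPv4 addresses from the Received chain (top first), then X-Originating-IP."""
    msg = message_from_string(raw)
    text = "\n".join(msg.get_all("Received", []) + msg.get_all("X-Originating-IP", []))
    ips = []
    for m in re.finditer(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", text):
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # looked like an address but was not one (e.g. 300.1.1.1)
        if not any(addr in net for net in PRIVATE) and m.group(1) not in ips:
            ips.append(m.group(1))
    return ips

def check_lists(ips, resolve, last_external_only=("pbl.spamhaus.org",),
                deep=("sbl.spamhaus.org", "xbl.spamhaus.org")):
    """Lastexternal-style lists see only the relay that handed us the mail (ips[0],
    assuming no trusted internal relays in front of this MX); deep-parse lists
    see every IP in the chain. Returns (zone, ip) hits."""
    plan = [(z, ips[:1]) for z in last_external_only] + [(z, ips) for z in deep]
    return [(zone, ip) for zone, cands in plan for ip in cands
            if resolve(reverse_name(ip, zone))]

if __name__ == "__main__":
    chain = routable_ips(RAW_MSG)
    print(chain, check_lists(chain, FAKE_DNS.get))
    # Deep-parsing PBL, the mistake warned about, flags the same dynamic IP:
    print(check_lists(chain, FAKE_DNS.get, last_external_only=(), deep=("pbl.spamhaus.org",)))
```

With the lastexternal/deep split applied, only the XBL hit on 41.189.207.189 survives; note how many more queries the deep pass issues per message as the chain grows.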