[Mimedefang] Botnet 0.6 plugin for Spam Assassin available

John Rudd john at rudd.cc
Thu Dec 7 13:45:27 EST 2006


(I had a bout of insomnia last night, and got more done than I had
pre-announced yesterday...)


The next version of the Botnet plugin for Spam Assassin is ready.  The
install instructions are in the Botnet.txt file, and in the INSTALL file.

For those who don't know what Botnet is, it's a plugin which tries to
identify whether or not the message has been submitted by a
botnet/spam-zombie type host by looking at its DNS characteristics (no
reverse DNS, reverse DNS that doesn't resolve, or doesn't resolve back
to the relay's IP, or reverse DNS that contains things that look like an
ISP's client address).  The places I've been using it, and the people I
hear about who are using it, have seen a high degree of success.

It can be downloaded from:

  http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar


As usual, feedback, statistics, bug reports, feature suggestions, are
all welcome.

NOTE: This will be the last version I announce outside of the SA users
mailing list.  I don't want to wear out the patience of the other list
owners.  users at spamassassin.apache.org is where I'll make all further
release announcements.


What's new in 0.6:


1) IP in Hostname bug fix (the same IP address octet could be matched
twice, which was a problem if the octet was "1", and the hostname had a
sub-string like "101" in it)

2) pass_domains, clientwords, and serverwords weren't insensitive checks

3) typo fixed in botnet.txt

4) moved to Net::DNS (finally; and it's going to be needed for To Do
item #3)

5) perl package is now named Mail::SpamAssassin::Plugin::Botnet

6) because clientwords and serverwords are meant to be _words_, they are
now wrapped by (\b|\d) (both before and after the word/expression).
This is to help avoid false positives where a clientword might have been
a substring of a larger word that shouldn't have triggered the check
(similarly for serverwords).

7) similarly, pass_domains now have a leading (\.|\A) added to them IF
they don't already have \. or \A in front (but it will be added if the
expression starts with "." -- since this is a regular expression, that
is assumed to mean any single character, so be careful).

8) added debug output for parse_config

9) added "mta" and "relay" to serverwords (used by classmates.com and/or
reunion.com)

10) changed dsl to (a|s|d(yn)?)?dsl in clientwords (so, covers adsl,
sdsl, ddsl, and dyndsl ... I've seen all of those except ddsl)

11) added res(net|ident(ial)?)? to clientwords (rr.com supposedly uses
".res." in residential/customer IP hostnames, and ".resnet." is common
at universities for dorm IP addresses)

12) contemplating adding cpe and cust(omer)? to the controversial
clientwords (I think cpe = customer (presence/provided/?) equipment)



----


To Do before 1.0:

1) prepend __ to sub-rules, only BOTNET proper should not have that

2) separate the SA routines from the core algorithms, so that the botnet
checks can be used in other perl programs.  Include a script that takes
an IP addr and answers where/how it passed/failed.

3) try to do a lookup on the sender's email address domain; if it points
back to the relay's IP address (A record, or one of the MX records),
then that's less likely to be a botnet.  Use this like
BOTNET_SERVERWORDS -- just a counter to BOTNET_CLIENT.  What about SPF,
too? (I think that was a suggestion in one of the alternate meta rules)

4) credits for help I've gotten from other people

5) get listed in the wiki






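The DNS checks described at the top of the announcement and the regex changes in items 1, 6 and 7 are easier to reason about with a runnable model. The following is an added example written for this archive page, in Python rather than the plugin's Perl, and it is not code from the Botnet distribution. Everything in it is an assumption unless the post names it: the DNS tables are constructed (documentation-range addresses, no network lookups), the sub-rule names other than BOTNET_SERVERWORDS and BOTNET_CLIENT are made up for the example, "mail" and "smtp" are added to the two serverwords the post lists, the two-octet threshold for the IP-in-hostname test, the trailing `\Z` on pass_domains and the final meta combination are this example's choices.

```python
import re

# Constructed offline DNS tables (RFC 5737 documentation addresses; none of
# these hosts are real) standing in for the Net::DNS lookups the plugin makes.
PTR = {
    "203.0.113.10": "203-0-113-10.dsl.example-isp.net",  # ISP client name
    "203.0.113.11": "mail.example.com",                  # real mail server
    "203.0.113.12": "ghost.example.net",                 # rDNS that never resolves
    "203.0.113.13": "mta1.example.org",                  # rDNS resolving elsewhere
    "203.0.113.14": "host-1.resnet.example.edu",         # dorm-style name
    "203.0.113.1": "node101.example.net",                # "101" is not octet "1"
    "198.51.100.100": "cust100.example.net",             # one run, two equal octets
}                                                        # 203.0.113.15: no PTR at all
A = {
    "203-0-113-10.dsl.example-isp.net": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.11"],
    "mta1.example.org": ["198.51.100.5"],
    "host-1.resnet.example.edu": ["203.0.113.14"],
    "node101.example.net": ["203.0.113.1"],
    "cust100.example.net": ["198.51.100.100"],
}

# The dsl and res patterns and the mta/relay serverwords are the ones named in
# the announcement; mail and smtp are assumed extras for this example.
CLIENTWORDS = [r"(a|s|d(yn)?)?dsl", r"res(net|ident(ial)?)?"]
SERVERWORDS = [r"mta", r"relay", r"mail", r"smtp"]
PASS_DOMAINS = [r"example\.com"]


def word_re(words):
    r"""Item 6: wrap each word in (\b|\d) on both sides, case-insensitively,
    so "dsl" fires in "adsl-pool" or "dsl12" but "res" inside "address" does not."""
    return re.compile(r"(?:\b|\d)(?:" + "|".join(words) + r")(?:\b|\d)", re.I)


def pass_domain_re(pat):
    r"""Item 7: prefix (\.|\A) unless the expression already starts with \. or \A.
    A pattern starting with a bare "." still gets the prefix and that "." stays a
    regex wildcard. The trailing \Z anchor is this example's choice."""
    if not (pat.startswith(r"\.") or pat.startswith(r"\A")):
        pat = r"(\.|\A)" + pat
    return re.compile(pat + r"\Z", re.I)


CLIENT_RE = word_re(CLIENTWORDS)
SERVER_RE = word_re(SERVERWORDS)
PASS_RES = [pass_domain_re(p) for p in PASS_DOMAINS]


def ip_in_hostname(ip, hostname, min_octets=2):
    """Item 1 fix, as read here: each octet must equal a whole digit run in the
    hostname, and each run is consumed at most once. Octet "1" is therefore not
    found inside "node101", and an IP ending in 100.100 needs two separate "100"
    runs. The two-octet threshold is this example's assumption."""
    runs = re.findall(r"\d+", hostname)
    hits = 0
    for octet in ip.split("."):
        if octet in runs:
            runs.remove(octet)
            hits += 1
    return hits >= min_octets


def botnet_checks(relay_ip, ptr=PTR, a=A):
    """Evaluate the sub-rules for one relay IP. Names other than
    BOTNET_SERVERWORDS and BOTNET_CLIENT are assumed for this example."""
    hostname = ptr.get(relay_ip)
    fwd = a.get(hostname, []) if hostname else []
    has = hostname is not None
    checks = {
        "BOTNET_NORDNS": not has,
        # rDNS with no address records, or whose addresses do not include the
        # relay: the "doesn't resolve back to the relay's IP" case from the post.
        "BOTNET_BADDNS": has and relay_ip not in fwd,
        "BOTNET_IPINHOSTNAME": has and ip_in_hostname(relay_ip, hostname),
        "BOTNET_CLIENTWORDS": has and CLIENT_RE.search(hostname) is not None,
        "BOTNET_SERVERWORDS": has and SERVER_RE.search(hostname) is not None,
        "PASS_DOMAIN": has and any(p.search(hostname) for p in PASS_RES),
    }
    checks["BOTNET_CLIENT"] = checks["BOTNET_IPINHOSTNAME"] or checks["BOTNET_CLIENTWORDS"]
    return checks


def is_botnet(relay_ip, ptr=PTR, a=A):
    """Illustrative meta-rule, not the plugin's own: pass_domains override
    everything, serverwords only counter BOTNET_CLIENT (as the post describes),
    and the two DNS failures stand on their own."""
    c = botnet_checks(relay_ip, ptr, a)
    if c["PASS_DOMAIN"]:
        return False
    return c["BOTNET_NORDNS"] or c["BOTNET_BADDNS"] or (
        c["BOTNET_CLIENT"] and not c["BOTNET_SERVERWORDS"])


if __name__ == "__main__":
    for ip in sorted(set(PTR) | {"203.0.113.15"}):
        fired = [k for k, v in botnet_checks(ip).items() if v]
        print(f"{ip:16} {'BOTNET' if is_botnet(ip) else 'ok':6} {' '.join(fired)}")
```

Running it prints one line per constructed relay showing which sub-rules fired; the two interesting rows are 203.0.113.1 (node101 no longer satisfies octet "1") and 198.51.100.100 (a single "100" run cannot be credited to both trailing octets), which is exactly what item 1 fixed.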