[Mimedefang] Botnet 0.4 Spam Assassin plugin

John Rudd john at rudd.cc
Thu Nov 23 06:10:32 EST 2006


(Since I've recently mentioned this plugin on the mailscanner and
communigate pro mailing lists, as an effective means of catching spam
from botnets, I'm cross-posting this message (as well as cross-posting
it to the mimedefang mailing list).)


I've changed RelayChecker's name to Botnet (since that's its real
purpose: identify potential botnet submitted messages).  Here's the 0.4
release.

Botnet is a SpamAssassin plugin which attempts to identify whether or
not a message was submitted via a botnet host.  It does this by looking
at its DNS characteristics.

http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar

Install instructions are in the Botnet.txt file and in the INSTALL text
file.


Changes:

1) Changed all of the rules from RELAY_CHECKER_* to BOTNET_*

2) Changed all of the config items from relaychecker_* to botnet_*

3) While the config items were stored in the global SpamAssassin Config
hash, they were stored with names like "skip_ip" instead of
relaychecker_skip_ip.  Now they're stored with botnet_skip_ip, so that
they don't conflict with any other plugin's potential "skip_ip"
configuration parameter.

4) I've removed the '*_reduced_dns' option.  Instead, Botnet
automatically uses the rdns= part of the Untrusted Relay pseudo-header
for the hostname.  This reduces the number of DNS checks by up to 5
checks.  It still does a DNS check in the BOTNET_BADDNS rule.  You can
avoid that one DNS check if you set that rule's score to 0.

5) BOTNET_BADDNS has a 4 part score now (0.01 0.01 0.00 0.01) so that it
will properly be disabled if you're not doing network checks.

6) The *_IPHOSTNAME rule changed to BOTNET_IPINHOSTNAME.  Similarly, the
corresponding function is botnet_ipinhostname.

7) There are now two keyword checks.  BOTNET_CLIENTWORDS is the same as
the old keyword rule: it looks for words that look like client
hostnames.  Now there is also a BOTNET_SERVERWORDS for words that look
like mail server hostnames.  It acts as a counter to BOTNET_CLIENTWORDS
and BOTNET_IPINHOSTNAME.

(I honestly wasn't sure what to think of what became the SERVERWORDS
feature when it was suggested ... but it hasn't been causing any
problems with its default word list ("mail" and "smtp"))

8) The botnet_serverwords config option works like the old
relaychecker_keywords config option (space delimited regular expressions
for words to use in the BOTNET_SERVERWORDS rule).  The
relaychecker_keywords config has been changed to botnet_clientwords.

9) The BOTNET meta rule has 3 things it looks at: BOTNET_NORDNS,
BOTNET_BADDNS and a new meta rule BOTNET_CLIENT.  BOTNET_CLIENT is as
follows:

(BOTNET_IPINHOSTNAME || BOTNET_CLIENTWORDS) && !BOTNET_SERVERWORDS

10) There's now an INSTALL file with very general installation
instructions, and some install instructions in Botnet.txt (less general
than the INSTALL file).

11) Oh, and, the included cf file had one of my own local address
exceptions in it (my mail server subnet at work).  I have taken that out
of the released cf file.  (I was surprised no one had mentioned it)

12) The BOTNET rule is now worth 5 points, instead of 6.  It would be
interesting to know what people have found as useful scores for the plugin.



So, let me know what you think.  Let me know if you find any bugs, what
your hit/miss/fp stats are (one person said 78% accuracy with 1% fp's),
things like that.  I hope no one has any new feature suggestions... it
seems like it's pretty close to addressing the complete picture.  I'm
hoping my next release is going to be 1.0.

Also, I'm trying to decide on two things:

a) Does anyone think I _should_ switch to Net::DNS for the botnet_baddns
function?  Or is the gethostbyname() call good enough?

b) It seems kind of cluttered to have all of the various BOTNET_* rules
show up in the test list and detailed report.  But I have kept it that
way, instead of changing their names to have __ in front, so that I can
see what sub-rules were specifically triggered.  What are people's
opinions on that, for the 1.0 release:
     i) do you want me to leave it as it is, or
    ii) put in the __ so that the sub-rules stop showing up in the
        final report?
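
As an added illustration (not the plugin's own Perl code, and not part of the announcement above), the following Python sketches the sub-rules described in items 4, 7 and 9: the ip= and rdns= fields are pulled from an untrusted-relay pseudo-header entry, BOTNET_IPINHOSTNAME looks for the relay's address octets inside its reverse DNS name, the client/server word lists feed BOTNET_CLIENTWORDS and BOTNET_SERVERWORDS, and BOTNET_CLIENT is combined exactly as item 9 states. The pseudo-header field layout, the client word list, the two-octet matching heuristic and the OR-combination of the three BOTNET inputs are assumptions made here; BOTNET_BADDNS needs a live lookup, so it is taken as a caller-supplied boolean rather than performed.

```python
"""Toy re-implementation of the Botnet plugin's hostname heuristics.

Added example, not the plugin's own code. The relay-entry layout, the
client word list, the octet-matching rule and the final OR are assumed.
"""
import re

# Assumed layout of one entry in the untrusted-relays pseudo-header:
# "[ ip=... rdns=... helo=... by=... ]".  Only ip= and rdns= are used.
RELAY_FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed word lists (space-delimited regexes in the plugin config).
# "mail" and "smtp" are the defaults named in the announcement; the
# client list is a guess at typical dynamic/consumer naming.
CLIENTWORDS = [r"dsl", r"dial", r"dyn", r"cable", r"ppp", r"pool", r"cust"]
SERVERWORDS = [r"mail", r"smtp"]


def parse_relay(entry: str) -> dict:
    """Turn one "[ k=v k=v ... ]" relay entry into a dict of its fields."""
    return dict(RELAY_FIELD.findall(entry))


def ipinhostname(ip: str, hostname: str) -> bool:
    """BOTNET_IPINHOSTNAME (assumed heuristic): two adjacent octets of the
    relay IP appear in the rDNS name, forward or reversed, joined by
    '.', '-' or '_' and not embedded in a longer number."""
    octets = ip.split(".")
    if len(octets) != 4 or not hostname:
        return False
    host = hostname.lower()
    sep = r"[.\-_]"
    for seq in (octets, octets[::-1]):
        for i in range(3):
            pair = re.compile(rf"(?<!\d){seq[i]}{sep}{seq[i + 1]}(?!\d)")
            if pair.search(host):
                return True
    return False


def has_words(hostname: str, words) -> bool:
    """BOTNET_CLIENTWORDS / BOTNET_SERVERWORDS: any regex matches the name."""
    return any(re.search(w, hostname, re.I) for w in words)


def botnet_rules(entry: str, baddns: bool = False) -> dict:
    """Evaluate the sub-rules for one relay entry and return every hit."""
    relay = parse_relay(entry)
    ip, rdns = relay.get("ip", ""), relay.get("rdns", "")
    hits = {
        "BOTNET_NORDNS": rdns == "",            # no rDNS name at all
        "BOTNET_BADDNS": baddns,                # caller-supplied (needs DNS)
        "BOTNET_IPINHOSTNAME": ipinhostname(ip, rdns),
        "BOTNET_CLIENTWORDS": has_words(rdns, CLIENTWORDS),
        "BOTNET_SERVERWORDS": has_words(rdns, SERVERWORDS),
    }
    # Item 9 of the announcement, verbatim.
    hits["BOTNET_CLIENT"] = (
        hits["BOTNET_IPINHOSTNAME"] or hits["BOTNET_CLIENTWORDS"]
    ) and not hits["BOTNET_SERVERWORDS"]
    # Assumption: the three inputs to the BOTNET meta rule are OR'd.
    hits["BOTNET"] = (
        hits["BOTNET_NORDNS"] or hits["BOTNET_BADDNS"] or hits["BOTNET_CLIENT"]
    )
    return hits


# Constructed sample relay entries (documentation addresses, fake names).
SAMPLE_RELAYS = [
    "[ ip=203.0.113.45 rdns=203-0-113-45.dsl.example.net helo=pc by=mx.example.com ]",
    "[ ip=198.51.100.7 rdns=mail.example.org helo=mail.example.org by=mx.example.com ]",
    "[ ip=192.0.2.9 rdns= helo=localhost by=mx.example.com ]",
    "[ ip=203.0.113.9 rdns=smtp-out-203-0-113-9.example.net helo=x by=mx.example.com ]",
]

if __name__ == "__main__":
    for entry in SAMPLE_RELAYS:
        hits = botnet_rules(entry)
        fired = [name for name, hit in hits.items() if hit]
        print(parse_relay(entry).get("rdns") or "(no rdns)", "->", fired)
```

The fourth sample shows why item 7 introduced the server-word counterweight: the address octets do appear in the name, but "smtp" suppresses BOTNET_CLIENT so a provider's outbound relay is not flagged on hostname shape alone.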