(I had a bout of insomnia last night, and got more done than I had pre-announced yesterday...)

The next version of the Botnet plugin for Spam Assassin is ready. The install instructions are in the Botnet.txt file, and in the INSTALL file.

For those who don't know what Botnet is, it's a plugin which tries to identify whether or not the message has been submitted by a botnet/spam-zombie type host by looking at its DNS characteristics (no reverse DNS, reverse DNS that doesn't resolve, or doesn't resolve back to the relay's IP, or reverse DNS that contains things that look like an ISP's client address). The places I've been using it, and the people I hear about who are using it, have seen a high degree of success.

It can be downloaded from:

http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar

As usual, feedback, statistics, bug reports, feature suggestions, are all welcome.

NOTE: This will be the last version I announce outside of the SA users mailing list. I don't want to wear out the patience of the other list owners. [email protected] is where I'll make all further release announcements.

What's new in 0.6:

1) IP in Hostname bug fix (the same IP address octet could be matched twice.. which was a problem if the octet was "1", and the hostname had a sub-string like "101" in it)

2) pass_domains, clientwords, and serverwords weren't insensitive checks

3) typo fixed in botnet.txt

4) moved to Net::DNS (finally; and it's going to be needed for To Do item #3)

5) perl package is now named Mail::SpamAssassin::Plugin::Botnet

6) because clientwords and serverwords are meant to be _words_, they are now wrapped by (\b|\d) (both before and after the word/expression). This is to help avoid false positives where a clientword might have been a substring of a larger word that shouldn't have triggered the check (similarly for serverwords).

7) similarly, pass_domains now have a leading (\.|\A) added to them IF they don't already have \. or \A in front (but it will be added if the expression starts with "." -- since this is a regular expression, that is assumed to mean any single character, so be careful).

8) added debug output for parse_config

9) added "mta" and "relay" to serverwords (used by classmates.com and/or reunion.com)

10) changed dsl to (a|s|d(yn)?)?dsl in clientwords (so, covers adsl, sdsl, ddsl, and dyndsl ... I've seen all of those except ddsl)

11) added res(net|ident(ial)?)? to clientwords (rr.com supposedly uses ".res." in residential/customer IP hostnames, and ".resnet." is common at universities for dorm IP addresses)

12) contemplating adding cpe and cust(omer)? to the controversial clientwords (I think cpe = customer (presence/provided/?) equipment)

----

To Do before 1.0:

1) prepend __ to sub-rules, only BOTNET proper should not have that

2) separate the SA routines from the core algorithms, so that the botnet checks can be used in other perl programs. Include a script that takes an IP addr and answers where/how it passed/failed.

3) try to do a lookup on the sender's email address domain; if it points back to the relay's IP address (A record, or one of the MX records), then that's less likely to be a botnet. Use this like BOTNET_SERVERWORDS -- just a counter to BOTNET_CLIENT. What about SPF, too? (I think that was a suggestion in one of the alternate meta rules)

4) credits for help I've gotten from other people

5) get listed in the wiki

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
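The announcement above describes three regex conventions of the 0.6 release (clientwords/serverwords wrapped in (\b|\d), pass_domains prefixed with (\.|\A) unless already anchored, and the "IP in hostname" check no longer counting the same octet twice) plus case-insensitive matching. The following is an added illustration written for this page, not the Perl code of the Botnet plugin itself: it reproduces those conventions in Python so that the false-positive cases the author mentions can be tried offline. The DNS lookups the real plugin performs are out of scope; the functions take the already-resolved reverse-DNS name (or None when there is no PTR). The word lists other than the patterns quoted in the announcement, the sample pass_domains, the "whole digit run" interpretation of the octet check, and the two-octet threshold in looks_like_botnet are all assumptions of this example.

```python
r"""Botnet-style relay heuristics (added example; not the plugin's own code).

Reproduces the regex conventions described in the Botnet 0.6 announcement:
  * clientwords/serverwords wrapped in (\b|\d) on both sides (item 6),
  * pass_domains prefixed with (\.|\A) unless they already start with \. or \A (item 7),
  * "IP in hostname" counting each octet against a whole digit run at most once (item 1),
  * case-insensitive matching everywhere (item 2).
Reverse-DNS lookups are left to the caller; hostname=None means "no PTR record".
"""
import re
from typing import List, Optional, Tuple

# Patterns quoted in the announcement are marked; the rest are constructed for this example.
CLIENTWORDS = [
    r"(a|s|d(yn)?)?dsl",          # from the announcement: adsl, sdsl, ddsl, dyndsl
    r"res(net|ident(ial)?)?",     # from the announcement: ".res." / ".resnet."
    r"dyn(amic)?",                # constructed
    r"dhcp",                      # constructed
    r"pool",                      # constructed
]
SERVERWORDS = [
    r"mta",                       # from the announcement
    r"relay",                     # from the announcement
    r"mail",                      # constructed
    r"smtp",                      # constructed
]
# pass_domains are operator-supplied regexes; these sample values are constructed.
PASS_DOMAINS = [
    r"example\.net\Z",            # gets (\.|\A) prepended automatically
    r"\Amx\.example\.org\Z",      # already starts with \A, so left untouched
]


def _wrap_word(pattern: str) -> re.Pattern:
    """Wrap a word/expression in (\b|\d) on both sides so it only matches as a whole
    word (or glued to digits, e.g. 'adsl-10' or '10dsl'), never as a substring of a
    longer word such as 'badslander'.  Compiled case-insensitively (item 2)."""
    return re.compile(r"(\b|\d)(?:" + pattern + r")(\b|\d)", re.IGNORECASE)


def _pass_domain_re(pattern: str) -> re.Pattern:
    """Prepend (\.|\A) unless the pattern already begins with \. or \A.  A pattern that
    begins with a bare '.' still gets the prefix: in a regex '.' is any character."""
    if not (pattern.startswith(r"\.") or pattern.startswith(r"\A")):
        pattern = r"(\.|\A)" + pattern
    return re.compile(pattern, re.IGNORECASE)


CLIENT_RES: List[Tuple[str, re.Pattern]] = [(p, _wrap_word(p)) for p in CLIENTWORDS]
SERVER_RES: List[Tuple[str, re.Pattern]] = [(p, _wrap_word(p)) for p in SERVERWORDS]
PASS_RES: List[re.Pattern] = [_pass_domain_re(p) for p in PASS_DOMAINS]


def matched_words(hostname: str, compiled: List[Tuple[str, re.Pattern]]) -> List[str]:
    """Return the source patterns from `compiled` that match somewhere in hostname."""
    return [pattern for pattern, rx in compiled if rx.search(hostname)]


def ip_octets_in_hostname(ip: str, hostname: str) -> int:
    """Count how many octets of the relay IP occur in the hostname as whole digit runs.
    Each digit run may satisfy only one octet, so '1' is no longer counted twice
    against a run like '101' (the 0.5 bug from item 1).  Interpretation assumed here."""
    runs = re.findall(r"\d+", hostname)
    count = 0
    for octet in ip.split("."):
        if octet in runs:
            runs.remove(octet)   # consume the run so it cannot be counted again
            count += 1
    return count


def classify(ip: str, hostname: Optional[str]) -> dict:
    """Summarise the Botnet-style signals for one relay.  `hostname` is the reverse-DNS
    name the caller already looked up, or None when the IP has no PTR record."""
    if hostname is None:
        return {"nordns": True, "client": [], "server": [], "ip_octets": 0, "pass": False}
    return {
        "nordns": False,
        "client": matched_words(hostname, CLIENT_RES),
        "server": matched_words(hostname, SERVER_RES),
        "ip_octets": ip_octets_in_hostname(ip, hostname),
        "pass": any(rx.search(hostname) for rx in PASS_RES),
    }


def looks_like_botnet(ip: str, hostname: Optional[str]) -> bool:
    """Minimal combination of the signals (assumed here; the plugin's own meta rule is
    richer): no PTR, or client-like words / at least two IP octets in the name, unless a
    serverword or a pass_domain counters it."""
    sig = classify(ip, hostname)
    if sig["nordns"]:
        return True
    if sig["pass"] or sig["server"]:
        return False
    return bool(sig["client"]) or sig["ip_octets"] >= 2


if __name__ == "__main__":
    # Constructed sample relays, one per case the announcement talks about.
    for ip, name in [("10.0.0.5", "adsl-10-0-0-5.isp.example"),
                     ("192.0.2.7", "badslander.example.com"),
                     ("192.0.2.7", "relay7.mailhost.example"),
                     ("192.0.2.9", None)]:
        print(name, classify(ip, name), looks_like_botnet(ip, name))
```

The (\b|\d) wrapper is what keeps "badslander" from tripping the dsl check while "adsl-10-0-0-5" still does, and the (\.|\A) prefix is what makes a pass_domain of example\.net accept mail.example.net but not notexample.net.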

