Re: Botnet plugin still relevant?

2010-03-22 Thread micah anderson
On Wed, 17 Mar 2010 14:45:53 -0700, John Rudd jr...@ucsc.edu wrote:
 Some people need to put in some alternate values for DNS timeouts, but
 if you've got a local caching name server, you typically don't need
 that.
 
 There aren't any actual bugs in it that I'm aware of, so I haven't
 released a new version.  As I see it, there isn't a need (and that is
 a somewhat controversial statement with some of the more opinionated
 people around here).
 
 I do still see some things that get nailed by it ... but there's lots
 of those same hosts that get caught by the Spamhaus PBL.  So, it kind
 of depends on what you're doing with PBL and/or Zen, as to whether or
 not you need Botnet.   But, there are still plenty of things coming
 from that class of hosts, so if you don't use one, I'd definitely
 recommend using the other.

Yeah, I've been having problems recently which I think are related to me
using both Zen/PBL along with the Botnet plugin weighted to score level
5, even if I were to have it lower at 3 it would still be too much.

Many users are complaining and when I finally get some useful messages
with headers to analyze I am finding something like the following:

X-Spam-Report:
*  3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
*  [213.6.61.151 listed in zen.dnsbl]
*  1.0 RCVD_IN_BRBL RBL: Received via relay listed in Barracuda RBL
*  [213.6.61.151 listed in b.barracudacentral.org]
*  1.4 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
*  [213.6.61.151 listed in bb.barracudacentral.org]
*  0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
*  [213.6.61.151 listed in dnsbl.sorbs.net]
*  0.8 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
*  5.0 BOTNET Relay might be a spambot or virusbot
*  [botnet0.8,ip=213.6.61.151,rdns=a61-151.adsl.paltel.net,maildomain=palnet.com,client,ipinhostname,clientwords]
*  1.0 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS

This brings it over the 8 threshold, although it is a legitimate email
from a user who has unfortunately been saddled with a dynamic IP that
previously was used by a spammer. No amount of explanation to these
users about this is going to assuage their feelings, and there isn't
really anything that can be done by them. They can complain to their ISP
I guess, they could also find another ISP, but these are not
particularly productive steps towards resolving this problem.

I'm interested in other suggestions that I offer people as alternatives,
but until then I think I may need to remove Botnet from the equation. 

micah




Re: Botnet plugin still relevant?

2010-03-22 Thread Jari Fredriksson
On 22.3.2010 16:51, micah anderson wrote:
 On Wed, 17 Mar 2010 14:45:53 -0700, John Rudd jr...@ucsc.edu wrote:
 Some people need to put in some alternate values for DNS timeouts, but
 if you've got a local caching name server, you typically don't need
 that.

 There aren't any actual bugs in it that I'm aware of, so I haven't
 released a new version.  As I see it, there isn't a need (and that is
 a somewhat controversial statement with some of the more opinionated
 people around here).

 I do still see some things that get nailed by it ... but there's lots
 of those same hosts that get caught by the Spamhaus PBL.  So, it kind
 of depends on what you're doing with PBL and/or Zen, as to whether or
 not you need Botnet.   But, there are still plenty of things coming
 from that class of hosts, so if you don't use one, I'd definitely
 recommend using the other.
 
 Yeah, I've been having problems recently which I think are related to me
 using both Zen/PBL along with the Botnet plugin weighted to score level
 5, even if I were to have it lower at 3 it would still be too much.
 
 Many users are complaining and when I finally get some useful messages
 with headers to analyze I am finding something like the following:
 
 X-Spam-Report:
   *  3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
   *  [213.6.61.151 listed in zen.dnsbl]
   *  1.0 RCVD_IN_BRBL RBL: Received via relay listed in Barracuda RBL
   *  [213.6.61.151 listed in b.barracudacentral.org]
   *  1.4 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
   *  [213.6.61.151 listed in bb.barracudacentral.org]
   *  0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
   *  [213.6.61.151 listed in dnsbl.sorbs.net]
   *  0.8 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
   *  5.0 BOTNET Relay might be a spambot or virusbot
   *  [botnet0.8,ip=213.6.61.151,rdns=a61-151.adsl.paltel.net,maildomain=palnet.com,client,ipinhostname,clientwords]
   *  1.0 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS
 
 This brings it over the 8 threshold, although it is a legitimate email
 from a user who has unfortunately been saddled with a dynamic IP that
 previously was used by a spammer. No amount of explanation to these
 users about this is going to assuage their feelings, and there isn't
 really anything that can be done by them. They can complain to their ISP
 I guess, they could also find another ISP, but these are not
 particularly productive steps towards resolving this problem.
 
 I'm interested in other suggestions that I offer people as alternatives,
 but until then I think I may need to remove Botnet from the equation. 
 
 micah

It looks like the sender has operated his own SMTP server and not used
his ISP as a smart host. That is bad practice; with a real server not a
single one of those rules would have triggered. Especially Botnet does not
have any knowledge about earlier spamming. Botnet does not care.

-- 
http://www.iki.fi/jarif/

Q:  What is purple and concord the world?
A:  Alexander the Grape.





Re: Botnet plugin still relevant?

2010-03-22 Thread John Rudd
On Mon, Mar 22, 2010 at 07:51, micah anderson mi...@riseup.net wrote:

 from a user who has unfortunately been saddled with a dynamic IP that
 previously was used by a spammer. No amount of explanation to these
 users about this is going to assuage their feelings, and there isn't
 really anything that can be done by them. They can complain to their ISP
 I guess, they could also find another ISP, but these are not
 particularly productive steps towards resolving this problem.

 I'm interested in other suggestions that I offer people as alternatives,
 but until then I think I may need to remove Botnet from the equation.

Or you could just put that relay into your botnet cf file so that it
doesn't get scored by botnet.

That's what the botnet_pass_ip entries are there for.  Using the
example you just gave, you could just do:

botnet_pass_ip ^213\.6\.61\.151$

Then just do whatever you need to in your spamassassin environment to
make that live (reload something, etc.).  Then that particular host
won't ever trigger botnet again.


Re: Botnet plugin still relevant?

2010-03-22 Thread John Hardin

On Mon, 22 Mar 2010, micah anderson wrote:

> Many users are complaining and when I finally get some useful messages
> with headers to analyze I am finding something like the following:
>
> X-Spam-Report:
> *  3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
> *  [213.6.61.151 listed in zen.dnsbl]
> *  1.0 RCVD_IN_BRBL RBL: Received via relay listed in Barracuda RBL
> *  [213.6.61.151 listed in b.barracudacentral.org]
> *  1.4 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
> *  [213.6.61.151 listed in bb.barracudacentral.org]
> *  0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
> *  [213.6.61.151 listed in dnsbl.sorbs.net]
> *  0.8 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
> *  5.0 BOTNET Relay might be a spambot or virusbot
> *  [botnet0.8,ip=213.6.61.151,rdns=a61-151.adsl.paltel.net,maildomain=palnet.com,client,ipinhostname,clientwords]
> *  1.0 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS
>
> This brings it over the 8 threshold, although it is a legitimate email
> from a user who has unfortunately been saddled with a dynamic IP that
> previously was used by a spammer.


If your users are connecting from random public Internet dynamic-IP hosts, 
are you using SMTP authentication? If so, there should be data about that 
authentication in the Received: headers that you can use within SA to 
whitelist them and offset legitimate results like those above.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Mine eyes have seen the horror of the voting of the horde;
  They've looted the fromagerie where guv'ment cheese is stored;
  If war's not won before the break they grow so quickly bored;
  Their vote counts as much as yours.  -- Tam
---
 164 days since President Obama won the Nobel Not George W. Bush prize


Re: Botnet plugin still relevant?

2010-03-22 Thread Joseph Brennan


micah anderson mi...@riseup.net wrote:

> Yeah, I've been having problems recently which I think are related to me
> using both Zen/PBL along with the Botnet plugin weighted to score level
> 5, even if I were to have it lower at 3 it would still be too much.



Are you using the PBL appropriately?

http://www.spamhaus.org/pbl/ says--

Caution: Because the PBL lists normal customer IP space, do not use PBL on 
smarthosts or SMTP AUTH outbound servers for your own customers (or you 
risk blocking your own customers if their dynamic IPs are in the PBL). Do 
not use PBL in filters that do any ‘deep parsing’ of Received headers, or 
for other than checking IP addresses that hand off to your mailservers.




Joseph Brennan
Columbia University Information Technology



Re: Botnet plugin still relevant?

2010-03-22 Thread RW
On Mon, 22 Mar 2010 10:51:20 -0400
micah anderson mi...@riseup.net wrote:


 Yeah, I've been having problems recently which I think are related to
 me using both Zen/PBL along with the Botnet plugin weighted to score
 level 5, even if I were to have it lower at 3 it would still be too
 much.

If  you look in the BOTNET documentation, it's possible to have BOTNET
as a meta rule rather than have the logic inside the plugin. IMO it
would be sensible to score PBL at 0.001 and bring it inside a BOTNET
meta rule, and rescore BOTNET at the current value of the PBL score.
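Three of the fixes proposed in this thread (John Rudd's botnet_pass_ip entry, John Hardin's offset for submissions that came in over SMTP AUTH, and RW's idea of folding PBL into a BOTNET meta rule) all come down to score arithmetic, so the block below runs the X-Spam-Report from micah's message through each of them. This is an added example in Python, not code from the thread, from SpamAssassin or from the Botnet plugin; in a real deployment the same thing is expressed with score, header and meta lines in local.cf. The rule names and scores are taken from the report above; the Received header text, the "(Authenticated sender: ...)" marker (the form Postfix writes when smtpd_sasl_authenticated_header = yes), the -10 offset, and the rule names LOCAL_SMTP_AUTH and BOTNET_META are assumptions made for the example.

```python
import re

# X-Spam-Report from micah's message, re-joined where the list archive wrapped it.
SPAM_REPORT = """\
*  3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
*  [213.6.61.151 listed in zen.dnsbl]
*  1.0 RCVD_IN_BRBL RBL: Received via relay listed in Barracuda RBL
*  [213.6.61.151 listed in b.barracudacentral.org]
*  1.4 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
*  [213.6.61.151 listed in bb.barracudacentral.org]
*  0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
*  [213.6.61.151 listed in dnsbl.sorbs.net]
*  0.8 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
*  5.0 BOTNET Relay might be a spambot or virusbot
*  [botnet0.8,ip=213.6.61.151,rdns=a61-151.adsl.paltel.net,maildomain=palnet.com,client,ipinhostname,clientwords]
*  1.0 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS
"""

# Constructed last-hop Received headers for the same client. Assumption: the MX runs
# Postfix with smtpd_sasl_authenticated_header = yes, which records SMTP AUTH as
# "(Authenticated sender: <login>)". Only the second header came in through AUTH.
RECEIVED_DIRECT = ("from a61-151.adsl.paltel.net (a61-151.adsl.paltel.net [213.6.61.151])"
                   " by mx.example.net (Postfix) with ESMTP id 4B7F2C0")
RECEIVED_AUTH = ("from a61-151.adsl.paltel.net (a61-151.adsl.paltel.net [213.6.61.151])"
                 " (Authenticated sender: someone) by mx.example.net (Postfix) with ESMTPSA id 4B7F2C1")

REQUIRED_SCORE = 8.0                              # micah's threshold
AUTH_OFFSET = -10.0                               # assumed score of a site-local SMTP AUTH rule
PBL_SCORE = 3.3                                   # PBL's score in the report, reused by the meta rule
BOTNET_META_MEMBERS = ("RCVD_IN_PBL", "BOTNET")   # rules folded into the assumed meta rule
BOTNET_PASS_IP = (r"^213\.6\.61\.151$",)          # John Rudd's botnet_pass_ip entry

RULE_LINE = re.compile(r"^\*\s+(-?\d+\.\d+)\s+([A-Z0-9_]+)\s")
AUTH_MARK = re.compile(r"\(Authenticated sender: [^)]+\)")


def parse_report(report):
    """Map rule name -> score; the bracketed detail lines carry no score and are skipped."""
    hits = {}
    for line in report.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits


def total(hits):
    """Sum the rule scores the way the X-Spam-Status total does, to one decimal."""
    return round(sum(hits.values()), 1)


def verdict(hits):
    """(score, spam?) against the required score."""
    score = total(hits)
    return score, score >= REQUIRED_SCORE


def client_authenticated(received):
    """True if the last-hop Received header records SMTP AUTH (the marker is MTA specific)."""
    return AUTH_MARK.search(received) is not None


def with_pass_list(hits, client_ip):
    """John Rudd: a botnet_pass_ip match stops the plugin scoring that relay at all."""
    if any(re.search(pat, client_ip) for pat in BOTNET_PASS_IP):
        return {r: s for r, s in hits.items() if r != "BOTNET"}
    return dict(hits)


def with_auth_offset(hits, received):
    """John Hardin: keep the DNSBL/Botnet hits but offset them for our own authenticated
    users, whose client IP is expected to look dynamic."""
    adjusted = dict(hits)
    if client_authenticated(received):
        adjusted["LOCAL_SMTP_AUTH"] = AUTH_OFFSET  # hypothetical rule name
    return adjusted


def with_meta_collapse(hits):
    """RW: score PBL at ~0 and rescore BOTNET at the old PBL value inside one meta rule, so
    the single fact 'this relay is a dynamic client' is counted once instead of twice."""
    adjusted = {r: s for r, s in hits.items() if r not in BOTNET_META_MEMBERS}
    if any(r in hits for r in BOTNET_META_MEMBERS):
        adjusted["BOTNET_META"] = PBL_SCORE  # hypothetical meta rule name
    return adjusted


if __name__ == "__main__":
    hits = parse_report(SPAM_REPORT)
    for label, adjusted in [
        ("as delivered", hits),
        ("botnet_pass_ip", with_pass_list(hits, "213.6.61.151")),
        ("SMTP AUTH offset", with_auth_offset(hits, RECEIVED_AUTH)),
        ("PBL+BOTNET meta", with_meta_collapse(hits)),
        ("meta + AUTH offset", with_auth_offset(with_meta_collapse(hits), RECEIVED_AUTH)),
    ]:
        score, spam = verdict(adjusted)
        print(f"{label:20s} {score:5.1f}  {'SPAM' if spam else 'ham'}")
```

Two things the numbers show: the pass list and the meta collapse each bring the message to 7.5, just under the threshold, because the other dynamic-IP rules (RDNS_DYNAMIC, the Barracuda listings) still fire on the same fact, while the AUTH offset is the only change that makes the result robust. The offset is only safe if SpamAssassin is told which hosts wrote the Received header it trusts: the AUTH marker must come from a relay in your own trusted_networks, never from a header the sender supplied, or a spammer can forge "(Authenticated sender: ...)" and collect the -10.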






Re: Botnet plugin still relevant?

2010-03-22 Thread Kai Schaetzl
Micah anderson wrote on Mon, 22 Mar 2010 10:51:20 -0400:

 This brings it over the 8 threshold, although it is a legitimate email
 from a user who has unfortunately been saddled with a dynamic IP

Most ISPs reject direct mail from non-static IP addresses nowadays. If you 
combine this with John Hardin's suggestion you don't need the botnet 
plugin or do RBL lookups for these clients at all (I guess you would need 
a new plugin for this, though).

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Botnet plugin still relevant?

2010-03-22 Thread John Hardin

On Mon, 22 Mar 2010, Kai Schaetzl wrote:

> Micah anderson wrote on Mon, 22 Mar 2010 10:51:20 -0400:
>
> > This brings it over the 8 threshold, although it is a legitimate email
> > from a user who has unfortunately been saddled with a dynamic IP
>
> Most ISPs reject direct mail from non-static IP addresses nowadays. If
> you combine this with John Hardin's suggestion you don't need the botnet
> plugin or do RBL lookups for these clients at all (I guess you would
> need a new plugin for this, though).


How do you reject mail from a non-static IP without doing a DNSBL lookup 
(e.g. Zen)? If you're suggesting most ISPs are doing egress filtering on 
port 25 from their dynamic spaces, that's good for them, but until _all_ 
ISPs do that DNSBLs will still be useful.


My suggestion doesn't involve discarding botnet or DNSBLs, it involves 
offsetting their scores for those instances where you _know_ the mail from 
a suspicious IP address is legitimate and wanted.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Men by their constitutions are naturally divided in to two parties:
  1. Those who fear and distrust the people and wish to draw all
  powers from them into the hands of the higher classes. 2. Those who
  identify themselves with the people, have confidence in them,
  cherish and consider them as the most honest and safe, although not
  the most wise, depository of the public interests.
  -- Thomas Jefferson
---
 164 days since President Obama won the Nobel Not George W. Bush prize


Re: Botnet plugin still relevant?

2010-03-22 Thread Kai Schaetzl
John Hardin wrote on Mon, 22 Mar 2010 10:47:35 -0700 (PDT):

 How do you reject mail from a non-static IP without doing a DNSBL lookup 
 (e.g. Zen)?

We are talking about lookups from SA here ;-) And these you can disable if 
you reject such mail, anyway.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Botnet plugin still relevant?

2010-03-17 Thread John Rudd
Some people need to put in some alternate values for DNS timeouts, but
if you've got a local caching name server, you typically don't need
that.

There aren't any actual bugs in it that I'm aware of, so I haven't
released a new version.  As I see it, there isn't a need (and that is
a somewhat controversial statement with some of the more opinionated
people around here).

I do still see some things that get nailed by it ... but there's lots
of those same hosts that get caught by the Spamhaus PBL.  So, it kind
of depends on what you're doing with PBL and/or Zen, as to whether or
not you need Botnet.   But, there are still plenty of things coming
from that class of hosts, so if you don't use one, I'd definitely
recommend using the other.


John Rudd


On Wed, Mar 17, 2010 at 14:34, Micah Anderson mi...@riseup.net wrote:

 Hi,

 I've been using the Botnet plugin version 0.8 for some time now, and the
 plugin itself has been around since 2003 or so. I'm just curious to test
 the waters and see what others think about the relevance in 2010 of
 this plugin. Does it still contribute in positive ways to your setup? I
 do not see a newer version of the plugin since 2007, is there a newer
 version than 0.8?

 Did you do any configuration of it beyond its defaults? Does the
 proliferation of individuals on dynamically assigned cable/dsl modems
 cause the plugin to misfire too often?

 I've had a number of complaints somewhat recently about the last point,
 and I don't have much of a solution to the situation where a user is
 stuck with the dynamically assigned IP that previously a spammer was
 occupying, except to explain that is the situation and eventually it
 will change.

 thanks for any thoughts or experiences with this plugin!

 micah

 ps. I notice it is not listed on
 http://wiki.apache.org/spamassassin/CustomPlugins and I wonder the
 reason why?




Re: Botnet plugin still relevant?

2010-03-17 Thread RW
On Wed, 17 Mar 2010 17:34:08 -0400
Micah Anderson mi...@riseup.net wrote:

 
 Hi,
 
 I've been using the Botnet plugin version 0.8 for some time now, and
 the plugin itself has been around since 2003 or so. I'm just curious
 to test the waters and see what other's think about the relevance in
 2010 of this plugin. Does it still contribute in positive ways to
 your setup? I do not see a newer version of the plugin since 2007, is
 there a newer version than 0.8?

What it's trying to do hasn't really changed. There was a report that
IPv6 connections FP though.

IMO much of the functionality in botnet should be brought into the
core so everything integrates better. There are already some
overlapping tests, but they are patchy and incoherent. The most
important thing is to fix the problem of missing rdns either by
infilling or simply a means to tell SA which MX servers don't
support it.
 
 Did you do any configuration of it beyond its defaults? 

Chiefly the default score is a bit too high.

 Does the
 proliferation of individuals on dynamically assigned cable/dsl modems
 cause the plugin to misfire too often?

The whole point of the plugin is to detect such accounts when they are
delivering direct to MX. The FPs tend to be real mail servers that
have odd DNS. In this day and age no one with a dynamic address should
deliver direct to MX.

 
 I've had a number of complaints somewhat recently about the last
 point, and I don't have much of a solution to the situation where a
 user is stuck with the dynamically assigned IP that previously a
 spammer was occupying, except to explain that is the situation and
 eventually it will change.

This has nothing to do with Botnet, and it shouldn't have much of an
effect - provided they are sending through a smarthost. The blocklists
that contain Botnets only run on the last external address to avoid
that problem.