Re: Botnet plugin still relevant?

2010-03-22 Thread Kai Schaetzl
John Hardin wrote on Mon, 22 Mar 2010 10:47:35 -0700 (PDT): > How do you reject mail from a non-static IP without doing a DNSBL lookup > (e.g. Zen)? we are talking about lookups from SA here ;-) And these you can disable if you reject such mail, anyway. Kai -- Get your web at Conactive Inter

Re: Botnet plugin still relevant?

2010-03-22 Thread John Hardin
On Mon, 22 Mar 2010, Kai Schaetzl wrote: Micah anderson wrote on Mon, 22 Mar 2010 10:51:20 -0400: This brings it over the 8 threshold, although it is a legitimate email From a user who has unfortunately been saddled with a dynamic IP Most ISPs reject direct mail from non-static IP addresses

Re: Botnet plugin still relevant?

2010-03-22 Thread Kai Schaetzl
Micah anderson wrote on Mon, 22 Mar 2010 10:51:20 -0400: > This brings it over the 8 threshold, although it is a legitimate email > From a user who has unfortunately been saddled with a dynamic IP Most ISPs reject direct mail from non-static IP addresses nowadays. If you combine this with John H

Re: Botnet plugin still relevant?

2010-03-22 Thread RW
On Mon, 22 Mar 2010 10:51:20 -0400 micah anderson wrote: > Yeah, I've been having problems recently which I think are related to > me using both Zen/PBL along with the Botnet plugin weighted to score > level 5, even if I were to have it lower at 3 it would still be too > much. If you look in t

Re: Botnet plugin still relevant?

2010-03-22 Thread Joseph Brennan
micah anderson wrote: Yeah, I've been having problems recently which I think are related to me using both Zen/PBL along with the Botnet plugin weighted to score level 5, even if I were to have it lower at 3 it would still be too much. Are you using the PBL appropriately?

Re: Botnet plugin still relevant?

2010-03-22 Thread John Hardin
On Mon, 22 Mar 2010, micah anderson wrote: Many users are complaining and when I finally get some useful messages with headers to analyze I am finding something like the following: X-Spam-Report: * 3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL * [213.6.61.151 l

Re: Botnet plugin still relevant?

2010-03-22 Thread John Rudd
On Mon, Mar 22, 2010 at 07:51, micah anderson wrote: > From a user who has unfortunately been saddled with a dynamic IP that > previously was used by a spammer. No amount of explanation to these > users about this is going to assuage their feelings, and there isn't > really anything that can be d

Re: Botnet plugin still relevant?

2010-03-22 Thread Jari Fredriksson
On 22.3.2010 16:51, micah anderson wrote: > On Wed, 17 Mar 2010 14:45:53 -0700, John Rudd wrote: >> Some people need to put in some alternate values for DNS timeouts, but >> if you've got a local caching name server, you typically don't need >> that. >> >> There aren't any actual bugs in it that I

Re: Botnet plugin still relevant?

2010-03-22 Thread micah anderson
On Wed, 17 Mar 2010 14:45:53 -0700, John Rudd wrote: > Some people need to put in some alternate values for DNS timeouts, but > if you've got a local caching name server, you typically don't need > that. > > There aren't any actual bugs in it that I'm aware of, so I haven't > released a new versi

Re: Botnet plugin still relevant?

2010-03-17 Thread RW
On Wed, 17 Mar 2010 17:34:08 -0400 Micah Anderson wrote: > > Hi, > > I've been using the Botnet plugin version 0.8 for some time now, and > the plugin itself has been around since 2003 or so. I'm just curious > to test the waters and see what others think about the relevance in > 2010 of this

Re: Botnet plugin still relevant?

2010-03-17 Thread John Rudd
Some people need to put in some alternate values for DNS timeouts, but if you've got a local caching name server, you typically don't need that. There aren't any actual bugs in it that I'm aware of, so I haven't released a new version. As I see it, there isn't a need (and that is a somewhat contr

Re: BOTNET plugin download

2009-06-08 Thread John Rudd
On Mon, Jun 8, 2009 at 16:31, alexus wrote: > whats botnet plugin? It's a SpamAssassin plugin that looks at DNS configurations and attempts to identify hosts that are probably actually clients that are sending email directly to your server, instead of through their own mail server. There's a high like

Re: BOTNET plugin download

2009-06-08 Thread alexus
whats botnet plugin? On Mon, Jun 8, 2009 at 7:23 PM, John Rudd wrote: > On Mon, Jun 8, 2009 at 09:55, Jari Fredriksson wrote: >>> The BOTNET plugin isn't covered in the CustomPlugins wiki >>> page. When I Googled it I found this: >>> >>> http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar >>> >>

Re: BOTNET plugin download

2009-06-08 Thread John Rudd
On Mon, Jun 8, 2009 at 09:55, Jari Fredriksson wrote: >> The BOTNET plugin isn't covered in the CustomPlugins wiki >> page. When I Googled it I found this: >> >> http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar >> >> but it's a bit old. Is there a later version? > > That's 0.8 which is AFAIK t

Re: BOTNET plugin download

2009-06-08 Thread Jari Fredriksson
> The BOTNET plugin isn't covered in the CustomPlugins wiki > page. When I Googled it I found this: > > http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar > > but it's a bit old. Is there a later version? That's 0.8 which is AFAIK the latest.

Re: Botnet plugin

2009-01-18 Thread Benny Pedersen
On Sun, January 18, 2009 19:03, mouss wrote: > This may not be a problem for you, but other people may want to > score if PTR is dynamic (even if helo is not). and reject in mta if both is dynamic :) -- Benny Pedersen Need more webspace ? http://www.servage.net/?coupon=cust37098

Re: Botnet plugin

2009-01-18 Thread mouss
Henrik K wrote: > On Sun, Jan 18, 2009 at 03:45:25PM +0100, mouss wrote: >> Henrik K wrote: >[snip] >>> Less info only if you are running a sad MTA, that doesn't properly resolve. >> not completely true. >> >> $ host 220.174.1.163 >> 163.1.174.220.in-addr.arpa domain name pointer >> 163.1.174

Re: Botnet plugin

2009-01-18 Thread Henrik K
On Sun, Jan 18, 2009 at 03:45:25PM +0100, mouss wrote: > Henrik K wrote: > > On Fri, Jan 16, 2009 at 01:52:46PM +0100, Jonas Eckerman wrote: > >> Benny Pedersen wrote: > >> > >>> i have changed to use BadRelay from > >>> http://sa.hege.li/BadRelay.pm > >>> http://sa.hege.li/BadRelay.cf > >> Afte

Re: Botnet plugin

2009-01-18 Thread mouss
Henrik K wrote: > On Fri, Jan 16, 2009 at 01:52:46PM +0100, Jonas Eckerman wrote: >> Benny Pedersen wrote: >> >>> i have changed to use BadRelay from >>> http://sa.hege.li/BadRelay.pm >>> http://sa.hege.li/BadRelay.cf >> After reading BadRelay.pm I see that it does not really replace Botnet. >>

Re: Botnet plugin

2009-01-16 Thread Jonas Eckerman
Henrik K wrote: Less info only if you are running a sad MTA, that doesn't properly resolve. I guess the SOHO rule is exception, That was what I meant. :-) Check for IP in hostname? Does anyone have actual stats, that it's somehow better than a generic \d+-\d+ regex or whatever? Sometimes it'

Re: Botnet plugin

2009-01-16 Thread Henrik K
On Fri, Jan 16, 2009 at 01:52:46PM +0100, Jonas Eckerman wrote: > Benny Pedersen wrote: > >> i have changed to use BadRelay from > >> http://sa.hege.li/BadRelay.pm >> http://sa.hege.li/BadRelay.cf > > After reading BadRelay.pm I see that it does not really replace Botnet. > > Some of the difference

Re: Botnet plugin

2009-01-16 Thread Jonas Eckerman
Mark Martinec wrote: In a while I'll send a patch to the author. That is noble, but apparently it doesn't have any effect. When Botnet was known as RelayChecker I made a suggestion to the author. That suggestion was incorporated in the code. For some reason I take that as an indicator th

Re: Botnet plugin

2009-01-16 Thread Jonas Eckerman
Benny Pedersen wrote: i have changed to use BadRelay from http://sa.hege.li/BadRelay.pm http://sa.hege.li/BadRelay.cf After reading BadRelay.pm I see that it does not really replace Botnet. Some of the differences in what is checked are due to Botnet doing DNS-lookups while BadRelay avo

Re: Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)

2009-01-15 Thread John Rudd
On Thu, Jan 15, 2009 at 09:06, Mark Martinec wrote: > Jonas, > >> I just found one reason for FPs in the Botnet plugin. It doesn't >> make a difference between timeouts (and other DNS errors) and >> negative answers. So if your DNS server/proxy is overloaded (or >> slow for some other reason), you

Re: Botnet plugin patch - avoid FPs from DNS timeouts

2009-01-15 Thread John Rudd
I'll incorporate this into the next version. Thanks :-) On Thu, Jan 15, 2009 at 12:47, Jonas Eckerman wrote: > Hello! > > Here's a small patch for the Botnet plugin. > > The difference from the original is that it doesn't treat a timeout or DNS > error the same as a not found answer. This should

Re: Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)

2009-01-15 Thread Benny Pedersen
On Thu, January 15, 2009 18:06, Mark Martinec wrote: > Not to forget the long-standing DNS problem with Botnet: > http://marc.info/?l=spamassassin-users&m=118641079630268 > http://marc.info/?l=spamassassin-users&m=120783518919154 i have changed to use BadRelay from http://sa.hege.li/BadRela

Re: Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)

2009-01-15 Thread Mark Martinec
Jonas, > I just found one reason for FPs in the Botnet plugin. It doesn't > make a difference between timeouts (and other DNS errors) and > negative answers. So if your DNS server/proxy is overloaded (or > slow for some other reason), you'll get FPs > > Since 15 minutes ago, I'm running a slightly

RE: Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)

2009-01-15 Thread RobertH
> > I just found one reason for FPs in the Botnet plugin. It > doesn't make a difference between timeouts (and other DNS > errors) and negative answers. So if your DNS server/proxy is > overloaded (or slow for some other reason), you'll get FPs > > Since 15 minutes ago, I'm running a slight

Re: Botnet Plugin

2007-06-10 Thread Claude Frantz
John Rudd wrote: In my opinion, the Botnet plugin should recognize that as botnet, but I could be wrong. Botnet is looking for hosts whose DNS looks like a dynamic or dial-up customer. So, if the host has no reverse DNS, the reverse DNS doesn't match forward DNS, or the forward DNS contains

Re: Botnet Plugin

2007-06-08 Thread John Rudd
Claude Frantz wrote: However, one thing to recognize is that botnet does not parse the Received headers themselves. Spam Assassin does, and puts them into pseudoheaders. Those pseudoheaders are what botnet processes. What exactly contain the pseudoheaders ? You could look at the code or

Re: Botnet Plugin

2007-06-08 Thread arni
Daniel J McDonald wrote: On Fri, 2007-06-08 at 14:53 +0200, arni wrote: Can you tell me what you think i'm doing wrong? [EMAIL PROTECTED] Desktop]$ host 87.118.96.151 151.96.118.87.in-addr.arpa domain name pointer ns.rds27912.i4e-server.de. [EMAIL PROTECTED] Desktop]$ host ns.rds27912

Re: Botnet Plugin

2007-06-08 Thread Jim Knuth
Today (08.06.2007, 14:34) arni wrote: > Where do i find this botnet plugin? > arni http://people.ucsc.edu/~jrudd/spamassassin/ -- Many greetings, Kind regards, Jim Knuth [EMAIL PROTECTED] ICQ #277289867 -- Random quote -- Schwerere als Luft? Flugmaschinen sind unmögli

Re: Botnet Plugin

2007-06-08 Thread arni
Claude Frantz wrote: Hi. This is the qmail-send program at rds27912.i4e-server.de. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out. <[EMAIL PROTECTED]>: 137.193.10.37 does not like recipient. Remote

Re: Botnet Plugin

2007-06-08 Thread arni
Where do i find this botnet plugin? arni

Re: Botnet Plugin

2007-06-07 Thread Claude Frantz
John Rudd wrote: The diagnostic output for that message would have been useful. OK ! Here it is, as long as Botnet is concerned: [21114] dbg: Botnet: checking baddns [21114] dbg: Botnet: get_relay good RDNS [21114] dbg: Botnet: IP is '195.82.166.1' [21114] dbg: Botnet: RDNS is 'ludwik.warynski

Re: Botnet Plugin

2007-06-06 Thread John Rudd
The diagnostic output for that message would have been useful. However, one thing to recognize is that botnet does not parse the Received headers themselves. Spam Assassin does, and puts them into pseudoheaders. Those pseudoheaders are what botnet processes. Claude Frantz wrote: The Botn

Re: Botnet Plugin

2007-06-06 Thread John Rudd
In what way is botnet not properly processing the headers in question? Claude Frantz wrote: Claude Frantz wrote: The Botnet Plugin is not able to recognize the following sequence: Another case: Received: from OrangeSrv.rz.unibw-muenchen.de ([127.0.0.1]) by localhost (OrangeSrv.rz.unibw-m

Re: Botnet Plugin

2007-06-05 Thread Claude Frantz
Claude Frantz wrote: The Botnet Plugin is not able to recognize the following sequence: Another case: Received: from OrangeSrv.rz.unibw-muenchen.de ([127.0.0.1]) by localhost (OrangeSrv.rz.unibw-muenchen.de [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 12512-05 for <[EMAIL PROTECTED

Re: Botnet Plugin Download Link?

2007-05-11 Thread Matthias Haegele
Kevin W. Gagel wrote: Matthias, Worked fine for me. Try it again if it still doesn't work for you - I've uploaded a copy to my public share at: http://mail.cnc.bc.ca/users/gagel/Botnet.tar Thx a lot. It was a temporary problem, it is good to have an alternative download location. I'll k

Re: Botnet Plugin Download Link?

2007-05-11 Thread Kevin W. Gagel
Matthias, Worked fine for me. Try it again if it still doesn't work for you - I've uploaded a copy to my public share at: http://mail.cnc.bc.ca/users/gagel/Botnet.tar I'll keep it there till next week. - Original Message - From: Matthias Haegele <[EMAIL PROTECTED]> To: SpamAssassin Subj

Re: Botnet Plugin Download Link?

2007-05-11 Thread John Rudd
Matthias Haegele wrote: Hello! http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar link seems to be dead, since John Rudd is not listed at people, the link perhaps moved? Any tips? That's still the right/current URL. Just looks like people.ucsc.edu might be down right now.

Re: Botnet plugin

2007-01-25 Thread Matthias Fuhrmann
On Thu, 25 Jan 2007, Jason Little wrote: > > I was wondering about the maturity of the botnet plugin and where I can get > my hands on it again. I used an early version of it for a while but I > removed it because we didn't really need it and now it seems I need it again > with all the spammers f