John Rudd wrote:

I've written a plugin for Spam Assassin that does the relay checks I used to do in MimeDefang. The purpose of these checks is to try to identify those messages that are likely to be coming directly (with no intermediary mail server) from a zombie-bot, and are thus likely to be spam (or maybe virus) content. It does this by looking at characteristics of how ISPs and large networks tend to lay out the hostnames of their dynamic hosts and end clients. This includes:

1) no RDNS for the machines that aren't intended to talk to the outside world

2) RDNS that doesn't lead back to a valid A record

3) RDNS that is forged (leads to an A record which doesn't resolve back to the IP you started with)

4) Contains the host's IP address within the hostname

5) Contains standard key words within the hostname (but not in the TLD nor registered domain name), such as "dhcp", "dialup", "dial-up", "dsl", etc.


From this, a score of 5 or 6 is generated (it's really 4+ number of checks failed, but several of the checks are mutually exclusive). This should be enough to flag the message for review/quarantine, but not enough to automatically delete or reject the message (because none of you are doing that at a score of 5 or 6, right? right.). Thus, a false positive will merely result in a quarantine situation.

In my own results, I have seen this to be HIGHLY accurate. I have yet to get a false positive ... but it has caught several types of spam that other methods simply haven't been able to catch (or require significant processing, such as OCR, to catch).

The two files you need (put them in /etc/mail/spamassassin ... or wherever you want to put your plugins) are:

http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.cf
http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.pm


some notes:

1) I don't use Net::DNS for my checks, I use the built in perl get* calls. Mostly because I haven't looked at Net::DNS yet. If someone wanted to submit that code change to me, I'd gladly look at it. I'll get to it eventually on my own, though (might as well; SA already uses Net::DNS, right?).

2) This sort of replaces the other set of rules I created, that did this with metarules instead of a plugin. This made some of the checks less useful. You probably don't need to use both methods.

3) for those who object to SA checks that aren't purely about message content, you won't like this plugin. It's about trying to remove a class of sender (spambots, and mis-configured clients that aren't using their own domain's mail server for outbound traffic), where that class of sender is OVERWHELMINGLY likely to be generating spam. Just like open relays are overwhelmingly likely to be generating spam. My hope is that it may eliminate, or severely reduce, the spambot problem: this is a feature of the sending machine that the spammer and bot-master have _NO_ control over, so they can't adjust their content nor behaviors to adapt to it. They would simply have to give up using systems whose DNS configuration match these tests.


So, if people could take a look at it, test it, see if it does what it advertises, and see if it's as accurate as my experience indicates, I would appreciate getting feedback. If it pans out, I'll see about putting it in a tar ball, and submitting it to the wiki's list of plugins.

Hi,

Right off the bat I've disabled it. It, of course, hits on all mail my local users send. That's not really acceptable in an ISP situation so I've turned it off until tomorrow when I have the time to look at the code and see if I can disable the check for specific IPs or host names.

I can say it was hitting on a lot of spam that was passing through as clean before, so there is quite a bit of merit to the idea. It would just need the ability to ignore local clients.

Regards,

Rick
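
The following is an added illustration of the five checks John describes in his post, plus the "ignore local clients" exemption Rick asks for. It is not code from RelayChecker.pm and does not use the SpamAssassin plugin API; it is a stand-alone Python sketch of the same classification logic. The PTR and A tables are constructed in-memory stand-ins for real DNS lookups, the scoring follows the post's "4 + number of checks failed" description, the keyword list extends the post's "dhcp/dialup/dial-up/dsl, etc." with a few assumed additions, the "registered domain = last two labels" rule is a simplification (no public-suffix list), and the trusted-network exemption is modelled on SpamAssassin's trusted_networks idea rather than taken from the plugin.

```python
import ipaddress
import re

# Constructed fake DNS data (assumption: stands in for real PTR/A lookups).
PTR = {
    "203.0.113.5": "203-0-113-5.dsl.example-isp.net",  # IP embedded + "dsl" keyword
    "203.0.113.6": "static-mail.example-corp.com",     # clean, forward-confirmed
    "203.0.113.7": "mail.example-corp.com",            # A record points elsewhere
    "203.0.113.8": "ghost.example-isp.net",            # PTR with no A record
    "203.0.113.9": None,                               # no PTR at all
    "192.168.1.20": "dhcp-20.corp.lan",                # local MUA on the trusted LAN
}
A = {
    "203-0-113-5.dsl.example-isp.net": ["203.0.113.5"],
    "static-mail.example-corp.com": ["203.0.113.6"],
    "mail.example-corp.com": ["198.51.100.10"],
    "dhcp-20.corp.lan": ["192.168.1.20"],
}

# Keywords from the post plus assumed additions (cable, ppp, dyn, pool).
KEYWORDS = ("dhcp", "dialup", "dial-up", "dsl", "cable", "ppp", "dyn", "pool")

# Assumption: networks whose clients should never be scored (Rick's request).
TRUSTED = ("192.168.0.0/16", "10.0.0.0/8")


def ip_in_hostname(ip: str, host: str) -> bool:
    """Check 4: all four octets appear in order (or reversed), dot/dash separated."""
    octets = ip.split(".")
    for seq in (octets, list(reversed(octets))):
        pat = r"(?<!\d)" + r"[-.]".join(map(re.escape, seq)) + r"(?!\d)"
        if re.search(pat, host):
            return True
    return False


def keyword_in_hostname(host: str) -> bool:
    """Check 5: keyword in the host part only, not in the registered domain or TLD.

    Simplification: the registered domain is taken to be the last two labels.
    Word boundaries are letters only, so "dsl" does not match inside "adsl".
    """
    labels = host.rstrip(".").lower().split(".")
    left = ".".join(labels[:-2])
    return any(re.search(r"(?<![a-z])" + re.escape(k) + r"(?![a-z])", left)
               for k in KEYWORDS)


def rdns_checks(ip: str, ptr: dict, a: dict) -> list:
    """Return the names of the checks the connecting IP fails."""
    failed = []
    host = ptr.get(ip)
    if host is None:
        # Check 1. Without a hostname the remaining checks cannot run,
        # which is why the post calls several checks mutually exclusive.
        return ["NO_RDNS"]
    addrs = a.get(host)
    if not addrs:
        failed.append("RDNS_NO_A")        # check 2
    elif ip not in addrs:
        failed.append("RDNS_FORGED")      # check 3: no forward confirmation
    if ip_in_hostname(ip, host):
        failed.append("IP_IN_HOSTNAME")   # check 4
    if keyword_in_hostname(host):
        failed.append("KEYWORD_IN_HOSTNAME")  # check 5
    return failed


def relay_score(ip: str, ptr: dict, a: dict, trusted=()) -> tuple:
    """Score per the post: 4 + number of failed checks, 0 if none failed.

    Clients inside a trusted network are exempted entirely so that a site's
    own dynamically-named MUAs do not trip the rule.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in trusted):
        return 0, []
    failed = rdns_checks(ip, ptr, a)
    return (4 + len(failed)) if failed else 0, failed


if __name__ == "__main__":
    for ip in PTR:
        print(ip, relay_score(ip, PTR, A, TRUSTED))
```

Run as a script it prints each constructed IP with its score and the checks it failed; the 192.168.1.20 client scores 0 only because of the trusted-network exemption, and would otherwise hit the keyword check on "dhcp-20".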


