* John Rudd wrote (07/12/06 18:33):
> (I had a bout of insomnia last night, and got more done than I had
> pre-announced yesterday...)
>
> The next version of the Botnet plugin for Spam Assassin is ready. The
> install instructions are in the Botnet.txt file, and in the INSTALL file.
>
> For those who don't know what Botnet is, it's a plugin which tries to
> identify whether or not the message has been submitted by a
> botnet/spam-zombie type host by looking at its DNS characteristics (no
> reverse DNS, reverse DNS that doesn't resolve, or doesn't resolve back
> to the relay's IP, or reverse DNS that contains things that look like an
> ISP's client address). The places I've been using it, and the people I
> hear about who are using it, have seen a high degree of success.
>
> It can be downloaded from:
>
> http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
>
> As usual, feedback, statistics, bug reports, feature suggestions, are
> all welcome.
I've been running the BOTNET rules for a little while now. It's the most-hit rule on the machine (above BAYES_99 even). But I get a significant number of false positives. Here's some sa-stats output:

TOP SPAM RULES FIRED
----------------------------------------------------------------------
RANK  RULE NAME              COUNT  %OFMAIL  %OFSPAM  %OFHAM
----------------------------------------------------------------------
   1  BOTNET                  1381    66.37    90.86    6.44
   2  BAYES_99                1274    59.50    83.82    0.00
   3  HTML_MESSAGE            1184    75.06    77.89   68.12
   4  BOTNET_CLIENT           1048    50.21    68.95    4.35
   5  BOTNET_IPINHOSTNAME      962    45.45    63.29    1.77
   6  URIBL_BLACK              751    35.12    49.41    0.16
   7  RCVD_IN_SORBS_DUL        725    33.96    47.70    0.32
   8  URIBL_JP_SURBL           688    32.13    45.26    0.00
   9  BOTNET_CLIENTWORDS       608    29.61    40.00    4.19
  10  URIBL_SC_SURBL           524    24.47    34.47    0.00

I think the default score of 5 is far too high. I'm scoring it at 2 at the moment, which seems OK. I'd quite like to be able to give more score to BOTNET_IPINHOSTNAME than BOTNET_CLIENTWORDS, because it seems to give fewer false positives [I think this will probably improve in 0.6, though]. But this isn't a very big deal. So that's a mild vote against the __ prefix.

I added p0f to my arsenal recently, hoping it would work to lower the false-positive rate of BOTNET by checking for Windows machines, but it seems that almost all the BOTNET false positives are Exchange servers, so p0f aggravates rather than mitigates that.

Hope this feedback is useful. Thanks for the plugin. I take the view that network tests and RBLs (especially URIBLs), rather than body checks, are the best long-term spam-fighting tools.

Chris
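The DNS heuristics the announcement describes, with the per-sub-rule weighting Chris asks for (IPINHOSTNAME worth more than CLIENTWORDS, total capped at 2), as an added Python sketch that is not the Botnet plugin's own code. The lookup tables, the sub-rule names NO_RDNS and RDNS_NOT_CONFIRMED, the IP-in-hostname test and the weights are all constructed for this example; the entry for 192.0.2.30 stands for the kind of legitimately named server the post reports as a false positive.

```python
import re

# Constructed stand-ins for live DNS so the example runs offline
# (hypothetical names, RFC 5737 documentation addresses).
PTR = {
    "192.0.2.10": "dsl-192-0-2-10.isp.example",    # ISP client-style name
    "192.0.2.20": "mail.example.net",               # clean, forward-confirmed relay
    "192.0.2.30": "mx01-192-0-2-30.corp.example",   # legit server named after its IP
    "192.0.2.40": "ghost.example.org",              # PTR that resolves elsewhere
}
A = {
    "dsl-192-0-2-10.isp.example": ["192.0.2.10"],
    "mail.example.net": ["192.0.2.20"],
    "mx01-192-0-2-30.corp.example": ["192.0.2.30"],
    "ghost.example.org": ["203.0.113.9"],
}
CLIENT_WORDS = re.compile(r"\b(dsl|dialup|dyn(amic)?|cable|ppp|pool|client|cust)\b", re.I)

def ip_in_hostname(ip, host):
    """Constructed heuristic: at least three of the relay's octets appear
    as separate numeric tokens in its reverse name."""
    tokens = set(re.findall(r"\d+", host))
    return sum(1 for octet in ip.split(".") if octet in tokens) >= 3

def botnet_subrules(ip):
    """Sub-rules that fire for one relay IP: missing reverse DNS, reverse
    DNS that does not resolve back to the relay, and client-looking names."""
    hits = set()
    name = PTR.get(ip)
    if name is None:
        return {"NO_RDNS"}                   # constructed sub-rule name
    if ip not in A.get(name, []):
        hits.add("RDNS_NOT_CONFIRMED")       # constructed sub-rule name
    if ip_in_hostname(ip, name):
        hits.add("BOTNET_IPINHOSTNAME")
    if CLIENT_WORDS.search(name):
        hits.add("BOTNET_CLIENTWORDS")
    if hits & {"BOTNET_IPINHOSTNAME", "BOTNET_CLIENTWORDS"}:
        hits.add("BOTNET_CLIENT")
    return hits

# Constructed weights: IPINHOSTNAME above CLIENTWORDS, as the post suggests.
WEIGHTS = {"NO_RDNS": 2.0, "RDNS_NOT_CONFIRMED": 1.5,
           "BOTNET_IPINHOSTNAME": 1.5, "BOTNET_CLIENTWORDS": 0.5}

def botnet_score(ip, cap=2.0):
    """Sum the sub-rule weights, capped so this check alone cannot push a
    message over a typical 5.0 threshold; returns (score, hits)."""
    hits = botnet_subrules(ip)
    return min(cap, sum(WEIGHTS.get(h, 0.0) for h in hits)), hits
```

With these tables the corporate relay 192.0.2.30 still trips BOTNET_IPINHOSTNAME, but at 1.5 rather than 5 it needs other evidence before the message is classed as spam.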