On Thursday 04 January 2007 2:53 pm, Jens Schleusener wrote:
> On Thu, 4 Jan 2007, John Rudd wrote:
> > Dimitri Yioulos wrote:
> > > First, I wish all a very happy and healthy New Year.
> > >
> > > I hope this is the proper place to ask this: several days ago, I
> > > upgraded to Botnet-0.7 from 0.6; the latter had apparently been working
> > > fine with the installed SA 3.1.7. I installed as per instruction (no
> > > heavy lifting there). Now, no Botnet rules are ever hit, even though I
> > > suspect that some particular spam has been sent via a bot. If I
> > > reinstall 0.6, I get rule hits. What have I not done/done wrong?
> > >
> > > Thanks.
> > >
> > > Dimitri
> >
> > Do you get much output if you take one of the messages and do this
> > (assuming you're on some form of unix):
> >
> > spamassassin -D < $message_file | grep -i botnet
>
> I found a similar behaviour as described on a test server.
>
> Using
>
> spamassassin -D < $message_file 2>&1 | grep -i botnet
>
> I found that in my case probably the default Botnet.cf configuration line
>
> # If there are trusted relays, then look to see if there's a
> # public IP address; if so, then pass the message through.
> botnet_pass_trusted public
>
> is the causer since the test server receives the mails from a mail relay
> that uses a private 172.x.x.x address. Debug extract with the
> default configuration:
>
> dbg: Botnet: starting
> dbg: Botnet: found private trusted
> dbg: Botnet: skipping
>
> But "undefining" the variable "botnet_pass_trusted" I got
>
> dbg: Botnet: starting
> dbg: Botnet: get_relay good RDNS
> dbg: Botnet: IP is '189.156.64.193'
> dbg: Botnet: RDNS is 'dsl-189-156-64-193.prod-infinitum.com.mx'
> dbg: Botnet: HELO is '!189.156.64.193!'
> dbg: Botnet: sender [EMAIL PROTECTED]
> dbg: Botnet: hit (baddns,client,ipinhostname,clientwords)
> dbg: rules: ran eval rule BOTNET ======> got hit
>
> Greetings
>
> Jens
>
> --
> Dr. Jens Schleusener     T-Systems Solutions for Research GmbH
> Tel: +49 551 709-2493    Bunsenstr.10
> Fax: +49 551 709-2169    D-37073 Goettingen
> [EMAIL PROTECTED]        http://www.t-systems.com/
Using Jens's debug construct, I get the following output, which I hope will be
useful in either coming up with a solution or [once again] proving that I'm a
moron (please excuse the verbosity):

[3377] dbg: config: read file /etc/mail/spamassassin/Botnet.cf
[3377] dbg: plugin: fixed relative path: /etc/mail/spamassassin/Botnet.pm
[3377] dbg: plugin: loading Mail::SpamAssassin::Plugin::Botnet from /etc/mail/spamassassin/Botnet.pm
[3377] dbg: Botnet: version 0.7
[3377] dbg: plugin: registered Mail::SpamAssassin::Plugin::Botnet=HASH(0x9833114)
[3377] dbg: plugin: Mail::SpamAssassin::Plugin::Botnet=HASH(0x9833114) implements 'parse_config'
[3377] dbg: Botnet: setting botnet_pass_auth to 0
[3377] dbg: Botnet: setting botnet_pass_trusted to public
[3377] dbg: Botnet: adding ^127\.0\.0\.1$ to botnet_skip_ip
[3377] dbg: Botnet: adding ^10\..*$ to botnet_skip_ip
[3377] dbg: Botnet: adding ^172\.1[6789]\..*$ to botnet_skip_ip
[3377] dbg: Botnet: adding ^172\.2[0-9]\..*$ to botnet_skip_ip
[3377] dbg: Botnet: adding ^172\.3[01]\..*$ to botnet_skip_ip
[3377] dbg: Botnet: adding ^192\.168\..*$ to botnet_skip_ip
[3377] dbg: Botnet: adding ^128\.223\.98\.16$ to botnet_pass_ip
[3377] dbg: Botnet: adding (\.|\A)amazon\.com$ to botnet_pass_domains
[3377] dbg: Botnet: adding (\.|\A)apple\.com$ to botnet_pass_domains
[3377] dbg: Botnet: adding (\.|\A)ebay\.com$ to botnet_pass_domains
[3377] dbg: Botnet: adding (\b|\d)(a|s|d(yn)?)?dsl(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)cable(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)catv(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)ddns(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)dhcp(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)dial(-?up)?(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)dip(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)docsis(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)dyn(amic)?(ip)?(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)modem(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)ppp(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)res(net|ident(ial)?)?(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)client(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)fixed(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)ip(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)pool(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)static(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)user(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)mail(\b|\d) to botnet_serverwords
[3377] dbg: Botnet: adding (\b|\d)mta(\b|\d) to botnet_serverwords
[3377] dbg: Botnet: adding (\b|\d)mx(\b|\d) to botnet_serverwords
[3377] dbg: Botnet: adding (\b|\d)relay(\b|\d) to botnet_serverwords
[3377] dbg: Botnet: adding (\b|\d)smtp(\b|\d) to botnet_serverwords
[3377] dbg: Botnet: adding (\b|\d)exch(ange)?(\b|\d) to botnet_serverwords
[3377] dbg: rules: ran header rule __BOTNET_NOTRUST ======> got hit: "negative match"
[3377] dbg: Botnet: starting
[3377] dbg: Botnet: no trusted relays
[3377] dbg: Botnet: All skipped/no untrusted
[3377] dbg: Botnet: skipping
[3377] dbg: check: subtests=__BOTNET_NOTRUST,__CD,__CT,__ENV_AND_HDR_FROM_MATCH,__FB_NATIONAL,
__FB_S_PRICE,__FM_LARGE_MONEY,__FM_MY_PRICE,__FRAUD_DBI,__FRAUD_LTX,
__FR_HTML_HAS_AHREF,__F_LARGE_MONEY_2,__HTML_LENGTH_1536_2048,
__KAM_NUMBER2,__LOCAL_PP_NONPPURL,__MIME_ATTACHMENT,__MIME_HTML,
__MIME_QP,__NONEMPTY_BODY,__SARE_BODY_BLNK_5_100,__SARE_LOTTO_LOTTERY,
__SARE_META_MURTY3,__SARE_URI_ANY,__TAG_EXISTS_BODY,__TAG_EXISTS_HEAD,
__TAG_EXISTS_HTML,__TAG_EXISTS_META,__UNUSABLE_MSGID

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
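The three debug extracts in this thread (Jens's run with the default `botnet_pass_trusted public`, his run with it undefined, and Dimitri's run) differ only in the few `dbg: Botnet:` lines between `starting` and either `skipping` or a `hit`. The following Python script is an added example, not code from the Botnet plugin or from anyone in this thread. It reduces `spamassassin -D` output to the decision Botnet took and the lines explaining it, and it re-implements three of the checks in a simplified form using the `botnet_skip_ip`, `botnet_clientwords` and `botnet_serverwords` regexes quoted in Dimitri's output: the private-relay test behind `found private trusted`, the `ipinhostname` test, and the `clientwords` test. The `ip_in_hostname` and `looks_like_client` logic (in particular applying the word lists only to the labels before the last two) is an assumption about how the plugin behaves, not taken from its source, and the sample debug texts are copied from the thread.

```python
import re

# Patterns copied from the botnet_skip_ip / botnet_clientwords /
# botnet_serverwords lines in the debug output quoted in this thread
# (a subset of the word lists is enough for the demonstration).
SKIP_IP = [re.compile(p) for p in (
    r"^127\.0\.0\.1$", r"^10\..*$", r"^172\.1[6789]\..*$",
    r"^172\.2[0-9]\..*$", r"^172\.3[01]\..*$", r"^192\.168\..*$",
)]
CLIENTWORDS = [re.compile(p, re.I) for p in (
    r"(\b|\d)(a|s|d(yn)?)?dsl(\b|\d)", r"(\b|\d)cable(\b|\d)",
    r"(\b|\d)dhcp(\b|\d)", r"(\b|\d)dial(-?up)?(\b|\d)",
    r"(\b|\d)dyn(amic)?(ip)?(\b|\d)", r"(\b|\d)ppp(\b|\d)",
    r"(\b|\d)pool(\b|\d)", r"(\b|\d)static(\b|\d)",
)]
SERVERWORDS = [re.compile(p, re.I) for p in (
    r"(\b|\d)mail(\b|\d)", r"(\b|\d)mta(\b|\d)", r"(\b|\d)mx(\b|\d)",
    r"(\b|\d)relay(\b|\d)", r"(\b|\d)smtp(\b|\d)", r"(\b|\d)exch(ange)?(\b|\d)",
)]


def is_skip_ip(ip: str) -> bool:
    """True when a relay address is in a botnet_skip_ip range (loopback or
    RFC 1918): the kind of 'private trusted' relay Jens's debug shows."""
    return any(r.search(ip) for r in SKIP_IP)


def ip_in_hostname(ip: str, rdns: str) -> bool:
    """Simplified 'ipinhostname' test (hypothetical reimplementation): all
    four octets of the client IP appear in the reverse DNS name, in forward
    or reversed order, separated by non-digit characters."""
    octets = ip.split(".")
    padded = "." + rdns + "."
    for order in (octets, list(reversed(octets))):
        if re.search(r"\D" + r"\D".join(map(re.escape, order)) + r"\D", padded):
            return True
    return False


def looks_like_client(rdns: str) -> bool:
    """Simplified 'clientwords' test (hypothetical reimplementation): the host
    labels, taken here as everything before the last two labels, match a
    client word and none of the server words."""
    host = ".".join(rdns.split(".")[:-2])
    if any(r.search(host) for r in SERVERWORDS):
        return False
    return any(r.search(host) for r in CLIENTWORDS)


def summarize_botnet_debug(debug_text: str) -> dict:
    """Reduce `spamassassin -D ... 2>&1 | grep -i botnet` output to the
    decision Botnet took and the dbg lines that explain it."""
    steps = [m.group(1).strip() for m in re.finditer(r"dbg: Botnet: (.*)", debug_text)]
    hit = re.search(r"ran eval rule BOTNET\b.*got hit", debug_text) is not None
    if "starting" not in steps:
        return {"outcome": "not run", "reason": steps, "hit": False}
    after = steps[steps.index("starting") + 1:]
    if "skipping" in after:
        return {"outcome": "skipped", "reason": after[:after.index("skipping")], "hit": hit}
    if hit:
        return {"outcome": "hit", "reason": [s for s in after if s.startswith("hit")], "hit": True}
    return {"outcome": "checked, no hit", "reason": after, "hit": False}


# Debug extracts as quoted in this thread: Jens with the default config,
# Jens with botnet_pass_trusted undefined, and Dimitri's run.
JENS_DEFAULT = """dbg: Botnet: starting
dbg: Botnet: found private trusted
dbg: Botnet: skipping"""
JENS_UNSET = """dbg: Botnet: starting
dbg: Botnet: get_relay good RDNS
dbg: Botnet: IP is '189.156.64.193'
dbg: Botnet: RDNS is 'dsl-189-156-64-193.prod-infinitum.com.mx'
dbg: Botnet: HELO is '!189.156.64.193!'
dbg: Botnet: hit (baddns,client,ipinhostname,clientwords)
dbg: rules: ran eval rule BOTNET ======> got hit"""
DIMITRI = """[3377] dbg: Botnet: starting
[3377] dbg: Botnet: no trusted relays
[3377] dbg: Botnet: All skipped/no untrusted
[3377] dbg: Botnet: skipping"""

if __name__ == "__main__":
    for name, text in (("jens-default", JENS_DEFAULT), ("jens-unset", JENS_UNSET), ("dimitri", DIMITRI)):
        print(name, summarize_botnet_debug(text))
    print("relay 172.20.1.5 private:", is_skip_ip("172.20.1.5"))
    rdns = "dsl-189-156-64-193.prod-infinitum.com.mx"
    print("ipinhostname:", ip_in_hostname("189.156.64.193", rdns), "clientwords:", looks_like_client(rdns))
```

Run it against a saved `spamassassin -D` capture to see at a glance whether Botnet skipped (and on which `dbg:` line) or scored, which is the distinction the thread turns on: Jens's default run skips because of `found private trusted`, Dimitri's skips because of `no trusted relays`, and only Jens's second run reaches the `hit` line.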