Jens Schleusener wrote:
> On Thu, 4 Jan 2007, John Rudd wrote:
>> Dimitri Yioulos wrote:
>>> First, I wish all a very happy and healthy New Year.
>>>
>>> I hope this is the proper place to ask this: several days ago, I upgraded
>>> to Botnet-0.7 from 0.6; the latter had apparently been working fine with the
>>> installed SA 3.1.7. I installed as per instruction (no heavy lifting
>>> there). Now, no Botnet rules are ever hit, even though I suspect that some
>>> particular spam has been sent via a bot. If I reinstall 0.6, I get rule
>>> hits. What have I not done/done wrong?
>>>
>>> Thanks.
>>>
>>> Dimitri
>>
>> Do you get much output if you take one of the messages and do this (assuming
>> you're on some form of unix):
>>
>> spamassassin -D < $message_file | grep -i botnet
>
> I found a similar behaviour as described on a test server.
>
> Using
>
> spamassassin -D < $message_file 2>&1 | grep -i botnet

doh! Yeah, forgot to redirect STDERR.

> I found that in my case probably the default Botnet.cf configuration line
>
> # If there are trusted relays, then look to see if there's a
> # public IP address; if so, then pass the message through.
> botnet_pass_trusted public
>
> is the cause, since the test server receives the mails from a mail relay
> that uses a private 172.x.x.x address. Debug extract with the
> default configuration:

Is that a typo? Did you mean 127.x.x.x?

> dbg: Botnet: starting
> dbg: Botnet: found private trusted
> dbg: Botnet: skipping

Hm. That's odd. You had the setting set to "public", but it skipped
for a "private" trusted address? I'll have to look at why that's happening.

I don't suppose you could send me an example message where this change
made a difference?

> But "undefining" the variable "botnet_pass_trusted" I got
>
> dbg: Botnet: starting
> dbg: Botnet: get_relay good RDNS
> dbg: Botnet: IP is '189.156.64.193'
> dbg: Botnet: RDNS is 'dsl-189-156-64-193.prod-infinitum.com.mx'
> dbg: Botnet: HELO is '!189.156.64.193!'
> dbg: Botnet: sender [EMAIL PROTECTED]
> dbg: Botnet: hit (baddns,client,ipinhostname,clientwords)
> dbg: rules: ran eval rule BOTNET ======> got hit
>
> Greetings
>
> Jens
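Two things in this thread are worth having in a small script when debugging a Botnet installation: the public/private/loopback distinction behind `botnet_pass_trusted public` (a 172.16.0.0/12 relay address is RFC 1918 private, not 127.x loopback, and a 172.x address outside 172.16-172.31 is public), and the `dbg: Botnet:` lines that `spamassassin -D ... 2>&1 | grep -i botnet` produces. The example below is added here and is not code from the thread or from the Botnet plugin; the classification uses Python's `ipaddress` module and is only a reading of the addresses, not the plugin's own trust logic, and the sample debug text is copied from the lines quoted above. The function names `classify_address`, `summarise_trusted_relays` and `parse_botnet_debug` are this example's own.

```python
import ipaddress
import re

# Constructed sample input: the two debug extracts quoted in the thread,
# as they would come out of `spamassassin -D < msg 2>&1 | grep -i botnet`.
SKIP_DEBUG = """\
dbg: Botnet: starting
dbg: Botnet: found private trusted
dbg: Botnet: skipping
"""

HIT_DEBUG = """\
dbg: Botnet: starting
dbg: Botnet: get_relay good RDNS
dbg: Botnet: IP is '189.156.64.193'
dbg: Botnet: RDNS is 'dsl-189-156-64-193.prod-infinitum.com.mx'
dbg: Botnet: HELO is '!189.156.64.193!'
dbg: Botnet: sender [EMAIL PROTECTED]
dbg: Botnet: hit (baddns,client,ipinhostname,clientwords)
dbg: rules: ran eval rule BOTNET ======> got hit
"""


def classify_address(addr):
    """Return 'loopback', 'private', 'public' or 'invalid' for an IP literal.

    Loopback is tested first because ipaddress also reports 127/8 as
    private; RFC 1918 space (10/8, 172.16/12, 192.168/16) and the other
    non-global ranges come out as 'private'.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def summarise_trusted_relays(addrs):
    """Classify every trusted-relay address and say whether any is public.

    This mirrors the question the thread raises about `botnet_pass_trusted
    public` (is there a public address among the trusted relays?); it is
    an assumption for illustration, not the plugin's implementation.
    """
    classes = {a: classify_address(a) for a in addrs}
    return {"classes": classes,
            "any_public": any(c == "public" for c in classes.values())}


_KV_RE = re.compile(r"(IP|RDNS|HELO) is '(.*)'$")
_HIT_RE = re.compile(r"hit \((.*)\)$")


def parse_botnet_debug(text):
    """Reduce grep'd 'dbg: Botnet:' lines to a summary dict."""
    result = {"ip": None, "rdns": None, "helo": None, "hits": [],
              "skipped": False, "skip_reason": None, "rule_hit": False}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("dbg: "):
            continue
        body = line[len("dbg: "):]
        # The final verdict comes from the rules engine, not the plugin.
        if body.startswith("rules:") and "BOTNET" in body and "got hit" in body:
            result["rule_hit"] = True
            continue
        if not body.startswith("Botnet: "):
            continue
        msg = body[len("Botnet: "):]
        m = _KV_RE.match(msg)
        if m:
            result[m.group(1).lower()] = m.group(2)
            continue
        m = _HIT_RE.match(msg)
        if m:
            result["hits"] = m.group(1).split(",")
            continue
        if msg == "skipping":
            result["skipped"] = True
        elif msg.startswith("found "):
            # e.g. "found private trusted": why the plugin stopped early
            result["skip_reason"] = msg
    return result


if __name__ == "__main__":
    # Constructed relay addresses: RFC 1918, loopback, outside 172.16/12, public.
    print(summarise_trusted_relays(["172.16.5.10", "127.0.0.1", "172.32.0.1"]))
    print(parse_botnet_debug(SKIP_DEBUG))
    print(parse_botnet_debug(HIT_DEBUG))
```

Running the script on a real message is a matter of piping `spamassassin -D < msg 2>&1 | grep -i botnet` into `parse_botnet_debug`; a result with `skipped` set and `skip_reason` of `found private trusted` is the situation Jens describes, and `summarise_trusted_relays` on the relay addresses from the `Received:` headers shows whether a trusted relay sits in private space.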