Botnet 0.5 plugin

John Rudd jrudd at ucsc.edu
Sat Dec 2 16:06:15 GMT 2006


Changes in 0.5:


1) in case there's a problem with SA reading the MTA's rdns value for 
the relay's hostname, Botnet will do a gethostbyaddr call _once_ per 
message.  This may incur a slight performance hit.  You can mitigate 
this by having a caching DNS server on whatever hosts are doing your 
SpamAssassin checks.

2) botnet_skip_domains allows you to specify domain name regular 
expressions which will be matched against the rdns value for the relay. 
In the case of a match, no Botnet rules will hit.

3) hopefully fixed a small problem in the "IP in Hostname" check.  The 
hexadecimal and decimal octets are now checked in separate expressions.

4) added "mx" to the list of botnet_serverwords

5) added all of the rfc (forget which number) private IP blocks to 
botnet_skip_ip.


Unless people find bugs, have a better solution for #1, or think that #4 
causes too many misses, I think this might end up becoming the 1.0 
release in a week or two.  The 1.0 release will probably also include a 
file of suggested modifications to the meta rules, for people who want 
to link them in with DK, etc.  (I'll try to track those down, but it 
might be best to email me off-list with "Botnet Metarule Alternative" in 
the subject, for such suggestions).  And I'll make a thank you note to 
various people who have contributed suggestions, code, feedback, stats, 
etc. somewhere in Botnet.txt.



http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar

(which is now a symlink to Botnet-0.5.tar ; the 0.4 is in the same 
directory as Botnet-0.4.tar)


Install instructions are in the files INSTALL and Botnet.txt
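
The relay checks described in items 2, 3 and 5 above, sketched as an added example that is not part of the original post and is not Botnet's own code. The function names, the two-octet threshold, the reading of "private IP blocks" as the RFC 1918 ranges, and the sample hostnames are all assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: the "private IP blocks" are the RFC 1918 ranges.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def skipped(ip, rdns, skip_domains):
    """True when no check should run: private relay IP or exempted rDNS domain."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in PRIVATE_NETS):
        return True
    return any(re.search(rx, rdns, re.I) for rx in skip_domains)

def decimal_octets_in_host(ip, rdns, need=2):
    """Decimal expression: count distinct digit runs equal to an octet of the IP."""
    hits = set()
    for octet in ip.split("."):
        # Allow zero padding (e.g. 003) but never match inside a longer number.
        rx = rf"(?<![0-9])0{{0,2}}{octet}(?![0-9])"
        hits.update(m.start() for m in re.finditer(rx, rdns))
    return len(hits) >= need  # threshold of 2 is an assumption

def hex_ip_in_host(ip, rdns):
    """Hex expression: all four octets as 2-digit hex, in order, optional - or . between."""
    body = "[-.]?".join(f"{int(o):02x}" for o in ip.split("."))
    return re.search(rf"(?<![0-9a-f]){body}(?![0-9a-f])", rdns) is not None

def ip_in_hostname(ip, rdns, skip_domains=()):
    """Combined check: exemptions first, then the two separate expressions."""
    rdns = rdns.lower()
    if skipped(ip, rdns, skip_domains):
        return False
    return decimal_octets_in_host(ip, rdns) or hex_ip_in_host(ip, rdns)

# Constructed sample relays (documentation address ranges, made-up hostnames).
SAMPLES = [
    ("198.51.100.23", "adsl-198-51-100-23.dsl.example.net"),  # decimal form
    ("203.0.113.77", "pool-cb00714d.dyn.example.net"),        # hex form
    ("192.0.2.25", "mx2.example.com"),                        # ordinary server
]

if __name__ == "__main__":
    for ip, host in SAMPLES:
        print(ip, host, ip_in_hostname(ip, host))
```

Keeping the two expressions separate matters because decimal digits are also valid hex digits: the second sample is caught only by the hex expression, and the lone "2" in mx2 is not enough to trip the decimal one.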



