Botnet 0.5 plugin
John Rudd
jrudd at ucsc.edu
Sat Dec 2 16:06:15 GMT 2006
Changes in 0.5:
1) in case there's a problem with SA reading the MTA's rdns value for
the relay's hostname, Botnet will do a gethostbyaddr call _once_ per
message. This may incur a slight performance hit. You can mitigate
this by having a caching DNS server on whatever hosts are doing your
SpamAssassin checks.
2) botnet_skip_domains allows you to specify domain name regular
expressions which will be matched against the rdns value for the relay.
In the case of a match, no Botnet rules will hit.
3) hopefully fixed a small problem in the "IP in Hostname" check. The
hexadecimal and decimal octets are now checked in separate expressions.
4) added "mx" to the list of botnet_serverwords
5) added all of the RFC (forget which number) private IP blocks to
botnet_skip_ip.
Unless people find bugs, have a better solution for #1, or think that #4
causes too many misses, I think this might end up becoming the 1.0
release in a week or two. The 1.0 release will probably also include a
file of suggested modifications to the meta rules, for people who want
to link them in with DK, etc. (I'll try to track those down, but it
might be best to email me off-list with "Botnet Metarule Alternative" in
the subject, for such suggestions). And I'll make a thank-you note to
various people who have contributed suggestions, code, feedback, stats,
etc. somewhere in Botnet.txt.
http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
(which is now a symlink to Botnet-0.5.tar ; the 0.4 is in the same
directory as Botnet-0.4.tar)
Install instructions are in the files INSTALL and Botnet.txt
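The announcement describes three relay checks without showing them: skip lists (private IP blocks and a `botnet_skip_domains` regex list matched against the relay's rDNS), the "IP in Hostname" test with decimal and hexadecimal octets matched by separate expressions, and a serverword whitelist that now includes "mx". The Python below is an added illustration of that logic, not code from the Botnet plugin (which is a Perl SpamAssassin plugin). Everything in the configuration except the RFC 1918 blocks and the word "mx" is assumed, as are the octet separators, the eight-hex-digit encoding, the first-label serverword match, and the `resolver` callback that stands in for the single `gethostbyaddr` fallback.

```python
import ipaddress
import re
from typing import Callable, Dict, Optional

# Constructed configuration for this illustration. Only "mx" as a serverword and the
# use of the RFC 1918 private blocks come from the announcement; the rest is assumed.
SKIP_IP_BLOCKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
SKIP_DOMAINS = [re.compile(r"\.trusted-isp\.example$", re.IGNORECASE)]  # hypothetical list
SERVERWORDS = ("mx", "smtp", "mail", "relay")  # "mx" per the announcement; others assumed

_SEP = r"[.\-_]"  # separators commonly seen between octets in generic/dynamic rDNS names


def decimal_ip_pattern(ip: str) -> "re.Pattern":
    """Match the four decimal octets, forward or reversed, as whole numeric tokens."""
    octets = ip.split(".")
    fwd = _SEP.join(re.escape(o) for o in octets)
    rev = _SEP.join(re.escape(o) for o in reversed(octets))
    return re.compile(rf"(?<![0-9])(?:{fwd}|{rev})(?![0-9])")


def hex_ip_pattern(ip: str) -> "re.Pattern":
    """Match the address as eight contiguous hex digits (e.g. cb00712d), either octet order."""
    octets = [int(o) for o in ip.split(".")]
    fwd = "".join(f"{o:02x}" for o in octets)
    rev = "".join(f"{o:02x}" for o in reversed(octets))
    return re.compile(rf"(?<![0-9a-f])(?:{fwd}|{rev})(?![0-9a-f])", re.IGNORECASE)


def ip_in_hostname(ip: str, rdns: str) -> Optional[str]:
    """Return 'decimal', 'hex' or None; the two encodings are tested by separate expressions."""
    if decimal_ip_pattern(ip).search(rdns):
        return "decimal"
    if hex_ip_pattern(ip).search(rdns):
        return "hex"
    return None


def has_serverword(rdns: str) -> bool:
    """True if the first label of the rDNS name carries a word suggesting a real mail server."""
    first_label = rdns.split(".", 1)[0].lower()
    return any(word in first_label for word in SERVERWORDS)


def classify_relay(
    ip: str,
    rdns: Optional[str],
    resolver: Optional[Callable[[str], Optional[str]]] = None,
) -> Dict[str, object]:
    """Apply the skip lists first, then the hostname heuristics, to one relay."""
    addr = ipaddress.ip_address(ip)
    result: Dict[str, object] = {"skip": None, "ip_in_hostname": None, "serverword": False, "rdns": rdns}
    if any(addr in block for block in SKIP_IP_BLOCKS):
        result["skip"] = "botnet_skip_ip"
        return result
    if rdns is None and resolver is not None:
        # The MTA supplied no rDNS value: do one reverse lookup for this message.
        rdns = resolver(ip)
        result["rdns"] = rdns
    if rdns is None:
        return result  # nothing to match against; no Botnet hostname rule can fire
    if any(p.search(rdns) for p in SKIP_DOMAINS):
        result["skip"] = "botnet_skip_domains"
        return result
    result["ip_in_hostname"] = ip_in_hostname(ip, rdns)
    result["serverword"] = has_serverword(rdns)
    return result


if __name__ == "__main__":
    # Constructed sample relays (203.0.113.0/24 is documentation space).
    for ip, name in [
        ("10.1.2.3", "bot.example.net"),
        ("203.0.113.45", "203-0-113-45.dyn.example.net"),
        ("203.0.113.45", "cb00712d.cable.example.net"),
        ("203.0.113.45", "mx1.example.org"),
    ]:
        print(ip, name, classify_relay(ip, name))
```

The decimal expression only matches unpadded octets, so a name like `203-000-113-045` is missed; and because a serverword match is meant to suppress the IP-in-hostname hit, any rDNS label containing "mx" or "mail" gets a pass, which is the kind of miss the announcement is asking people to report.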