Auth question (WAS: Botnet 0.5 plugin)

René Berber r.berber at computer.org
Sun Dec 3 21:21:21 GMT 2006


John Rudd wrote:
[snip]
> http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
> 
> (which is now a symlink to Botnet-0.5.tar ; the 0.4 is in the same
> directory as Botnet-0.4.tar)
[snip]

I've been using "botnet_pass_auth 1", and didn't quite understand what you meant
in a previous message about pseudo-header in '...fields in ... pseudo-header ...
is "auth="'; what I'm seeing (and try to avoid) is something like this:

> Received: via tmail-2002(14) ...
> Return-path: ...
> Envelope-to: ...
> Delivery-date: Sun, 03 Dec 2006 13:01:32 -0600
> Received: from mail.legosoft.com.mx ([200.52.129.137])
> 	by cactus-soft.dyndns.org with esmtps (TLSv1:AES256-SHA:256)
> 	(Exim 4.63)
> 	(envelope-from <...>)
> 	id J9POUJ-0001MC-JY
> 	for rberber at ...; Sun, 03 Dec 2006 13:01:32 -0600
> Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx [189.149.70.163] (may be forged))
> 	(authenticated bits=0)
1 -------^^^^^^^^^^^^^^^^^^^^
> 	by mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032
> 	for <rberber at ...>; Sun, 3 Dec 2006 10:02:16 -0600 (CST)
> Message-Id: <200612031602.kB3G26P6019032 at mail.legosoft.com.mx>
> From: "..." <...>
> To: "=?iso-8859-1?Q?'Ren=E9_Berber'?=" <rberber at ...>
> Subject: ...
> Date: Sun, 3 Dec 2006 10:02:06 -0600
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> 	boundary="----=_NextPart_000_0003_01C716C2.1F3A00F0"
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
> Thread-Index: AccW9GD5UG5vVXnpT66NFT8U+/qKaQ==
> X-LegoSoft-MailScanner: Found to be clean
> X-LegoSoft-MailScanner-SpamCheck: no es spam (whitelisted),
> 	SpamAssassin (no almacenado, puntaje=5.456, requerido 5,
> 	autolearn=disabled, BOTNET, BOTNET_BADDNS, BOTNET_CLIENT,
> 	BOTNET_CLIENTWORDS, BOTNET_IPINHOSTNAME, HTML_MESSAGE,
2 ------^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 	MSGID_FROM_MTA_ID, RCVD_IN_SORBS_DUL)
> X-LegoSoft-MailScanner-From: ...
> X-Spam-Status: No

The user was (1) authenticated, and (2) Botnet didn't know about it so it scored
the message (which is whitelisted in MS).

Does anybody know how to make SA (and Botnet) aware of the authentication?

I already added to SA's configuration:

> header LOCAL_AUTH_RCVD        Received =~ /\(authenticated bits=\d\)\n\s+by mail\.legosoft\.com\.mx /

but it may be syntactically incorrect, I'm not sure how to treat the newline so
I used "\s+", I could try "$\s+" instead.
-- 
René Berber

P.S.  I don't see why the new Botnet.cf has "botnet_pass_domains  amazon\.com",
they don't use IP in Hostname (I checked logs and several messages from them,
they have a number, but it's unrelated to the IP).
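
Added example, not part of the original post and not Botnet or SpamAssassin code: it runs the posted pattern and a `\s+`-only variant against the folded and the unfolded form of the authenticated Received header, then accepts the "authenticated" clause only from the hop written by the trusted relay. The function names are hypothetical, the sample is a trimmed copy of the two Received hops above, and 200.52.129.137 is assumed to be the relay's address as shown in the post; which form SpamAssassin hands to a header rule is not asserted here.

```python
import re
from email import message_from_string

# Constructed sample: the two relevant Received hops from the post, trimmed.
SAMPLE = (
    "Received: from mail.legosoft.com.mx ([200.52.129.137])\n"
    "\tby cactus-soft.dyndns.org with esmtps (Exim 4.63)\n"
    "\tid J9POUJ-0001MC-JY; Sun, 03 Dec 2006 13:01:32 -0600\n"
    "Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx"
    " [189.149.70.163] (may be forged))\n"
    "\t(authenticated bits=0)\n"
    "\tby mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032;\n"
    "\tSun, 3 Dec 2006 10:02:16 -0600 (CST)\n"
    "Subject: constructed\n\nbody\n"
)

# The rule from the post (needs a literal newline) and a variant using only \s+.
POSTED = re.compile(r"\(authenticated bits=\d\)\n\s+by mail\.legosoft\.com\.mx ")
TOLERANT = re.compile(r"\(authenticated bits=\d+\)\s+by\s+(\S+)")
FROM_IP = re.compile(r"^from\s+\S+\s+\(\[([0-9.]+)\]\)")


def unfold(value):
    """RFC 5322 unfolding: drop each line break that is followed by whitespace."""
    return re.sub(r"\r?\n(?=[ \t])", "", value)


def received_headers(raw):
    """Received values top-down (newest first), folding preserved."""
    return message_from_string(raw).get_all("Received", [])


def auth_vouched_by(raw, relay_ip):
    """Return the relay name if the hop written by our trusted relay is authenticated.

    Only headers[1] is considered, and only when headers[0] (written by our own
    MTA) shows the message arrived from relay_ip; anything lower is sender-supplied.
    """
    hops = [unfold(h) for h in received_headers(raw)]
    if len(hops) < 2:
        return None
    handoff = FROM_IP.search(hops[0])
    if not handoff or handoff.group(1) != relay_ip:
        return None
    m = TOLERANT.search(hops[1])
    return m.group(1) if m else None
```

The posted pattern matches only while the line break is still in the header value; the `\s+` variant matches either form, and the clause is ignored unless the hop above it shows the handoff came from the trusted relay.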
