Auth question (WAS: Botnet 0.5 plugin)
John Rudd
jrudd at ucsc.edu
Mon Dec 4 00:53:21 GMT 2006
René Berber wrote:
> John Rudd wrote:
> [snip]
>> http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
>>
>> (which is now a symlink to Botnet-0.5.tar ; the 0.4 is in the same
>> directory as Botnet-0.4.tar)
> [snip]
>
> I've been using "botnet_pass_auth 1", and didn't quite understand what you meant
> in a previous message about pseudo-header in '...fields in ... pseudo-header ...
> is "auth="'; what I'm seeing (and try to avoid) is something like this:
>
>> Received: via tmail-2002(14) ...
>> Return-path: ...
>> Envelope-to: ...
>> Delivery-date: Sun, 03 Dec 2006 13:01:32 -0600
>> Received: from mail.legosoft.com.mx ([200.52.129.137])
>> by cactus-soft.dyndns.org with esmtps (TLSv1:AES256-SHA:256)
>> (Exim 4.63)
>> (envelope-from <...>)
>> id J9POUJ-0001MC-JY
>> for rberber at ...; Sun, 03 Dec 2006 13:01:32 -0600
>> Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx [189.149.70.163] (may be forged))
>> (authenticated bits=0)
> 1 -------^^^^^^^^^^^^^^^^^^^^
>> by mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032
>> for <rberber at ...>; Sun, 3 Dec 2006 10:02:16 -0600 (CST)
>> Message-Id: <200612031602.kB3G26P6019032 at mail.legosoft.com.mx>
>> From: "..." <...>
>> To: "=?iso-8859-1?Q?'Ren=E9_Berber'?=" <rberber at ...>
>> Subject: ...
>> Date: Sun, 3 Dec 2006 10:02:06 -0600
>> MIME-Version: 1.0
>> Content-Type: multipart/alternative;
>> boundary="----=_NextPart_000_0003_01C716C2.1F3A00F0"
>> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
>> Thread-Index: AccW9GD5UG5vVXnpT66NFT8U+/qKaQ==
>> X-LegoSoft-MailScanner: Found to be clean
>> X-LegoSoft-MailScanner-SpamCheck: no es spam (whitelisted),
>> SpamAssassin (no almacenado, puntaje=5.456, requerido 5,
>> autolearn=disabled, BOTNET, BOTNET_BADDNS, BOTNET_CLIENT,
>> BOTNET_CLIENTWORDS, BOTNET_IPINHOSTNAME, HTML_MESSAGE,
> 2 ------^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> MSGID_FROM_MTA_ID, RCVD_IN_SORBS_DUL)
>> X-LegoSoft-MailScanner-From: ...
>> X-Spam-Status: No
>
> The user was (1) authenticated, and (2) Botnet didn't know about it so it scored
> the message (which is whitelisted in MS).
>
> Does anybody know how to make SA (and Botnet) aware of the authentication?
As far as I understand it, if SA is aware of it, it sets the "auth="
field in the Untrusted-Relays and/or Trusted-Relays pseudo-headers to
something other than empty.
(the pseudo-headers are header-like fields that SA creates, and that you
can check rules against, but that don't exist in the actual message;
Trusted-Relays is a pseudo-header that contains information about all of
the Received headers that match hosts in your trusted-networks, and
Untrusted-Relays is a pseudo-header that contains information about all
of the other Received headers.)
How you get SA to recognize where and when Authentication happened isn't
something I know. But once SA does know, it should put that information
into the auth= field.
> I already added to SA's configuration:
>
>> header LOCAL_AUTH_RCVD Received =~ /\(authenticated bits=\d\)\n\s+by mail
>> \.legosoft\.com\.mx /
>
I don't know if that actually makes SA populate the auth= field or not.
Might be good to ask all of this over on the SA list.
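To make the pseudo-header discussion above concrete, here is an added Python example (it is not SpamAssassin's, Botnet's, or either poster's code) that unfolds the Received headers of a constructed message modelled on the one quoted in the thread, extracts the fields SA exposes in its X-Spam-Relays-Trusted / X-Spam-Relays-Untrusted pseudo-headers (ip, rdns, helo, by, id, auth), and shows how the sendmail "(authenticated bits=0)" clause from the thread becomes a non-empty auth= field. The key names mirror SA's; the values written into auth= ("sendmail", "postfix", "exim"), the Postfix and Exim clause patterns, and the reading of `botnet_pass_auth` as "skip Botnet if any hop was authenticated" are this example's own assumptions. Elided addresses from the quoted headers are replaced with example.org / example.net.

```python
import re

# Constructed sample modelled on the headers quoted in the thread.  Elided
# addresses from the original are replaced with example.org / example.net.
SAMPLE_MESSAGE = (
    "Received: from mail.legosoft.com.mx ([200.52.129.137])\n"
    "\tby cactus-soft.dyndns.org with esmtps (TLSv1:AES256-SHA:256)\n"
    "\t(Exim 4.63)\n"
    "\t(envelope-from <sender@example.org>)\n"
    "\tid J9POUJ-0001MC-JY\n"
    "\tfor rberber@example.net; Sun, 03 Dec 2006 13:01:32 -0600\n"
    "Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx"
    " [189.149.70.163] (may be forged))\n"
    "\t(authenticated bits=0)\n"
    "\tby mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032\n"
    "\tfor <rberber@example.net>; Sun, 3 Dec 2006 10:02:16 -0600 (CST)\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# "from HELO (rdns [ip])" or "from HELO ([ip])"; rdns and ip are optional so
# a bare "from host by ..." hop still yields a record.
RECEIVED_FROM = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\])?",
    re.I,
)

# Clauses an MTA writes when it accepted the message over an authenticated
# session.  The sendmail form is the one quoted in the thread; the Postfix
# and Exim forms are this example's assumptions from general knowledge of
# those MTAs, not something the thread shows.
AUTH_CLAUSES = [
    ("sendmail", re.compile(r"\(authenticated bits=\d+\)")),
    ("postfix", re.compile(r"\(Authenticated sender: [^)]+\)")),
    ("exim", re.compile(r"\bwith e?smtps?a\b", re.I)),
]

# Subset of the keys SA prints per relay; SA also has ident, envfrom, intl, msa.
RELAY_KEYS = ("ip", "rdns", "helo", "by", "id", "auth")


def unfold_headers(raw):
    """Return [(name, value)] for the header block, with folding undone."""
    headers = []
    for line in raw.splitlines():
        if line == "":
            break  # blank line ends the header block
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """Turn one unfolded Received value into a relay record with SA-style keys."""
    rec = {k: "" for k in RELAY_KEYS}
    m = RECEIVED_FROM.match(value)
    if m:
        rec["helo"] = m.group("helo")
        rec["rdns"] = m.group("rdns") or ""
        rec["ip"] = m.group("ip") or ""
    m = re.search(r"\bby\s+(\S+)", value)
    if m:
        rec["by"] = m.group(1)
    m = re.search(r"\bid\s+(\S+)", value)
    if m:
        rec["id"] = m.group(1).rstrip(";")
    # auth= stays empty unless one of the authenticated-session clauses is seen
    for label, pat in AUTH_CLAUSES:
        if pat.search(value):
            rec["auth"] = label
            break
    return rec


def parse_message(raw):
    """Relay records in header order (topmost Received = most recent hop)."""
    return [parse_received(v) for n, v in unfold_headers(raw) if n.lower() == "received"]


def relays_pseudo_header(records):
    """Render records the way SA's X-Spam-Relays-* pseudo-headers look."""
    return " ".join(
        "[ " + " ".join(f"{k}={r[k]}" for k in RELAY_KEYS) + " ]" for r in records
    )


def authenticated_relays(records):
    """Relays whose receiving MTA recorded an authenticated session."""
    return [r for r in records if r["auth"]]


def botnet_should_skip(records, pass_auth):
    """Assumed model of 'botnet_pass_auth 1': with the option on, a message
    that passed through any authenticated hop is left alone; with it off,
    the hop from the dynamic DSL address would still be scored."""
    return bool(pass_auth) and bool(authenticated_relays(records))


if __name__ == "__main__":
    relays = parse_message(SAMPLE_MESSAGE)
    print(relays_pseudo_header(relays))
    print("skip botnet checks:", botnet_should_skip(relays, pass_auth=True))
```

The example unfolds each Received header before matching, so the "(authenticated bits=0)" clause and the "by mail.legosoft.com.mx" token sit on one line when the auth pattern runs; with the sample above, the second relay record comes out with ip=189.149.70.163, rdns=dsl-189-149-70-163.prod-infinitum.com.mx and auth=sendmail, while the Exim hop at cactus-soft.dyndns.org (TLS without authentication, "with esmtps") keeps auth= empty.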
More information about the MailScanner
mailing list