Auth question (WAS: Botnet 0.5 plugin)

John Rudd jrudd at ucsc.edu
Mon Dec 4 00:53:21 GMT 2006


René Berber wrote:
> John Rudd wrote:
> [snip]
>> http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
>>
>> (which is now a symlink to Botnet-0.5.tar ; the 0.4 is in the same
>> directory as Botnet-0.4.tar)
> [snip]
> 
> I've been using "botnet_pass_auth 1", and didn't quite understand what you meant
> in a previous message about pseudo-header in '...fields in ... pseudo-header ...
> is "auth="'; what I'm seeing (and try do avoid) is something like this:
> 
>> Received: via tmail-2002(14) ...
>> Return-path: ...
>> Envelope-to: ...
>> Delivery-date: Sun, 03 Dec 2006 13:01:32 -0600
>> Received: from mail.legosoft.com.mx ([200.52.129.137])
>> 	by cactus-soft.dyndns.org with esmtps (TLSv1:AES256-SHA:256)
>> 	(Exim 4.63)
>> 	(envelope-from <...>)
>> 	id J9POUJ-0001MC-JY
>> 	for rberber at ...; Sun, 03 Dec 2006 13:01:32 -0600
>> Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx [189.149.70.163] (may be forged))
>> 	(authenticated bits=0)
> 1 -------^^^^^^^^^^^^^^^^^^^^
>> 	by mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032
>> 	for <rberber at ...>; Sun, 3 Dec 2006 10:02:16 -0600 (CST)
>> Message-Id: <200612031602.kB3G26P6019032 at mail.legosoft.com.mx>
>> From: "..." <...>
>> To: "=?iso-8859-1?Q?'Ren=E9_Berber'?=" <rberber at ...>
>> Subject: ...
>> Date: Sun, 3 Dec 2006 10:02:06 -0600
>> MIME-Version: 1.0
>> Content-Type: multipart/alternative;
>> 	boundary="----=_NextPart_000_0003_01C716C2.1F3A00F0"
>> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
>> Thread-Index: AccW9GD5UG5vVXnpT66NFT8U+/qKaQ==
>> X-LegoSoft-MailScanner: Found to be clean
>> X-LegoSoft-MailScanner-SpamCheck: no es spam (whitelisted),
>> 	SpamAssassin (no almacenado, puntaje=5.456, requerido 5,
>> 	autolearn=disabled, BOTNET, BOTNET_BADDNS, BOTNET_CLIENT,
>> 	BOTNET_CLIENTWORDS, BOTNET_IPINHOSTNAME, HTML_MESSAGE,
> 2 ------^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> 	MSGID_FROM_MTA_ID, RCVD_IN_SORBS_DUL)
>> X-LegoSoft-MailScanner-From: ...
>> X-Spam-Status: No
> 
> The user was (1) authenticated, and (2) Botnet didn't know about it so it scored
> the message (which is whitelisted in MS).
> 
> Does anybody know how to make SA (and Botnet) aware of the authentication?


As far as I understand it, if SA is aware of it, it sets the "auth=" 
field in the Untrusted-Relays and/or Trusted-Relays pseudo-headers to 
something other than empty.

(the pseudo-headers are header-like fields that SA creates, and that you 
can check rules against, but that don't exist in the actual message; 
Trusted-Relays is a pseudo-header that contains information about all of 
the Received headers that match hosts in your trusted-networks and 
Untrusted-Relays is a pseudo-header that contains information about all 
of the other Received headers.)

How you get SA to recognize where and when Authentication happened isn't 
something I know.  But once SA does know, it should put that information 
into the auth= field.


> I already added to SA's configuration:
> 
>> header LOCAL_AUTH_RCVD        Received =~ /\(authenticated bits=\d\)\n\s+by mail\.legosoft\.com\.mx /
>

I don't know if that actually makes SA populate the auth= field or not.

Might be good to ask all of this over on the SA list.
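Added illustration (not code from this thread, from Botnet, or from SpamAssassin itself): a small Python parser that pulls the sendmail "(authenticated bits=N)" token out of Received headers of the shape quoted above and carries it into an auth= field of Trusted-/Untrusted-Relays style summaries, so a rule can tell an authenticated submission from an unauthenticated one. The header text, hostnames, addresses and the "sendmail" marker value are constructed placeholders, and the summary layout only loosely imitates SA's pseudo-headers.

```python
import re

# Constructed sample, modelled on the two Received headers quoted in the
# thread; hostnames, addresses and ids are placeholders, not real data.
SAMPLE_RECEIVED = [
    "from mail.example-relay.mx ([192.0.2.10]) by mx.example.org with esmtps "
    "(Exim 4.63) id J9POUJ-0001MC-JY for user@example.org; Sun, 03 Dec 2006 13:01:32 -0600",
    "from MARISELA (dsl-198-51-100-7.example.net [198.51.100.7] (may be forged)) "
    "(authenticated bits=0) by mail.example-relay.mx (8.13.8/8.13.8) with ESMTP "
    "id kB3G26P6019032 for <user@example.org>; Sun, 3 Dec 2006 10:02:16 -0600 (CST)",
]

# sendmail writes "(authenticated bits=N)" into Received when the client
# used SMTP AUTH; that token is what the quoted LOCAL_AUTH_RCVD rule matches.
AUTH_RE = re.compile(r"\(authenticated bits=(\d+)\)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")
HELO_RE = re.compile(r"^from\s+(\S+)")

def _first(rx, text):
    m = rx.search(text)
    return m.group(1) if m else ""

def parse_received(hdr):
    """Reduce one Received header to the few fields a relay summary needs."""
    hdr = " ".join(hdr.split())  # unfold continuation lines (tabs/newlines)
    return {
        "ip": _first(IP_RE, hdr),
        "helo": _first(HELO_RE, hdr),
        "by": _first(BY_RE, hdr),
        # auth is non-empty only when the relay itself recorded SMTP AUTH;
        # "sendmail" is a constructed marker value, not SA's own vocabulary.
        "auth": "sendmail" if AUTH_RE.search(hdr) else "",
    }

def relay_summary(received_headers, trusted_ips):
    """Build Trusted-/Untrusted-Relays style strings (layout loosely imitates
    SA's pseudo-headers; hops whose ip is in trusted_ips go to Trusted)."""
    trusted, untrusted = [], []
    for hdr in received_headers:
        r = parse_received(hdr)
        row = "[ ip=%s helo=%s by=%s auth=%s ]" % (r["ip"], r["helo"], r["by"], r["auth"])
        (trusted if r["ip"] in trusted_ips else untrusted).append(row)
    return " ".join(trusted), " ".join(untrusted)

def authenticated_client(received_headers):
    """True when the hop that injected the message (the last Received header,
    since each relay prepends its own) carries the SMTP AUTH marker."""
    return bool(received_headers) and parse_received(received_headers[-1])["auth"] != ""
```

With the sample above, the authenticated MARISELA hop ends up in the untrusted summary with a non-empty auth= field, which is exactly the signal a whitelisting rule would key on.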


