Botnet 0.6 plugin for SpamAssassin available

John Rudd jrudd at ucsc.edu
Thu Dec 7 18:33:47 GMT 2006


(I had a bout of insomnia last night, and got more done than I had 
pre-announced yesterday...)


The next version of the Botnet plugin for SpamAssassin is ready.  The 
install instructions are in the Botnet.txt file, and in the INSTALL file.

For those who don't know what Botnet is, it's a plugin which tries to 
identify whether or not the message has been submitted by a 
botnet/spam-zombie type host by looking at its DNS characteristics (no 
reverse DNS, reverse DNS that doesn't resolve, or doesn't resolve back 
to the relay's IP, or reverse DNS that contains things that look like an 
ISP's client address).  The places I've been using it, and the people I 
hear about who are using it, have seen a high degree of success.

It can be downloaded from:

  http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar


As usual, feedback, statistics, bug reports, feature suggestions, are 
all welcome.

NOTE: This will be the last version I announce outside of the SA users 
mailing list.  I don't want to wear out the patience of the other list 
owners.  users at spamassassin.apache.org is where I'll make all further 
release announcements.


What's new in 0.6:


1) IP in Hostname bug fix (the same IP address octet could be matched 
twice... which was a problem if the octet was "1", and the hostname had a 
sub-string like "101" in it)

2) pass_domains, clientwords, and serverwords weren't insensitive checks

3) typo fixed in botnet.txt

4) moved to Net::DNS (finally; and it's going to be needed for To Do 
item #3)

5) perl package is now named Mail::SpamAssassin::Plugin::Botnet

6) because clientwords and serverwords are meant to be _words_, they are 
now wrapped by (\b|\d) (both before and after the word/expression). 
This is to help avoid false positives where a clientword might have been 
a substring of a larger word that shouldn't have triggered the check 
(similarly for serverwords).

7) similarly, pass_domains now have a leading (\.|\A) added to them IF 
they don't already have \. or \A in front (but it will be added if the 
expression starts with "." -- since this is a regular expression, that 
is assumed to mean any single character, so be careful).

8) added debug output for parse_config

9) added "mta" and "relay" to serverwords (used by classmates.com and/or 
reunion.com)

10) changed dsl to (a|s|d(yn)?)?dsl in clientwords (so, covers adsl, 
sdsl, ddsl, and dyndsl ... I've seen all of those except ddsl)

11) added res(net|ident(ial)?)? to clientwords (rr.com supposedly uses 
".res." in residential/customer IP hostnames, and ".resnet." is common 
at universities for dorm IP addresses)

12) contemplating adding cpe and cust(omer)? to the controversial 
clientwords (I think cpe = customer (presence/provided/?) equipment)
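An added illustration of the (\b|\d) wrapping from item 6, the pass_domains anchoring and its "." caveat from item 7, and the case-insensitivity fix from item 2. This is a Python approximation written for this page, not the plugin's own Perl code; the word lists are a sample assumed from this announcement, not the plugin's actual defaults.

```python
import re

# Sample word lists assumed from this announcement (items 9, 10, 11);
# not the plugin's full defaults.
CLIENTWORDS = [r"(a|s|d(yn)?)?dsl", r"res(net|ident(ial)?)?", r"dhcp"]
SERVERWORDS = [r"mta", r"relay", r"smtp"]


def wrap_word(expr):
    r"""Item 6: wrap a clientword/serverword in (\b|\d) on both sides so it
    matches only as a whole word or a digit-delimited run, never as a
    substring of a longer word (e.g. "res" inside "impression")."""
    return r"(\b|\d)" + expr + r"(\b|\d)"


def compile_words(words):
    # Item 2: the checks are now case-insensitive.
    return [re.compile(wrap_word(w), re.IGNORECASE) for w in words]


def matches_any(patterns, hostname):
    """True if any wrapped word expression is found in the relay hostname."""
    return any(p.search(hostname) for p in patterns)


def pass_domain_re(expr):
    r"""Item 7: prepend (\.|\A) unless the expression already starts with
    \. or \A.  A bare leading "." is not treated as an anchor: the prefix
    is still added and the "." keeps its regex meaning of "any single
    character", which is the caveat the announcement warns about."""
    if expr.startswith(r"\.") or expr.startswith(r"\A"):
        return expr
    return r"(\.|\A)" + expr


def is_pass_domain(expr, hostname):
    """True if the anchored pass_domain expression matches the hostname."""
    return re.search(pass_domain_re(expr), hostname, re.IGNORECASE) is not None
```

Note that with the unescaped `.example\.com` the legitimate `mail.example.com` fails to match while `xexample.com` does, which is exactly why the escaped `\.example\.com` form should be used.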



----


To Do before 1.0:

1) prepend __ to sub-rules, only BOTNET proper should not have that

2) separate the SA routines from the core algorithms, so that the botnet 
checks can be used in other perl programs.  Include a script that takes 
an IP addr and answers where/how it passed/failed.

3) try to do a lookup on the sender's email address domain; if it points 
back to the relay's IP address (A record, or one of the MX records), 
then that's less likely to be a botnet.  Use this like 
BOTNET_SERVERWORDS -- just a counter to BOTNET_CLIENT.  What about SPF, 
too? (I think that was a suggestion in one of the alternate meta rules)

4) credits for help I've gotten from other people

5) get listed in the wiki




More information about the MailScanner mailing list