Botnet 0.6 plugin for Spam Assassin available

Tom admin at homemachine.net
Fri Dec 8 12:15:18 GMT 2006


What does this mean??

Lint output: [18529] warn: plugin: failed to parse plugin (from @INC): 
Can't locate Mail/SpamAssassin/Plugin/botnet.pm in @INC (@INC contains: 
lib /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.0 
/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl 
/usr/lib/perl5/vendor_perl) at (eval 61) line 1.
[18529] warn: plugin: failed to create instance of plugin 
Mail::SpamAssassin::Plugin::botnet: Can't locate object method "new" via 
package "Mail::SpamAssassin::Plugin::botnet" at (eval 62) line 1.
[18529] warn: plugin: failed to load plugin 
/etc/mail/spamassassin/Botnet.pm: No such file or directory
[18529] warn: plugin: failed to create instance of plugin 
Mail::SpamAssassin::Plugin::Botnet: Can't locate object method "new" via 
package "Mail::SpamAssassin::Plugin::Botnet" (perhaps you forgot to load 
"Mail::SpamAssassin::Plugin::Botnet"?) at (eval 700) line 1.
[18529] warn: config: failed to parse line, skipping: botnet_pass_auth 0
[18529] warn: config: failed to parse line, skipping: botnet_skip_ip 
^127\.0\.0\.1$
[18529] warn: config: failed to parse line, skipping: botnet_skip_ip 
^10\..*$
[18529] warn: config: failed to parse line, skipping: botnet_skip_ip 
^172\.1[6789]\..*$
[18529] warn: config: failed to parse line, skipping: botnet_skip_ip 
^172\.2[0-9]\..*$
[18529] warn: config: failed to parse line, skipping: botnet_skip_ip 
^172\.3[01]\..*$
[18529] warn: config: failed to parse line, skipping: botnet_skip_ip 
^192\.168\..*$
[18529] warn: config: failed to parse line, skipping: 
botnet_pass_domains amazon\.com
[18529] warn: config: failed to parse line, skipping: 
botnet_pass_domains apple\.com
[18529] warn: config: failed to parse line, skipping: 
botnet_pass_domains ebay\.com
[18529] warn: config: failed to parse line, skipping: botnet_clientwords 
= cable catv ddns dhcp dial-?up dip (a|s|d(yn)?)?dsl
[18529] warn: config: failed to parse line, skipping: botnet_clientwords 
= dynamic modem ppp res(net|ident(ial)?)?
[18529] warn: config: failed to parse line, skipping: botnet_clientwords 
= client fixed pool static user
[18529] warn: config: failed to parse line, skipping: botnet_serverwords 
= mail mta mx relay smtp
[18529] warn: rules: failed to run BOTNET_CLIENTWORDS test, skipping:
[18529] warn:  (Can't locate object method "botnet_clientwords" via 
package "Mail::SpamAssassin::PerMsgStatus" at 
/usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/PerMsgStatus.pm line 
2638.
[18529] warn: )
[18529] warn: rules: failed to run BOTNET_SERVERWORDS test, skipping:
[18529] warn:  (Can't locate object method "botnet_serverwords" via 
package "Mail::SpamAssassin::PerMsgStatus" at 
/usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/PerMsgStatus.pm line 
2638.
[18529] warn: )
[18529] warn: rules: failed to run BOTNET_IPINHOSTNAME test, skipping:
[18529] warn:  (Can't locate object method "botnet_ipinhostname" via 
package "Mail::SpamAssassin::PerMsgStatus" at 
/usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/PerMsgStatus.pm line 
2638.
[18529] warn: )
[18529] warn: rules: failed to run BOTNET_NORDNS test, skipping:
[18529] warn:  (Can't locate object method "botnet_nordns" via package 
"Mail::SpamAssassin::PerMsgStatus" at 
/usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/PerMsgStatus.pm line 
2638.
[18529] warn: )
[18529] warn: lint: 18 issues detected, please rerun with debug enabled 
for more information



John Rudd wrote:
> 
> (I had a bout of insomnia last night, and got more done than I had 
> pre-announced yesterday...)
> 
> 
> The next version of the Botnet plugin for Spam Assassin is ready.  The 
> install instructions are in the Botnet.txt file, and in the INSTALL file.
> 
> For those who don't know what Botnet is, it's a plugin which tries to 
> identify whether or not the message has been submitted by a 
> botnet/spam-zombie type host by looking at its DNS characteristics (no 
> reverse DNS, reverse DNS that doesn't resolve, or doesn't resolve back 
> to the relay's IP, or reverse DNS that contains things that look like an 
> ISP's client address).  The places I've been using it, and the people I 
> hear about who are using it, have seen a high degree of success.
> 
> It can be downloaded from:
> 
>  http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
> 
> 
> As usual, feedback, statistics, bug reports, feature suggestions, are 
> all welcome.
> 
> NOTE: This will be the last version I announce outside of the SA users 
> mailing list.  I don't want to wear out the patience of the other list 
> owners.  users at spamassassin.apache.org is where I'll make all further 
> release announcements.
> 
> 
> What's new in 0.6:
> 
> 
> 1) IP in Hostname bug fix (the same IP address octet could be matched 
> twice.. which was a problem if the octet was "1", and the hostname had a 
> sub-string like "101" in it)
> 
> 2) pass_domains, clientwords, and serverwords weren't insensitive checks
> 
> 3) typo fixed in botnet.txt
> 
> 4) moved to Net::DNS (finally; and it's going to be needed for To Do 
> item #3)
> 
> 5) perl package is now named Mail::SpamAssassin::Plugin::Botnet
> 
> 6) because clientwords and serverwords are meant to be _words_, they are 
> now wrapped by (\b|\d) (both before and after the word/expression). This 
> is to help avoid false positives where a clientword might have been a 
> substring of a larger word that shouldn't have triggered the check 
> (similarly for serverwords).
> 
> 7) similarly, pass_domains now have a leading (\.|\A) added to them IF 
> they don't already have \. or \A in front (but it will be added if the 
> expression starts with "." -- since this is a regular expression, that 
> is assumed to mean any single character, so be careful).
> 
> 8) added debug output for parse_config
> 
> 9) added "mta" and "relay" to serverwords (used by classmates.com and/or 
> reunion.com)
> 
> 10) changed dsl to (a|s|d(yn)?)?dsl in clientwords (so, covers adsl, 
> sdsl, ddsl, and dyndsl ... I've seen all of those except ddsl)
> 
> 11) added res(net|ident(ial)?)? to clientwords (rr.com supposedly uses 
> ".res." in residential/customer IP hostnames, and ".resnet." is common 
> at universities for dorm IP addresses)
> 
> 12) contemplating adding cpe and cust(omer)? to the controversial 
> clientwords (I think cpe = customer (presence/provided/?) equipment)
> 
> 
> 
> ----
> 
> 
> To Do before 1.0:
> 
> 1) prepend __ to sub-rules, only BOTNET proper should not have that
> 
> 2) separate the SA routines from the core algorithms, so that the botnet 
> checks can be used in other perl programs.  Include a script that takes 
> an IP addr and answers where/how it passed/failed.
> 
> 3) try to do a lookup on the sender's email address domain; if it points 
> back to the relay's IP address (A record, or one of the MX records), 
> then that's less likely to be a botnet.  Use this like 
> BOTNET_SERVERWORDS -- just a counter to BOTNET_CLIENT.  What about SPF, 
> too? (I think that was a suggestion in one of the alternate meta rules)
> 
> 4) credits for help I've gotten from other people
> 
> 5) get listed in the wiki
> 
> 
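
The wrapping rules from items 6 and 7 of the announcement, as an added Python sketch that is not the plugin's own Perl code. The function names and sample hostnames are constructed for illustration, and joining each list into one case-insensitive alternation is an assumption.

```python
import re

# Word lists and pass_domains as they appear in the botnet_* config lines
# quoted in the lint output above.
CLIENTWORDS = ("cable catv ddns dhcp dial-?up dip (a|s|d(yn)?)?dsl "
               "dynamic modem ppp res(net|ident(ial)?)? "
               "client fixed pool static user").split()
SERVERWORDS = "mail mta mx relay smtp".split()
PASS_DOMAINS = [r"amazon\.com", r"apple\.com", r"ebay\.com"]


def wrap_word(expr):
    # Item 6: (\b|\d) before and after, so "pool" cannot match inside
    # "liverpool" but "dhcp" still matches in "dhcp123".
    return r"(\b|\d)" + expr + r"(\b|\d)"


def wrap_pass_domain(expr):
    # Item 7: prepend (\.|\A) unless the expression already starts with
    # \. or \A. A bare leading "." is a regex wildcard, so it is wrapped too.
    # Only the leading anchor is described; nothing is appended here.
    if expr.startswith((r"\.", r"\A")):
        return expr
    return r"(\.|\A)" + expr


def compile_list(exprs, wrapper):
    # Assumption: one alternation per list, matched case-insensitively
    # (item 2 of the announcement).
    return re.compile("|".join("(?:" + wrapper(e) + ")" for e in exprs), re.I)


CLIENT_RE = compile_list(CLIENTWORDS, wrap_word)
SERVER_RE = compile_list(SERVERWORDS, wrap_word)
PASS_RE = compile_list(PASS_DOMAINS, wrap_pass_domain)


def classify(hostname):
    # Report which of the three lists a reverse-DNS hostname matches.
    return {
        "client": bool(CLIENT_RE.search(hostname)),
        "server": bool(SERVER_RE.search(hostname)),
        "pass": bool(PASS_RE.search(hostname)),
    }


if __name__ == "__main__":
    # Constructed hostnames, not taken from the thread.
    for host in ("dhcp123.example.net", "mail.liverpool.example",
                 "resources.example.org", "mail.amazon.com", "notamazon.com"):
        print(host, classify(host))
```
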

