Botnet 0.4 SpamAssassin plugin

John Rudd jrudd at ucsc.edu
Thu Nov 23 10:58:06 GMT 2006


(since I've recently mentioned this plugin on the mailscanner and 
communigate pro mailing lists, as an effective means of catching spam 
from botnets, I'm cross-posting this message)


I've changed RelayChecker's name to Botnet (since that's its real 
purpose: identify potential botnet submitted messages).  Here's the 0.4 
release.

Botnet is a SpamAssassin plugin which attempts to identify whether or 
not a message was submitted via a botnet host.  It does this by looking 
at its DNS characteristics.

http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar

Install instructions are in the Botnet.txt file and in the INSTALL text 
file.


Changes:

1) Changed all of the rules from RELAY_CHECKER_* to BOTNET_*

2) Changed all of the config items from relaychecker_* to botnet_*

3) While the config items were stored in the global SpamAssassin Config 
hash, they were stored with names like "skip_ip" instead of 
relaychecker_skip_ip.  Now they're stored with botnet_skip_ip, so that 
they don't conflict with any other plugin's potential "skip_ip" 
configuration parameter.

4) I've removed the '*_reduced_dns' option.  Instead, Botnet 
automatically uses the rdns= part of the Untrusted Relay pseudo-header 
for the hostname.  This reduces the number of DNS checks by up to 5 
checks.  It still does a DNS check in the BOTNET_BADDNS rule.  You can 
avoid that one DNS check if you set that rule's score to 0.

5) BOTNET_BADDNS has a 4 part score now (0.01 0.01 0.00 0.01) so that it 
will properly be disabled if you're not doing network checks.

6) The *_IPHOSTNAME rule changed to BOTNET_IPINHOSTNAME.  Similarly, the 
corresponding function is botnet_ipinhostname.

7) There are now two keyword checks.  BOTNET_CLIENTWORDS is the same as 
the old keyword rule: it looks for words that look like client 
hostnames.  Now there is also a BOTNET_SERVERWORDS for words that look 
like mail server hostnames.  It acts as a counter to BOTNET_CLIENTWORDS 
and BOTNET_IPINHOSTNAME.

(I honestly wasn't sure what to think of what became the SERVERWORDS 
feature when it was suggested ... but it hasn't been causing any 
problems with its default word list ("mail" and "smtp"))

8) The botnet_serverwords config option works like the old 
relaychecker_keywords config option (space delimited regular expressions 
for words to use in the BOTNET_SERVERWORDS rule).  The 
relaychecker_keywords config has been changed to botnet_clientwords.

9) The BOTNET meta rule has 3 things it looks at: BOTNET_NORDNS, 
BOTNET_BADDNS and a new meta rule BOTNET_CLIENT.  BOTNET_CLIENT is as 
follows:

(BOTNET_IPINHOSTNAME || BOTNET_CLIENTWORDS) && !BOTNET_SERVERWORDS
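
An added illustration of the checks described in items 4, 6, 7 and 9, written for this page in Python; it is not code from the Botnet plugin (which is Perl). It pulls the ip= and rdns= fields out of a constructed SpamAssassin-style untrusted-relay record, runs IP-in-hostname, client-word and server-word heuristics over the reverse name, does the forward-confirmation lookup with a gethostbyname-style resolver that can be swapped for an offline stub, and derives BOTNET_CLIENT exactly as the post defines it. The client word list, the exact shape of the IP-in-hostname test, the relay-record format and the stub DNS data are assumptions for the example; the plugin's own matching rules may differ, and the post does not state how BOTNET combines its three inputs, so that final combination is left to the reader's cf file.

```python
import re
import socket
from dataclasses import dataclass

# Constructed word lists in the spirit of botnet_clientwords / botnet_serverwords
# (space-delimited regular expressions in the real config).  The server list is
# the default the post mentions; the client list is an assumption for this example.
CLIENT_WORDS = "dsl dial dyn cable pool ppp dhcp client".split()
SERVER_WORDS = "mail smtp".split()


@dataclass
class Relay:
    ip: str
    rdns: str  # empty when the relay had no reverse DNS


def parse_untrusted_relay(record: str) -> Relay:
    """Pull ip= and rdns= out of one relay record.  Assumed format: the
    '[ ip=... rdns=... helo=... by=... ]' entries that make up SpamAssassin's
    X-Spam-Relays-Untrusted pseudo-header."""
    ip = re.search(r"\bip=(\S*)", record)
    rdns = re.search(r"\brdns=(\S*)", record)
    return Relay(ip.group(1) if ip else "", rdns.group(1) if rdns else "")


def ip_in_hostname(ip: str, hostname: str) -> bool:
    """BOTNET_IPINHOSTNAME analogue (simplified): the relay's own address is
    embedded in its reverse name, as ISPs do for dynamic customer hosts.
    Accepts the four decimal octets as separate tokens in forward or reverse
    order, or the whole address as one 8-digit hex token."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets) or not hostname:
        return False
    want = [int(o) for o in octets]
    tokens = [t for t in re.split(r"[^0-9a-f]+", hostname.lower()) if t]
    decimal = [int(t) if t.isdigit() else None for t in tokens]
    for seq in (want, want[::-1]):
        if any(decimal[i:i + 4] == seq for i in range(len(decimal) - 3)):
            return True
    return "".join(f"{o:02x}" for o in want) in tokens


def matches_words(hostname: str, words) -> bool:
    """BOTNET_CLIENTWORDS / BOTNET_SERVERWORDS analogue: any configured regular
    expression matches somewhere in the reverse name."""
    return any(re.search(w, hostname, re.IGNORECASE) for w in words)


def bad_dns(relay: Relay, resolve=socket.gethostbyname) -> bool:
    """BOTNET_BADDNS analogue: the reverse name must resolve forward to the
    relay's address.  Takes a gethostbyname-style resolver so the check can run
    offline against a stub.  Caveat: gethostbyname returns a single address, so
    a multi-homed host can look bad here even when one of its addresses matches."""
    if not relay.rdns:
        return False  # nothing to look up; BOTNET_NORDNS covers this case
    try:
        return resolve(relay.rdns) != relay.ip
    except OSError:  # socket.gaierror / socket.herror are OSError subclasses
        return True


def check_relay(record: str, resolve=socket.gethostbyname) -> dict:
    """Evaluate the sub-rules for one relay record and derive BOTNET_CLIENT as
    (IPINHOSTNAME || CLIENTWORDS) && !SERVERWORDS."""
    relay = parse_untrusted_relay(record)
    hits = {
        "BOTNET_NORDNS": relay.rdns == "",
        "BOTNET_BADDNS": bad_dns(relay, resolve),
        "BOTNET_IPINHOSTNAME": ip_in_hostname(relay.ip, relay.rdns),
        "BOTNET_CLIENTWORDS": matches_words(relay.rdns, CLIENT_WORDS),
        "BOTNET_SERVERWORDS": matches_words(relay.rdns, SERVER_WORDS),
    }
    hits["BOTNET_CLIENT"] = (
        hits["BOTNET_IPINHOSTNAME"] or hits["BOTNET_CLIENTWORDS"]
    ) and not hits["BOTNET_SERVERWORDS"]
    return hits


# Constructed sample relay records (example.* names, documentation IP ranges).
SAMPLE_RECORDS = {
    "dynamic_ip_name": "[ ip=24.12.34.56 rdns=c-24-12-34-56.hsd1.il.example.net helo=localhost by=mx.example.org ]",
    "reversed_octets": "[ ip=198.51.100.77 rdns=pool-77-100-51-198.dyn.example.net helo=pc by=mx.example.org ]",
    "hex_encoded_ip": "[ ip=24.12.34.56 rdns=cpe-180c2238.example.net helo=pc by=mx.example.org ]",
    "real_mail_server": "[ ip=192.0.2.10 rdns=mail.example.org helo=mail.example.org by=mx.example.org ]",
    "forward_mismatch": "[ ip=203.0.113.5 rdns=smtp.example.com helo=smtp.example.com by=mx.example.org ]",
    "no_reverse_dns": "[ ip=198.51.100.200 rdns= helo=friend by=mx.example.org ]",
}

# Constructed stub in place of gethostbyname so the example runs offline.
STUB_DNS = {
    "c-24-12-34-56.hsd1.il.example.net": "24.12.34.56",
    "pool-77-100-51-198.dyn.example.net": "198.51.100.77",
    "cpe-180c2238.example.net": "24.12.34.56",
    "mail.example.org": "192.0.2.10",
    "smtp.example.com": "203.0.113.99",  # forward record disagrees with the relay IP
}


def stub_resolve(name: str) -> str:
    if name not in STUB_DNS:
        raise socket.gaierror(f"stub: no address for {name}")
    return STUB_DNS[name]


if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        fired = [rule for rule, hit in check_relay(record, stub_resolve).items() if hit]
        print(f"{label}: {' '.join(fired) or '(nothing)'}")
```

Passing `socket.gethostbyname` (the default) instead of `stub_resolve` makes `bad_dns` do the live lookup the post's BOTNET_BADDNS rule performs; setting that rule's score to 0 in the cf file, as item 4 notes, is what avoids the lookup in the real plugin.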

10) There's now an INSTALL file with very general installation 
instructions, and some install instructions in Botnet.txt (less general 
than the INSTALL file).

11) Oh, and the included cf file had one of my own local address 
exceptions in it (my mail server subnet at work).  I have taken that out 
of the released cf file.  (I was surprised no one had mentioned it)

12) The BOTNET rule is now worth 5 points, instead of 6.  It would be 
interesting to know what people have found as useful scores for the plugin.



So, let me know what you think.  Let me know if you find any bugs, what 
your hit/miss/fp stats are (one person said 78% accuracy with 1% fp's), 
things like that.  I hope no one has any new feature suggestions... it 
seems like it's pretty close to addressing the complete picture.  I'm 
hoping my next release is going to be 1.0.

Also, I'm trying to decide on two things:

a) Does anyone think I _should_ switch to Net::DNS for the botnet_baddns 
function?  Or is the gethostbyname() call good enough?

b) It seems kind of cluttered to have all of the various BOTNET_* rules 
show up in the test list and detailed report.  But I have kept it that 
way, instead of changing their names to have __ in front, so that I can 
see what sub-rules were specifically triggered.  What are people's 
opinions on that, for the 1.0 release:
     i) do you want me to leave it as it is, or
    ii) put in the __ so that the sub-rules stop showing up in the
        final report?
