Botnet 0.4 Spam Assassin plugin

John Rudd jrudd at ucsc.edu
Tue Nov 28 02:07:05 GMT 2006


René Berber wrote:
> John Rudd wrote:
>> René Berber wrote:
> [snip]
>>> Question: If someone sends a message from home to their workplace, there is only
>>> one relay line (two if you count the local delivery line which usually does not
>>> have an IP address) and it contains an ADSL address, does your plugin score on
>>> that relay line or skip it?
>> It will not skip that received line unless you specifically put that
>> relay into your skip/pass list ... or if they're using SMTP-AUTH and SA
>> correctly puts that information into the pseudo-header AND you've set
>> the botnet_pass_auth option.
> 
> I haven't seen where SA can be configured to add the information that the user
> used smtp_auth.

One of the fields in the Untrusted Relays pseudo-header (and presumably 
in the Trusted Relays pseudo-header) is "auth=".  I have _no_ idea how 
that field gets set.  I am merely trusting SA to do the right thing.


>>> The point here being that if it scores it gives a false score, just like the
>>> useless half point I see SA adds to that line by using RBLs that list dynamic
>>> addresses... the first relay line should be ignored, and that makes bot-net
>>> detection ineffective.
>> I would say that the first line should NOT be ignored.  Instead:
>>
>> 1) You should require that such submitters use SMTP-AUTH, and possibly
>> have them connect to a back-end system (where spam scanning happens on
>> your front-end systems).  To avoid having your back-end systems targeted
>> by adversaries (to get around your AV/AS scanning), have them require
>> SMTP-AUTH and only allow non-SMTP-AUTH transactions from trusted IP
>> addresses (such as your front end systems).
> 
> But if you use your ISP and it doesn't require authentication then the first
> line is going to produce a score always...

I'm not sure what you're saying.

If you're saying your ISP might be using BOTNET and BOTNET might trigger 
on you submitting messages to them:  They should have you in their 
trusted_networks configuration for SA, and then BOTNET will skip you.

If you're saying some remote receiver might be using BOTNET, then, as 
long as they don't have your ISP in their trusted_networks config, then 
their BOTNET will only look at your ISP's mail server IP, not your end 
client IP.

By "first line", I am referring to the newest/top-most (most recent) 
Received header.  Not the oldest/bottom-most Received header.

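As an added illustration (not part of this thread, SpamAssassin or the BOTNET plugin's own code), the following Python models the trust-path logic described above: walking Received headers from the newest down, the first hop outside trusted_networks is the relay a Received-based check examines, and an RFC 3848 "with ESMTPA" keyword is the usual source of the auth= information. The header samples, network ranges and function names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample Received header bodies, newest (top-most) first, as a
# remote receiver mx.example.org sees a message submitted from a home ADSL
# line through the user's ISP. Addresses come from documentation ranges.
REMOTE_VIEW = [
    "from mail.example-isp.net (mail.example-isp.net [203.0.113.10])"
    " by mx.example.org with ESMTP",
    "from home-pc (adsl-77.example-isp.net [198.51.100.77])"
    " by mail.example-isp.net with ESMTPA",
]
# The same message as the ISP's own scanner sees it: only the submission hop.
ISP_VIEW = REMOTE_VIEW[1:]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# RFC 3848 "with" keywords marking an authenticated submission (ESMTPA,
# ESMTPSA, LMTPA, LMTPSA); SpamAssassin's auth= field is derived from these.
AUTH_RE = re.compile(r"\bwith\s+(?:ESMTPS?A|LMTPS?A)\b")


def parse_relays(headers):
    """Turn Received header bodies into {ip, auth} records, newest first."""
    relays = []
    for hdr in headers:
        m = IP_RE.search(hdr)
        if not m:
            continue  # e.g. a local-delivery line that carries no IP
        relays.append({"ip": m.group(1), "auth": bool(AUTH_RE.search(hdr))})
    return relays


def first_untrusted_relay(relays, trusted_networks):
    """Walk the trust path from the top; the first hop outside
    trusted_networks is the relay a Received-based check would look at."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for relay in relays:
        addr = ipaddress.ip_address(relay["ip"])
        if not any(addr in n for n in nets):
            return relay
    return None  # every hop is trusted: nothing to check


def botnet_target(headers, trusted_networks, pass_auth=False):
    """Return the IP such a check would score, or None if it is skipped
    (all hops trusted, or an authenticated hop with pass_auth enabled)."""
    relay = first_untrusted_relay(parse_relays(headers), trusted_networks)
    if relay is None or (pass_auth and relay["auth"]):
        return None
    return relay["ip"]
```

With the ISP absent from the remote receiver's trusted_networks the scored address is the ISP's server, while the ISP's own scanner skips the submission entirely once the customer range is trusted or the authenticated hop is passed.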

More information about the MailScanner mailing list