Re: BOTNET 0.8 + SA 3.2.3

2008-01-12 Thread Arthur Dent
On Fri, Jan 11, 2008 at 07:20:59PM -0500, Dave Koontz wrote:

> Arthur Dent wrote:
>> Nope sorry..
>
> Please confirm... that your botnet.pm file is where your other plugin PM
> modules reside.  And that the botnet.cf file is where your custom rules
> live (may be a different path depending on configuration).  Make sure the
> botnet.cf is in the same directory as your local.cf file and see if that
> works.

Well here is what I have...

[EMAIL PROTECTED] ~]# ls -la /etc/mail/spamassassin/
total 148
drwxr-xr-x 3 root root  4096 2008-01-11 22:54 .
drwxr-xr-x 3 root root  4096 2007-12-29 19:48 ..
-r--r--r-- 1 root root  4706 2008-01-11 22:54 Botnet.cf
-r--r--r-- 1 root root 28616 2008-01-11 22:54 Botnet.pm
-rw-r--r-- 1 root root  2522 2006-08-13 09:07 GPG.KEY
-rw-r--r-- 1 root root  1299 2007-08-21 15:15 init.pre
-rw-r--r-- 1 root root   558 2008-01-02 00:50 local.cf
-rwxr--r-- 1 root root   776 2007-12-30 17:52 sare-sa-update-channels.txt
drwx------ 2 root root  4096 2008-01-08 02:00 sa-update-keys
-rw-r--r-- 1 root root    62 2007-08-21 15:15 spamassassin-default.rc
-rwxr-xr-x 1 root root    35 2007-08-21 15:15 spamassassin-helper.sh
-rw-r--r-- 1 root root    55 2007-08-21 15:15 spamassassin-spamc.rc
-rw-r--r-- 1 root root  2603 2007-08-21 15:15 v310.pre
-rw-r--r-- 1 root root  1195 2007-08-21 15:15 v312.pre
-rw-r--r-- 1 root root  2416 2007-08-21 15:15 v320.pre
[EMAIL PROTECTED] ~]# 

Seems OK to me But is it?...

The thing that really mystifies me is that spamassassin --lint -D seems to
show that Botnet is installed correctly. It just doesn't hit anything?...

Thanks for your help so far...

AD








RE: BOTNET 0.8 + SA 3.2.3

2008-01-12 Thread Robert - elists

 
> Well here is what I have...
>
> [EMAIL PROTECTED] ~]# ls -la /etc/mail/spamassassin/
> total 148
> drwxr-xr-x 3 root root  4096 2008-01-11 22:54 .
> drwxr-xr-x 3 root root  4096 2007-12-29 19:48 ..
> -r--r--r-- 1 root root  4706 2008-01-11 22:54 Botnet.cf
> -r--r--r-- 1 root root 28616 2008-01-11 22:54 Botnet.pm
> -rw-r--r-- 1 root root  2522 2006-08-13 09:07 GPG.KEY
> -rw-r--r-- 1 root root  1299 2007-08-21 15:15 init.pre
> -rw-r--r-- 1 root root   558 2008-01-02 00:50 local.cf
> -rwxr--r-- 1 root root   776 2007-12-30 17:52 sare-sa-update-channels.txt
> drwx------ 2 root root  4096 2008-01-08 02:00 sa-update-keys
> -rw-r--r-- 1 root root    62 2007-08-21 15:15 spamassassin-default.rc
> -rwxr-xr-x 1 root root    35 2007-08-21 15:15 spamassassin-helper.sh
> -rw-r--r-- 1 root root    55 2007-08-21 15:15 spamassassin-spamc.rc
> -rw-r--r-- 1 root root  2603 2007-08-21 15:15 v310.pre
> -rw-r--r-- 1 root root  1195 2007-08-21 15:15 v312.pre
> -rw-r--r-- 1 root root  2416 2007-08-21 15:15 v320.pre
> [EMAIL PROTECTED] ~]#
>
> Seems OK to me But is it?...
>
> The thing that really mystifies me is that spamassassin --lint -D seems to
> show that Botnet is installed correctly. It just doesn't hit anything?...
>
> Thanks for your help so far...
>
> AD
 

AD,

What is your platform OS etc?

I went to jrudd dload site and pulled down botnet v8 tar to tmp dir and
untar

I put the two files in /etc/mail/spamassassin

I su'd to spamd user

spamassassin --lint

all ok.

Restarted spamassassin and it just works

This is on an approx over 2 year old centos 4 install currently at centos4.6

We roll our own spamassassin rpms with

rpmbuild -tb spamassassin-x.xx.tar.gz

Have you ever tailed your spamassassin logs to see if you get botnet hits as
opposed to that test email you keep referring to?

The other thing you might do is do a search on your machine for any other
copies of the Botnet.* files to make sure there is no duplication

 - rh




Re: BOTNET 0.8 + SA 3.2.3

2008-01-11 Thread Arthur Dent
Hello all,

I'm so no nearer a solution to this...

To recap:
Since upgrading from SA 3.2.2 to SA 3.2.3 I have had no Botnet hits at all.
I have checked with SA --lint -D and Botnet v.0.8 seems to be installed
correctly.
I have run an old message through my current setup that hit Botnet when
running SA 3.2.2 and it did not hit now...

Any ideas?

Is Botnet 0.8 incompatible with SA 3.2.3?


Thanks for your help...

AD





Re: BOTNET 0.8 + SA 3.2.3

2008-01-11 Thread UxBoD
I am running it with SA 3.2.4 with no problems at all.

Regards,

--[ UxBoD ]--
// PGP Key: curl -s https://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

----- Original Message -----
From: Arthur Dent [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: 11 January 2008 10:30:48 o'clock (GMT) Europe/London
Subject: Re: BOTNET 0.8 + SA 3.2.3

Hello all,

I'm so no nearer a solution to this...

To recap:
Since upgrading from SA 3.2.2 to SA 3.2.3 I have had no Botnet hits at all.
I have checked with SA --lint -D and Botnet v.0.8 seems to be installed
correctly.
I have run an old message through my current setup that hit Botnet when
running SA 3.2.2 and it did not hit now...

Any ideas?

Is Botnet 0.8 incompatible with SA 3.2.3?


Thanks for your help...

AD


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



RE: BOTNET 0.8 + SA 3.2.3

2008-01-11 Thread Dave Koontz
 
I am running Botnet 0.8 with SA 3.2.3 without issue.  Try a fresh install of
all Botnet files.

-----Original Message-----
From: UxBoD [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 11, 2008 5:45 AM
To: Arthur Dent
Cc: users@spamassassin.apache.org
Subject: Re: BOTNET 0.8 + SA 3.2.3

I am running it with SA 3.2.4 with no problems at all.

Regards,

--[ UxBoD ]--
// PGP Key: curl -s https://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

----- Original Message -----
From: Arthur Dent [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: 11 January 2008 10:30:48 o'clock (GMT) Europe/London
Subject: Re: BOTNET 0.8 + SA 3.2.3

Hello all,

I'm so no nearer a solution to this...

To recap:
Since upgrading from SA 3.2.2 to SA 3.2.3 I have had no Botnet hits at all.
I have checked with SA --lint -D and Botnet v.0.8 seems to be installed
correctly.
I have run an old message through my current setup that hit Botnet when
running SA 3.2.2 and it did not hit now...

Any ideas?

Is Botnet 0.8 incompatible with SA 3.2.3?


Thanks for your help...

AD







Re: BOTNET 0.8 + SA 3.2.3

2008-01-11 Thread Arthur Dent
On Fri, Jan 11, 2008 at 06:49:19AM -0500, Dave Koontz wrote:
  
> I am running Botnet 0.8 with SA 3.2.3 without issue.  Try a fresh install of
> all Botnet files.
 

Well I have only recently upgraded my OS from FC6 to F8 (and that's what
prompted me to check that everything was working properly). The upgrade of SA
took place back in October and it seems that's when Botnet stopped working.

However, when I upgraded the OS (last week) it would have included a fresh 
install of SA and at that time I installed the Botnet files.

Correct me if I'm wrong but installing is simply a matter of copying the .pm 
and .cf files into /etc/mail/spamassassin directory no?

I will do so again, but surely my --lint -D seems to indicate that it has
installed correctly - or has it?

Confused...

AD





Re: BOTNET 0.8 + SA 3.2.3

2008-01-11 Thread Arthur Dent
On Fri, Jan 11, 2008 at 03:56:03PM +, Arthur Dent wrote:
> On Fri, Jan 11, 2008 at 06:49:19AM -0500, Dave Koontz wrote:
>>
>> I am running Botnet 0.8 with SA 3.2.3 without issue.  Try a fresh install of
>> all Botnet files.
>>
>
> Well I have only recently upgraded my OS from FC6 to F8 (and that's what
> prompted me to check that everything was working properly). The upgrade of SA
> took place back in October and it seems that's when Botnet stopped working.
>
> However, when I upgraded the OS (last week) it would have included a fresh
> install of SA and at that time I installed the Botnet files.
>
> Correct me if I'm wrong but installing is simply a matter of copying the .pm
> and .cf files into /etc/mail/spamassassin directory no?
>
> I will do so again, but surely my --lint -D seems to indicate that it has
> installed correctly - or has it?
>
> Confused...
>
> AD
 

Nope sorry...

Here's what I did:
I removed the botnet files from /etc/mail/spamassassin and restarted spamd.
I ran --lint which confirmed that there was no botnet installation.
I downloaded Botnet 0.8 *again* from
http://people.ucsc.edu/~jrudd/spamassassin/Botnet-0.8.tar
I untarred it into a fresh directory.
I copied the .cf and .pm files into /etc/mail/spamassassin.
I restarted spamd.
I ran --lint which gave me exactly the same output as in my original post
(confirming an apparently successful installation of Botnet).
I ran a previously hitting mail through spamassassin.
Nothing.

Sigh...

What now?

Thanks for your help so far...

AD





RE: BOTNET 0.8 + SA 3.2.3

2008-01-11 Thread Robert - elists
 
> Nope sorry...
>
> Here's what I did:
> I removed the botnet files from /etc/mail/spamassassin and restarted spamd.
> I ran --lint which confirmed that there was no botnet installation.
> I downloaded Botnet 0.8 *again* from
> http://people.ucsc.edu/~jrudd/spamassassin/Botnet-0.8.tar
> I untarred it into a fresh directory.
> I copied the .cf and .pm files into /etc/mail/spamassassin.
> I restarted spamd.
> I ran --lint which gave me exactly the same output as in my original post
> (confirming an apparently successful installation of Botnet).
> I ran a previously hitting mail through spamassassin.
> Nothing.
>
> Sigh...
>
> What now?
>
> Thanks for your help so far...
>
> AD

AD,

This may be totally off the wall, yet wouldn't file ownership and/or
permissions on those files make any difference?

Possibly even where those files are placed in reference to perl setup?

I am wondering mainly in terms of executable file(s)

If this theory doesn't help or fix, then I would setup a test machine from
scratch and play.

It really cannot be that hard to debug in a sandbox can it?

:-)

 - rh



Re: BOTNET 0.8 + SA 3.2.3

2008-01-11 Thread Dave Koontz


Arthur Dent wrote:

Nope sorry..
  
Please confirm... that your botnet.pm file is where your other plugin PM 
modules reside.  And that the botnet.cf file is where your custom rules 
live (may be a different path depending on configuration).  Make sure 
the botnet.cf is in the same directory as your local.cf file and see if 
that works.




Re: BOTNET 0.8 + SA 3.2.3

2008-01-11 Thread Chris
On Friday 11 January 2008 6:20 pm, Dave Koontz wrote:
> Arthur Dent wrote:
>> Nope sorry..
>
> Please confirm... that your botnet.pm file is where your other plugin PM
> modules reside.  And that the botnet.cf file is where your custom rules
> live (may be a different path depending on configuration).  Make sure
> the botnet.cf is in the same directory as your local.cf file and see if
> that works.

FWIW, when updating from 0.7 to 0.8 I placed the Botnet.cf file 
in /etc/mail/spamassassin, and placed the .pm file there also. My log 
snippets showed that 0.7 was still being used then I remembered I had placed 
the 0.7 .pm file here after doing some reading about placement of plug-ins:

/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/Botnet.pm

Placing it here and restarting spamassassin now shows that 0.8 is being used.

-- 
Chris
KeyID 0xE372A7DA98E6705C
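
Added example, not part of the thread and not code from the Botnet plugin: a shell check for the situation Chris reports (and the duplicate-copy search Robert suggests). It reads the `spamassassin --lint -D` debug lines to see which Botnet.pm was loaded, then lists every other copy. The function names, the stand-in files and the sample log lines are constructed; only the debug-line format and the directories come from the posts above.

```shell
#!/bin/sh
# Added example; names and sample data are constructed for illustration.

# Read `spamassassin --lint -D 2>&1` output on stdin and print
# "<version> <path>" for the Botnet.pm that was actually loaded.
loaded_botnet() {
    awk '
        /dbg: plugin: loading Mail::SpamAssassin::Plugin::Botnet from/ {
            path = $NF
            # Mail clients wrap this line; the path is then on the next line.
            if (path == "from") { getline; path = $1 }
        }
        /dbg: Botnet: version/ { ver = $NF }
        END {
            if (path == "") exit 1          # plugin was never loaded
            if (ver == "") ver = "unknown"
            print ver, path
        }'
}

# stray_copies LOADED ROOT...: list every other Botnet.pm under the roots,
# marked "identical" or "DIFFERS" relative to the loaded file.
stray_copies() {
    loaded=$1; shift
    find "$@" -type f -name 'Botnet.pm' 2>/dev/null | sort |
    while IFS= read -r f; do
        [ "$f" = "$loaded" ] && continue
        if cmp -s "$f" "$loaded"; then state=identical; else state=DIFFERS; fi
        printf '%s %s\n' "$state" "$f"
    done
}

# Constructed reproduction: 0.8 copied next to local.cf while an older
# copy under site_perl is the one the debug log says is in use.
demo() {
    tmp=$(mktemp -d) || return 1
    cfg=$tmp/etc/mail/spamassassin
    lib=$tmp/site_perl/Mail/SpamAssassin/Plugin
    mkdir -p "$cfg" "$lib"
    echo '# constructed stand-in for Botnet.pm 0.8' > "$cfg/Botnet.pm"
    echo '# constructed stand-in for Botnet.pm 0.7' > "$lib/Botnet.pm"
    # Constructed debug lines in the (wrapped) format quoted in the thread.
    log="[1234] dbg: plugin: loading Mail::SpamAssassin::Plugin::Botnet from
$lib/Botnet.pm
[1234] dbg: Botnet: version 0.7"
    info=$(printf '%s\n' "$log" | loaded_botnet)
    ver=${info%% *}; path=${info#* }
    {
        printf 'loaded %s %s\n' "$ver" "$path"
        stray_copies "$path" "$tmp"
    } | sed "s|$tmp||"               # strip the temp prefix for readability
    rm -rf "$tmp"
}

# Real use (directories are the ones named in the thread; adjust as needed):
#   info=$(spamassassin --lint -D 2>&1 | loaded_botnet)
#   stray_copies "${info#* }" /etc/mail/spamassassin /usr/lib/perl5
demo
```

A "DIFFERS" line means two versions of the plugin are installed, so the version in the debug log, not the file you last copied, tells you which one is scoring mail.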




Re: BOTNET 0.8 + SA 3.2.3

2008-01-09 Thread UxBoD
Do you see it get picked up if you run a lint on your SA installation?

Regards,

--[ UxBoD ]--
// PGP Key: curl -s https://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

----- Original Message -----
From: Arthur Dent [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: 09 January 2008 11:09:25 o'clock (GMT) Europe/London
Subject: BOTNET 0.8 + SA 3.2.3

Hello all,

I have been running SA v3.2.3 since I upgraded from 3.2.2 in October. It has
only just dawned on me that since then I have had no hits from Botnet.

I have checked, and I did install the Botnet.pm and Botnet.cf files
into /etc/mail/spamassassin so I am mystified as to why it's not generating any
hits.

Is Botnet v0.8 incompatible with SA 3.2.3 or have I done something daft?

Thanks in advance...

AD
 




Re: BOTNET 0.8 + SA 3.2.3

2008-01-09 Thread Arthur Dent
On Wed, Jan 09, 2008 at 11:27:59AM +, UxBoD wrote:
> Do you see it get picked up if you run a lint on your SA installation?

How does this look to you?

Thanks for your help so far...

AD

$ spamassassin --lint -D 2>&1 | grep -i botnet
[26514] dbg: config: read file /etc/mail/spamassassin/Botnet.cf
[26514] dbg: config: fixed relative path: /etc/mail/spamassassin/Botnet.pm
[26514] dbg: plugin: loading Mail::SpamAssassin::Plugin::Botnet from
/etc/mail/spamassassin/Botnet.pm
[26514] dbg: Botnet: version 0.8
[26514] dbg: plugin: Mail::SpamAssassin::Plugin::Botnet=HASH(0xa202954)
implements 'parse_config', priority 0
[26514] dbg: Botnet: setting botnet_pass_auth to 0
[26514] dbg: Botnet: setting botnet_pass_trusted to public
[26514] dbg: Botnet: adding ^127\.0\.0\.1$ to botnet_skip_ip
[26514] dbg: Botnet: adding ^10\..*$ to botnet_skip_ip
[26514] dbg: Botnet: adding ^172\.1[6789]\..*$ to botnet_skip_ip
[26514] dbg: Botnet: adding ^172\.2[0-9]\..*$ to botnet_skip_ip
[26514] dbg: Botnet: adding ^172\.3[01]\..*$ to botnet_skip_ip
[26514] dbg: Botnet: adding ^192\.168\..*$ to botnet_skip_ip
[26514] dbg: Botnet: adding ^128\.223\.98\.16$ to botnet_pass_ip
[26514] dbg: Botnet: adding (\.|\A)amazon\.com$ to botnet_pass_domains
[26514] dbg: Botnet: adding (\.|\A)apple\.com$ to botnet_pass_domains
[26514] dbg: Botnet: adding (\.|\A)ebay\.com$ to botnet_pass_domains
[26514] dbg: Botnet: adding (\b|\d).*dsl.*(\b|\d) to botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)cable(\b|\d) to botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)catv(\b|\d) to botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)ddns(\b|\d) to botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)dhcp(\b|\d) to botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)dial(-?up)?(\b|\d) to botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)dip(\b|\d) to botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)docsis(\b|\d) to botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)dyn(amic)?(ip)?(\b|\d) to
botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)modem(\b|\d) to botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)ppp(oe)?(\b|\d) to botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)res(net|ident(ial)?)?(\b|\d) to
botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)bredband(\b|\d) to botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)client(\b|\d) to botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)fixed(\b|\d) to botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)ip(\b|\d) to botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)pool(\b|\d) to botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)static(\b|\d) to botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)user(\b|\d) to botnet_clientwords
[26514] dbg: Botnet: adding (\b|\d)e?mail(out)?(\b|\d) to botnet_serverwords
[26514] dbg: Botnet: adding (\b|\d)mta(\b|\d) to botnet_serverwords
[26514] dbg: Botnet: adding (\b|\d)mx(pool)?(\b|\d) to botnet_serverwords
[26514] dbg: Botnet: adding (\b|\d)relay(\b|\d) to botnet_serverwords
[26514] dbg: Botnet: adding (\b|\d)smtp(\b|\d) to botnet_serverwords
[26514] dbg: Botnet: adding (\b|\d)exch(ange)?(\b|\d) to botnet_serverwords
[26514] dbg: rules: ran header rule __BOTNET_NOTRUST == got hit:
negative match
[26514] dbg: Botnet: starting
[26514] dbg: Botnet: no trusted relays
[26514] dbg: Botnet: All skipped/no untrusted
[26514] dbg: Botnet: skipping
[26514] dbg: check:
subtests=__BOTNET_NOTRUST,__HAS_MSGID,__HAVE_BOUNCE_RELAYS,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__TVD_BODY,__UNUSABLE_MSGID
$ 




Re: BOTNET 0.8 + SA 3.2.3

2008-01-09 Thread UxBoD
Ran the same on my installation and all appears the same to me.  H, very
odd, do you have an email in your quarantine that got tagged before which you
could pass through again to test?

[EMAIL PROTECTED] ~]# spamassassin --lint -D 2>&1 | grep -i botnet
[26067] dbg: config: read file /etc/mail/spamassassin/Botnet.cf
[26067] dbg: config: fixed relative path: /etc/mail/spamassassin/Botnet.pm
[26067] dbg: plugin: loading Mail::SpamAssassin::Plugin::Botnet from 
/etc/mail/spamassassin/Botnet.pm
[26067] dbg: Botnet: version 0.8
[26067] dbg: plugin: Mail::SpamAssassin::Plugin::Botnet=HASH(0x212a2ca0) 
implements 'parse_config', priority 0
[26067] dbg: Botnet: setting botnet_pass_auth to 0
[26067] dbg: Botnet: setting botnet_pass_trusted to public
[26067] dbg: Botnet: adding ^127\.0\.0\.1$ to botnet_skip_ip
[26067] dbg: Botnet: adding ^10\..*$ to botnet_skip_ip
[26067] dbg: Botnet: adding ^172\.1[6789]\..*$ to botnet_skip_ip
[26067] dbg: Botnet: adding ^172\.2[0-9]\..*$ to botnet_skip_ip
[26067] dbg: Botnet: adding ^172\.3[01]\..*$ to botnet_skip_ip
[26067] dbg: Botnet: adding ^192\.168\..*$ to botnet_skip_ip
[26067] dbg: Botnet: adding ^128\.223\.98\.16$ to botnet_pass_ip
[26067] dbg: Botnet: adding (\.|\A)amazon\.com$ to botnet_pass_domains
[26067] dbg: Botnet: adding (\.|\A)apple\.com$ to botnet_pass_domains
[26067] dbg: Botnet: adding (\.|\A)ebay\.com$ to botnet_pass_domains
[26067] dbg: Botnet: adding (\b|\d).*dsl.*(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)cable(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)catv(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)ddns(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)dhcp(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)dial(-?up)?(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)dip(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)docsis(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)dyn(amic)?(ip)?(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)modem(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)ppp(oe)?(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)res(net|ident(ial)?)?(\b|\d) to 
botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)bredband(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)client(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)fixed(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)ip(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)pool(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)static(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)user(\b|\d) to botnet_clientwords
[26067] dbg: Botnet: adding (\b|\d)e?mail(out)?(\b|\d) to botnet_serverwords
[26067] dbg: Botnet: adding (\b|\d)mta(\b|\d) to botnet_serverwords
[26067] dbg: Botnet: adding (\b|\d)mx(pool)?(\b|\d) to botnet_serverwords
[26067] dbg: Botnet: adding (\b|\d)relay(\b|\d) to botnet_serverwords
[26067] dbg: Botnet: adding (\b|\d)smtp(\b|\d) to botnet_serverwords
[26067] dbg: Botnet: adding (\b|\d)exch(ange)?(\b|\d) to botnet_serverwords
[26067] dbg: plugin: Mail::SpamAssassin::Plugin::Botnet=HASH(0x212a2ca0) 
implements 'parse_config', priority 0
[26067] dbg: rules: ran header rule __BOTNET_NOTRUST == got hit: negative 
match
[26067] dbg: Botnet: starting
[26067] dbg: Botnet: no trusted relays
[26067] dbg: Botnet: All skipped/no untrusted
[26067] dbg: Botnet: skipping
[26067] dbg: check: 
subtests=__BOTNET_NOTRUST,__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__TVD_BODY,__UNUSABLE_MSGID


Regards,

--[ UxBoD ]--
// PGP Key: curl -s https://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

----- Original Message -----
From: Arthur Dent [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: 09 January 2008 15:15:32 o'clock (GMT) Europe/London
Subject: Re: BOTNET 0.8 + SA 3.2.3

On Wed, Jan 09, 2008 at 11:27:59AM +, UxBoD wrote:
> Do you see it get picked up if you run a lint on your SA installation?

How does this look to you?

Thanks for your help so far...

AD

$ spamassassin --lint -D 2>&1 | grep -i botnet
[26514] dbg: config: read file /etc/mail/spamassassin/Botnet.cf
[26514] dbg: config: fixed relative path: /etc/mail/spamassassin/Botnet.pm
[26514] dbg: plugin: loading Mail::SpamAssassin::Plugin::Botnet from
/etc/mail/spamassassin/Botnet.pm
[26514] dbg: Botnet: version 0.8
[26514] dbg: plugin: Mail::SpamAssassin::Plugin::Botnet=HASH(0xa202954)
implements 'parse_config', priority 0
[26514] dbg: Botnet: setting botnet_pass_auth to 0
[26514] dbg: Botnet: setting botnet_pass_trusted to public
[26514] dbg: Botnet: adding ^127\.0\.0\.1

Re: BOTNET 0.8 + SA 3.2.3

2008-01-09 Thread Arthur Dent
On Wed, Jan 09, 2008 at 04:29:01PM +, UxBoD wrote:
> Ran the same on my installation and all appears the same to me.  H, very
> odd, do you have an email in your quarantine that got tagged before which you
> could pass through again to test?

Hmmm.. Good idea...

Headers from:

1) Original message rescanned using current configuration (SA 3.2.3)
2) Original message as scanned at the time (SA 3.2.2)

What do you think?

Thanks for all your help

AD


1) CURRENT OUTPUT


From [EMAIL PROTECTED]  Sun Oct 28 20:00:02 2007
Return-Path: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mydomain.com
X-Spam-Level: ***
X-Spam-Status: Yes, score=7.8 required=4.5 tests=ANY_BOUNCE_MESSAGE,AWL,
BAYES_99,BOUNCE_MESSAGE,MIME_BOUND_DIGITS_15,RDNS_NONE autolearn=no
version=3.2.3
X-Spam-Report: 
*  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  [score: 1.]
*  2.9 MIME_BOUND_DIGITS_15 Spam tool pattern in MIME boundary
*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
*  0.1 BOUNCE_MESSAGE MTA bounce message
*  0.1 ANY_BOUNCE_MESSAGE Message is some kind of bounce message
*  1.1 AWL AWL: From: address is in the auto white-list
Received: from mydomain.com (localhost.localdomain [127.0.0.1])
by mydomain.com (8.14.1/8.14.1) with ESMTP id l9SK02sv006067
for [EMAIL PROTECTED]; Sun, 28 Oct 2007 20:00:02 GMT
Received: from pop3.mail.demon.net [194.217.242.253]
by mydomain.com with POP3 (fetchmail-6.3.6)
for [EMAIL PROTECTED] (single-drop); Sun, 28 Oct 2007 20:00:02 +
(GMT)
Received: from punt3.mail.demon.net by mailstore
for [EMAIL PROTECTED] id 1ImEI0-2wQknw-02-9z1;
Sun, 28 Oct 2007 19:59:16 +
Received: from [194.217.242.223] (lhlo=lon1-hub.mail.demon.net)
by punt3.mail.demon.net with lmtp id 1ImEI0-2wQknw-02
for [EMAIL PROTECTED]; Sun, 28 Oct 2007 19:59:16 +
Received: from [211.115.216.222] (helo=mail-kr.bigfoot.com)
by lon1-hub.mail.demon.net with smtp id 1ImEI0-0006nw-8M
for [EMAIL PROTECTED]; Sun, 28 Oct 2007 19:59:16 +
Date: Sun, 28 Oct 2007 15:59:42 -0400
From: Mail Delivery Subsystem [EMAIL PROTECTED]
Message-Id:
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary=200710281542345
Subject: [SPAM (7.8)] Returned mail: Requested action not taken: mailbox
unavailable
Auto-Submitted: auto-generated (failure)
Status: RO
Content-Length: 1848
Lines: 54
X-Spam-Prev-Subject: Returned mail: Requested action not taken: mailbox
unavailable

This is a MIME-encapsulated message

--200710281542345

The original message was received at Sun, 28 Oct 2007 15:59:01 -0400 EST
from host237-146-dynamic.26-79-r.retail.telecomitalia.it [79.26.145.225]

[Snip.]


2) PREVIOUS OUTPUT
=

From [EMAIL PROTECTED]  Sun Oct 28 20:00:02 2007
Return-Path: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.2 (2007-07-23) on mydomain.com
X-Spam-Level: ***
X-Spam-Status: Yes, score=11.1 required=5.0 tests=ANY_BOUNCE_MESSAGE,BAYES_95,
BOTNET,BOTNET_NORDNS,BOUNCE_MESSAGE,MIME_BOUND_DIGITS_15 autolearn=no
version=3.2.2
X-Spam-Report: 
*  2.9 MIME_BOUND_DIGITS_15 Spam tool pattern in MIME boundary
*  5.0 BOTNET Relay might be a spambot or virusbot
*  [botnet0.8,ip=194.217.242.223,maildomain=mydomain.com,nordns]
*  0.0 BOTNET_NORDNS Relay's IP address has no PTR record
*  [botnet_nordns,ip=194.217.242.223]
*  3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
*  [score: 0.9865]
*  0.1 BOUNCE_MESSAGE MTA bounce message
*  0.1 ANY_BOUNCE_MESSAGE Message is some kind of bounce message
Received: from mydomain.com (localhost.localdomain [127.0.0.1])
by mydomain.com (8.14.1/8.14.1) with ESMTP id l9SK02sv006067
for [EMAIL PROTECTED]; Sun, 28 Oct 2007 20:00:02 GMT
Received: from pop3.mail.demon.net [194.217.242.253]
by mydomain.com with POP3 (fetchmail-6.3.6)
for [EMAIL PROTECTED] (single-drop); Sun, 28 Oct 2007 20:00:02 +
(GMT)
Received: from punt3.mail.demon.net by mailstore
for [EMAIL PROTECTED] id 1ImEI0-2wQknw-02-9z1;
Sun, 28 Oct 2007 19:59:16 +
Received: from [194.217.242.223] (lhlo=lon1-hub.mail.demon.net)
by punt3.mail.demon.net with lmtp id 1ImEI0-2wQknw-02
for [EMAIL PROTECTED]; Sun, 28 Oct 2007 19:59:16 +
Received: from [211.115.216.222] (helo=mail-kr.bigfoot.com)
by lon1-hub.mail.demon.net with smtp id 1ImEI0-0006nw-8M
for [EMAIL PROTECTED]; Sun, 28 Oct 2007 19:59:16 +
Date: Sun, 28 Oct 2007 15:59:42 -0400
From: Mail Delivery Subsystem [EMAIL PROTECTED]
Message-Id:
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/report;