Re: Problem with Botnet

2006-12-14 Thread Federico Giannici

John Rudd wrote:

Federico Giannici wrote:

John Rudd wrote:

Federico Giannici wrote:

I installed Botnet 0.6 with SA 3.1.7.

It seems that it sees botnets where there aren't any.
Here is an example:

X-Spam-Status: No, score=5 required=8
   tests=BAYES_00,BOTNET,BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL
Received: from galadriel.neomedia.it (galadriel.neomedia.it [195.103.207.9])
   by arwen.neomedia.it (8.13.7/8.13.7) with ESMTP id kBE8jqVf015060
   for <[EMAIL PROTECTED]>; Thu, 14 Dec 2006 09:45:55 +0100 (CET)
Received: from Giuseppe (host189-198-static.104-80-b.business.telecomitalia.it [80.104.198.189])
   by galadriel.neomedia.it (8.13.7/8.13.7) with SMTP id kBE8jp10017336
   for <[EMAIL PROTECTED]>; Thu, 14 Dec 2006 09:45:51 +0100 (CET)




Maybe it looked at the second Received?



Is the first received a trusted IP addr?


Yes, it is.



Right now, Botnet doesn't look at the Trusted relays at all.  It only 
looks at the untrusted relays.  That's why it looked at the 2nd Received 
line instead of the 1st one.


I'm considering a feature for the next Botnet version that is as follows:

botnet_pass_trusted  (any|public|private|none)

with the following meanings:

any) if there are _any_ Trusted relays, pass the message
public) if any of the Trusted relays are public IPs, pass it
private) if any of the Trusted relays are private IPs, pass it
none) as now, don't even look at the Trusted relays, pass it

"Private IPs" means the following IP address blocks:
   127. 10. 172.(16-31). or 192.168.

"Public IPs" means: any IP addresses that aren't private.

And "pass the message" means "don't trigger any of botnet's tests".

The configuration value will default to "public".

(note: I don't know what SA does if the 5th or 6th relay down is a 
private/localhost relay ... because that's probably not "local", but a 
private relay that someone else used ... but, does SA list them in the 
trusted relays if you had just happened to list 127. in your trusted 
networks?  That's why I'm differentiating between "any" and "public" ... 
I included "private" just for completeness, I don't expect anyone is 
actually going to want to use it)


(why would you want to set it to "none"?  in case your scanning host 
isn't your front line host, such as if you have MX hosts you don't 
control, but do "trust", you want Botnet to look past them when figuring 
out if this message came from a spambot.  That's partially why I coded 
Botnet the way I did, but I've been considering that in most cases, you 
really want to know if the _immediate_ relay was a spambot, and if it 
came through a trusted relay, with a public IP address, anywhere along 
the line, then the immediate relay probably wasn't a spambot)


I agree with this last sentence.

Currently the Botnet is completely USELESS for me, I really need to 
actually TRUST the trusted relays!


Eagerly waiting for the next release...  ;-)


Thanks.

--
Federico Giannici  [EMAIL PROTECTED]  http://www.neomedia.it


Re: Problem with Botnet

2006-12-14 Thread John Rudd

Federico Giannici wrote:

John Rudd wrote:

Federico Giannici wrote:

I installed Botnet 0.6 with SA 3.1.7.

It seems that it sees botnets where there aren't any.
Here is an example:

X-Spam-Status: No, score=5 required=8
   tests=BAYES_00,BOTNET,BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL
Received: from galadriel.neomedia.it (galadriel.neomedia.it [195.103.207.9])
   by arwen.neomedia.it (8.13.7/8.13.7) with ESMTP id kBE8jqVf015060
   for <[EMAIL PROTECTED]>; Thu, 14 Dec 2006 09:45:55 +0100 (CET)
Received: from Giuseppe (host189-198-static.104-80-b.business.telecomitalia.it [80.104.198.189])
   by galadriel.neomedia.it (8.13.7/8.13.7) with SMTP id kBE8jp10017336
   for <[EMAIL PROTECTED]>; Thu, 14 Dec 2006 09:45:51 +0100 (CET)




Maybe it looked at the second Received?



Is the first received a trusted IP addr?


Yes, it is.



Right now, Botnet doesn't look at the Trusted relays at all.  It only 
looks at the untrusted relays.  That's why it looked at the 2nd Received 
line instead of the 1st one.


I'm considering a feature for the next Botnet version that is as follows:

botnet_pass_trusted  (any|public|private|none)

with the following meanings:

any) if there are _any_ Trusted relays, pass the message
public) if any of the Trusted relays are public IPs, pass it
private) if any of the Trusted relays are private IPs, pass it
none) as now, don't even look at the Trusted relays, pass it

"Private IPs" means the following IP address blocks:
   127. 10. 172.(16-31). or 192.168.

"Public IPs" means: any IP addresses that aren't private.

And "pass the message" means "don't trigger any of botnet's tests".

The configuration value will default to "public".

(note: I don't know what SA does if the 5th or 6th relay down is a 
private/localhost relay ... because that's probably not "local", but a 
private relay that someone else used ... but, does SA list them in the 
trusted relays if you had just happened to list 127. in your trusted 
networks?  That's why I'm differentiating between "any" and "public" ... 
I included "private" just for completeness, I don't expect anyone is 
actually going to want to use it)


(why would you want to set it to "none"?  in case your scanning host 
isn't your front line host, such as if you have MX hosts you don't 
control, but do "trust", you want Botnet to look past them when figuring 
out if this message came from a spambot.  That's partially why I coded 
Botnet the way I did, but I've been considering that in most cases, you 
really want to know if the _immediate_ relay was a spambot, and if it 
came through a trusted relay, with a public IP address, anywhere along 
the line, then the immediate relay probably wasn't a spambot)
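
A worked model of the proposed setting, added here and not code from Botnet or SpamAssassin: it walks the two Received lines from the thread, splits them into trusted and untrusted relays under an assumed trusted_networks (195.103.207.0/24 plus 127.0.0.0/8; the page does not state the real list), and reports which relay Botnet would examine under each botnet_pass_trusted value. The loopback variant is a constructed input that illustrates the "any" versus "public" distinction from the note above.

```python
import ipaddress
import re
# Private blocks exactly as the thread defines them: 127., 10., 172.(16-31). and 192.168.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample: the two Received lines from the thread, top-most (latest hop) first.
RECEIVED = [
    "from galadriel.neomedia.it (galadriel.neomedia.it [195.103.207.9]) by arwen.neomedia.it",
    "from Giuseppe (host189-198-static.104-80-b.business.telecomitalia.it [80.104.198.189])"
    " by galadriel.neomedia.it",
]
# Constructed variant for the "any" vs "public" note: the only trusted hop is a loopback relay.
RECEIVED_LOOPBACK = ["from localhost (localhost [127.0.0.1]) by arwen.neomedia.it", RECEIVED[1]]
# Assumed trusted_networks for the site in the thread (the page does not state them).
TRUSTED_NETWORKS = ["195.103.207.0/24", "127.0.0.0/8"]

def relay_ip(received):
    """Pull the bracketed connecting IP out of one Received header."""
    return ipaddress.ip_address(re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", received).group(1))

def is_private(ip):
    return any(ipaddress.ip_address(str(ip)) in block for block in PRIVATE_BLOCKS)

def split_relays(received, trusted_networks):
    """Simplified top-down walk in the style of SA's trust path: hops stay trusted until the first IP outside trusted_networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted, untrusted = [], []
    for ip in map(relay_ip, received):
        (trusted if not untrusted and any(ip in n for n in nets) else untrusted).append(ip)
    return trusted, untrusted

def pass_trusted(mode, trusted):
    """The proposed botnet_pass_trusted setting: True means skip every Botnet test."""
    if mode == "any":
        return bool(trusted)
    if mode == "public":
        return any(not is_private(ip) for ip in trusted)
    if mode == "private":
        return any(is_private(ip) for ip in trusted)
    if mode == "none":  # current 0.6 behaviour: trusted relays are never consulted
        return False
    raise ValueError("unknown botnet_pass_trusted mode: %s" % mode)

def botnet_target(mode, received, trusted_networks=TRUSTED_NETWORKS):
    """Relay IP (as a string) Botnet would examine, or None when the message is passed."""
    trusted, untrusted = split_relays(received, trusted_networks)
    if pass_trusted(mode, trusted) or not untrusted:
        return None
    return str(untrusted[0])
```

With the thread's headers, "public" (the proposed default) and "any" pass the message, while "none" and "private" hand 80.104.198.189 to Botnet's tests, which is the hop whose hostname carries its own octets and so fired BOTNET_IPINHOSTNAME.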





Re: Problem with Botnet

2006-12-14 Thread Federico Giannici

John Rudd wrote:

Federico Giannici wrote:

I installed Botnet 0.6 with SA 3.1.7.

It seems that it sees botnets where there aren't any.
Here is an example:

X-Spam-Status: No, score=5 required=8
   tests=BAYES_00,BOTNET,BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL
Received: from galadriel.neomedia.it (galadriel.neomedia.it [195.103.207.9])
   by arwen.neomedia.it (8.13.7/8.13.7) with ESMTP id kBE8jqVf015060
   for <[EMAIL PROTECTED]>; Thu, 14 Dec 2006 09:45:55 +0100 (CET)
Received: from Giuseppe (host189-198-static.104-80-b.business.telecomitalia.it [80.104.198.189])
   by galadriel.neomedia.it (8.13.7/8.13.7) with SMTP id kBE8jp10017336
   for <[EMAIL PROTECTED]>; Thu, 14 Dec 2006 09:45:51 +0100 (CET)




Maybe it looked at the second Received?



Is the first received a trusted IP addr?


Yes, it is.


Thanks.

--
Federico Giannici  [EMAIL PROTECTED]  http://www.neomedia.it


Re: Problem with Botnet

2006-12-14 Thread John Rudd

Federico Giannici wrote:

I installed Botnet 0.6 with SA 3.1.7.

It seems that it sees botnets where there aren't any.
Here is an example:

X-Spam-Status: No, score=5 required=8
   tests=BAYES_00,BOTNET,BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL
Received: from galadriel.neomedia.it (galadriel.neomedia.it [195.103.207.9])
   by arwen.neomedia.it (8.13.7/8.13.7) with ESMTP id kBE8jqVf015060
   for <[EMAIL PROTECTED]>; Thu, 14 Dec 2006 09:45:55 +0100 (CET)
Received: from Giuseppe (host189-198-static.104-80-b.business.telecomitalia.it [80.104.198.189])
   by galadriel.neomedia.it (8.13.7/8.13.7) with SMTP id kBE8jp10017336
   for <[EMAIL PROTECTED]>; Thu, 14 Dec 2006 09:45:51 +0100 (CET)




Maybe it looked at the second Received?



Is the first received a trusted IP addr?