Re: Making the Botnet plugin work with IPv6

2010-09-21 Thread Yves Goergen
sent to the other MTA from a dial-up address, and Botnet caught it. This skip thing only seems to use the next IP address it finds, which is the sender's one and that is most often a dynamic address. Anyway, are there alternative recommendations that I could use instead of the Botnet plugi

Re: Making the Botnet plugin work with IPv6

2010-09-20 Thread RW
On Mon, 20 Sep 2010 20:03:43 +0200 Yves Goergen wrote: > I'm currently testing a rather simple fix: I've added the following > line to Botnet.cf to ignore anything from IPv6 (hope it works): Alternately you can do this by rewriting the BOTNET rule as a metarule (see Botnet.variants.txt) and

Making the Botnet plugin work with IPv6

2010-09-20 Thread Yves Goergen
Hi there, I've been upgrading to IPv6 yesterday and needed to find out that the Botnet plugin causes false positives on every message that comes in from an IPv6 address. The only information that I've found on that was a thread from January 2010 [1] that contains some debug output a

Re: Botnet plugin still relevant?

2010-03-22 Thread Kai Schaetzl
John Hardin wrote on Mon, 22 Mar 2010 10:47:35 -0700 (PDT): > How do you reject mail from a non-static IP without doing a DNSBL lookup > (e.g. Zen)? we are talking about lookups from SA here ;-) And these you can disable if you reject such mail, anyway. Kai -- Get your web at Conactive Inter

Re: Botnet plugin still relevant?

2010-03-22 Thread John Hardin
nowadays. If you combine this with John Hardin's suggestion you don't need the botnet plugin or do RBL lookups for these clients at all (I guess you would need a new plugin for this, though). How do you reject mail from a non-static IP without doing a DNSBL lookup (e.g. Zen)?

Re: Botnet plugin still relevant?

2010-03-22 Thread Kai Schaetzl
h John Hardin's suggestion you don't need the botnet plugin or do RBL lookups for these clients at all (I guess you would need a new plugin for this, though). Kai -- Get your web at Conactive Internet Services: http://www.conactive.com

Re: Botnet plugin still relevant?

2010-03-22 Thread RW
On Mon, 22 Mar 2010 10:51:20 -0400 micah anderson wrote: > Yeah, I've been having problems recently which I think are related to > me using both Zen/PBL along with the Botnet plugin weighted to score > level 5, even if I were to have it lower at 3 it would still be too > much.

Re: Botnet plugin still relevant?

2010-03-22 Thread Joseph Brennan
micah anderson wrote: Yeah, I've been having problems recently which I think are related to me using both Zen/PBL along with the Botnet plugin weighted to score level 5, even if I were to have it lower at 3 it would still be too much. Are you using the PBL appropriately?

Re: Botnet plugin still relevant?

2010-03-22 Thread John Hardin
On Mon, 22 Mar 2010, micah anderson wrote: Many users are complaining and when I finally get some useful messages with headers to analyze I am finding something like the following: X-Spam-Report: * 3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL * [213.6.61.151 l

Re: Botnet plugin still relevant?

2010-03-22 Thread John Rudd
On Mon, Mar 22, 2010 at 07:51, micah anderson wrote: > From a user who has unfortunately been saddled with a dynamic IP that > previously was used by a spammer. No amount of explanation to these > users about this is going to assuage their feelings, and there isn't > really anything that can be d

Re: Botnet plugin still relevant?

2010-03-22 Thread Jari Fredriksson
hings coming >> from that class of hosts, so if you don't use one, I'd definitely >> recommend using the other. > > Yeah, I've been having problems recently which I think are related to me > using both Zen/PBL along with the Botnet plugin weighted to score level >

Re: Botnet plugin still relevant?

2010-03-22 Thread micah anderson
recommend using the other. Yeah, I've been having problems recently which I think are related to me using both Zen/PBL along with the Botnet plugin weighted to score level 5, even if I were to have it lower at 3 it would still be too much. Many users are complaining and when I finally get so

Re: Botnet plugin still relevant?

2010-03-17 Thread RW
On Wed, 17 Mar 2010 17:34:08 -0400 Micah Anderson wrote: > > Hi, > > I've been using the Botnet plugin version 0.8 for some time now, and > the plugin itself has been around since 2003 or so. I'm just curious > to test the waters and see what others think abou

Re: Botnet plugin still relevant?

2010-03-17 Thread John Rudd
nd/or Zen, as to whether or not you need Botnet. But, there are still plenty of things coming from that class of hosts, so if you don't use one, I'd definitely recommend using the other. John Rudd On Wed, Mar 17, 2010 at 14:34, Micah Anderson wrote: > > Hi, > > I've

Botnet plugin still relevant?

2010-03-17 Thread Micah Anderson
Hi, I've been using the Botnet plugin version 0.8 for some time now, and the plugin itself has been around since 2003 or so. I'm just curious to test the waters and see what others think about the relevance in 2010 of this plugin. Does it still contribute in positive ways to y

Re: BOTNET plugin download

2009-06-08 Thread John Rudd
On Mon, Jun 8, 2009 at 16:31, alexus wrote: > whats botnet plugin? It's a SpamAssassin plugin that looks at DNS configurations and attempts to identify hosts that are probably actually clients that are sending email directly to your server, instead of through their own mail server. There

Re: BOTNET plugin download

2009-06-08 Thread alexus
whats botnet plugin? On Mon, Jun 8, 2009 at 7:23 PM, John Rudd wrote: > On Mon, Jun 8, 2009 at 09:55, Jari Fredriksson wrote: >>> The BOTNET plugin isn't covered in the CustomPlugins wiki >>> page. When I Googled it I found this: >>> >>> http://pe

Re: BOTNET plugin download

2009-06-08 Thread John Rudd
On Mon, Jun 8, 2009 at 09:55, Jari Fredriksson wrote: >> The BOTNET plugin isn't covered in the CustomPlugins wiki >> page. When I Googled it I found this: >> >> http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar >> >> but it's a bit old. Is there

Re: BOTNET plugin download

2009-06-08 Thread Jari Fredriksson
> The BOTNET plugin isn't covered in the CustomPlugins wiki > page. When I Googled it I found this: > > http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar > > but it's a bit old. Is there a later version? That's 0.8 which is AFAIK the latest.

BOTNET plugin download

2009-06-08 Thread RW
The BOTNET plugin isn't covered in the CustomPlugins wiki page. When I Googled it I found this: http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar but it's a bit old. Is there a later version?

Re: Botnet plugin

2009-01-18 Thread Benny Pedersen
On Sun, January 18, 2009 19:03, mouss wrote: > This may not be a problem for you, but other people may want to > score if PTR is dynamic (even if helo is not). and reject in mta if both is dynamic :) -- Benny Pedersen Need more webspace ? http://www.servage.net/?coupon=cust37098

Re: Botnet plugin

2009-01-18 Thread mouss
Henrik K wrote: > On Sun, Jan 18, 2009 at 03:45:25PM +0100, mouss wrote: >> Henrik K wrote: >[snip] >>> Less info only if you are running a sad MTA, that doesn't properly resolve. >> not completely true. >> >> $ host 220.174.1.163 >> 163.1.174.220.in-addr.arpa domain name pointer >> 163.1.174

Re: Botnet plugin

2009-01-18 Thread Henrik K
On Sun, Jan 18, 2009 at 03:45:25PM +0100, mouss wrote: > Henrik K wrote: > > On Fri, Jan 16, 2009 at 01:52:46PM +0100, Jonas Eckerman wrote: > >> Benny Pedersen wrote: > >> > >>> i have changed to use BadRelay from > >>> http://sa.hege.li/BadRelay.pm > >>> http://sa.hege.li/BadRelay.cf > >> Afte

Re: Botnet plugin

2009-01-18 Thread mouss
Henrik K wrote: > On Fri, Jan 16, 2009 at 01:52:46PM +0100, Jonas Eckerman wrote: >> Benny Pedersen wrote: >> >>> i have changed to use BadRelay from >>> http://sa.hege.li/BadRelay.pm >>> http://sa.hege.li/BadRelay.cf >> After reading BadRelay.pm I see that it does not really replace Botnet. >>

Re: Botnet plugin

2009-01-16 Thread Jonas Eckerman
Henrik K wrote: Less info only if you are running a sad MTA, that doesn't properly resolve. I guess the SOHO rule is exception, That was what I meant. :-) Check for IP in hostname? Does anyone have actual stats, that it's somehow better than a generic \d+-\d+ regex or whatever? Sometimes it'

Re: Botnet plugin

2009-01-16 Thread Henrik K
On Fri, Jan 16, 2009 at 01:52:46PM +0100, Jonas Eckerman wrote: > Benny Pedersen wrote: > >> i have changed to use BadRelay from > >> http://sa.hege.li/BadRelay.pm >> http://sa.hege.li/BadRelay.cf > > After reading BadRelay.pm I see that it does not really replace Botnet. > > Some of the difference

Re: Botnet plugin

2009-01-16 Thread Jonas Eckerman
Mark Martinec wrote: In a while I'll send a patch to the author. That is noble, but apparently it doesn't have any effect. When Botnet was known as RelayChecker I made a suggestion to the author. That suggestion was incorporated in the code. For some reason I take that as an indicator th

Re: Botnet plugin

2009-01-16 Thread Jonas Eckerman
Benny Pedersen wrote: i have changed to use BadRelay from http://sa.hege.li/BadRelay.pm http://sa.hege.li/BadRelay.cf After reading BadRelay.pm I see that it does not really replace Botnet. Some of the differences in what is checked are due to Botnet doing DNS-lookups while BadRelay avo

Re: Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)

2009-01-15 Thread John Rudd
On Thu, Jan 15, 2009 at 09:06, Mark Martinec wrote: > Jonas, > >> I just found one reason for FPs in the Botnet plugin. It doesn't >> make a difference between timeouts (and other DNS errors) and >> negative answers. So if your DNS server/proxy is overloaded (or

Re: Botnet plugin patch - avoid FPs from DNS timeouts

2009-01-15 Thread John Rudd
I'll incorporate this into the next version. Thanks :-) On Thu, Jan 15, 2009 at 12:47, Jonas Eckerman wrote: > Hello! > > Here's a small patch for the Botnet plugin. > > The difference from the original is that it doesn't treat a timeout or DNS > error the

Botnet plugin patch - avoid FPs from DNS timeouts

2009-01-15 Thread Jonas Eckerman
Hello! Here's a small patch for the Botnet plugin. The difference from the original is that it doesn't treat a timeout or DNS error the same as a not found answer. This should avoid FPs due to overloaded or slow DNS responses. This patch is against a version that has all

Re: Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)

2009-01-15 Thread Benny Pedersen
On Thu, January 15, 2009 18:06, Mark Martinec wrote: > Not to forget the long-standing DNS problem with Botnet: > http://marc.info/?l=spamassassin-users&m=118641079630268 > http://marc.info/?l=spamassassin-users&m=120783518919154 i have changed to use BadRelay from http://sa.hege.li/BadRela

Re: Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)

2009-01-15 Thread Mark Martinec
Jonas, > I just found one reason for FPs in the Botnet plugin. It doesn't > make a difference between timeouts (and other DNS errors) and > negative answers. So if your DNS server/proxy is overloaded (or > slow for some other reason), you'll get FPs > > Since 1

RE: Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)

2009-01-15 Thread RobertH
> > I just found one reason for FPs in the Botnet plugin. It > doesn't make a difference between timeouts (and other DNS > errors) and negative answers. So if your DNS server/proxy is > overloaded (or slow for some other reason), you'll get FPs > > Sinc

Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)

2009-01-15 Thread Jonas Eckerman
Daniel J McDonald wrote: I too found botnet to be a great source of FP. By combining it with p0f it's moderately useful. I just found one reason for FPs in the Botnet plugin. It doesn't make a difference between timeouts (and other DNS errors) and negative answers. So if your

RE: What is current version of Botnet plugin?

2008-08-05 Thread Martin.Hepworth
> To: users@spamassassin.apache.org > Subject: What is current version of Botnet plugin? > > I've found Botnet 0.6 and references to Botnet 0.8(ebuild). > What's the preferred version for this plugin? > **

What is current version of Botnet plugin?

2008-08-04 Thread Steven Stern
I've found Botnet 0.6 and references to Botnet 0.8(ebuild). What's the preferred version for this plugin?

Botnet plugin?

2008-04-08 Thread Yves Goergen
Hi, what's the current status of the Botnet plugin for SpamAssassin? I used it in my old SA 3.1.8 and think it was doing a good job. I heard that it should be part of SA now, but I couldn't find it by grepping the default rule files. Nor did I find it at SARE or elsewhere on the

Re: Botnet Plugin

2007-06-10 Thread Claude Frantz
John Rudd wrote: In my opinion, the Botnet plugin should recognize that as botnet, but I could be wrong. Botnet is looking for hosts whose DNS looks like a dynamic or dial-up customer. So, if the host has no reverse DNS, the reverse DNS doesn't match forward DNS, or the forwar

Re: Botnet Plugin

2007-06-08 Thread John Rudd
look it up in the docs. I don't remember off the top of my head what the exact name and location of the perl hash is. Claude Frantz wrote: The Botnet Plugin is not able to recognize the following sequence: In my opinion, the Botnet plugin should recognize that as botnet, but I cou

Re: Botnet Plugin

2007-06-08 Thread arni
Daniel J McDonald wrote: On Fri, 2007-06-08 at 14:53 +0200, arni wrote: Can you tell me what you think i'm doing wrong? [EMAIL PROTECTED] Desktop]$ host 87.118.96.151 151.96.118.87.in-addr.arpa domain name pointer ns.rds27912.i4e-server.de. [EMAIL PROTECTED] Desktop]$ host ns.rds27912

Re: Botnet Plugin

2007-06-08 Thread Jim Knuth
Today (08.06.2007/14:34) arni wrote, > Where do i find this botnet plugin? > arni http://people.ucsc.edu/~jrudd/spamassassin/ -- Kind regards, Jim Knuth [EMAIL PROTECTED] ICQ #277289867 -- Random quote -- Schwerere als Luft? Flugmaschine

Re: Botnet Plugin

2007-06-08 Thread arni
Claude Frantz wrote: Hi. This is the qmail-send program at rds27912.i4e-server.de. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out. <[EMAIL PROTECTED]>: 137.193.10.37 does not like recipient. Remote

Re: Botnet Plugin

2007-06-08 Thread arni
Where do i find this botnet plugin? arni

Re: Botnet Plugin

2007-06-07 Thread Claude Frantz
; [21114] dbg: Botnet: RDNS is 'ludwik.warynski.net' However, one thing to recognize is that botnet does not parse the Received headers themselves. SpamAssassin does, and puts them into pseudoheaders. Those pseudoheaders are what botnet processes. What exactly contain the pseu

Re: Botnet Plugin

2007-06-06 Thread John Rudd
Botnet Plugin is not able to recognize the following sequence: Received: from ludwik.warynski.net (ludwik.warynski.net [195.82.166.1]) by BlueSrv.rz.unibw-muenchen.de (8.12.11.20060308/8.12.11) with ESMTP id l55L66tA013532 for <[EMAIL PROTECTED]>; Tue, 5 Jun 2007 23:06:07

Re: Botnet Plugin

2007-06-06 Thread John Rudd
In what way is botnet not properly processing the headers in question? Claude Frantz wrote: Claude Frantz wrote: The Botnet Plugin is not able to recognize the following sequence: Another case: Received: from OrangeSrv.rz.unibw-muenchen.de ([127.0.0.1]) by localhost (OrangeSrv.rz.unibw

Re: Botnet Plugin

2007-06-05 Thread Claude Frantz
Claude Frantz wrote: The Botnet Plugin is not able to recognize the following sequence: Another case: Received: from OrangeSrv.rz.unibw-muenchen.de ([127.0.0.1]) by localhost (OrangeSrv.rz.unibw-muenchen.de [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 12512-05 for <[EM

Botnet Plugin

2007-06-05 Thread Claude Frantz
The Botnet Plugin is not able to recognize the following sequence: Received: from ludwik.warynski.net (ludwik.warynski.net [195.82.166.1]) by BlueSrv.rz.unibw-muenchen.de (8.12.11.20060308/8.12.11) with ESMTP id l55L66tA013532 for <[EMAIL PROTECTED]>; Tue, 5 Jun 2007 23

Re: Botnet Plugin Download Link?

2007-05-11 Thread Matthias Haegele
Kevin W. Gagel wrote: Matthias, Worked fine for me. Try it again if it still doesn't work for you - I've uploaded a copy to my public share at: http://mail.cnc.bc.ca/users/gagel/Botnet.tar Thx a lot. It was a temporary problem, it is good to have an alternative download location. I'll k

Re: Botnet Plugin Download Link?

2007-05-11 Thread Kevin W. Gagel
> To: SpamAssassin Subject: Botnet Plugin Download Link? Date: Fri, 11 May 2007 09:59:11 +0200 >Hello! > >http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar > >link seems to be dead, since John Rudd is not listed at people, the link >perhaps moved? > >Any tips? > >

Re: Botnet Plugin Download Link?

2007-05-11 Thread John Rudd
Matthias Haegele wrote: Hello! http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar link seems to be dead, since John Rudd is not listed at people, the link perhaps moved? Any tips? That's still the right/current URL. Just looks like people.ucsc.edu might be down right now.

Botnet Plugin Download Link?

2007-05-11 Thread Matthias Haegele
Hello! http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar link seems to be dead, since John Rudd is not listed at people, the link perhaps moved? Any tips? -- Grüsse/Greetings MH Don't send mail to: [EMAIL PROTECTED] --

Re: Botnet plugin

2007-01-25 Thread Matthias Fuhrmann
On Thu, 25 Jan 2007, Jason Little wrote: > > I was wondering about the maturity of the botnet plugin and where I can get > my hands on it again. I used an early version of it for a while but I > removed it because we didn't really need it and now it seems I need it again > w

Botnet plugin

2007-01-25 Thread Jason Little
I was wondering about the maturity of the botnet plugin and where I can get my hands on it again. I used an early version of it for a while but I removed it because we didn't really need it and now it seems I need it again with all the spammers finding a way to slip a 3.7 score by spamass

Next Botnet plugin soon

2006-12-07 Thread John Rudd
I'm going to release 0.6 on Thursday or Friday. It will only have the following changes: 1) a typo in the .txt file. 2) I figured out how to get the long package name ( Mail::SpamAssassin::Plugin::Botnet ) to work. 3) A coworker found a genuine bug in the IP-in-Hostname check (it would

Re: new Botnet plugin version soon

2006-12-02 Thread John Rudd
Rosenbaum, Larry M. wrote: From: Dennis Davis [mailto:[EMAIL PROTECTED] ... Question 2: someone asked why my module is "Botnet" instead of "Mail::SpamAssassin::Plugin::Botnet". The answer is: when I first started this (and this is/was my first SA Plugin authoring attempt), I tried that and it

Re: new Botnet plugin version soon

2006-12-01 Thread Jonas Eckerman
John Rudd wrote: > Question 2: someone asked why my module is "Botnet" instead of > "Mail::SpamAssassin::Plugin::Botnet". The answer is: when I first > started this (and this is/was my first SA Plugin authoring attempt), I > tried that and it didn't work. I just tested this, and it works perfe

RE: new Botnet plugin version soon

2006-11-30 Thread Rosenbaum, Larry M.
> From: Dennis Davis [mailto:[EMAIL PROTECTED] > ... > > > Question 2: someone asked why my module is "Botnet" instead of > > "Mail::SpamAssassin::Plugin::Botnet". The answer is: when I > > first started this (and this is/was my first SA Plugin authoring > > attempt), I tried that and it didn't w

Re: new Botnet plugin version soon

2006-11-30 Thread Rob Mangiafico
On Thu, 30 Nov 2006, Jonas Eckerman wrote: > John Rudd wrote: > > > Question 1: Someone suggested that, for botnet_pass_domains, I not > > re-invent the wheel. SA already has several whitelist options > > (whitelist* and sare_whitelist* were specifically mentioned). They > > suggested that I

Re: new Botnet plugin version soon

2006-11-30 Thread Bill Landry
John Rudd wrote the following on 11/30/2006 9:26 AM -0800: Jonas Eckerman wrote: John Rudd wrote: Question 2: someone asked why my module is "Botnet" instead of "Mail::SpamAssassin::Plugin::Botnet". The answer is: when I first started this (and this is/was my first SA Plugin authoring attempt

Re: new Botnet plugin version soon

2006-11-30 Thread John Rudd
Jonas Eckerman wrote: John Rudd wrote: Question 2: someone asked why my module is "Botnet" instead of "Mail::SpamAssassin::Plugin::Botnet". The answer is: when I first started this (and this is/was my first SA Plugin authoring attempt), I tried that and it didn't work. That's odd. What erro

Re: new Botnet plugin version soon

2006-11-30 Thread Jonas Eckerman
question is: Personally, I prefer to have a plugin be able to function independently from other addons (such as sare whitelists). (I don't use ordinary whitelist commands in SA (when I whitelist something, I do it so that the filter will not call SA at all).) Does the Botnet plugin really nee

Re: new Botnet plugin version soon

2006-11-30 Thread Jonas Eckerman
John Rudd wrote: > Question 2: someone asked why my module is "Botnet" instead of > "Mail::SpamAssassin::Plugin::Botnet". The answer is: when I first > started this (and this is/was my first SA Plugin authoring attempt), I > tried that and it didn't work. That's odd. What errors did you get?

RE: new Botnet plugin version soon

2006-11-30 Thread Bret Miller
> Question 2: someone asked why my module is "Botnet" instead of > "Mail::SpamAssassin::Plugin::Botnet". The answer is: when I first > started this (and this is/was my first SA Plugin authoring > attempt), I > tried that and it didn't work. If someone wants to look at it, and > figure out how to

Re: new Botnet plugin version soon

2006-11-30 Thread Dennis Davis
On Thu, 30 Nov 2006, John Rudd wrote: > From: John Rudd <[EMAIL PROTECTED]> > To: users@spamassassin.apache.org, > CommuniGate Pro Discussions <[EMAIL PROTECTED]>, > MailScanner discussion <[EMAIL PROTECTED]> > Date: Thu, 30 Nov 2006 04:06:55 -0800 >

Re: new Botnet plugin version soon

2006-11-30 Thread Mark Martinec
John, > a) do any of them have a small enough value that they wouldn't counter > botnet's default score of 5? Meaning, if I "do nothing" with respect to > those other whitelist mechanisms, they'll still "do the right thing" and > let the botnet hosts through, right? Not by default, although I se

RE: new Botnet plugin version soon

2006-11-30 Thread Rob McEwen
Suggestion: Rename your plugin to "AntiBotnet" (or something like that) Otherwise, I could see someone getting the "good guys" and "bad guys" mixed up when reading or hearing about this! Rob McEwen

new Botnet plugin version soon

2006-11-30 Thread John Rudd
Things I'm putting into the new Botnet version (which will be 0.5): 1) someone noticed that some MTA's (specifically CommuniGate Pro) don't put the relay's RDNS into the Received headers, and thus Botnet 0.4 always triggered "NORDNS" when run on that MTA. In the new version, if Botnet finds