-----Original Message-----
From: John Rudd [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 30, 2006 6:23 PM
To: SpamAssassin Users
Subject: Relay Checker Plugin (code review please?)


I've written a plugin for Spam Assassin that does the relay checks I 
used to do in MimeDefang.  The purpose of these checks is to try to 
identify those messages that are likely to be coming directly (with no 
intermediary mail server) from a zombie-bot, and are thus likely to be 
spam (or maybe virus) content.  It does this by looking at 
characteristics of how ISPs and large networks tend to layout the 
hostnames of their dynamic hosts and end clients.  This includes:

1) no RDNS for the machines that aren't intended to talk to the outside 
world

2) RDNS that doesn't lead back to a valid A record

3) RDNS that is forged (leads to an A record which doesn't resolve back 
to the IP you started with)

4) Contains the host's IP address within the hostname

5) Contains standard key words within the hostname (but not in the TLD 
nor registered domain name), such as "dhcp", "dialup", "dial-up", "dsl", 
etc.


From this, a score of 5 or 6 is generated (it's really 4+ number of 
checks failed, but several of the checks are mutually exclusive).  This 
should be enough to flag the message for review/quarantine, but not 
enough to automatically delete or reject the message (because none of 
you are doing that at a score of 5 or 6, right? right.).  Thus, a false 
positive will merely result in a quarantine situation.

In my own results, I have seen this to be HIGHLY accurate.  I have yet 
to get a false positive ... but it has caught several types of spam that 
other methods simply haven't been able to catch (or require significant 
processing, such as OCR, to catch).

The two files you need (put them in /etc/mail/spamassassin ... or 
wherever you want to put your plugins) are:

http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.cf
http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.pm


some notes:

1) I don't use Net::DNS for my checks, I use the built in perl get* 
calls. Mostly because I haven't looked at Net::DNS yet.  If someone 
wanted to submit that code change to me, I'd gladly look at it.  I'll 
get to it eventually on my own, though (might as well; SA already uses 
Net::DNS, right?).

2) This sort of replaces the other set of rules I created, that did this 
with metarules instead of a plugin.  This made some of the checks less 
useful.  You probably don't need to use both methods.

3) for those who object to SA checks that aren't purely about message 
content, you won't like this plugin.  It's about trying to remove a class 
of sender (spambots, and mis-configured clients that aren't using their 
own domain's mail server for outbound traffic), where that class of 
sender is OVERWHELMINGLY likely to be generating spam.  Just like open 
relays are overwhelmingly likely to be generating spam.  My hope is that 
it may eliminate, or severely reduce, the spambot problem: this is a 
feature of the sending machine that the spammer and bot-master have _NO_ 
control over, so they can't adjust their content nor behaviors to adapt 
to it.  They would simply have to give up using systems whose DNS 
configuration match these tests.


So, if people could take a look at it, test it, see if it does what it 
advertises, and see if it's as accurate as my experience indicates, I 
would appreciate getting feedback.  If it pans out, I'll see about 
putting it in a tar ball, and submitting it to the wiki's list of
plugins.


John
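To make the five relay checks John lists above concrete, here is an added example (not code from John's RelayChecker plugin, which is Perl and queries live DNS). It resolves against a small constructed in-memory PTR/A table so it runs offline, and it treats the checks as the message describes them: no rDNS, rDNS with no A record, forged rDNS (A record pointing elsewhere), the host's IP embedded in the hostname, and dynamic-pool keywords in the host part of the name but not in the registered domain. The rule names, the keyword list, the "registered domain = last two labels" rule and the scoring of 4 + failed checks (0 when nothing fails) are assumptions made for this example, not the plugin's actual identifiers.

```python
import ipaddress

# Constructed in-memory DNS table standing in for real PTR and A lookups
# (assumption: the real plugin resolves live; this lets the example run offline).
PTR = {
    "192.0.2.10": "mail.example.org",               # clean: PTR -> A -> same IP
    "192.0.2.20": "ghost.example.net",              # check 2: PTR with no A record
    "192.0.2.30": "mail.example.org",               # check 3: forged, A points elsewhere
    "192.0.2.40": "192-0-2-40.dyn.example.com",     # check 4: IP embedded in name
    "192.0.2.50": "host50.dhcp.example.com",        # check 5: keyword in host part
    "192.0.2.60": None,                             # check 1: no PTR at all
    "192.0.2.70": "192-0-2-70.dhcp.example.com",    # checks 4 and 5 together
    "192.0.2.80": "mail.dsl-provider.com",          # keyword only in registered domain
}
A = {
    "mail.example.org": "192.0.2.10",
    "192-0-2-40.dyn.example.com": "192.0.2.40",
    "host50.dhcp.example.com": "192.0.2.50",
    "192-0-2-70.dhcp.example.com": "192.0.2.70",
    "mail.dsl-provider.com": "192.0.2.80",
}

# Illustrative keyword list taken from the message; a deployment would extend it.
KEYWORDS = ("dhcp", "dialup", "dial-up", "dsl")
BASE_SCORE = 4  # assumption: "4 + number of checks failed" as the message states


def ip_in_hostname(ip, name):
    """Check 4: does the hostname embed the IP in dotted or dashed form
    (forward or reversed octet order)? Assumed spellings; others exist."""
    octets = ip.split(".")
    forms = {
        ".".join(octets), "-".join(octets),
        ".".join(reversed(octets)), "-".join(reversed(octets)),
    }
    lowered = name.lower()
    return any(form in lowered for form in forms)


def keyword_in_hostname(name):
    """Check 5: keyword present in the host part only. Assumption: the
    registered domain is the last two labels, so those are excluded."""
    labels = name.lower().split(".")
    host_part = labels[:-2]
    return any(kw in label for label in host_part for kw in KEYWORDS)


def relay_checks(ip):
    """Return the names of the relay checks the connecting IP fails.
    Checks 2 and 3 are mutually exclusive; check 1 excludes all the others
    because there is no hostname left to examine."""
    ipaddress.ip_address(ip)  # raises ValueError on malformed input
    failed = []
    name = PTR.get(ip)
    if not name:
        return ["no_rdns"]                  # check 1
    addr = A.get(name)
    if addr is None:
        failed.append("rdns_no_a")          # check 2
    elif addr != ip:
        failed.append("rdns_forged")        # check 3
    if ip_in_hostname(ip, name):
        failed.append("ip_in_hostname")     # check 4
    if keyword_in_hostname(name):
        failed.append("dynamic_keyword")    # check 5
    return failed


def relay_score(ip):
    """Score contribution: 0 if clean, else BASE_SCORE + number of failed checks."""
    failed = relay_checks(ip)
    return BASE_SCORE + len(failed) if failed else 0


if __name__ == "__main__":
    for ip in sorted(PTR):
        print(ip, PTR.get(ip) or "(no PTR)", relay_checks(ip), relay_score(ip))
```

The "mail.dsl-provider.com" entry is the edge case the message calls out: "dsl" appears only in the registered domain, so a provider whose brand contains a keyword is not flagged. In a SpamAssassin deployment the score itself lives in the .cf file rather than in the plugin, so lowering BASE_SCORE here corresponds to editing the rule's score line there.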



How would one adjust the score down for testing purposes?

Dylan
