Rick Macdougall wrote:
John Rudd wrote:
I've written a plugin for Spam Assassin that does the relay checks I
used to do in MimeDefang. The purpose of these checks is to try to
identify those messages that are likely to be coming directly (with no
intermediary mail server) from a zombie-bot, and are thus likely to be
spam (or maybe virus) content. It does this by looking at
characteristics of how ISPs and large networks tend to lay out the
hostnames of their dynamic hosts and end clients. This includes:
1) no RDNS for the machines that aren't intended to talk to the
outside world
2) RDNS that doesn't lead back to a valid A record
3) RDNS that is forged (leads to an A record which doesn't resolve
back to the IP you started with)
4) Contains the host's IP address within the hostname
5) Contains standard keywords within the hostname (but not in the TLD
nor registered domain name), such as "dhcp", "dialup", "dial-up",
"dsl", etc.
From this, a score of 5 or 6 is generated (it's really 4+ number of
checks failed, but several of the checks are mutually exclusive).
This should be enough to flag the message for review/quarantine, but
not enough to automatically delete or reject the message (because none
of you are doing that at a score of 5 or 6, right? right.). Thus, a
false positive will merely result in a quarantine situation.
In my own results, I have seen this to be HIGHLY accurate. I have yet
to get a false positive ... but it has caught several types of spam
that other methods simply haven't been able to catch (or require
significant processing, such as OCR, to catch).
The two files you need (put them in /etc/mail/spamassassin ... or
wherever you want to put your plugins) are:
http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.cf
http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.pm
some notes:
1) I don't use Net::DNS for my checks, I use the built in perl get*
calls. Mostly because I haven't looked at Net::DNS yet. If someone
wanted to submit that code change to me, I'd gladly look at it. I'll
get to it eventually on my own, though (might as well; SA already uses
Net::DNS, right?).
2) This sort of replaces the other set of rules I created, that did
this with metarules instead of a plugin. This made some of the checks
less useful. You probably don't need to use both methods.
3) For those who object to SA checks that aren't purely about message
content, you won't like this plugin. It's about trying to remove a
class of sender (spambots, and mis-configured clients that aren't
using their own domain's mail server for outbound traffic), where that
class of sender is OVERWHELMINGLY likely to be generating spam. Just
like open relays are overwhelmingly likely to be generating spam. My
hope is that it may eliminate, or severely reduce, the spambot
problem: this is a feature of the sending machine that the spammer and
bot-master have _NO_ control over, so they can't adjust their content
nor behaviors to adapt to it. They would simply have to give up using
systems whose DNS configuration match these tests.
So, if people could take a look at it, test it, see if it does what it
advertises, and see if it's as accurate as my experience indicates, I
would appreciate getting feedback. If it pans out, I'll see about
putting it in a tar ball, and submitting it to the wiki's list of
plugins.
Hi,
Right off the bat I've disabled it. It, of course, hits on all mail my
local users send. That's not really acceptable in an ISP situation so
I've turned it off until tomorrow when I have the time to look at the
code and see if I can disable the check for specific IPs or host names.
I can say it was hitting on a lot of spam that was passing through as
clean before, so there is quite a bit of merit to the idea. It would
just need the ability to ignore local clients.
Are those users on your trusted network? It should only be looking at
your first untrusted relay.
Though, if they're authenticated, I wouldn't mind trying to figure out
how to extract that from the information, and exempt those.
I could easily add a list of exemptions though.
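The five relay checks described in the original post, with the exemption list for local clients that the replies ask for, as an added example in Python; it is not John Rudd's RelayChecker.pm. The PTR/A tables, the keyword additions, the "registered domain is the last two labels" rule and the 4-plus-failed-checks scoring are assumptions made for the example.

```python
import ipaddress
import re
from typing import Dict, List, Sequence, Tuple

# Constructed DNS tables standing in for live PTR/A lookups, so the example runs offline.
# (The plugin itself uses perl's built-in get* resolver calls.)
PTR: Dict[str, str] = {
    "192.0.2.10": "dsl-192-0-2-10.example.net",   # dynamic-looking name, A record matches
    "192.0.2.20": "mail.example.org",             # rDNS name whose A record is a different IP
    "192.0.2.30": "host.example.com",             # rDNS name with no A record at all
    "192.0.2.50": "smtp.example.com",             # well-formed: PTR and A agree
}
A: Dict[str, List[str]] = {
    "dsl-192-0-2-10.example.net": ["192.0.2.10"],
    "mail.example.org": ["198.51.100.7"],
    "smtp.example.com": ["192.0.2.50"],
}
# Keywords named in the post plus two assumed additions ("cable", "ppp").
KEYWORDS = ("dhcp", "dialup", "dial-up", "dsl", "cable", "ppp")


def _is_sublist(seq: Sequence[str], sub: Sequence[str]) -> bool:
    """True if `sub` occurs contiguously inside `seq`."""
    return any(list(seq[i:i + len(sub)]) == list(sub) for i in range(len(seq) - len(sub) + 1))


def relay_checks(ip: str, exempt: Sequence[str] = ()) -> Tuple[int, List[str]]:
    """Return (score, failed_checks) for the first untrusted relay at `ip`."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(net) for net in exempt):
        return 0, ["exempt"]              # local clients / trusted nets: skip everything
    hits: List[str] = []
    name = PTR.get(ip)
    if name is None:
        hits.append("no_rdns")            # check 1
    else:
        forward = A.get(name)
        if forward is None:
            hits.append("rdns_no_a")      # check 2
        elif ip not in forward:
            hits.append("rdns_forged")    # check 3: PTR -> A does not round-trip
        labels = name.lower().split(".")
        host_part = ".".join(labels[:-2]) # assumption: registered domain = last two labels
        octets = ip.split(".")
        numbers = re.findall(r"\d+", host_part)
        if _is_sublist(numbers, octets) or _is_sublist(numbers, octets[::-1]):
            hits.append("ip_in_name")     # check 4: octets embedded in the host labels
        if any(kw in host_part for kw in KEYWORDS):
            hits.append("keyword")        # check 5: keyword in host labels only
    return (4 + len(hits), hits) if hits else (0, hits)
```

Checks 1 to 3 are mutually exclusive by construction, so a hostname can score at most 4 + 3, which matches the 5-or-6 range the post describes for typical hits.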