Federico Giannici wrote:
John Rudd wrote:
Federico Giannici wrote:
I installed Botnet 0.6 with SA 3.1.7.

It seems that it sees botnets where there aren't.
Here is an example:

X-Spam-Status: No, score=5 required=8 tests=BAYES_00,BOTNET,BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL
Received: from galadriel.neomedia.it (galadriel.neomedia.it [195.103.207.9])
       by arwen.neomedia.it (8.13.7/8.13.7) with ESMTP id kBE8jqVf015060
       for <[EMAIL PROTECTED]>; Thu, 14 Dec 2006 09:45:55 +0100 (CET)
Received: from Giuseppe (host189-198-static.104-80-b.business.telecomitalia.it [80.104.198.189])
       by galadriel.neomedia.it (8.13.7/8.13.7) with SMTP id kBE8jp10017336
       for <[EMAIL PROTECTED]>; Thu, 14 Dec 2006 09:45:51 +0100 (CET)


Maybe it looked at the second Received?


Is the first received a trusted IP addr?

Yes, it is.


Right now, Botnet doesn't look at the Trusted relays at all. It only looks at the untrusted relays. That's why it looked at the 2nd Received line instead of the 1st one.

I'm considering a feature for the next Botnet version that is as follows:

botnet_pass_trusted  (any|public|private|none)

with the following meanings:

any) if there are _any_ Trusted relays, pass the message
public) if any of the Trusted relays are public IPs, pass it
private) if any of the Trusted relays are private IPs, pass it
none) as now, don't even look at the Trusted relays, pass it

"Private IPs" means the following IP address blocks:
   127. 10. 172.(16-31). or 192.168.

"Public IPs" means: any IP addresses that aren't private.

And "pass the message" means "don't trigger any of botnet's tests".

The configuration value will default to "public".

(note: I don't know what SA does if the 5th or 6th relay down is a private/localhost relay ... because that's probably not "local", but a private relay that someone else used ... but, does SA list them in the trusted relays if you had just happened to list 127. in your trusted networks? That's why I'm differentiating between "any" and "public" ... I included "private" just for completeness, I don't expect anyone is actually going to want to use it)

(why would you want to set it to "none"? in case your scanning host isn't your front line host, such as if you have MX hosts you don't control, but do "trust", you want Botnet to look past them when figuring out if this message came from a spambot. That's partially why I coded Botnet the way I did, but I've been considering that in most cases, you really want to know if the _immediate_ relay was a spambot, and if it came through a trusted relay, with a public IP address, anywhere along the line, then the immediate relay probably wasn't a spambot)
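The botnet_pass_trusted decision John proposes above, worked through on the two Received headers from Federico's example. This is an added illustration in Python, not the Botnet plugin's own Perl code, and it does not attempt to reproduce SpamAssassin's real trusted/internal relay analysis: the trusted boundary here is a simplified walk from the most recent relay down, and the trusted network 195.103.207.0/24 is an assumption standing in for whatever Federico's trusted_networks actually contains. The "private" blocks are the four listed in the message (127., 10., 172.16-31, 192.168.), not a full RFC 1918 table.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# The four "private" blocks exactly as the proposal lists them:
# 127.  10.  172.(16-31).  192.168.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Matches the bracketed source address in a Received header, e.g. "[195.103.207.9]".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_private(ip: str) -> bool:
    """'Private IP' in the sense of the proposal: inside one of PRIVATE_BLOCKS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in PRIVATE_BLOCKS)


def relay_ips(received_headers: Iterable[str]) -> List[str]:
    """Pull the connecting IP out of each Received header, most recent relay first."""
    ips = []
    for header in received_headers:
        match = RECEIVED_IP.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def split_trusted(ips: List[str], trusted_networks: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Simplified trusted boundary (assumption, not SA's real algorithm):
    walk from the newest relay down; relays are trusted until the first one
    whose IP is outside trusted_networks, and everything after that is untrusted."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted, untrusted = [], []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if not untrusted and any(addr in n for n in nets):
            trusted.append(ip)
        else:
            untrusted.append(ip)
    return trusted, untrusted


def should_pass(mode: str, trusted_relays: Iterable[str]) -> bool:
    """True means 'pass the message': skip all of Botnet's tests.
    Modes follow the proposal: any | public | private | none."""
    relays = list(trusted_relays)
    if mode == "none":
        return False                      # ignore trusted relays entirely, as Botnet 0.6 does
    if mode == "any":
        return bool(relays)               # any trusted relay at all is enough
    if mode == "public":
        return any(not is_private(r) for r in relays)
    if mode == "private":
        return any(is_private(r) for r in relays)
    raise ValueError(f"unknown botnet_pass_trusted value: {mode!r}")


def decide(mode: str, received_headers: Iterable[str], trusted_networks: Iterable[str]) -> bool:
    """End-to-end: headers -> relay IPs -> trusted/untrusted split -> pass decision."""
    trusted, _untrusted = split_trusted(relay_ips(received_headers), trusted_networks)
    return should_pass(mode, trusted)


# The two Received headers from the thread, most recent first.
EXAMPLE_HEADERS = [
    "from galadriel.neomedia.it (galadriel.neomedia.it [195.103.207.9]) "
    "by arwen.neomedia.it (8.13.7/8.13.7) with ESMTP id kBE8jqVf015060",
    "from Giuseppe (host189-198-static.104-80-b.business.telecomitalia.it [80.104.198.189]) "
    "by galadriel.neomedia.it (8.13.7/8.13.7) with SMTP id kBE8jp10017336",
]

# Assumed trusted_networks value covering galadriel; not taken from the thread.
EXAMPLE_TRUSTED_NETWORKS = ["195.103.207.0/24"]


if __name__ == "__main__":
    trusted, untrusted = split_trusted(relay_ips(EXAMPLE_HEADERS), EXAMPLE_TRUSTED_NETWORKS)
    print("trusted relays:  ", trusted)
    print("untrusted relays:", untrusted)
    for mode in ("none", "any", "public", "private"):
        print(f"botnet_pass_trusted {mode:8s} -> pass={decide(mode, EXAMPLE_HEADERS, EXAMPLE_TRUSTED_NETWORKS)}")
```

With the proposed default of "public", galadriel's public 195.103.207.9 in the trusted list is enough to pass the message, so none of the BOTNET rules would fire on the telecomitalia host; with "none" the decision falls through to the untrusted relay exactly as in Federico's report.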

