John Rudd wrote:

New things:


1) BOTNET_SOHO -- If the sender's (chosen from Envelope-From, Return-Path, or From, in that order) mail domain (the part after the @ sign) resolves back to the relay's IP address, or has an MX host which resolves back to the IP address, AND the sender's mail domain does NOT match the PTR record for the relay, then we'll assume this is a "small office/home office" mail server. We'll exempt them from BOTNET being triggered. (note: someone suggested that this check also try to resolve the HELO string, I make a note in my code as to why this is an extremely bad idea, and have a commented out block of code there for anyone who wants to go down that path ... but, really, don't)


2) Botnet API -- want to include the Botnet.pm module in other Perl code? Maybe call "check_botnet" from mimedefang-filter so you can block before a message gets to SpamAssassin? I've made an API for it. The routines that SA calls use this API, so it's the _exact_same_ code. There's now an included perl program "Botnet.pl" which takes an IP address CLI argument, and an optional main-domain CLI argument. It will tell you which rules do and don't get triggered. It also serves as an example of using the API. (you will still need to have SpamAssassin installed in order to use Botnet.pm in this fashion, even if you're using the API in a program that doesn't call SA)


3) BOTNET_CLIENT and BOTNET are now actual rules instead of meta rules. The individual rules are still there, just with zeroed scores. You can now easily pick between 1 big rule (BOTNET doing eval:botnet()), meta rules (detailed in the file Botnet.variations.txt), or piecemeal calling of the individual checks (also detailed in Botnet.variations.txt).


4) config option: botnet_pass_trusted (all|public|private|ignore)
This defaults to "public". If you have any public IP addresses in your relays-trusted list, then Botnet won't trigger. Private means "any private IP addresses", where that includes 127.*, 10.*, etc. All means either of those two. Ignore means "do what Botnet used to do: not even look at the trusted relays, just look past them". The idea is: if you got this from a trusted relay, we can assume it wasn't a Botnet.


5) botnet_pass_auth now looks at the trusted relays. It probably should have been doing that all along. It no longer looks at the untrusted relays.


6) Rules that get triggered now use $permsgstatus->test_log to record information. The individual rules just list "[rulename,ip=$ip,hostname=$host,maildomain=$domain]" or an appropriate subset of that based on which rule it is. BOTNET_CLIENT and BOTNET also include a list of sub-rule names that were triggered. So, you might see this:

[botnet,ip=1.2.3.4,host=dsl-1-2-3-4.isp.net,domain=spammer.com,baddns,ipinhostname,clientwords,client]

or

[botnet_nordns,ip=2.3.4.5]

or

[botnet_soho,ip=3.4.5.6,hostname=3.4.5.6.isp.net,maildomain=non-spammer-soho.org]

(once I'm more comfortable with the output, I'll probably take out the leading rule name, but for now, I'm keeping it there)


7) shawcable.net and ocn.ne.jp seem to also be botnet sources, but their hostnames don't fit any of my other patterns. Luckily, they DO fit some pattern, and it's simple enough to not need a code based rule, just a conventional regular-expression based rule. I've created BOTNET_SHAWCABLE and BOTNET_OCNNEJP rules to cover these two.


8) The file Botnet.variations.txt exists now with different suggested alternative ways to do Botnet rules.


9) Botnet.credits.txt exists, but is far from complete.


I think that's everything...


Just need another day or two of testing before I release it.
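As an added illustration of the logic described above (this is not the Botnet.pm plugin's own code, which is Perl; it is a Python sketch with an in-memory stand-in for DNS so it runs offline), the following covers the BOTNET_SOHO decision from item 1, the botnet_pass_trusted classification from item 4 and the test_log string format from item 6. All hostnames, IP addresses, DNS tables and function names here are constructed for the example; the HELO string is deliberately not consulted, matching the author's note.

```python
import ipaddress
import re

# Constructed, offline DNS tables (assumed data, not real hosts).
FAKE_A = {
    "non-spammer-soho.org": ["3.4.5.6"],
    "mail.smallbiz.example": ["5.6.7.8"],
    "spammer.com": ["9.9.9.9"],
}
FAKE_MX = {
    "smallbiz.example": ["mail.smallbiz.example"],
}
FAKE_PTR = {
    "3.4.5.6": "3.4.5.6.isp.net",
    "5.6.7.8": "dsl-5-6-7-8.isp.net",
    "6.6.6.6": "mail.smallbiz.example",
    "1.2.3.4": "dsl-1-2-3-4.isp.net",
}


class DictResolver:
    """Stand-in for real A/MX/PTR lookups so the example runs offline."""

    def __init__(self, a, mx, ptr):
        self.a_records, self.mx_records, self.ptr_records = a, mx, ptr

    def a(self, name):
        return self.a_records.get(name.lower().rstrip("."), [])

    def mx(self, name):
        return self.mx_records.get(name.lower().rstrip("."), [])

    def ptr(self, ip):
        return self.ptr_records.get(ip)


RESOLVER = DictResolver(FAKE_A, FAKE_MX, FAKE_PTR)


def sender_domain(headers):
    """Mail domain (part after '@') from Envelope-From, Return-Path or From, in that order."""
    for name in ("Envelope-From", "Return-Path", "From"):
        value = headers.get(name)
        if not value:
            continue
        m = re.search(r"@([A-Za-z0-9.-]+)", value)
        if m:
            return m.group(1).lower().rstrip(".")
    return None


def domain_matches_ptr(domain, ptr):
    """True when the relay's PTR name is the mail domain itself or a host under it."""
    if not ptr:
        return False
    ptr = ptr.lower().rstrip(".")
    return ptr == domain or ptr.endswith("." + domain)


def botnet_soho(relay_ip, headers, resolver=RESOLVER):
    """BOTNET_SOHO: (mail domain, or one of its MX hosts, resolves to relay_ip)
    AND the mail domain does not match the relay's PTR.
    Returns (hit, test_log-style string). HELO is intentionally ignored."""
    domain = sender_domain(headers)
    if not domain:
        return False, ""
    ptr = resolver.ptr(relay_ip)
    if domain_matches_ptr(domain, ptr):
        return False, ""  # PTR already agrees with the domain; not the SOHO case
    for name in [domain] + resolver.mx(domain):
        if relay_ip in resolver.a(name):
            log = f"[botnet_soho,ip={relay_ip},hostname={ptr or ''},maildomain={domain}]"
            return True, log
    return False, ""


def trusted_relay_pass(trusted_relays, mode="public"):
    """botnet_pass_trusted (all|public|private|ignore): True means "skip Botnet,
    the message came through a trusted relay of the configured kind"."""
    if mode == "ignore":
        return False
    if mode not in ("all", "public", "private"):
        raise ValueError(f"bad botnet_pass_trusted value: {mode}")
    for ip in trusted_relays:
        # ipaddress.is_private covers 127.*, 10.*, 172.16/12, 192.168/16 and friends
        private = ipaddress.ip_address(ip).is_private
        if private and mode in ("all", "private"):
            return True
        if not private and mode in ("all", "public"):
            return True
    return False


if __name__ == "__main__":
    print(botnet_soho("3.4.5.6", {"Envelope-From": "bob@non-spammer-soho.org"}))
    print(botnet_soho("5.6.7.8", {"From": "Alice <alice@smallbiz.example>"}))
    print(trusted_relay_pass(["127.0.0.1", "10.1.2.3"], "public"))
```

The first call reproduces the third sample log line above (relay 3.4.5.6, generic ISP PTR, domain resolving straight back to the relay); the second hits via the domain's MX host rather than the domain itself; the third shows that a trusted list holding only private addresses does not pass with the default "public" setting.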

Out of curiosity, which release branches of SA are supported with this plugin? The 3.1.x & 3.0.x, or just the 3.1.x?
