In what way is botnet not properly processing the headers in question?


Claude Frantz wrote:
Claude Frantz wrote:

The Botnet Plugin is not able to recognize the following sequence:

Another case:

Received: from OrangeSrv.rz.unibw-muenchen.de ([127.0.0.1])
by localhost (OrangeSrv.rz.unibw-muenchen.de [127.0.0.1]) (amavisd-new, port 10024)
 with LMTP id 12512-05 for <[EMAIL PROTECTED]>;
 Tue,  5 Jun 2007 20:24:21 +0200 (CEST)
Received: from akx100.internetdsl.tpnet.pl (school-0.bts.net.pl [81.210.26.53]) by OrangeSrv.rz.unibw-muenchen.de (8.13.7/8.13.7) with ESMTP id l55IOHYs013110 for <[EMAIL PROTECTED]>; Tue, 5 Jun 2007 20:24:18 +0200
Received: from marcina-komp
        by qlwc.com with ASMTP id 8CE3E668
for <[EMAIL PROTECTED]>; Tue, 5 Jun 2007 20:24:58 -0000
Received: from marcina-komp ([199.123.58.110])
        by qlwc.com with ESMTP id 82A06E0E6EC7
for <[EMAIL PROTECTED]>; Tue, 5 Jun 2007 20:24:58 -0000

And here is the debugging output from SA:

[29806] dbg: Botnet: checking baddns
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
[29806] dbg: Botnet: 'school-0.bts.net.pl' resolves
[29806] dbg: Botnet: 'school-0.bts.net.pl' matches '81.210.26.53'
[29806] dbg: Botnet: checking client words
[29806] dbg: Botnet: client words regexp is(((\b|\d)cable(\b|\d))|((\b|\d)catv(\b|\d))|((\b|\d)ddns(\b|\d))|((\b|\d)dhcp(\b|\d))|((\b|\d)dial-?up(\b|\d))|((\b|\d)dip(\b|\d))|((\b|\d)(a|s|d(yn)?)?dsl(\b|\d))|((\b|\d)dynamic(\b|\d))|((\b|\d)modem(\b|\d))|((\b|\d)ppp(\b|\d))|((\b|\d)res(net|ident(ial)?)?(\b|\d))|((\b|\d)client(\b|\d))|((\b|\d)fixed(\b|\d))|((\b|\d)pool(\b|\d))|((\b|\d)static(\b|\d))|((\b|\d)user(\b|\d)))\S*\.\S+\.\S+$
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
[29806] dbg: Botnet: checking server words
[29806] dbg: Botnet: server words regexp is(((\b|\d)mail(\b|\d))|((\b|\d)mta(\b|\d))|((\b|\d)mx(\b|\d))|((\b|\d)relay(\b|\d))|((\b|\d)smtp(\b|\d)))\S*\.\S+\.\S+$
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
[29806] dbg: Botnet: checking ip in hostname
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
[29806] dbg: Botnet: checking nordns
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'

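As an added example (my code, not from the post or the Botnet plugin), the following Python parses the Received chain above, picks the first non-loopback hop the way the debug output shows get_relay doing, and re-runs the name checks using the client-word and server-word regexes printed in the debug output. The trusted-network assumption (loopback only) and the simplified ip-in-hostname test are mine; the DNS-based baddns check is omitted so it runs offline.

```python
import re
import ipaddress

# Received headers from the message in the post, each folded onto one line.
RECEIVED = [
    "from OrangeSrv.rz.unibw-muenchen.de ([127.0.0.1]) by localhost (OrangeSrv.rz.unibw-muenchen.de [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 12512-05",
    "from akx100.internetdsl.tpnet.pl (school-0.bts.net.pl [81.210.26.53]) by OrangeSrv.rz.unibw-muenchen.de (8.13.7/8.13.7) with ESMTP id l55IOHYs013110",
    "from marcina-komp by qlwc.com with ASMTP id 8CE3E668",
    "from marcina-komp ([199.123.58.110]) by qlwc.com with ESMTP id 82A06E0E6EC7",
]

# Word-list patterns exactly as printed in the Botnet debug output.
CLIENT_WORDS = re.compile(r"(((\b|\d)cable(\b|\d))|((\b|\d)catv(\b|\d))|((\b|\d)ddns(\b|\d))|((\b|\d)dhcp(\b|\d))|((\b|\d)dial-?up(\b|\d))|((\b|\d)dip(\b|\d))|((\b|\d)(a|s|d(yn)?)?dsl(\b|\d))|((\b|\d)dynamic(\b|\d))|((\b|\d)modem(\b|\d))|((\b|\d)ppp(\b|\d))|((\b|\d)res(net|ident(ial)?)?(\b|\d))|((\b|\d)client(\b|\d))|((\b|\d)fixed(\b|\d))|((\b|\d)pool(\b|\d))|((\b|\d)static(\b|\d))|((\b|\d)user(\b|\d)))\S*\.\S+\.\S+$", re.I)
SERVER_WORDS = re.compile(r"(((\b|\d)mail(\b|\d))|((\b|\d)mta(\b|\d))|((\b|\d)mx(\b|\d))|((\b|\d)relay(\b|\d))|((\b|\d)smtp(\b|\d)))\S*\.\S+\.\S+$", re.I)

# "from HELO (RDNS [IP])"; RDNS is absent when the receiving MTA had no reverse name.
FROM_RE = re.compile(r"^from\s+(\S+)(?:\s+\((?:(\S+)\s+)?\[(\d{1,3}(?:\.\d{1,3}){3})\]\))?")

def parse_received(header):
    """Return (helo, rdns, ip) for one Received header; missing parts are None."""
    m = FROM_RE.match(header)
    return (m.group(1), m.group(2), m.group(3)) if m else (None, None, None)

def first_external_relay(headers):
    """Walk top-down and return the first hop with a non-loopback IP.
    Assumption: trusted_networks is only 127.0.0.0/8, as in the post's setup."""
    for h in headers:
        helo, rdns, ip = parse_received(h)
        if ip and not ipaddress.ip_address(ip).is_loopback:
            return helo, rdns, ip
    return None

def ip_in_hostname(ip, rdns):
    """Simplified stand-in (assumption) for the plugin's check: at least two
    octets of the IP appear as separate decimal numbers in the reverse name."""
    hits = sum(1 for o in ip.split(".") if re.search(rf"(?<!\d){o}(?!\d)", rdns))
    return hits >= 2

def botnet_checks(helo, rdns, ip):
    """Run the four name checks the debug output walks through for one relay."""
    if rdns is None:
        return {"nordns": True, "client_words": False, "server_words": False, "ip_in_hostname": False}
    return {
        "nordns": False,
        "client_words": bool(CLIENT_WORDS.search(rdns)),
        "server_words": bool(SERVER_WORDS.search(rdns)),
        "ip_in_hostname": ip_in_hostname(ip, rdns),
    }

if __name__ == "__main__":
    relay = first_external_relay(RECEIVED)
    print(relay, botnet_checks(*relay))            # nothing fires for school-0.bts.net.pl
    print(botnet_checks(*parse_received(RECEIVED[3])))  # inner hop: nordns would fire
```

The inner 199.123.58.110 hop has no reverse name, but because the plugin only examines the relay get_relay selects (the 81.210.26.53 hop, whose name carries no client word and no IP fragment), none of the checks trigger on this message.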