In what way is botnet not properly processing the headers in question?
Claude Frantz wrote:
Claude Frantz wrote:
The Botnet Plugin is not able to recognize the following sequence:
Another case:
Received: from OrangeSrv.rz.unibw-muenchen.de ([127.0.0.1])
by localhost (OrangeSrv.rz.unibw-muenchen.de [127.0.0.1]) (amavisd-new,
port 10024)
with LMTP id 12512-05 for <[EMAIL PROTECTED]>;
Tue, 5 Jun 2007 20:24:21 +0200 (CEST)
Received: from akx100.internetdsl.tpnet.pl (school-0.bts.net.pl
[81.210.26.53])
by OrangeSrv.rz.unibw-muenchen.de (8.13.7/8.13.7) with ESMTP id
l55IOHYs013110
for <[EMAIL PROTECTED]>; Tue, 5 Jun 2007 20:24:18
+0200
Received: from marcina-komp
by qlwc.com with ASMTP id 8CE3E668
for <[EMAIL PROTECTED]>; Tue, 5 Jun 2007 20:24:58
-0000
Received: from marcina-komp ([199.123.58.110])
by qlwc.com with ESMTP id 82A06E0E6EC7
for <[EMAIL PROTECTED]>; Tue, 5 Jun 2007 20:24:58
-0000
And here is the debugging output from SA:
[29806] dbg: Botnet: checking baddns
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
[29806] dbg: Botnet: 'school-0.bts.net.pl' resolves
[29806] dbg: Botnet: 'school-0.bts.net.pl' matches '81.210.26.53'
[29806] dbg: Botnet: checking client words
[29806] dbg: Botnet: client words regexp is (((\b|\d)cable(\b|\d))|((\b|\d)catv(\b|\d))|((\b|\d)ddns(\b|\d))|((\b|\d)dhcp(\b|\d))|((\b|\d)dial-?up(\b|\d))|((\b|\d)dip(\b|\d))|((\b|\d)(a|s|d(yn)?)?dsl(\b|\d))|((\b|\d)dynamic(\b|\d))|((\b|\d)modem(\b|\d))|((\b|\d)ppp(\b|\d))|((\b|\d)res(net|ident(ial)?)?(\b|\d))|((\b|\d)client(\b|\d))|((\b|\d)fixed(\b|\d))|((\b|\d)pool(\b|\d))|((\b|\d)static(\b|\d))|((\b|\d)user(\b|\d)))\S*\.\S+\.\S+$
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
[29806] dbg: Botnet: checking server words
[29806] dbg: Botnet: server words regexp is (((\b|\d)mail(\b|\d))|((\b|\d)mta(\b|\d))|((\b|\d)mx(\b|\d))|((\b|\d)relay(\b|\d))|((\b|\d)smtp(\b|\d)))\S*\.\S+\.\S+$
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
[29806] dbg: Botnet: checking ip in hostname
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
[29806] dbg: Botnet: checking nordns
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
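The checks the debug output walks through, reproduced as an added example (not the Botnet plugin's own code) to show why nothing fires on the relay Botnet actually inspects: the client-words and server-words regexes are the ones quoted in the log, while the IP-in-hostname test and the final verdict are my simplified approximations of the plugin's logic. The second relay (203.0.113.7 / dsl-203-0-113-7.example.net) is a constructed hypothetical for contrast.

```python
import re

# Regexes copied verbatim from the Botnet debug output quoted above.
CLIENT_WORDS_RE = re.compile(
    r"(((\b|\d)cable(\b|\d))|((\b|\d)catv(\b|\d))|((\b|\d)ddns(\b|\d))"
    r"|((\b|\d)dhcp(\b|\d))|((\b|\d)dial-?up(\b|\d))|((\b|\d)dip(\b|\d))"
    r"|((\b|\d)(a|s|d(yn)?)?dsl(\b|\d))|((\b|\d)dynamic(\b|\d))"
    r"|((\b|\d)modem(\b|\d))|((\b|\d)ppp(\b|\d))"
    r"|((\b|\d)res(net|ident(ial)?)?(\b|\d))|((\b|\d)client(\b|\d))"
    r"|((\b|\d)fixed(\b|\d))|((\b|\d)pool(\b|\d))|((\b|\d)static(\b|\d))"
    r"|((\b|\d)user(\b|\d)))\S*\.\S+\.\S+$"
)
SERVER_WORDS_RE = re.compile(
    r"(((\b|\d)mail(\b|\d))|((\b|\d)mta(\b|\d))|((\b|\d)mx(\b|\d))"
    r"|((\b|\d)relay(\b|\d))|((\b|\d)smtp(\b|\d)))\S*\.\S+\.\S+$"
)


def ip_in_hostname(ip, rdns):
    """Simplified stand-in for Botnet's 'ip in hostname' check (assumption,
    not the plugin's code): true when at least two octets of the IP appear
    as separate digit runs in the reverse DNS name."""
    octets = ip.split(".")
    tokens = set(re.findall(r"\d+", rdns))
    return sum(o in tokens for o in octets) >= 2


def botnet_checks(ip, rdns):
    """Run each per-relay check on the (lowercased) rDNS name of one relay."""
    host = (rdns or "").lower()
    return {
        "nordns": host == "",
        "client_words": bool(CLIENT_WORDS_RE.search(host)),
        "server_words": bool(SERVER_WORDS_RE.search(host)),
        "ip_in_hostname": ip_in_hostname(ip, host),
    }


def botnet_would_fire(ip, rdns):
    """Approximate overall verdict (assumption): a relay looks like a bot when
    it has no rDNS, a client-style name or its IP in the name, unless the name
    looks like a mail server."""
    c = botnet_checks(ip, rdns)
    return not c["server_words"] and (c["nordns"] or c["client_words"]
                                      or c["ip_in_hostname"])


if __name__ == "__main__":
    # First relay: the one Botnet examined in the quoted debug output.
    # Second relay: constructed dial-up style name on a TEST-NET address.
    for ip, rdns in [("81.210.26.53", "school-0.bts.net.pl"),
                     ("203.0.113.7", "dsl-203-0-113-7.example.net")]:
        print(ip, rdns, botnet_checks(ip, rdns), botnet_would_fire(ip, rdns))
```

Botnet only looks at the last untrusted relay (81.210.26.53 with a matching, non-generic rDNS), so the earlier qlwc.com hops carrying marcina-komp never enter these checks.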