Botnet 0.8 is up and available. It took me a while (things have been
REALLY busy at work for the last 6 months), but it's there.
http://people.ucsc.edu/~jrudd/spamassassin/Botnet-0.8.tar

Botnet is a SpamAssassin plugin which attempts to identify hosts which
are likely to be spambot/virusbot hosts, using various DNS fingerprints
of the submitting relay.
What changed between 0.7 and 0.8:
-- fixed uninitialized $domain just before line 564
(the ongoing bug that wasn't really affecting results, but did
give STDERR output every so often; was caused by a split() statement.)
-- changed complex dsl clientword to .*dsl.*
(too many variations of 'dsl' in hostnames, since it's word
bounded, the .*'s only match as far as the end of a word, so it's not
going to match _EVERYTHING_ under the sun, just every individual word
with dsl in it)
-- changed ppp clientword to ppp(oe)?
(for ppp over ethernet hosts)
-- changed mx serverword to mx(pool)?
(since it's word bounded, "mx" alone wasn't matching "mxpool")
-- added bredband to clientwords
(apparently a common foreign language clientword; I hadn't
noticed any false positives, so added it at someone's request ...
unfortunately, it was so long ago, that I don't remember who it was)
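To make the word-bounded clientword/serverword changes above concrete, here is an added Python example (not the plugin's own Perl code, and not its real word tables). It assumes Botnet splits a reverse-DNS name into tokens on non-word characters and tests each pattern against one whole token, which is why ".*dsl.*" stays inside a single word and why a bare "mx" could not match "mxpool" in 0.7. The word lists and hostnames are constructed for the example.

```python
import re

# Constructed subset of client/server words in the spirit of the 0.8 changes
# (not the plugin's own tables; 'dhcp' and 'smtp' are assumed extras).
CLIENTWORDS = [r".*dsl.*", r"ppp(oe)?", r"bredband", r"dhcp"]
SERVERWORDS = [r"mx(pool)?", r"smtp"]


def hostname_words(hostname):
    """Split a reverse-DNS name into word-bounded tokens.

    Assumption: a 'word' is a run of letters, digits and underscore, the same
    characters Perl's \\b treats as word characters, so '.' and '-' separate
    tokens.
    """
    return [w for w in re.split(r"[^A-Za-z0-9_]+", hostname.lower()) if w]


def match_word(hostname, wordlist):
    """Return the first pattern that matches one whole token, else None.

    fullmatch() per token is what keeps '.*dsl.*' confined to a single word:
    the .* can never run past a '.' or '-' into the rest of the name.
    """
    for token in hostname_words(hostname):
        for pat in wordlist:
            if re.fullmatch(pat, token):
                return pat
    return None


def fingerprint(hostname):
    """Classify an rDNS name as 'server', 'client' or 'unknown'.

    Serverwords are checked first so that a host advertising itself as a mail
    exchanger is not also flagged on a clientword elsewhere in its name.
    """
    if match_word(hostname, SERVERWORDS):
        return "server"
    if match_word(hostname, CLIENTWORDS):
        return "client"
    return "unknown"


# Constructed sample rDNS names exercising the 0.7 -> 0.8 pattern changes.
SAMPLES = {
    "adsl-12-34-56-78.example.net": "client",   # 'adsl' caught by .*dsl.*
    "pppoe-static.example.com": "client",       # ppp(oe)? catches 'pppoe'
    "bredband-123.example.se": "client",        # newly added clientword
    "mxpool.example.org": "server",             # mx(pool)? catches 'mxpool'
    "mx.example.org": "server",
    "host.example.com": "unknown",
}

if __name__ == "__main__":
    for name, expected in SAMPLES.items():
        got = fingerprint(name)
        status = "ok" if got == expected else "MISMATCH"
        print(f"{name:32s} {got:8s} {status}")
    # The 0.7 behaviour the announcement describes: a bare 'mx' pattern,
    # word-bounded, does not match the token 'mxpool'.
    print("0.7-style 'mx' on mxpool.example.org:",
          match_word("mxpool.example.org", [r"mx"]))
```

Because the match is per token, digits glued onto a word ("mx1", "dsl12") are part of that token; a pattern has to allow for them explicitly or the token is not matched, which is the same trade-off the author describes for word bounding.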
!!!!!!NOTE: BIG CHANGE ON SOHO CHECK!!!!!!
-- allow HELO check in SOHO check
(I used to be very against this, but I realized I already accept
SOHO for the sender's mail domain, which is just as much under the
control of the spammer as the HELO string. I apply the same
requirements (mail-domain != hostname so HELO-string != hostname), but
if the HELO string does in fact resolve back to the IP address, I'll
grant the SOHO exemption. This will probably mean you'll get fewer
Botnet hits, but hopefully it'll only be lowering false positives.)
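The SOHO rule as described in the item above, written out as an added Python example (it is not the plugin's own code). It assumes the check works by resolving a candidate name to its A records and comparing them with the relay IP; the DNS table, relay addresses and hostnames are constructed so the example runs offline, and the helo_check flag is an illustrative switch for the 0.7 versus 0.8 behaviour.

```python
import ipaddress

# Constructed forward-DNS table standing in for real resolution (assumption:
# the plugin compares a name's A records with the submitting relay's IP).
FAKE_DNS = {
    "mail.smallbiz.example": ["203.0.113.10"],
    "smallbiz.example": ["203.0.113.10"],
    "helo.elsewhere.example": ["198.51.100.99"],
}


def resolves_to(name, relay_ip, dns=FAKE_DNS):
    """True if `name` has an A record equal to the relay IP."""
    ip = str(ipaddress.ip_address(relay_ip))   # normalise/validate the IP
    return ip in dns.get(name.lower(), [])


def soho_exempt(relay_ip, rdns, mail_domain, helo, helo_check=True, dns=FAKE_DNS):
    """Decide the SOHO exemption; returns (exempt, reason).

    Rule as described for 0.8: a name that differs from the relay's rDNS
    hostname but resolves back to the relay IP earns the exemption. 0.7 only
    considered the sender's mail domain; 0.8 also accepts the HELO string
    under the same requirement (helo_check=False reproduces 0.7).
    """
    candidates = [("mail-domain", mail_domain)]
    if helo_check:
        candidates.append(("helo", helo))
    for label, name in candidates:
        if not name or name.lower() == rdns.lower():
            continue   # identical to the hostname: proves nothing extra
        if resolves_to(name, relay_ip, dns):
            return True, f"{label} {name} resolves to {relay_ip}"
    return False, "no independent name resolves to the relay IP"


if __name__ == "__main__":
    relay = "203.0.113.10"
    rdns = "203-0-113-10.dsl.example.net"   # looks like a client host
    cases = [
        # mail domain already resolves back: exempt in 0.7 and 0.8
        ("smallbiz.example", "mail.smallbiz.example"),
        # only the HELO resolves back: exempt in 0.8, not in 0.7
        ("other.example", "mail.smallbiz.example"),
        # HELO resolves, but to a different address: not exempt
        ("other.example", "helo.elsewhere.example"),
        # HELO equals the rDNS hostname: adds nothing, not exempt
        ("other.example", rdns),
    ]
    for mail_domain, helo in cases:
        old = soho_exempt(relay, rdns, mail_domain, helo, helo_check=False)
        new = soho_exempt(relay, rdns, mail_domain, helo)
        print(f"{mail_domain:18s} {helo:28s} 0.7={old[0]!s:5s} 0.8={new[0]!s:5s} ({new[1]})")
```

The second case is the one the author expects to lower hit counts: a relay whose mail domain is unrelated but whose HELO name points back at it now passes, so the only hosts still flagged are those where neither name resolves to the submitting IP.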
There's not much in the way of major systemic changes here. The code
for the HELO check had already been in there, just commented out. So
that wasn't even a big change. So I might be ready to go to 1.0 in the
not so distant future (and assuming I get time to stamp something a 1.0).
Thanks for everyone's patience.