Re: Botnet 0.8 Plugin is available (FINALLY!!!)

by Vernon Webb

I added this and everything came back labeled as SPAM.

---------- Original Message -----------
From: John Rudd <jrudd@...>
To: SpamAssassin Users <users@...>
Sent: Sun, 05 Aug 2007 19:39:07 -0700
Subject: Botnet 0.8 Plugin is available (FINALLY!!!)

> Botnet 0.8 is up and available.  It took me a while (things have been
> REALLY busy at work for the last 6 months), but it's there.
>
> http://people.ucsc.edu/~jrudd/spamassassin/Botnet-0.8.tar
>
> Botnet is a SpamAssassin plugin which attempts to identify hosts which
> are likely to be spambot/virusbot hosts, using various DNS fingerprints
> of the submitting relay.
>
> What changed between 0.7 and 0.8:
>
>     -- fixed uninitialized $domain just before line 564
>        (the ongoing bug that wasn't really affecting results, but did
> give STDERR output every so often; was caused by a split() statement.)
>
>     -- changed complex dsl clientword to .*dsl.*
>        (too many variations of 'dsl' in hostnames, since it's word
> bounded, the .*'s only match as far as the end of a word, so it's not
> going to match _EVERYTHING_ under the sun, just every individual word
> with dsl in it)
>
>     -- changed ppp clientword to ppp(oe)?
>        (for ppp over ethernet hosts)
>
>     -- changed mx serverword to mx(pool)?
>        (since it's word bounded, "mx" alone wasn't matching "mxpool")
>
>     -- added bredband to clientwords
>        (apparently a common foreign language clientword; I hadn't
> noticed any false positives, so added it at someone's request ...
> unfortunately, it was so long ago, that I don't remember who it was)
>
> !!!!!!NOTE: BIG CHANGE ON SOHO CHECK!!!!!!
>
>     -- allow HELO check in SOHO check
>
>        (I used to be very against this, but I realized I already accept
> SOHO for the sender's mail domain, which is just as much under the
> control of the spammer as the HELO string.  I apply the same
> requirements (mail-domain != hostname so HELO-string != hostname), but
> if the HELO string does in fact resolve back to the IP address, I'll
> grant the SOHO exemption.  This will probably mean you'll get fewer
> Botnet hits, but hopefully it'll only be lowering false positives.)
>
> There's not much in the way of major systemic changes here.  The code
> for the HELO check had already been in there, just commented out.  So
> that wasn't even a big change.  So I might be ready to go to 1.0 in the
> not so distant future (and assuming I get time to stamp something a 1.0).
>
> Thanks for everyone's patience.
>
> --
> This message has been scanned for viruses and
> dangerous content and is believed to be clean.
------- End of Original Message -------

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
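
The clientword and serverword changes listed in the quoted 0.8 announcement, as an added Python sketch that is not part of the thread and not Botnet's own Perl code. It assumes "word bounded" means a pattern must match one whole alphabetic word of the hostname (words split on any non-letter), and it uses plain `dsl` as a stand-in for the 0.7 dsl pattern, which the page does not show; the sample hostnames are constructed.

```python
import re

# Patterns quoted in the 0.8 changelog, next to the forms they replaced.
CLIENTWORDS_OLD = ["dsl", "ppp"]  # "dsl" is a stand-in for the 0.7 pattern (assumption)
CLIENTWORDS_NEW = [".*dsl.*", "ppp(oe)?", "bredband"]
SERVERWORDS_OLD = ["mx"]
SERVERWORDS_NEW = ["mx(pool)?"]


def words_of(hostname):
    """Split a hostname into alphabetic words (assumed delimiter: any non-letter)."""
    return [w for w in re.split(r"[^a-z]+", hostname.lower()) if w]


def matching_words(hostname, patterns):
    """Return (word, pattern) pairs where a pattern matches one whole word."""
    hits = []
    for word in words_of(hostname):
        for pat in patterns:
            # fullmatch keeps '.*' from running past the end of the word
            if re.fullmatch(pat, word):
                hits.append((word, pat))
    return hits


def classify(hostname, clientwords, serverwords):
    """Report whether the hostname carries a client word, a server word, or both."""
    return {
        "client": bool(matching_words(hostname, clientwords)),
        "server": bool(matching_words(hostname, serverwords)),
    }


# Constructed sample rDNS names (not taken from real hosts).
SAMPLES = [
    "adsl-10-20-30-40.example.net",   # 'adsl' only hits the 0.8 '.*dsl.*'
    "pppoe-7.pool.example.net",       # 'pppoe' needs 'ppp(oe)?'
    "mxpool01.example.com",           # 'mxpool' needs 'mx(pool)?'
    "host-12.bredband.example.se",    # new clientword in 0.8
    "mail.dslcustomers.example.org",  # any word containing 'dsl' now hits
    "www.example.org",                # no client or server word
]

if __name__ == "__main__":
    for name in SAMPLES:
        old = classify(name, CLIENTWORDS_OLD, SERVERWORDS_OLD)
        new = classify(name, CLIENTWORDS_NEW, SERVERWORDS_NEW)
        print(f"{name:32} 0.7-style={old} 0.8={new}")
```

Printing the matched word next to the pattern, as `matching_words` does, is a quick way to see which part of a relay's hostname a rule is reacting to when tuning these lists.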
