manu@... wrote:
>
>
> Federico Giannici <giannici@...> wrote:
>
> > It try to identify the botnets by looking at the DNS information of the
> > last relay.
>
> How does it work? Regexp patterns for dynamic hosts? DNSRBL?
It looks at the direct and reverse DNS information of the last relay.
Here is part of the documentation.
I found the following rules very interesting and effective: BOTNET_IPINHOSTNAME, BOTNET_NORDNS, BOTNET_CLIENTWORDS and BOTNET_SERVERWORDS.
Rule: BOTNET_NORDNS
The relay has no PTR record (no reverse dns). This rule does NOT incur
a DNS check, as Botnet obtains this information from the rdns= field in
SpamAssassin's Untrusted Relays pseudo-header.

Rule: BOTNET_BADDNS
The relay doesn't have a full circle DNS. Full circle DNS means that,
starting with the relay's IP address, going to its PTR record, and then
looking at the IPs returned from that hostname's A record, is the relay's
IP address in that group of addresses? If it isn't, then there's probably
a DNS forgery.
Note: BOTNET_BADDNS causes Botnet to do a DNS lookup. This can be time
consuming for your SpamAssassin checks.

Rule: BOTNET_IPINHOSTNAME
Does the relay's hostname contain 2 or more octets of its IP address
within the hostname? They can be in decimal or hexadecimal format. Each
octet can have leading zeroes, or a single separator character.

Rule: BOTNET_CLIENTWORDS
Does the relay's hostname contain certain keywords that look like a
client hostname? They can be any keywords, but the included list is intended
to identify ISP end clients and dynamic workstations.

Rule: BOTNET_SERVERWORDS
Does the relay's hostname contain certain keywords that look like a mail
server hostname? They can be any keywords, but the included list is intended
to identify exceptions to the BOTNET_IPINHOSTNAME and BOTNET_CLIENTWORDS
checks, that might indicate they actually are legitimate mail servers.

Rule: BOTNET_CLIENT
This rule duplicates the checks in BOTNET_IPINHOSTNAME, BOTNET_CLIENTWORDS,
and BOTNET_SERVERWORDS to decide whether or not the hostname looks
like a client.
It is effectively (!serverwords && (iphostname || clientwords))
See Botnet.variants.txt for a way to replace this with a meta rule.

Rule: BOTNET_SOHO
This rule checks to see if the relay is possibly a SOHO (small office,
home office) mail server. In this case, the sender's mail domain is examined,
and resolved. First an A record lookup is done, and if the relay's IP
address is found in the first 5, then BOTNET_SOHO hits. Second, the same
check is done on the MX records for the domain, again limited to 5 records.
These checks are limited to 5 records because a SOHO domain is not likely
to have a large round-robin A record nor a large number of MX records. In
order to avoid having this check used as a back-door by botnet coders, by
using a throw-away sender domain that has all of its botnet hosts in the
A records or MX records, BOTNET_SOHO only looks at 5 records.

Rule: BOTNET
This rule duplicates the checks done by the above rules.
The intent is to flag a message automatically for quarantine or storage
in a spam folder if the message does have the fingerprints of a spambot
or virusbot, but does NOT have the fingerprints of a server.
It is effectively (!soho && (client || baddns || nordns))
See Botnet.variants.txt for a way to replace this with a meta rule, or
replace this with piece-meal rules.
Bye.
--
Federico Giannici  giannici@...
http://www.neomedia.it
Re: [milter-greylist] BotNet plugin
2006-12-25 by Federico Giannici
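The hostname checks and the two meta rules quoted from the documentation above, as an added Python example (this is not the Botnet plugin's own Perl code). The keyword lists are constructed for illustration, BOTNET_BADDNS and BOTNET_SOHO results are passed in as booleans from the caller's own DNS lookups, and the octet matching is one reading of the rule text (consecutive octets, in order, decimal or two-digit hex), not the plugin's exact regex.

```python
import re

# Constructed keyword lists for illustration; the plugin ships its own, longer lists.
CLIENT_WORDS = ("dsl", "dyn", "dynamic", "dhcp", "cable", "ppp", "pool", "dialup")
SERVER_WORDS = ("mail", "mx", "smtp", "relay")

def _octet_re(octet: int) -> str:
    # One octet written in decimal or two-digit hex, with optional leading zeroes.
    return rf"0*(?:{octet}|{octet:02x})"

def _run_re(parts, sep: str) -> str:
    # parts[0] sep parts[1], optionally followed by the remaining octets in order.
    tail = ""
    for p in reversed(parts[2:]):
        tail = f"(?:{sep}{p}{tail})?"
    return parts[0] + sep + parts[1] + tail

def ip_in_hostname(ip: str, hostname: str) -> bool:
    """BOTNET_IPINHOSTNAME: two or more consecutive octets of the relay's IP appear
    in its hostname, decimal or hex, with at most one separator between them."""
    parts = [_octet_re(int(x)) for x in ip.split(".")]
    sep = r"[^0-9a-z]?"  # a single separator character, or none at all
    host = hostname.lower()
    for start in range(len(parts) - 1):
        run = _run_re(parts[start:], sep)
        # A digit directly before or after the run would make it a different number.
        if re.search(rf"(?<![0-9]){run}(?![0-9])", host):
            return True
    return False

def has_word(hostname: str, words) -> bool:
    host = hostname.lower()
    return any(w in host for w in words)

def botnet_client(ip: str, hostname: str) -> bool:
    """BOTNET_CLIENT = !serverwords && (iphostname || clientwords)"""
    return (not has_word(hostname, SERVER_WORDS)
            and (ip_in_hostname(ip, hostname) or has_word(hostname, CLIENT_WORDS)))

def botnet(ip: str, hostname: str, baddns: bool = False, soho: bool = False) -> bool:
    """BOTNET = !soho && (client || baddns || nordns).
    nordns follows from an empty hostname (no PTR); baddns and soho are the outcomes
    of the DNS checks described above, supplied by the caller after its own lookups."""
    nordns = not hostname
    client = bool(hostname) and botnet_client(ip, hostname)
    return (not soho) and (client or baddns or nordns)
```

A hostname such as host100.example.net with relay IP 10.0.x.x also hits the octet check (the "10" and "0" octets run together), which is exactly the kind of false positive the BOTNET_SERVERWORDS exception list exists to absorb.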