Federico Giannici wrote:
> manu@... wrote:
> > Federico Giannici wrote:
> > > It tries to identify the botnets by looking at the DNS information of the
> > > last relay.
> >
> > How does it work? regexp patterns for dynamic hosts? DNSRBL?
>
> It looks at the direct and reverse DNS information of the last relay.
>
> Here it is part of the documentation.
> I found very interesting and effective the following rules: BOTNET_IPINHOSTNAME, BOTNET_NORDNS, BOTNET_CLIENTWORDS and BOTNET_SERVERWORDS.
In fact, I think the "SOHO" check is useful for automatic
whitelisting, and should be easy to implement. Quote:
> Rule: BOTNET_SOHO
> This rule checks to see if the relay is possibly a SOHO (small office,
> home office) mail server. In this case, the sender's mail domain is examined,
> and resolved. First an A record look up is done, and if the relay's IP
> address is found in the first 5, then BOTNET_SOHO hits. Second, the same
> check is done on the MX records for the domain, again limited to 5 records.
> These checks are limited to 5 records because a SOHO domain is not likely
> to have a large round-robin A record nor a large number of MX records. In
> order to avoid having this check used as a back-door by botnet coders, by
> using a throw-away sender domain that has all of its botnet hosts in the
> A records or MX records, BOTNET_SOHO only looks at 5 records.
In other words, this is what milter-greylist could do:
When a connection from 12.34.56.78 arrives and tries to
send mail from foo@..., then look at the A records
and MX records of bar.com. If one of them matches the
connecting IP (12.34.56.78), then the mail is not greylisted
but whitelisted. It might also be useful to
combine that check with other ACLs.
The idea is that many small sites (e.g. soho) use the
same servers for incoming and outgoing mails, so the
MX record (or A record) of the domain is the same as
the one we receive their mail from.
Of course that rule doesn't guarantee that it's not spam,
but it's pretty certain that there's a real SMTP server
running on that machine, so it doesn't make sense to
greylist it (because it will resend anyway), and so the
mail shouldn't be delayed.
Emmanuel, what do you think?
Another thing is the "BOTNET_IPINHOSTNAME" check. It
does _not_ simply check whether the hostname matches a
regular expression that represents the IP number.
Instead, it checks if at least two octets from the
actual connecting IP address are contained in the
hostname (in decimal or hex). That should reduce
the number of false positives considerably, compared
to simple regular expressions.
For example, if the IP 12.34.56.78 connects, then check
if at least any two of the octets (12, 34, 56, 78 or
their hexadecimal equivalents) appear inside the host
name. I think the check could even be more tight by
checking for at least three octets instead of two.
Again ... what do you think? :-)
Best regards
Oliver
--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
"It combines all the worst aspects of C and Lisp: a billion different
sublanguages in one monolithic executable. It combines the power of C
with the readability of PostScript."
-- Jamie Zawinski, when asked: "What's wrong with perl?"

Re: [milter-greylist] BotNet plugin
2007-01-04 by Oliver Fromme
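The two checks discussed in the message above (the SOHO whitelist idea and the "at least two octets in the hostname" test), written out as an added example. This is not code from milter-greylist or from the SpamAssassin Botnet plugin; the function names `soho_match` and `ip_in_hostname`, the constructed zone data in `SAMPLE_A`/`SAMPLE_MX`, and the injected `resolve_a`/`resolve_mx` callables are all assumptions made so the example runs offline. The quoted documentation only says an octet must be "contained" in the hostname; the token rule used here (decimal octets as whole digit runs, hex octets as aligned pairs inside an even-length hex run) is my own choice to keep "12" from matching inside "123".

```python
"""Added example: SOHO whitelist check and IP-in-hostname check, offline."""
import ipaddress
import re
from typing import Callable, Iterable

# The quoted Botnet documentation limits both the A and the MX lookup to 5
# records so a throw-away sender domain cannot list a whole botnet.
SOHO_RECORD_LIMIT = 5


def _same_ip(ip: ipaddress._BaseAddress, candidate: str) -> bool:
    try:
        return ipaddress.ip_address(candidate) == ip
    except ValueError:
        return False  # unparsable record data never matches


def soho_match(connecting_ip: str, sender_domain: str,
               resolve_a: Callable[[str], Iterable[str]],
               resolve_mx: Callable[[str], Iterable[str]],
               limit: int = SOHO_RECORD_LIMIT) -> bool:
    """True when the connecting IP is one of the first `limit` A records of
    the sender domain, or one of the first `limit` A records of one of the
    domain's first `limit` MX hosts. The resolver functions are injected
    (hypothetical interface) so the check can run against fixed data."""
    try:
        ip = ipaddress.ip_address(connecting_ip)
    except ValueError:
        return False  # garbage client address: never whitelist

    # First check: the domain's own A records, truncated to `limit`.
    if any(_same_ip(ip, a) for a in list(resolve_a(sender_domain))[:limit]):
        return True
    # Second check: each of the first `limit` MX hosts, each resolved to at
    # most `limit` addresses.
    for mx_host in list(resolve_mx(sender_domain))[:limit]:
        if any(_same_ip(ip, a) for a in list(resolve_a(mx_host))[:limit]):
            return True
    return False


_DIGIT_RUN = re.compile(r"[0-9]+")
_HEX_RUN = re.compile(r"[0-9a-f]+")


def ip_in_hostname(connecting_ip: str, hostname: str, min_octets: int = 2) -> bool:
    """True if at least `min_octets` distinct octets of the IPv4 address
    appear in the hostname, either as a whole decimal digit run (the "12" in
    "dsl-12-34.x") or as an aligned pair inside an even-length hex run that
    contains at least one digit (the "0c" in "0c22384e"). Repeated octets
    such as 10.1.1.1 count once, which keeps the rule conservative."""
    try:
        octets = set(ipaddress.IPv4Address(connecting_ip).packed)
    except ipaddress.AddressValueError:
        return False
    host = hostname.lower()
    decimal_tokens = {int(t) for t in _DIGIT_RUN.findall(host)}
    hex_pairs = set()
    for run in _HEX_RUN.findall(host):
        # Odd-length runs and pure-letter runs ("beef", "de") are skipped.
        if len(run) % 2 or not any(c.isdigit() for c in run):
            continue
        hex_pairs.update(int(run[i:i + 2], 16) for i in range(0, len(run), 2))
    matched = {o for o in octets if o in decimal_tokens or o in hex_pairs}
    return len(matched) >= min_octets


# Constructed sample zone data for the demonstration (not real DNS records).
SAMPLE_A = {
    "soho.example": ["192.0.2.10"],
    "mx1.soho.example": ["192.0.2.10"],
    "big.example": [f"198.51.100.{i}" for i in range(1, 9)],  # 8 A records
    "mx.big.example": ["198.51.100.50"],
}
SAMPLE_MX = {
    "soho.example": ["mx1.soho.example"],
    "big.example": ["mx.big.example"],
}


def sample_resolve_a(name: str):
    return SAMPLE_A.get(name, [])


def sample_resolve_mx(name: str):
    return SAMPLE_MX.get(name, [])


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "soho.example"), ("198.51.100.7", "big.example")]:
        print(ip, dom, "SOHO" if soho_match(ip, dom, sample_resolve_a, sample_resolve_mx) else "greylist")
    for host in ["dsl-12-34-56-78.isp.example", "0c22384e.dyn.example", "host12.example"]:
        print(host, "IPINHOSTNAME" if ip_in_hostname("12.34.56.78", host) else "no match")
```

Note that `big.example` has eight A records, so a client at 198.51.100.7 is not whitelisted even though it genuinely is one of the domain's addresses: that is the record limit doing its job against the back-door the documentation describes, and the reason the thread suggests combining the SOHO result with other ACLs rather than trusting it alone.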