Hosting Provided By

Re: Botnet 0.8 Plugin is available (FINALLY!!!)

From: hanz <makmur(at)cs.rutgers.edu>
Date: Fri Sep 28 2007 - 16:06:24 EDT

> Botnet 0.8 is up and available.  It took me a while (things have been
> REALLY busy at work for the last 6 months), but it's there.
> 
http://people.ucsc.edu/~jrudd/spamassassin/Botnet-0.8.tar

ooking at the debug code, I notice that botnet,pm version 0.8 is only checking the last server IP and not all IPs in the path.

example path the mail went thru:
[32635] dbg: dns: IPs found: full-external: 128.6.72.72, 127.0.0.1,
127.0.0.1, 128.6.31.86, 128.6.72.254, 127.0.0.1, 127.0.0.1, 128.6.31.85, 59.144.126.12, 59.144.126.12 untrusted: 128.6.72.72, 128.6.31.86, 128.6.72.254, 128.6.31.85, 59.144.126.12 originating:

example debug code
[32635] dbg: Botnet: starting
[32635] dbg: Botnet: no trusted relays
[32635] dbg: Botnet: get_relay good RDNS
[32635] dbg: Botnet: IP is '128.6.72.72'
[32635] dbg: Botnet: RDNS is 'gehenna.rutgers.edu'
[32635] dbg: Botnet: HELO is 'gehenna10.rutgers.edu'
[32635] dbg: Botnet: sender ''
[32635] dbg: Botnet: miss (none)

I believe if botnet.pm is checking all the path the mail went thru like how dnsbl is used, botnet will get more accurate. I could be wrong on this but for the shake of fighting spam,I hope I am right and you could find a way to get this to work.

Here is a sample of the bad email which may or may not be from botnet source.

http://www.cs.rutgers.edu/~makmur/forjrudd.txt

Hope I give enough details.

Do you need help?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related spamassassin.apache.org Links users Request more information about Pantek

Thanks again for making fighting spam email easier.

Hanz

-- 
View this message in context: 
http://www.nabble.com/Botnet-0.8-Plugin-is-available-%28FINALLY%21%21%21%29-tf4221965.html#a12947538
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Received on Fri Sep 28 16:07:16 2007

This message: [ Message body ]
Next message: Jason Bertoch: "RE: Botnet 0.8 Plugin is available (FINALLY!!!)"
Previous message: micah: "Re: reaching incoming connections queued max, what happens?"
In reply to: Mark Martinec: "Re: Botnet 0.8 Plugin is available (FINALLY!!!)"
Next in thread: Jason Bertoch: "RE: Botnet 0.8 Plugin is available (FINALLY!!!)"
Reply: Jason Bertoch: "RE: Botnet 0.8 Plugin is available (FINALLY!!!)"
Reply: René Berber: "Re: Botnet 0.8 Plugin is available (FINALLY!!!)"
Reply: John Rudd: "Re: Botnet 0.8 Plugin is available (FINALLY!!!)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Sat Oct 27 2007 - 22:02:49 EDT