Posted to users@spamassassin.apache.org by MySQL Student <my...@gmail.com> on 2009/06/14 03:10:57 UTC

Botnet spam not being caught

Hi all,

I'm using SA-3.2.5 on Linux and my system is being deluged with spam that
isn't being caught, apparently from botnets. I'm using botnet-0.7. The
subject is random and the "Received from" header is always an unresolvable
IP. Is there a more robust botnet plugin that may be more effective?
Botnet-v08 was catching too many FPs. (score too high). The body is also
quite random -- enough so as to keep bayes usually at 50 or less.

Is there a later version of SA that's stable?

Here's the relevant headers:

Received: from [78.97.185.89] (unknown [78.97.185.89])
Message-ID: <KRSZDJKABFQDKCF.IODBKVQHQTYYMYW83588989026@[78.97.185.89]>
Subject: Where is this bar?
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
Date: Sat, 13 Jun 2009 04:05:44 -0400 (EDT)
X-Virus-Scanned: by amavisd-new at mydomain.com
X-Spam-Status: No, hits=4.9 tagged_above=-300.0 required=5.0 use_bayes=1
 tests=BAYES_50, BOTNET, HTML_MESSAGE, MIME_HTML_ONLY, RDNS_NONE,
URIBL_BLACK
X-Spam-Level: ****

The body is HTML and contains the following:

Click here to view this message as a web page.

Copyright © 2002-2009 by the Pyahqql, Inc.
All rights reserved.

Click here if this picture is blocked

Home  |  Contact Us  |  Privacy Policy  |  Terms of Use | Unsubscribe |

Where can I go from here?

Thanks,
Alex

Re: Botnet spam not being caught

Posted by Benny Pedersen <me...@junc.org>.
On Sun, June 14, 2009 03:10, MySQL Student wrote:

> Home | Contact Us | Privacy Policy | Terms of Use | Unsubscribe |

This is a spammy line, often with faked domains (the content looks like
micro$oft) but the URL is not their domain.

> Where can I go from here?

sa-learn --spam < msg

and or make a rule for the above line

-- 
http://localhost/ 100% uptime and 100% mirrored :)


Re: Botnet spam not being caught

Posted by John Rudd <jr...@ucsc.edu>.
On Sat, Jun 13, 2009 at 18:47, MySQL Student<my...@gmail.com> wrote:
> Hi John,
>
>> Botnet seems to have caught that just fine (it's listed in the rules
>> which were triggered).  The problem is either that you're running it
>> at a lower score (which you could also do for Botnet0.8 if you wanted
>> to upgrade -- their default scores are exactly the same), or you need
>> other rules/configs to supplement your overall scoring system.
>
> Yes, I didn't intend to blame it on botnet; I realize the rule is being
> triggered.
>
> I guess I was concerned about raising the score above my current 1.5, and
> was thinking that instead some other rule was available, or being used by
> someone on the list, in conjunction with botnet to catch these.
>
> If not, can you recommend an approach on calculating the right score for
> botnet for my environment, so it doesn't tag so many FPs, or what an
> appropriate value should be with my threshold being set to 5.0?

That's a can of worms I'm not willing to open :-)

I haven't seen a consensus on the list about what the right score is.
Everyone seems to have their own pet score for it (I run it at 5.0 and
haven't had more than a handful of FPs for all of the years that has
been true).

If people did come up with a consensus for it, I'd be happy to even
make that the default, and just run it at 5.0 for myself.

Re: Botnet spam not being caught

Posted by MySQL Student <my...@gmail.com>.
Hi John,

> Botnet seems to have caught that just fine (it's listed in the rules
> which were triggered).  The problem is either that you're running it
> at a lower score (which you could also do for Botnet0.8 if you wanted
> to upgrade -- their default scores are exactly the same), or you need
> other rules/configs to supplement your overall scoring system.


Yes, I didn't intend to blame it on botnet; I realize the rule is being
triggered.

I guess I was concerned about raising the score above my current 1.5, and
was thinking that instead some other rule was available, or being used by
someone on the list, in conjunction with botnet to catch these.

If not, can you recommend an approach on calculating the right score for
botnet for my environment, so it doesn't tag so many FPs, or what an
appropriate value should be with my threshold being set to 5.0?

Thanks again,
Alex

Re: Botnet spam not being caught

Posted by John Rudd <jr...@ucsc.edu>.
Botnet seems to have caught that just fine (it's listed in the rules
which were triggered).  The problem is either that you're running it
at a lower score (which you could also do for Botnet0.8 if you wanted
to upgrade -- their default scores are exactly the same), or you need
other rules/configs to supplement your overall scoring system.

But, you can't blame this one on Botnet.  It scored on the message
you're reporting.


On Sat, Jun 13, 2009 at 18:10, MySQL Student<my...@gmail.com> wrote:
> Hi all,
>
> I'm using SA-3.2.5 on Linux and my system is being deluged with spam that
> isn't being caught, apparently from botnets. I'm using botnet-0.7. The
> subject is random and the "Received from" header is always an unresolvable
> IP. Is there a more robust botnet plugin that may be more effective?
> Botnet-v08 was catching too many FPs. (score too high). The body is also
> quite random -- enough so as to keep bayes usually at 50 or less.
>
> Is there a later version of SA that's stable?
>
> Here's the relevant headers:
>
> Received: from [78.97.185.89] (unknown [78.97.185.89])
> Message-ID: <KRSZDJKABFQDKCF.IODBKVQHQTYYMYW83588989026@[78.97.185.89]>
> Subject: Where is this bar?
> MIME-Version: 1.0
> Content-Type: text/html; charset="utf-8"
> Content-Transfer-Encoding: 7bit
> Date: Sat, 13 Jun 2009 04:05:44 -0400 (EDT)
> X-Virus-Scanned: by amavisd-new at mydomain.com
> X-Spam-Status: No, hits=4.9 tagged_above=-300.0 required=5.0 use_bayes=1
>  tests=BAYES_50, BOTNET, HTML_MESSAGE, MIME_HTML_ONLY, RDNS_NONE,
> URIBL_BLACK
> X-Spam-Level: ****
>
> The body is HTML and contains the following:
>
> Click here to view this message as a web page.
>
> Copyright © 2002-2009 by the Pyahqql, Inc.
> All rights reserved.
>
> Click here if this picture is blocked
>
> Home  |  Contact Us  |  Privacy Policy  |  Terms of Use | Unsubscribe |
>
> Where can I go from here?
>
> Thanks,
> Alex
>
>

Re: Botnet spam not being caught

Posted by John Rudd <jr...@ucsc.edu>.
On Sat, Jun 13, 2009 at 18:56, MySQL Student<my...@gmail.com> wrote:

>
> I also see BOTNET_NORDNS in Botnet.cf, but it isn't being triggered. It's
> also weighted at 0.0. Is there a reason for this?

There's two ways to use Botnet:

1) one big rule (BOTNET) that rolls up all of the sub-rule scores.

2) triggering each individual rule separately (BOTNET_*).

You shouldn't do both, or you'll be double-scoring.  By default,
Botnet is set up to do the first method, so the individual rules are
all scored at 0.

Re: Capturing and using values....

Posted by Theo Van Dinter <fe...@apache.org>.
No, SA doesn't do that.  The best way to do this is to write a plugin
where you can do whatever you want. :)

On Sun, Jun 14, 2009 at 3:18 PM, Charles Gregory<cg...@hwcn.org> wrote:
> Got a usage question. Is there a simple mechanism, similar to Perl's use
> of parentheses and $1 to 'capture' a value in one rule and USE that captured
> value in the next rule?

Capturing and using values....

Posted by Charles Gregory <cg...@hwcn.org>.
Got a usage question. Is there a simple mechanism, similar to Perl's use
of parentheses and $1 to 'capture' a value in one rule and USE that
captured value in the next rule?

For example:

To: Bob <re...@wherever>

Followed by one of

Subject: hello Bob
Subject: hello <re...@whatever>

So I would want to (using pure Perl as the basis for the use of $1):

header __TOME      To =~ /([^<]+) <([^>]+)>/
header __SUBJTOME  Subject =~ /Dear ($1|$2)/

Similar tests could also catch "dear recip@whatever" at the top of a body.
The trick is to 'capture' the item in parentheses before it is destroyed 
by another internal test in SA's processing....

- Charles

Re: [sa] Re: Botnet spam not being caught

Posted by Charles Gregory <cg...@hwcn.org>.
On Sun, 14 Jun 2009, John Hardin wrote:
>>  header MSGIDIP Message-Id =~ /\@\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/
> Refine that just a tiny bit:
> header MSGIDIP Message-Id =~ /\@\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]/

LOL! Busted! I was being lazy!

- C

Re: Botnet spam not being caught

Posted by John Hardin <jh...@impsec.org>.
On Sun, 14 Jun 2009, Charles Gregory wrote:

> On Sat, 13 Jun 2009, MySQL Student wrote:
>>              Received: from [78.97.185.89] (unknown
>>              [78.97.185.89])
>>              Message-ID:
>>              <KRSZDJKABFQDKCF.IODBKVQHQTYYMYW83588989026@[78.97.185.89]>
>>
>>  Do they all have message ID's that include the IP?
>>
>>  Yeah, great, it looks like they all do. Would something like this work?
>>
>>  header     MYMSGIP    Message-ID =~ /78.97.185.89/
>
> Don't miss those square brackets. I consider them a distinctive quality 
> (unless these were added by your mail client?)....
>
> A suggested rule would be:
>
> header MSGIDIP Message-Id =~ /\@\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/

Refine that just a tiny bit:

header MSGIDIP Message-Id =~ /\@\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]/


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   We have to realize that people who run the government can and do
   change. Our society and laws must assume that bad people -
   criminals even - will run the government, at least part of the
   time.                                               -- John Gilmore
-----------------------------------------------------------------------
  4 days until SWMBO's Birthday

Re: Botnet spam not being caught

Posted by Charles Gregory <cg...@hwcn.org>.
On Sat, 13 Jun 2009, MySQL Student wrote:
>             Received: from [78.97.185.89] (unknown
>             [78.97.185.89])
>             Message-ID:
>             <KRSZDJKABFQDKCF.IODBKVQHQTYYMYW83588989026@[78.97.185.89]>
> 
> Do they all have message ID's that include the IP?
> 
> Yeah, great, it looks like they all do. Would something like this work?
> 
> header     MYMSGIP    Message-ID =~ /78.97.185.89/

Don't miss those square brackets. I consider them a distinctive quality 
(unless these were added by your mail client?)....

A suggested rule would be:

header MSGIDIP Message-Id =~ /\@\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/

Keep in mind this might also be the format generated by an 
intermediary mail server (perhaps yours) when receiving a mail with
no message-id on it. I notice the part after the @ matches the helo.

- Charles

Re: Botnet spam not being caught

Posted by LuKreme <kr...@kreme.com>.
On 13-Jun-2009, at 19:56, MySQL Student wrote:
>>> Received: from [78.97.185.89] (unknown [78.97.185.89])
>>> Message-ID:  
>>> <KRSZDJKABFQDKCF.IODBKVQHQTYYMYW83588989026@[78.97.185.89]>
>>>
>>
>> Do they all have message ID's that include the IP?
>
>
> Yeah, great, it looks like they all do. Would something like this  
> work?
>
> header     MYMSGIP    Message-ID =~ /78.97.185.89/

Are they all including that exact IP? If not, you can look for IPs in
the message ID generally:

header MYMSGIP Message-ID =~ /\b(?:\d{1,3}\.){3}\d{1,3}\b.?.?$/

(That's assuming PCRE is OK, I can never remember)

or, a more exact, but much longer regex:

\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b.?.?$

> score       MYMSGIP    0.3
> describe   MYMSGIP    Message-ID from botnet


I ran this over a large spool of messages:

find new -type f -exec egrep -li "^Message-ID.*\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b.?.?$" {} \;

(note the .?.?$ at the end to make sure I was hitting the end of the
line and not some random number sequence IN the ID)

and found it hit more mailinglist ham than spam, so I'd tread carefully.

-- 
Support bacteria - they're the only culture some people have.
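
The Message-ID rules proposed in this thread (John Hardin's bracketed MSGIDIP, LuKreme's loose and exact-octet MYMSGIP variants), run over a small labelled corpus the way LuKreme ran egrep over a spool. This is an added example, not code from the thread; the patterns are translated from SpamAssassin's Perl syntax to Python's re module, and every Message-ID except Alex's sample is constructed.

```python
import re

# Rules from the thread, patterns unchanged apart from Python re syntax.
RULES = {
    # John Hardin's refinement: a bracketed dotted quad right after the "@".
    "MSGIDIP": re.compile(r"@\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]"),
    # LuKreme's loose rule: any dotted quad followed by at most two characters
    # before end of header, so digit runs inside the ID are ignored.
    "MYMSGIP_LOOSE": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b.?.?$"),
    # LuKreme's exact variant: each octet restricted to 0-255.
    "MYMSGIP_STRICT": re.compile(
        r"\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
        r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
        r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
        r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b.?.?$"),
}

# Constructed corpus: (label, Message-ID header value). The first entry is the
# botnet sample from Alex's post; the rest are made up to probe the rules.
CORPUS = [
    ("spam", "<KRSZDJKABFQDKCF.IODBKVQHQTYYMYW83588989026@[78.97.185.89]>"),
    ("spam", "<QWERTYUIOPASDFG.ZXCVBNMASDFGHJK12345678901234@[300.1.2.3]>"),  # bogus octet
    ("ham",  "<20090614031057.GA12345@mail.example.org>"),                   # no IP at all
    ("ham",  "<Pine.LNX.4.64.0906141200010.12345@10.0.0.5>"),                # bare IP, list-style
    ("ham",  "<1234.5678.9.10.11.12@list.example.org>"),                     # digits not at end
]


def matched_rules(message_id):
    """Return the set of rule names that fire on one Message-ID value."""
    return {name for name, rx in RULES.items() if rx.search(message_id)}


def hit_counts(corpus=CORPUS):
    """Per rule, count hits split by label, like grepping a ham/spam spool."""
    counts = {name: {"spam": 0, "ham": 0} for name in RULES}
    for label, mid in corpus:
        for name in matched_rules(mid):
            counts[name][label] += 1
    return counts


if __name__ == "__main__":
    for name, c in hit_counts().items():
        print(f"{name:15s} spam={c['spam']} ham={c['ham']}")
```

On this corpus only the bracketed form stays clear of the list-style ham ID, which is the false-positive pattern LuKreme reports; the exact-octet variant additionally rejects the out-of-range octet.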


Re: Botnet spam not being caught

Posted by MySQL Student <my...@gmail.com>.
Hi Charles,

>> Received: from [78.97.185.89] (unknown [78.97.185.89])
>> Message-ID: <KRSZDJKABFQDKCF.IODBKVQHQTYYMYW83588989026@[78.97.185.89]>
>>
>
> Do they all have message ID's that include the IP?


Yeah, great, it looks like they all do. Would something like this work?

header     MYMSGIP    Message-ID =~ /78.97.185.89/
score       MYMSGIP    0.3
describe   MYMSGIP    Message-ID from botnet

Can someone help to write a rule that wildcards this safely?

> Also give a bit more score to the RDNS rules....

Yeah, great idea. It's currently only 0.1.

I also see BOTNET_NORDNS in Botnet.cf, but it isn't being triggered. It's
also weighted at 0.0. Is there a reason for this?

> You also might want to block that line that says "if picture is blocked".

There's a couple of variations, but this also looks like it would work well.

Thanks,
Alex

Re: Botnet spam not being caught

Posted by Charles Gregory <cg...@hwcn.org>.
On Sat, 13 Jun 2009, MySQL Student wrote:
> Received: from [78.97.185.89] (unknown [78.97.185.89])
> Message-ID: <KRSZDJKABFQDKCF.IODBKVQHQTYYMYW83588989026@[78.97.185.89]>

Do they all have message ID's that include the IP?  You could score that 
0.3 or so to help push it over the line. Also give a bit more score to the
RDNS rules....

You also might want to block that line that says "if picture is blocked".

- C