Posted to users@spamassassin.apache.org by Jari Fredriksson <ja...@iki.fi> on 2007/07/02 13:39:49 UTC
Botnet problem
I have an address which has its MX in an external trusted network, which then hands it over to my own server.
Headers:
Return-Path: <po...@startmeup.fr>
X-Original-To: jarif@example.com
Delivered-To: jarif@example.com
Received: from localhost (localhost [127.0.0.1])
by pena.example.com (Postfix) with ESMTP id 7444190C
for <ja...@example.com>; Mon, 2 Jul 2007 05:10:28 +0300 (EEST)
*** RELAY#2: BELOW IS MY SERVER GETTING THE MESSAGE FROM A TRUSTED MIDDLE MAN ***
Received: from ainavaan.iki.fi (ainavaan.iki.fi [212.16.98.51])
by pena.example.com (Postfix) with ESMTP id 1754F7EA
for <ja...@example.com>; Mon, 2 Jul 2007 05:10:27 +0300 (EEST)
*** RELAY#1: BELOW IS THE TRUSTED MIDDLE MAN RECEIVING THE MESSAGE FROM A SPAMBOT ***
Received: from 125-25-91-188.adsl.totbb.net (125-25-91-188.adsl.totbb.net [125.25.91.188])
by ainavaan.iki.fi (8.13.8/8.13.8) with ESMTP id l622AAka001719;
Mon, 2 Jul 2007 05:10:13 +0300 (EEST)
Received: from 212.37.195.89 (HELO mailsmtp4.internet-fr.net)
by iki.fi with esmtp (DT;53H-O/,>) 3.B4AV)
id A4XV3A-4+B/6O-KU
for jari.anttonen@iki.fi; Mon, 2 Jul 2007 02:08:05 -0700
Date: Mon, 2 Jul 2007 02:08:05 -0700
From: "Marquis Benson" <po...@startmeup.fr>
X-Mailer: The Bat! (v3.0.1.33) UNREG / CD5BF9353B3B7091
X-Priority: 3 (Normal)
Message-ID: <54...@thhebat.net>
To: jari.anttonen@iki.fi
Subject: Get out of the obese crowd
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------67109D3E5409DA37"
X-Spam: Not detected
Problem:
Botnet evaluates the server "ainavaan.iki.fi" and, as it finds it trusted, it drops the case. No BOTNET rules are triggered.
If I edit the "trusted middleman" out of the headers,
Return-Path: <po...@startmeup.fr>
X-Original-To: jarif@example.com
Delivered-To: jarif@example.com
Received: from localhost (localhost [127.0.0.1])
by pena.example.com (Postfix) with ESMTP id 7444190C
for <ja...@example.com>; Mon, 2 Jul 2007 05:10:28 +0300 (EEST)
Received: from 125-25-91-188.adsl.totbb.net (125-25-91-188.adsl.totbb.net [125.25.91.188])
by pena.example.com (Postfix) with ESMTP id 1754F7EA
for <ja...@example.com>; Mon, 2 Jul 2007 05:10:27 +0300 (EEST)
Received: from 212.37.195.89 (HELO mailsmtp4.internet-fr.net)
by iki.fi with esmtp (DT;53H-O/,>) 3.B4AV)
id A4XV3A-4+B/6O-KU
for jari.anttonen@iki.fi; Mon, 2 Jul 2007 02:08:05 -0700
then Botnet "sees" 125-25-91-188.adsl.totbb.net and triggers BOTNET rules correctly.
Can I fix this problem somehow with configuration, or does it need something in the Botnet.pm? I'm not very good at perl..
Re: Botnet problem
Posted by Jari Fredriksson <ja...@iki.fi>.
Matthias Keller wrote:
> Jari Fredriksson wrote:
>> I have an address which has its MX in an external trusted network,
>> which then hands it over to my own server.
>>
>> (...)
>>
>> Can I fix this problem somehow with configuration, or does it need
>> something in the Botnet.pm? I'm not very good at perl..
>>
> Hi
>
> What have you got exactly in your SA-configuration for
> trusted_networks ?
>
> Matt
trusted_networks 212.16.98.0/24 212.16.100.0/24 62.142.0.0/16 195.74.0.0/16 213.192.189.2/24 217.30.188.0/24 65.54.0.0/16
The first two entries cover the named "trusted" middleman; the others are things like Hotmail MXs and such.
Re: Botnet problem
Posted by Matthias Keller <li...@matthias-keller.ch>.
Jari Fredriksson wrote:
> I have an address which has its MX in an external trusted network, which then hands it over to my own server.
>
> (...)
>
> Can I fix this problem somehow with configuration, or does it need something in the Botnet.pm? I'm not very good at perl..
>
Hi
What have you got exactly in your SA-configuration for trusted_networks ?
Matt
Re: Botnet problem
Posted by John Rudd <jr...@ucsc.edu>.
John D. Hardin wrote:
> On Mon, 2 Jul 2007, John Rudd wrote:
>
>> What this option says is "do you trust your trusted networks to
>> identify Botnet submitted messages before giving them to you?"
>> In normal cases, you should be able to ... because, really, that's
>> the point of _trusting_ them, isn't it? You trust them not to
>> relay spam to you, or to do some form of effective
>> spam-filtering/spam-marking for you.
>
> er... No. You trust them to not forge headers and other identifying
> information.
Well, that's half of the criteria. The other half does have something
to do with originating vs relaying of spam. I always read into that an
expectation that they're doing some form of spam checking (at least
scanning & marking the message), but clearly that was my own bias as
opposed to the letter of the document.
I usually set it up as:
Hosts _I_ manage are trusted. Hosts I manage do some form of
scanning/marking/rejecting that I consider appropriate for email they
relay, so I don't need to second guess them, and I find them acceptable
for deciding if a message is "all trusted" or not.
Everyone else is at least somewhat suspicious (and therefore shouldn't
be qualified for the "all trusted" rule). Those yahoos need to be
second guessed, and are therefore "not trusted", but I might skip them
in Botnet checks.
Re: Botnet problem
Posted by "John D. Hardin" <jh...@impsec.org>.
On Mon, 2 Jul 2007, John Rudd wrote:
> What this option says is "do you trust your trusted networks to
> identify Botnet submitted messages before giving them to you?"
> In normal cases, you should be able to ... because, really, that's
> the point of _trusting_ them, isn't it? You trust them not to
> relay spam to you, or to do some form of effective
> spam-filtering/spam-marking for you.
er... No. You trust them to not forge headers and other identifying
information.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
It there a Special Olympics for terrorists going on in the UK this
week? -- Bruce Schneier, 02/02/2007
-----------------------------------------------------------------------
2 days until The 231st anniversary of the Declaration of Independence
Re: Botnet problem
Posted by John Rudd <jr...@ucsc.edu>.
Jari Fredriksson wrote:
> Jari Fredriksson wrote:
>> Somehow it seems to work, if I set botnet_pass_trusted in Botnet.cf
>> to an *unknown* value.
>> I used "none" here, but any unknown value will do.
>>
>>
>> # If there are trusted relays, then look to see if there's a
>> # public IP address; if so, then pass the message through.
>> botnet_pass_trusted none
>>
>>
>> Now the BOTNET triggers are raised and points collected.
>>
>> Dunno if this works, but it seems to.
>
> Still answering to myself...
> According to documentation (which is always read too late;)
>
> Option: botnet_pass_trusted (any|public|private|ignore)
> If there are trusted relays (received headers that match the trusted
> networks, before getting to a received header that doesn't match the
> trusted networks), then pass the message through Botnet without matching
> any rules, IF it matches the criterion of this option. If the option is
> set to "any", then pass the message if there are any trusted relays. If
> the option is set to "private", then pass the message if there are any
> relays from localhost and/or RFC-1918 reserved IP addresses (10.*, etc.).
> If the option is set to "public", then pass the message if there are any
> relays that are neither localhost nor RFC-1918 reserved. If the option
> is set to "ignore" (or, really, anything other than "any", "public", or
> "private"), then ignore the trusted relays. Defaults to "public".
>
> So the correct value is "ignore".
What this option says is "do you trust your trusted networks to identify
Botnet submitted messages before giving them to you?" In normal cases,
you should be able to ... because, really, that's the point of
_trusting_ them, isn't it? You trust them not to relay spam to you, or
to do some form of effective spam-filtering/spam-marking for you. Yet,
your trusted hosts aren't really helping you in this regard, are they?
There are two ways to handle your problem:
1) a) include the ainavaan.iki.fi in your trusted networks
b) set botnet_pass_trusted to "private" or "ignore"
(I would recommend private, but it depends on your network)
2) a) do NOT include ainavaan.iki.fi in your trusted networks
(because their behavior doesn't seem trustworthy to me)
b) keep botnet_pass_trusted as "public"
c) put these into your Botnet.cf, in the botnet_skip_ip section:
botnet_skip_ip ^212\.16\.98\..*$
botnet_skip_ip ^212\.16\.100\..*$
(those are tabs in the whitespace)
Method number 1 says (with botnet_pass_trusted set to "ignore"):
I don't trust any of the SpamAssassin trusted_hosts to do Botnet and/or
spam filtering of some kind before relaying a message to me. Do Botnet
filtering even when I receive a message directly from any of my
trusted_hosts.
Method number 1 says (with botnet_pass_trusted set to "private"):
I don't trust the SpamAssassin trusted_hosts (outside of my own private
network) to do Botnet and/or spam filtering of some kind before relaying
a message to me. Do Botnet filtering even when I receive a message
directly from the trusted_hosts outside of my private network.
Method number 2 says:
I trust my trusted_hosts to do Botnet filtering of some kind before
relaying messages to me, but I also receive messages directly from
certain relay hosts (listed in botnet_skip_ip) that I don't really trust
for SpamAssassin purposes. Those hosts aren't doing Botnet and/or spam
filtering before relaying messages to me, but I know they're not Botnets
themselves. Tell me if those non-trusted_hosts received messages from a
Botnet by looking past them (skipping them) in the evaluation chain.
You've chosen method 1. I would have chosen method 2. Either should work.
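To make the difference between the two methods concrete, here is an added example (illustration code written for this page, not Botnet.pm or any SpamAssassin code) that walks the Received chain posted at the top of the thread under the botnet_pass_trusted semantics quoted from the documentation, with the trusted_networks list Jari posted and the botnet_skip_ip regexes John suggested. The header sample is constructed from the posted chain (the elided "for" addresses are simply left out); 127/8 is added to the trusted list because SpamAssassin always treats loopback as trusted; and looks_like_client() is a simplified stand-in of my own for the plugin's hostname rules, not the plugin's actual tests.

```python
"""Model of a Received-header walk under trusted_networks, botnet_pass_trusted
and botnet_skip_ip, following the option description quoted in the thread.
Illustration code for this page, not Botnet.pm."""
import ipaddress
import re

# Constructed sample based on the Received chain posted in the thread,
# newest hop first (the elided "for" clauses are omitted).
SAMPLE_HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
\tby pena.example.com (Postfix) with ESMTP id 7444190C;
\tMon, 2 Jul 2007 05:10:28 +0300 (EEST)
Received: from ainavaan.iki.fi (ainavaan.iki.fi [212.16.98.51])
\tby pena.example.com (Postfix) with ESMTP id 1754F7EA;
\tMon, 2 Jul 2007 05:10:27 +0300 (EEST)
Received: from 125-25-91-188.adsl.totbb.net (125-25-91-188.adsl.totbb.net [125.25.91.188])
\tby ainavaan.iki.fi (8.13.8/8.13.8) with ESMTP id l622AAka001719;
\tMon, 2 Jul 2007 05:10:13 +0300 (EEST)
Received: from 212.37.195.89 (HELO mailsmtp4.internet-fr.net)
\tby iki.fi with esmtp id A4XV3A-4+B/6O-KU;
\tMon, 2 Jul 2007 02:08:05 -0700
"""

# trusted_networks as posted, plus 127/8 (SpamAssassin always trusts loopback).
POSTED_TRUSTED = ["127.0.0.0/8", "212.16.98.0/24", "212.16.100.0/24",
                  "62.142.0.0/16", "195.74.0.0/16", "213.192.189.2/24",
                  "217.30.188.0/24", "65.54.0.0/16"]
# Method 2: drop the middleman from trusted_networks, skip it by regex instead.
METHOD2_TRUSTED = [n for n in POSTED_TRUSTED if not n.startswith("212.16.")]
METHOD2_SKIP = [r"^212\.16\.98\..*$", r"^212\.16\.100\..*$"]

RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<name>\S+)(?:.*?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\])?")
PRIVATE = [ipaddress.ip_network(n) for n in
           ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLIENT_WORDS = re.compile(r"(adsl|dsl|dial|dyn|cable|pool|ppp)", re.I)


def received_hops(headers):
    """Unfold the headers and return [(claimed name, IPv4Address)], top first.
    Headers with no usable address (pure forgeries) are skipped."""
    hops = []
    for folded in re.split(r"\n(?!\s)", headers.rstrip("\n")):
        m = RECEIVED_RE.match(re.sub(r"\n\s+", " ", folded))
        if not m:
            continue
        try:
            hops.append((m["name"], ipaddress.ip_address(m["ip"] or m["name"])))
        except ValueError:
            continue
    return hops


def is_private(ip):
    """Localhost or RFC 1918, the distinction the option text draws."""
    return any(ip in net for net in PRIVATE)


def pick_relay(hops, trusted_networks, pass_trusted="public", skip_ip=()):
    """Return the (name, ip) hop the Botnet rules would examine, or None when
    botnet_pass_trusted short-circuits the check.  Only the leading run of
    trusted hops counts as 'trusted relays', as the quoted documentation says."""
    # strict=False accepts SA-style entries with host bits set (213.192.189.2/24).
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    skip = [re.compile(p) for p in skip_ip]
    leading, rest = [], []
    for i, (name, ip) in enumerate(hops):
        if any(ip in net for net in trusted):
            leading.append(ip)
        else:
            rest = hops[i:]
            break
    if pass_trusted == "any" and leading:
        return None
    if pass_trusted == "private" and any(is_private(ip) for ip in leading):
        return None
    if pass_trusted == "public" and any(not is_private(ip) for ip in leading):
        return None
    # "ignore" (or any unknown value) never passes on trusted relays.
    for name, ip in rest:
        if any(r.search(str(ip)) for r in skip):
            continue           # botnet_skip_ip: look past this hop
        return name, ip
    return None


def looks_like_client(name, ip):
    """Simplified stand-in for the plugin's hostname rules: rDNS embeds at
    least two of the address octets, or carries an access-line keyword."""
    nums = set(re.findall(r"\d+", name))
    return len(nums.intersection(str(ip).split("."))) >= 2 or bool(CLIENT_WORDS.search(name))


def evaluate(headers, trusted_networks, pass_trusted="public", skip_ip=()):
    """None when the message is passed untouched, else the relay examined."""
    picked = pick_relay(received_hops(headers), trusted_networks, pass_trusted, skip_ip)
    if picked is None:
        return None
    name, ip = picked
    return {"host": name, "ip": str(ip), "client_like": looks_like_client(name, ip)}


if __name__ == "__main__":
    for label, cfg in [
        ("posted config, pass_trusted=public", (POSTED_TRUSTED, "public", ())),
        ("method 1, pass_trusted=private", (POSTED_TRUSTED, "private", ())),
        ("method 1, pass_trusted=ignore", (POSTED_TRUSTED, "ignore", ())),
        ("method 2, skip list", (METHOD2_TRUSTED, "public", METHOD2_SKIP)),
    ]:
        print(f"{label}: {evaluate(SAMPLE_HEADERS, *cfg)}")
```

With the posted configuration the walk stops at ainavaan.iki.fi (a public trusted relay) and the message is passed, which is what Jari saw; remove that hop and the totbb.net host is examined, which is also what he saw. Under this reading of the documentation the loopback reinjection hop at the top of the chain already satisfies "private", so of John's two suggestions only "ignore" (method 1) or the skip list (method 2) gets the totbb.net host in front of the rules; whether Botnet.pm treats that loopback hop the same way is not something the thread settles, so check it against your own chain before relying on "private".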
Re: Botnet problem
Posted by Jari Fredriksson <ja...@iki.fi>.
Jari Fredriksson wrote:
> Somehow it seems to work, if I set botnet_pass_trusted in Botnet.cf
> to an *unknown* value.
> I used "none" here, but any unknown value will do.
>
>
> # If there are trusted relays, then look to see if there's a
> # public IP address; if so, then pass the message through.
> botnet_pass_trusted none
>
>
> Now the BOTNET triggers are raised and points collected.
>
> Dunno if this works, but it seems to.
Still answering to myself...
According to documentation (which is always read too late;)
Option: botnet_pass_trusted (any|public|private|ignore)
If there are trusted relays (received headers that match the trusted
networks, before getting to a received header that doesn't match the
trusted networks), then pass the message through Botnet without matching
any rules, IF it matches the criterion of this option. If the option is
set to "any", then pass the message if there are any trusted relays. If
the option is set to "private", then pass the message if there are any
relays from localhost and/or RFC-1918 reserved IP addresses (10.*, etc.).
If the option is set to "public", then pass the message if there are any
relays that are neither localhost nor RFC-1918 reserved. If the option
is set to "ignore" (or, really, anything other than "any", "public", or
"private"), then ignore the trusted relays. Defaults to "public".
So the correct value is "ignore".
Re: Botnet problem
Posted by Jari Fredriksson <ja...@iki.fi>.
Somehow it seems to work, if I set botnet_pass_trusted in Botnet.cf to an *unknown* value.
I used "none" here, but any unknown value will do.
# If there are trusted relays, then look to see if there's a
# public IP address; if so, then pass the message through.
botnet_pass_trusted none
Now the BOTNET triggers are raised and points collected.
Dunno if this works, but it seems to.