Posted to users@spamassassin.apache.org by Dimitri Yioulos <dy...@firstbhph.com> on 2007/01/04 17:22:34 UTC
Botnet-0.7 not working
First, I wish all a very happy and healthy New Year.
I hope this is the proper place to ask this: several days ago, I upgraded to
Botnet-0.7 from 0.6; the latter had apparently been working fine with the
installed SA 3.1.7. I installed as per instruction (no heavy lifting there).
Now, no Botnet rules are ever hit, even though I suspect that some particular
spam has been sent via a bot. If I reinstall 0.6, I get rule hits. What
have I not done/done wrong?
Thanks.
Dimitri
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Re: Botnet-0.7 not working
Posted by John Rudd <jr...@ucsc.edu>.
Dimitri Yioulos wrote:
> [3377] dbg: Botnet: starting
> [3377] dbg: Botnet: no trusted relays
> [3377] dbg: Botnet: All skipped/no untrusted
> [3377] dbg: Botnet: skipping
That's curious... the message has neither trusted nor untrusted relays?
Can you send me (jrudd@ucsc.edu) the full spamassassin -D output for the
message?
Re: Botnet-0.7 not working
Posted by Dimitri Yioulos <dy...@firstbhph.com>.
On Thursday 04 January 2007 2:53 pm, Jens Schleusener wrote:
> On Thu, 4 Jan 2007, John Rudd wrote:
> > Dimitri Yioulos wrote:
> > > First, I wish all a very happy and healthy New Year.
> > >
> > > I hope this is the proper place to ask this: several days ago, I
> > > upgraded to Botnet-0.7 from 0.6; the latter had apparently been working
> > > fine with the installed SA 3.1.7. I installed as per instruction (no
> > > heavy lifting there). Now, no Botnet rules are ever hit, even though I
> > > suspect that some particular spam has been sent via a bot. If I
> > > reinstall 0.6, I get rule hits. What have I not done/done wrong?
> > >
> > > Thanks.
> > >
> > > Dimitri
> >
> > Do you get much output if you take one of the messages and do this
> > (assuming you're on some form of unix):
> >
> >
> > spamassassin -D < $message_file | grep -i botnet
>
> I found a similar behaviour as described on a test server.
>
> Using
>
> spamassassin -D < $message_file 2>&1 | grep -i botnet
>
> I found that in my case probably the default Botnet.cf configuration line
>
> # If there are trusted relays, then look to see if there's a
> # public IP address; if so, then pass the message through.
> botnet_pass_trusted public
>
> is the cause, since the test server receives the mails from a mail relay
> that uses a private 172.x.x.x address. Debug extract with the
> default configuration:
>
> dbg: Botnet: starting
> dbg: Botnet: found private trusted
> dbg: Botnet: skipping
>
> But "undefining" the variable "botnet_pass_trusted" I got
>
> dbg: Botnet: starting
> dbg: Botnet: get_relay good RDNS
> dbg: Botnet: IP is '189.156.64.193'
> dbg: Botnet: RDNS is 'dsl-189-156-64-193.prod-infinitum.com.mx'
> dbg: Botnet: HELO is '!189.156.64.193!'
> dbg: Botnet: sender Sarah@SDHU.COM
> dbg: Botnet: hit (baddns,client,ipinhostname,clientwords)
> dbg: rules: ran eval rule BOTNET ======> got hit
>
> Greetings
>
> Jens
>
> --
> Dr. Jens Schleusener T-Systems Solutions for Research GmbH
> Tel: +49 551 709-2493 Bunsenstr.10
> Fax: +49 551 709-2169 D-37073 Goettingen
> Jens.Schleusener@t-systems.com http://www.t-systems.com/
Using Jens's debug construct, I get the following output, which I hope will be
useful in either coming up with a solution or [once again] proving that I'm a
moron (please excuse the verbosity):
[3377] dbg: config: read file /etc/mail/spamassassin/Botnet.cf
[3377] dbg: plugin: fixed relative path: /etc/mail/spamassassin/Botnet.pm
[3377] dbg: plugin: loading Mail::SpamAssassin::Plugin::Botnet
from /etc/mail/spamassassin/Botnet.pm
[3377] dbg: Botnet: version 0.7
[3377] dbg: plugin: registered
Mail::SpamAssassin::Plugin::Botnet=HASH(0x9833114)
[3377] dbg: plugin: Mail::SpamAssassin::Plugin::Botnet=HASH(0x9833114)
implements 'parse_config'
[3377] dbg: Botnet: setting botnet_pass_auth to 0
[3377] dbg: Botnet: setting botnet_pass_trusted to public
[3377] dbg: Botnet: adding ^127\.0\.0\.1$ to botnet_skip_ip
[3377] dbg: Botnet: adding ^10\..*$ to botnet_skip_ip
[3377] dbg: Botnet: adding ^172\.1[6789]\..*$ to botnet_skip_ip
[3377] dbg: Botnet: adding ^172\.2[0-9]\..*$ to botnet_skip_ip
[3377] dbg: Botnet: adding ^172\.3[01]\..*$ to botnet_skip_ip
[3377] dbg: Botnet: adding ^192\.168\..*$ to botnet_skip_ip
[3377] dbg: Botnet: adding ^128\.223\.98\.16$ to botnet_pass_ip
[3377] dbg: Botnet: adding (\.|\A)amazon\.com$ to botnet_pass_domains
[3377] dbg: Botnet: adding (\.|\A)apple\.com$ to botnet_pass_domains
[3377] dbg: Botnet: adding (\.|\A)ebay\.com$ to botnet_pass_domains
[3377] dbg: Botnet: adding (\b|\d)(a|s|d(yn)?)?dsl(\b|\d) to
botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)cable(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)catv(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)ddns(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)dhcp(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)dial(-?up)?(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)dip(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)docsis(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)dyn(amic)?(ip)?(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)modem(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)ppp(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)res(net|ident(ial)?)?(\b|\d) to
botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)client(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)fixed(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)ip(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)pool(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)static(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)user(\b|\d) to botnet_clientwords
[3377] dbg: Botnet: adding (\b|\d)mail(\b|\d) to botnet_serverwords
[3377] dbg: Botnet: adding (\b|\d)mta(\b|\d) to botnet_serverwords
[3377] dbg: Botnet: adding (\b|\d)mx(\b|\d) to botnet_serverwords
[3377] dbg: Botnet: adding (\b|\d)relay(\b|\d) to botnet_serverwords
[3377] dbg: Botnet: adding (\b|\d)smtp(\b|\d) to botnet_serverwords
[3377] dbg: Botnet: adding (\b|\d)exch(ange)?(\b|\d) to botnet_serverwords
[3377] dbg: rules: ran header rule __BOTNET_NOTRUST ======> got hit: "negative
match"
[3377] dbg: Botnet: starting
[3377] dbg: Botnet: no trusted relays
[3377] dbg: Botnet: All skipped/no untrusted
[3377] dbg: Botnet: skipping
[3377] dbg: check:
subtests=__BOTNET_NOTRUST,__CD,__CT,__ENV_AND_HDR_FROM_MATCH,__FB_NATIONAL,
__FB_S_PRICE,__FM_LARGE_MONEY,__FM_MY_PRICE,__FRAUD_DBI,__FRAUD_LTX,
__FR_HTML_HAS_AHREF,__F_LARGE_MONEY_2,__HTML_LENGTH_1536_2048,
__KAM_NUMBER2,__LOCAL_PP_NONPPURL,__MIME_ATTACHMENT,__MIME_HTML,
__MIME_QP,__NONEMPTY_BODY,__SARE_BODY_BLNK_5_100,__SARE_LOTTO_LOTTERY,
__SARE_META_MURTY3,__SARE_URI_ANY,__TAG_EXISTS_BODY,__TAG_EXISTS_HEAD,
__TAG_EXISTS_HTML,__TAG_EXISTS_META,__UNUSABLE_MSGID
Re: Botnet-0.7 not working
Posted by Jens Schleusener <Je...@t-systems-sfr.com>.
On Fri, 5 Jan 2007, John Rudd wrote:
> Jens Schleusener wrote:
> >
> >
> > But "undefining" the variable "botnet_pass_trusted" I got
> >
>
> Forgot to ask this last time:
>
> what do you mean "undefining"? Did you set it to "none", like the
> documentation mentions? or anything else along those lines?
Ok, sorry for my incomplete mail (it was a bit late yesterday).
The sentence
"undefining" the variable "botnet_pass_trusted"
seems a little bit vague. I tested different values, also "none", but I had
the impression it doesn't matter which value I set as long as I avoid one
of the parsed values (any, public or private).
So even using
botnet_pass_trusted
or (using quotation marks)
botnet_pass_trusted "private"
instead of
botnet_pass_trusted private
changed the behaviour on my system and let Botnet work.
As with Dimitri, the Botnet "not working" problem on my system also appeared
after the upgrade 0.6 -> 0.7. The behaviour may be correct (probably as
designed) but I had overlooked the new functionality.
Finally (referring to my original mail), the term 172.x.x.x was imprecise
and ambiguous. Concretely, the address concerned is 172.21.151.21, an
address from the private address range 172.16.0.0 - 172.31.255.255
(172.16/12 prefix).
Greetings
Jens
P.S.: I will send more detailed debug information in a personal mail to
John Rudd.
--
Dr. Jens Schleusener T-Systems Solutions for Research GmbH
Tel: +49 551 709-2493 Bunsenstr.10
Fax: +49 551 709-2169 D-37073 Goettingen
Jens.Schleusener@t-systems.com http://www.t-systems.com/
Re: Botnet-0.7 not working
Posted by John Rudd <jr...@ucsc.edu>.
Jens Schleusener wrote:
>
>
> But "undefining" the variable "botnet_pass_trusted" I got
>
Forgot to ask this last time:
what do you mean "undefining"? Did you set it to "none", like the
documentation mentions? or anything else along those lines?
Re: Botnet-0.7 not working
Posted by John Rudd <jr...@ucsc.edu>.
John D. Hardin wrote:
> On Thu, 4 Jan 2007, John Rudd wrote:
>
>>> is the causer since the test server receives the mails from a mail relay
>>> that uses a private 172.x.x.x address. Debug extract with the
>>> default configuration:
>> Is that a typo? Did you mean 127.x.x.x?
>
> Nope. 172.[16-31].x.x are reserved for uncoordinated private use the
> same way 10.x.x.x and 192.168.x.x are. See
> http://www.faqs.org/rfcs/rfc1918.html
>
> botnet should probably be ignoring them completely, just like it does
> 127.x.x.x
>
Yeah, after someone mentioned that in another (off list) message, I
remembered it. It's the one private block I don't remember automatically.
And, yes, it's in Botnet's default config for skipping, and for treating
as a private network.
RE: Botnet-0.7 not working
Posted by Dave Koontz <dk...@mbc.edu>.
John is absolutely correct here. Just be careful to ensure proper checking
of the 2nd octet of the 172.x.x.x space, and ensure that it is in the 16-31
range. Otherwise you will be bypassing a very large chunk of AOL.com
address space without checks.
-----Original Message-----
From: John D. Hardin [mailto:jhardin@impsec.org]
Sent: Thursday, January 04, 2007 5:49 PM
To: John Rudd
Cc: Jens Schleusener; Dimitri Yioulos; users@spamassassin.apache.org
Subject: Re: Botnet-0.7 not working
On Thu, 4 Jan 2007, John Rudd wrote:
> > is the causer since the test server receives the mails from a mail
> > relay that uses a private 172.x.x.x address. Debug extract with the
> > default configuration:
>
> Is that a typo? Did you mean 127.x.x.x?
Nope. 172.[16-31].x.x are reserved for uncoordinated private use the same
way 10.x.x.x and 192.168.x.x are. See http://www.faqs.org/rfcs/rfc1918.html
botnet should probably be ignoring them completely, just like it does
127.x.x.x
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Windows Vista: Windows ME for the XP generation.
-----------------------------------------------------------------------
13 days until Benjamin Franklin's 301st Birthday
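To make the "check the 2nd octet" point concrete, here is an added Python example (it is not part of this thread and not Botnet's own code). It takes the six botnet_skip_ip patterns exactly as Botnet.cf 0.7 logged them in Dimitri's debug output, audits them against RFC 1918 membership using the standard ipaddress module, and contrasts them with a constructed over-broad `^172\..*$` pattern of the kind Dave warns about. Of the sample addresses, only 172.21.151.21 and 189.156.64.193 come from the thread; the rest are constructed (documentation and boundary addresses).

```python
import ipaddress
import re

# The botnet_skip_ip patterns exactly as Botnet.cf 0.7 logged them in the
# "dbg: Botnet: adding ... to botnet_skip_ip" lines quoted in this thread.
BOTNET_SKIP_IP = [re.compile(p) for p in (
    r"^127\.0\.0\.1$",
    r"^10\..*$",
    r"^172\.1[6789]\..*$",
    r"^172\.2[0-9]\..*$",
    r"^172\.3[01]\..*$",
    r"^192\.168\..*$",
)]

# Constructed for this example, NOT in Botnet.cf: the lazy "skip all of 172"
# pattern that would also exempt the public parts of 172.0.0.0/8.
NAIVE_172 = re.compile(r"^172\..*$")

# Reference: the three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def botnet_skips(ip: str) -> bool:
    """True if Botnet.cf's default skip list exempts this address."""
    return any(p.match(ip) for p in BOTNET_SKIP_IP)


def naive_skips(ip: str) -> bool:
    """The same list plus the over-broad 172 pattern."""
    return NAIVE_172.match(ip) is not None or botnet_skips(ip)


def is_rfc1918(ip: str) -> bool:
    """Authoritative check: is the address inside 10/8, 172.16/12 or 192.168/16?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit_skip_list(skip, addresses):
    """Compare a skip predicate with RFC 1918 membership for each address.

    127.0.0.1 is counted as an expected skip because Botnet.cf lists it
    explicitly. Returns {ip: "correct" | "over-skipped" | "missed"}.
    """
    report = {}
    for ip in addresses:
        expected = is_rfc1918(ip) or ip == "127.0.0.1"
        got = skip(ip)
        if got == expected:
            report[ip] = "correct"
        elif got:
            report[ip] = "over-skipped"   # public relay exempted from checks
        else:
            report[ip] = "missed"         # private relay still checked
    return report


# Constructed sample set: the two addresses from the thread plus boundary
# cases around 172.16/12 and documentation (TEST-NET) addresses.
SAMPLE_ADDRESSES = [
    "172.21.151.21",    # Jens's relay (from the thread), private
    "189.156.64.193",   # the dial-up client from the thread, public
    "172.16.0.0",       # first address of 172.16/12
    "172.31.255.255",   # last address of 172.16/12
    "172.15.255.254",   # just below the private block: public
    "172.32.0.1",       # just above the private block: public
    "10.1.2.3",
    "192.168.5.5",
    "192.169.0.1",      # public; one octet away from 192.168/16
    "127.0.0.1",
    "203.0.113.5",      # TEST-NET-3, public
]

if __name__ == "__main__":
    for name, fn in (("Botnet.cf default", botnet_skips), ("naive ^172", naive_skips)):
        print(f"--- {name} ---")
        for ip, verdict in audit_skip_list(fn, SAMPLE_ADDRESSES).items():
            print(f"{ip:16} {verdict}")
```

Run as a script, the Botnet.cf list reports "correct" for every sample address, while the naive pattern reports 172.15.255.254 and 172.32.0.1 as "over-skipped", which is exactly the exposure Dave describes: a relay in public 172.x space would never be examined. The same audit can be pointed at a site's own botnet_skip_ip additions before deploying them.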
Re: Botnet-0.7 not working
Posted by "John D. Hardin" <jh...@impsec.org>.
On Thu, 4 Jan 2007, John Rudd wrote:
> > is the causer since the test server receives the mails from a mail relay
> > that uses a private 172.x.x.x address. Debug extract with the
> > default configuration:
>
> Is that a typo? Did you mean 127.x.x.x?
Nope. 172.[16-31].x.x are reserved for uncoordinated private use the
same way 10.x.x.x and 192.168.x.x are. See
http://www.faqs.org/rfcs/rfc1918.html
botnet should probably be ignoring them completely, just like it does
127.x.x.x
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Windows Vista: Windows ME for the XP generation.
-----------------------------------------------------------------------
13 days until Benjamin Franklin's 301st Birthday
Re: Botnet-0.7 not working
Posted by John Rudd <jr...@ucsc.edu>.
Jens Schleusener wrote:
> On Thu, 4 Jan 2007, John Rudd wrote:
>
>> Dimitri Yioulos wrote:
>>> First, I wish all a very happy and healthy New Year.
>>>
>>> I hope this is the proper place to ask this: several days ago, I upgraded
>>> to Botnet-0.7 from 0.6; the latter had apparently been working fine with the
>>> installed SA 3.1.7. I installed as per instruction (no heavy lifting
>>> there). Now, no Botnet rules are ever hit, even though I suspect that some
>>> particular spam has been sent via a bot. If I reinstall 0.6, I get rule
>>> hits. What have I not done/done wrong?
>>>
>>> Thanks.
>>>
>>> Dimitri
>>>
>> Do you get much output if you take one of the messages and do this (assuming
>> you're on some form of unix):
>>
>>
>> spamassassin -D < $message_file | grep -i botnet
>
> I found a similar behaviour as described on a test server.
>
> Using
>
> spamassassin -D < $message_file 2>&1 | grep -i botnet
doh! Yeah, forgot to redirect STDERR.
>
> I found that in my case probably the default Botnet.cf configuration line
>
> # If there are trusted relays, then look to see if there's a
> # public IP address; if so, then pass the message through.
> botnet_pass_trusted public
>
> is the cause, since the test server receives the mails from a mail relay
> that uses a private 172.x.x.x address. Debug extract with the
> default configuration:
Is that a typo? Did you mean 127.x.x.x?
>
> dbg: Botnet: starting
> dbg: Botnet: found private trusted
> dbg: Botnet: skipping
Hm. That's odd. You had the setting set to "public", but it skipped
for a "private" trusted address? I'll have to look at why that's happening.
I don't suppose you could send me an example message where this change
made a difference?
>
> But "undefining" the variable "botnet_pass_trusted" I got
>
> dbg: Botnet: starting
> dbg: Botnet: get_relay good RDNS
> dbg: Botnet: IP is '189.156.64.193'
> dbg: Botnet: RDNS is 'dsl-189-156-64-193.prod-infinitum.com.mx'
> dbg: Botnet: HELO is '!189.156.64.193!'
> dbg: Botnet: sender Sarah@SDHU.COM
> dbg: Botnet: hit (baddns,client,ipinhostname,clientwords)
> dbg: rules: ran eval rule BOTNET ======> got hit
>
> Greetings
>
> Jens
>
Re: Botnet-0.7 not working
Posted by Jens Schleusener <Je...@t-systems-sfr.com>.
On Thu, 4 Jan 2007, John Rudd wrote:
> Dimitri Yioulos wrote:
> > First, I wish all a very happy and healthy New Year.
> >
> > I hope this is the proper place to ask this: several days ago, I upgraded
> > to Botnet-0.7 from 0.6; the latter had apparently been working fine with the
> > installed SA 3.1.7. I installed as per instruction (no heavy lifting
> > there). Now, no Botnet rules are ever hit, even though I suspect that some
> > particular spam has been sent via a bot. If I reinstall 0.6, I get rule
> > hits. What have I not done/done wrong?
> >
> > Thanks.
> >
> > Dimitri
> >
>
> Do you get much output if you take one of the messages and do this (assuming
> you're on some form of unix):
>
>
> spamassassin -D < $message_file | grep -i botnet
I found a similar behaviour as described on a test server.
Using
spamassassin -D < $message_file 2>&1 | grep -i botnet
I found that in my case probably the default Botnet.cf configuration line
# If there are trusted relays, then look to see if there's a
# public IP address; if so, then pass the message through.
botnet_pass_trusted public
is the cause, since the test server receives the mails from a mail relay
that uses a private 172.x.x.x address. Debug extract with the
default configuration:
dbg: Botnet: starting
dbg: Botnet: found private trusted
dbg: Botnet: skipping
But "undefining" the variable "botnet_pass_trusted" I got
dbg: Botnet: starting
dbg: Botnet: get_relay good RDNS
dbg: Botnet: IP is '189.156.64.193'
dbg: Botnet: RDNS is 'dsl-189-156-64-193.prod-infinitum.com.mx'
dbg: Botnet: HELO is '!189.156.64.193!'
dbg: Botnet: sender Sarah@SDHU.COM
dbg: Botnet: hit (baddns,client,ipinhostname,clientwords)
dbg: rules: ran eval rule BOTNET ======> got hit
Greetings
Jens
--
Dr. Jens Schleusener T-Systems Solutions for Research GmbH
Tel: +49 551 709-2493 Bunsenstr.10
Fax: +49 551 709-2169 D-37073 Goettingen
Jens.Schleusener@t-systems.com http://www.t-systems.com/
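Jens's debug output shows why the external relay fires once Botnet actually examines it: hit (baddns,client,ipinhostname,clientwords). The following is an added Python example, not part of the thread and not Botnet's code, that re-runs the two DNS-free heuristics on that relay. The botnet_clientwords and botnet_serverwords patterns are copied exactly from the debug output quoted earlier in this thread; the ipinhostname test is a simplified stand-in of my own (Botnet's exact algorithm is not shown on this page), and the hostnames other than dsl-189-156-64-193.prod-infinitum.com.mx are constructed. The baddns and client reasons need live DNS lookups and are deliberately left out.

```python
import re

# botnet_clientwords exactly as Botnet.cf 0.7 logged them in this thread
# (Perl regex syntax; every construct used is also valid in Python's re).
CLIENTWORDS = [re.compile(p) for p in (
    r"(\b|\d)(a|s|d(yn)?)?dsl(\b|\d)",
    r"(\b|\d)cable(\b|\d)",
    r"(\b|\d)catv(\b|\d)",
    r"(\b|\d)ddns(\b|\d)",
    r"(\b|\d)dhcp(\b|\d)",
    r"(\b|\d)dial(-?up)?(\b|\d)",
    r"(\b|\d)dip(\b|\d)",
    r"(\b|\d)docsis(\b|\d)",
    r"(\b|\d)dyn(amic)?(ip)?(\b|\d)",
    r"(\b|\d)modem(\b|\d)",
    r"(\b|\d)ppp(\b|\d)",
    r"(\b|\d)res(net|ident(ial)?)?(\b|\d)",
    r"(\b|\d)client(\b|\d)",
    r"(\b|\d)fixed(\b|\d)",
    r"(\b|\d)ip(\b|\d)",
    r"(\b|\d)pool(\b|\d)",
    r"(\b|\d)static(\b|\d)",
    r"(\b|\d)user(\b|\d)",
)]

# botnet_serverwords, likewise copied from the thread's debug output.
SERVERWORDS = [re.compile(p) for p in (
    r"(\b|\d)mail(\b|\d)",
    r"(\b|\d)mta(\b|\d)",
    r"(\b|\d)mx(\b|\d)",
    r"(\b|\d)relay(\b|\d)",
    r"(\b|\d)smtp(\b|\d)",
    r"(\b|\d)exch(ange)?(\b|\d)",
)]


def matched_words(patterns, host):
    """Return the text each matching pattern actually matched in host."""
    hits = []
    for p in patterns:
        m = p.search(host)
        if m:
            hits.append(m.group(0))
    return hits


def ip_in_hostname(ip, host):
    """Simplified stand-in for Botnet's 'ipinhostname' (an assumption, not
    Botnet's real test): true when at least two distinct octets of the
    address appear as separate decimal tokens in the rDNS name."""
    octets = set(ip.split("."))
    tokens = set(re.findall(r"\d+", host))
    return len(octets & tokens) >= 2


def evaluate_relay(ip, rdns):
    """Re-run the two DNS-free heuristics on one relay.

    Hostnames are lowercased first (assumption: Botnet compares
    case-insensitively). How Botnet weighs serverwords against clientwords
    is not shown in the thread, so both lists are just reported.
    """
    host = rdns.lower()
    client = matched_words(CLIENTWORDS, host)
    server = matched_words(SERVERWORDS, host)
    reasons = []
    if ip_in_hostname(ip, host):
        reasons.append("ipinhostname")
    if client:
        reasons.append("clientwords")
    return {"reasons": reasons, "clientwords": client, "serverwords": server}


if __name__ == "__main__":
    # The relay from Jens's debug output, then two constructed hostnames.
    for ip, rdns in (
        ("189.156.64.193", "dsl-189-156-64-193.prod-infinitum.com.mx"),
        ("203.0.113.5", "mx1.example.net"),
        ("203.0.113.5", "static-203-0-113-5.example.net"),
    ):
        print(ip, rdns, evaluate_relay(ip, rdns))
```

On Jens's relay this reproduces the ipinhostname and clientwords reasons (the word is "dsl"). Note that the serverwords list also reports "mx", which here is merely the Mexican TLD at the end of the name; when tuning these word lists, look at the matched text and not just at whether a match occurred.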
Re: Botnet-0.7 not working
Posted by John Rudd <jr...@ucsc.edu>.
Dimitri Yioulos wrote:
> First, I wish all a very happy and healthy New Year.
>
> I hope this is the proper place to ask this: several days ago, I upgraded to
> Botnet-0.7 from 0.6; the latter had apparently been working fine with the
> installed SA 3.1.7. I installed as per instruction (no heavy lifting there).
> Now, no Botnet rules are ever hit, even though I suspect that some particular
> spam has been sent via a bot. If I reinstall 0.6, I get rule hits. What
> have I not done/done wrong?
>
> Thanks.
>
> Dimitri
>
Do you get much output if you take one of the messages and do this
(assuming you're on some form of unix):
spamassassin -D < $message_file | grep -i botnet