Posted to users@spamassassin.apache.org by Andy Spiegl <sp...@spiegl.de> on 2007/04/27 16:47:43 UTC

BOTNET is great but...

...I wonder how to deal with the cases where there is a legitimate
internal mailserver behind dialup-IPs.  There are quite a few small
companies that have a small home office network behind a dialup DSL
and run an internal mailserver which relays external mail to the mailserver
of their provider which then delivers to the destination.

That seems perfectly okay to me and very distinct from the botnet case
where mails from dialup-IPs are sent _directly_ to the destination MX.
But the BOTNET rules don't differentiate these two cases.

What do you think about how to deal with that?  How do YOU deal with it?
I'd really hate to lower the BOTNET scores but otoh if it hits
legit mailservers too....?

Thanks,
 Andy.

PS: Shouldn't the BOTNET_SOHO rule avoid a high BOTNET score in these cases?
    Or do I have to set the score for BOTNET_SOHO manually???
-- 
 Warning: This email, when printed on paper, has sharp edges.
 Handle with care or serious injury may result.

Re: BOTNET is great but...

Posted by Andy Spiegl <sp...@spiegl.de>.
John Rudd wrote:

But even if I wanted to, a dynamic IP doesn't make much sense as an MX. :-(

> Part of the operating definition of "soho mail server" that I am using 
> for botnet is: if your operation is so small that you're forced to use a 
> dynamic IP address for your email server, then you're probably also so 
> small that you're using one server for inbound and outbound traffic.
Hm, interesting.  But I don't agree that that's true.
I know quite a few companies that "only" have DSL for their office(s).
I don't know about other countries but here in Germany fixed IPs are
too expensive or complicated to apply for to worry about them.  DSL is fast
and easy and a dyndns service allows you to do anything you need without
problems.  Their webserver is hosted on a rented server or at a
provider's server, of course.  But many SOHOs have an internal
mailserver for internal communication (DSLs are slow for uploads!).

So, the mailserver (or the users themselves) download their mails from the
provider's POP3-server but send all their mails to the internal mailserver
which then relays the external ones to the provider's SMTP server via SMTP
AUTH.

Another "legal" scenario is a local linux server behind a dynamic IP with
services running that send their status mails to the local sendmail daemon.
That case would look exactly like my example from Friday, but wouldn't
match the BOTNET_SOHO rule either, right?

> >Shouldn't the BOTNET_SOHO look at the Received:-line of the provider's
> >mailserver?
> 
> It looks at received lines (after spam assassin has finished parsing 
> them), but which one it looks at depends upon your settings.
Okay, good argument. :-)
Maybe I have to look at my trusted networks settings again, but I can't add
dynamic IPs there.  And neither in Botnet.cf.  Besides, I am worrying more
about the spamfilter of the _recipients_ of my mails and I have no
influence on their settings...

Thanks,
 Andy.

-- 
 No matter what anyone else tells you, nice guys do finish last.

Re: BOTNET is great but...

Posted by John Rudd <jr...@ucsc.edu>.
Andy Spiegl wrote:
> John Rudd wrote:
> 
>> b) spiegl.de has 1-5 MX records, and one of them has 1-5 A records, one 
>> of which resolves to the submitting relay (87.152.143.202).
> 
> Hm, but why would I want to put this dynamic IP into the list of MXs?
> The soho mailserver doesn't accept mails from outside.

Part of the operating definition of "soho mail server" that I am using 
for botnet is: if your operation is so small that you're forced to use a 
dynamic IP address for your email server, then you're probably also so 
small that you're using one server for inbound and outbound traffic.  To 
qualify as a "small office/home office mail server", for botnet's 
purpose, you basically have to be using the same mail servers for 
inbound and outbound traffic.

> Shouldn't the BOTNET_SOHO look at the Received:-line of the provider's
> mailserver?

It looks at received lines (after spam assassin has finished parsing 
them), but which one it looks at depends upon your settings.

>> Received: from condor.int.spiegl.de (p57988fca.dip.t-dialin.net [87.152.143.202])
>>         by sienna.XXXX.de  via kasmail (3.1)
>>         id <1IgQ30-4tK-1-sienna>; Tue, 24 Apr 2007 18:47:30 GMT
> 
> As sienna.XXXX.de is one of the MXs for spiegl.de that should be enough to
> legitimize mails from there, no?
> 
> Or asked differently: how does the BOTNET code figure out which one is the
> "submitting relay" and why does it choose the wrong one?  :-)
> 

It chooses based upon:

1) your trusted networks

2) the settings in your Botnet.cf file.

So, if it's choosing the wrong one, then it's doing so because you gave 
it the wrong settings.


Re: BOTNET is great but...

Posted by Andy Spiegl <sp...@spiegl.de>.
John Rudd wrote:

> b) spiegl.de has 1-5 MX records, and one of them has 1-5 A records, one 
> of which resolves to the submitting relay (87.152.143.202).

Hm, but why would I want to put this dynamic IP into the list of MXs?
The soho mailserver doesn't accept mails from outside.

Shouldn't the BOTNET_SOHO look at the Received:-line of the provider's
mailserver?

> Received: from condor.int.spiegl.de (p57988fca.dip.t-dialin.net [87.152.143.202])
>         by sienna.XXXX.de  via kasmail (3.1)
>         id <1IgQ30-4tK-1-sienna>; Tue, 24 Apr 2007 18:47:30 GMT

As sienna.XXXX.de is one of the MXs for spiegl.de that should be enough to
legitimize mails from there, no?

Or asked differently: how does the BOTNET code figure out which one is the
"submitting relay" and why does it choose the wrong one?  :-)

Thanks,
 Andy.

-- 
 May all your PUSHes be POPped.

Re: BOTNET is great but...

Posted by John Rudd <jr...@ucsc.edu>.
Andy Spiegl wrote:
> John Rudd wrote:
> 
>> When you're just using the BOTNET rule directly, not as a meta-rule, the
>> BOTNET_SOHO code is called internally, so it should automatically kick in
>> and exempt a host from BOTNET if it appears to be a soho type mail server.
> 
> I'm not sure I understand what you mean by "using as a meta-rule".
> Do you mean it should work if I just write:
>   describe    BOTNET          Relay might be a spambot or virusbot
>   header      BOTNET          eval:botnet()
>   score       BOTNET          3.5

Yes, that is "using the BOTNET rule directly, and not as a meta-rule". 
So it will call the BOTNET_SOHO code automatically.  If your config 
qualifies for the soho exemption, this will make it happen.


> (That's the default in Botnet.cf)
> 
> If so, I don't understand why for example my own mails get scored like
> this:  (I've got a soho mailserver too)
> 
>  X-Spam-Checker-Version: SpamAssassin 3.1.7-deb (2006-10-05) on condor.int.spiegl.de
>  X-Spam-Scores: AWL=-1.933,BAYES_00=-2.599,BOTNET=3.5,FORGED_RCVD_HELO=0.135
> 
> These are the corresponding header lines:
>  Received: from pop.XXXX.de [80.237.184.21]
>         by condor.int.spiegl.de with POP3 (fetchmail-6.3.8)
>         for <sp...@localhost> (single-drop); Tue, 24 Apr 2007 20:48:13 +0200 (CEST)
>  Received: from condor.int.spiegl.de (p57988fca.dip.t-dialin.net [87.152.143.202])
>          by sienna.XXXX.de  via kasmail (3.1)
>          id <1IgQ30-4tK-1-sienna>; Tue, 24 Apr 2007 18:47:30 GMT
>  Received: from condor.int.spiegl.de (spiegl@localhost [127.0.0.1])
>         by condor.int.spiegl.de (8.13.8/8.13.8/Debian-3) with ESMTP id l3OIlTIb032652
>         (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
>         Tue, 24 Apr 2007 20:47:29 +0200
>  Received: (from spiegl@localhost)
>         by condor.int.spiegl.de (8.13.8/8.13.8/Submit) id l3OIlTTk032647;
>         Tue, 24 Apr 2007 20:47:29 +0200
> 
> My internal mailserver (condor.int.spiegl.de, 87.152.143.202) delivered the
> mail via SMTP AUTH to the mailserver of my provider, and then a bit later I
> fetched the mail from the popserver and ran SpamAssassin.
> If Botnet checks whether the providers mailserver is an MX of spiegl.de,
> that's the case:
>  spiegl.de mail is handled by 10 mx1.spiegl.de. (82.165.28.56)
>  spiegl.de mail is handled by 10 mx2.spiegl.de. (80.237.158.92)
>  spiegl.de mail is handled by 10 mx3.spiegl.de. (80.237.206.21)
>  spiegl.de mail is handled by 10 mx4.spiegl.de. (80.237.184.21)
> 
> sienna.XXXX.de has address 80.237.184.21  (-> mx4.spiegl.de)
> What else could be wrong?

Assuming that the sender address on this message was 
(something)@spiegl.de , then in order to get the BOTNET_SOHO code to 
trigger, either:

a) spiegl.de has 1-5 A records, and one of them resolves to the 
submitting relay (87.152.143.202).

b) spiegl.de has 1-5 MX records, and one of them has 1-5 A records, one 
of which resolves to the submitting relay (87.152.143.202).

Neither of these conditions is true: the lone A record for spiegl.de 
resolves to 80.237.211.99; and you showed the MX records for spiegl.de 
already and they don't point back to the submitting relay either. 
Therefore, the IP address submitting the message doesn't appear to be 
the soho mail relay for spiegl.de (according to the code used by BOTNET 
for detecting soho mail relays).

So, you aren't getting the soho exemption.

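The following is an added example and is not code from the thread or from the Botnet plugin itself. It models, in Python rather than the plugin's Perl, the two things John explains: which Received: hop counts as the "submitting relay" (the thread says this depends on trusted_networks and Botnet.cf), and the two BOTNET_SOHO conditions listed above (1-5 A records for the sender domain, or 1-5 MX records whose 1-5 A records, resolve to the relay). The relay-selection rule used here (first hop, top down, whose sending IP is outside trusted_networks) is a simplification assumed for the example, DNS is replaced by a constructed table built from the addresses quoted in the thread, and the Received: lines are condensed copies of the ones Andy posted.

```python
"""Simplified model of the BOTNET_SOHO exemption discussed in the thread.

Added example, not the Botnet plugin's own code. Assumptions:
  * the "submitting relay" is the first Received: hop (top down) whose
    sending IP is not inside trusted_networks (simplified stand-in for
    SpamAssassin's relay parsing);
  * DNS is a constructed lookup table using the records quoted in the thread,
    so everything runs offline.
"""
import ipaddress
import re

# Constructed DNS snapshot from the records quoted in the thread.
DNS_A = {
    "spiegl.de": ["80.237.211.99"],
    "mx1.spiegl.de": ["82.165.28.56"],
    "mx2.spiegl.de": ["80.237.158.92"],
    "mx3.spiegl.de": ["80.237.206.21"],
    "mx4.spiegl.de": ["80.237.184.21"],
}
DNS_MX = {
    "spiegl.de": ["mx1.spiegl.de", "mx2.spiegl.de", "mx3.spiegl.de", "mx4.spiegl.de"],
}

# Condensed Received: lines from Andy's message, newest first.
RECEIVED = [
    "from pop.XXXX.de [80.237.184.21] by condor.int.spiegl.de with POP3 (fetchmail-6.3.8)",
    "from condor.int.spiegl.de (p57988fca.dip.t-dialin.net [87.152.143.202]) by sienna.XXXX.de via kasmail (3.1)",
    "from condor.int.spiegl.de (spiegl@localhost [127.0.0.1]) by condor.int.spiegl.de (8.13.8/8.13.8/Debian-3) with ESMTP",
    "(from spiegl@localhost) by condor.int.spiegl.de (8.13.8/8.13.8/Submit)",
]

# First bracketed IPv4 literal on a Received: line is the sending host.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def submitting_relay(received, trusted_networks):
    """Return the first sending IP (top down) outside trusted_networks, or None.

    Assumed simplification of how trusted_networks decides which hop
    Botnet examines; hops without an IP literal (local submission) are skipped.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    for line in received:
        m = IP_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in n for n in nets):
            return str(ip)
    return None


def is_soho_relay(domain, relay_ip, dns_a=DNS_A, dns_mx=DNS_MX, limit=5):
    """John's two SOHO conditions.

    (a) the sender domain has 1..limit A records and one is the relay, or
    (b) it has 1..limit MX records, one of which has 1..limit A records and
        one of those is the relay.
    """
    a_records = dns_a.get(domain, [])
    if 1 <= len(a_records) <= limit and relay_ip in a_records:
        return True
    mx_records = dns_mx.get(domain, [])
    if 1 <= len(mx_records) <= limit:
        for mx in mx_records:
            mx_a = dns_a.get(mx, [])
            if 1 <= len(mx_a) <= limit and relay_ip in mx_a:
                return True
    return False


def botnet_verdict(received, sender_domain, trusted_networks):
    """Return (relay, exempt): the hop Botnet would score and whether SOHO exempts it.

    When every hop is trusted there is no untrusted relay to score at all.
    """
    relay = submitting_relay(received, trusted_networks)
    if relay is None:
        return None, True
    return relay, is_soho_relay(sender_domain, relay)


if __name__ == "__main__":
    # Andy's setup: loopback and the provider's MX are trusted, the dynamic
    # DSL address of condor.int.spiegl.de is not.
    trusted = ["127.0.0.0/8", "80.237.184.21/32"]
    relay, exempt = botnet_verdict(RECEIVED, "spiegl.de", trusted)
    print(f"submitting relay: {relay}, SOHO exemption: {exempt}")
```

Run as-is, the relay picked out is 87.152.143.202, and neither the A record for spiegl.de nor any MX host's A record resolves to it, so the exemption does not apply, which is exactly John's diagnosis. Changing the relay to the provider's MX address (80.237.184.21) satisfies condition (b), and adding the dynamic address to trusted_networks leaves no untrusted hop to score; the thread notes why neither is practical for a dial-up address.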

Re: BOTNET is great but...

Posted by Andy Spiegl <sp...@spiegl.de>.
John Rudd wrote:

> When you're just using the BOTNET rule directly, not as a meta-rule, the
> BOTNET_SOHO code is called internally, so it should automatically kick in
> and exempt a host from BOTNET if it appears to be a soho type mail server.

I'm not sure I understand what you mean by "using as a meta-rule".
Do you mean it should work if I just write:
  describe    BOTNET          Relay might be a spambot or virusbot
  header      BOTNET          eval:botnet()
  score       BOTNET          3.5

(That's the default in Botnet.cf)

If so, I don't understand why for example my own mails get scored like
this:  (I've got a soho mailserver too)

 X-Spam-Checker-Version: SpamAssassin 3.1.7-deb (2006-10-05) on condor.int.spiegl.de
 X-Spam-Scores: AWL=-1.933,BAYES_00=-2.599,BOTNET=3.5,FORGED_RCVD_HELO=0.135

These are the corresponding header lines:
 Received: from pop.XXXX.de [80.237.184.21]
        by condor.int.spiegl.de with POP3 (fetchmail-6.3.8)
        for <sp...@localhost> (single-drop); Tue, 24 Apr 2007 20:48:13 +0200 (CEST)
 Received: from condor.int.spiegl.de (p57988fca.dip.t-dialin.net [87.152.143.202])
         by sienna.XXXX.de  via kasmail (3.1)
         id <1IgQ30-4tK-1-sienna>; Tue, 24 Apr 2007 18:47:30 GMT
 Received: from condor.int.spiegl.de (spiegl@localhost [127.0.0.1])
        by condor.int.spiegl.de (8.13.8/8.13.8/Debian-3) with ESMTP id l3OIlTIb032652
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
        Tue, 24 Apr 2007 20:47:29 +0200
 Received: (from spiegl@localhost)
        by condor.int.spiegl.de (8.13.8/8.13.8/Submit) id l3OIlTTk032647;
        Tue, 24 Apr 2007 20:47:29 +0200

My internal mailserver (condor.int.spiegl.de, 87.152.143.202) delivered the
mail via SMTP AUTH to the mailserver of my provider, and then a bit later I
fetched the mail from the popserver and ran SpamAssassin.
If Botnet checks whether the providers mailserver is an MX of spiegl.de,
that's the case:
 spiegl.de mail is handled by 10 mx1.spiegl.de. (82.165.28.56)
 spiegl.de mail is handled by 10 mx2.spiegl.de. (80.237.158.92)
 spiegl.de mail is handled by 10 mx3.spiegl.de. (80.237.206.21)
 spiegl.de mail is handled by 10 mx4.spiegl.de. (80.237.184.21)

sienna.XXXX.de has address 80.237.184.21  (-> mx4.spiegl.de)
What else could be wrong?

And I can't get rid of the FORGED_RCVD_HELO either. :-(
condor.int.spiegl.de resolves to the dynamic IP, as it should.
What else is necessary?

Thanks,
 Andy.

-- 
 2 is not equal to 3  -- not even for large values of 2.

Re: BOTNET is great but...

Posted by John Rudd <jr...@ucsc.edu>.
Andy Spiegl wrote:
> ...I wonder how to deal with the cases where there is a legitimate
> internal mailserver behind dialup-IPs.  There are quite a few small
> companies that have a small home office network behind a dialup DSL
> and run an internal mailserver which relays external mail to the mailserver
> of their provider which then delivers to the destination.
> 
> That seems perfectly okay to me and very distinct from the botnet case
> where mails from dialup-IPs are sent _directly_ to the destination MX.
> But the BOTNET rules don't differentiate these two cases.
> 
> What do you think how to deal with that?  How do YOU deal with it?
> I'd really hate to lower the BOTNET scores but otoh if it hits
> legit mailservers too....?
> 
> Thanks,
>  Andy.
> 
> PS: Shouldn't the BOTNET_SOHO rule avoid a high BOTNET score in these cases?
>     Or do I have to set the score for BOTNET_SOHO manually???

The situation you're talking about is exactly what BOTNET_SOHO is meant 
to handle: those soho type mail servers that _cannot_ get their ISP to 
give them a static IP address with proper DNS for their mail domain.


When you're just using the BOTNET rule directly, not as a meta-rule, the 
BOTNET_SOHO code is called internally, so it should automatically kick 
in and exempt a host from BOTNET if it appears to be a soho type mail 
server.  But it's difficult to detect that.


You only need to set a score for BOTNET_SOHO if you're using BOTNET as a 
metarule.