spamassassin-users mailing list archives

From John Rudd <jr...@ucsc.edu>
Subject Re: Botnet problem
Date Mon, 02 Jul 2007 14:34:18 GMT
Jari Fredriksson wrote:
> Jari Fredriksson wrote:
>> Somehow it seems to work, if I set botnet_pass_trusted in Botnet.cf
>> to an *unknown* value. 
>> I used "none" here, but any unknown value will do.
>>
>>
>> # If there are trusted relays, then look to see if there's a
>> # public IP address; if so, then pass the message through.
>> botnet_pass_trusted             none
>>
>>
>> Now the BOTNET triggers are raised and points collected.
>>
>> Dunno if this works, but it seems to.
> 
> Still answering to myself...
> According to documentation (which is always read too late;)
> 
> Option:   botnet_pass_trusted  (any|public|private|ignore)
>    If there are trusted relays (received headers that match the trusted
> networks, before getting to a received header that doesn't match the
> trusted networks), then pass the message through Botnet without matching
> any rules, IF it matches the criterion of this option.  If the option is
> set to "any", then pass the message if there are any trusted relays.  If
> the option is set to "private", then pass the message if there are any
> relays from localhost and/or RFC-1918 reserved IP addresses (10.*, etc.).
> If the option is set to "public", then pass the message if there are any
> relays that are neither localhost nor RFC-1918 reserved.  If the option
> is set to "ignore" (or, really, anything other than "any", "public", or
> "private"), then ignore the trusted relays.   Defaults to "public".
> 
> So the correct value is "ignore".

What this option says is "do you trust your trusted networks to identify 
Botnet submitted messages before giving them to you?"  In normal cases, 
you should be able to ... because, really, that's the point of 
_trusting_ them, isn't it?  You trust them not to relay spam to you, or 
to do some form of effective spam-filtering/spam-marking for you.  Yet, 
your trusted hosts aren't really helping you in this regard, are they?

There are two ways to handle your problem:


1) a) include ainavaan.iki.fi in your trusted networks
    b) set botnet_pass_trusted to "private" or "ignore"
       (I would recommend private, but it depends on your network)

2) a) do NOT include ainavaan.iki.fi in your trusted networks
       (because their behavior doesn't seem trustworthy to me)
    b) keep botnet_pass_trusted as "public"
    c) put these into your Botnet.cf, in the botnet_skip_ip section:

botnet_skip_ip		^212\.16\.98\..*$
botnet_skip_ip		^212\.16\.100\..*$

(those are tabs in the whitespace)


Method number 1 says (with botnet_pass_trusted set to "ignore"):

I don't trust any of the SpamAssassin trusted_hosts to do Botnet and/or 
spam filtering of some kind before relaying a message to me.  Do Botnet 
filtering even when I receive a message directly from any of my 
trusted_hosts.


Method number 1 says (with botnet_pass_trusted set to "private"):

I don't trust the SpamAssassin trusted_hosts (outside of my own private 
network) to do Botnet and/or spam filtering of some kind before relaying 
a message to me.  Do Botnet filtering even when I receive a message 
directly from the trusted_hosts outside of my private network.


Method number 2 says:

I trust my trusted_hosts to do Botnet filtering of some kind before 
relaying messages to me, but I also receive messages directly from 
certain relay hosts (listed in botnet_skip_ip) that I don't really trust 
for SpamAssassin purposes.  Those hosts aren't doing Botnet and/or spam 
filtering before relaying messages to me, but I know they're not Botnets 
themselves.  Tell me if those non-trusted_hosts received messages from a 
Botnet by looking past them (skipping them) in the evaluation chain.


You've chosen method 1.  I would have chosen method 2.  Either should work.


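Added illustration (not code from the Botnet plugin and not posted by anyone in this thread) of the botnet_pass_trusted semantics quoted above, in Python. It models the documented pass decision for "any", "public", "private" and "ignore" (or any unknown value), then a simplified hop-skipping step for botnet_skip_ip. The relay chain, the 192.168.1.10 internal hop, the 212.16.98.5 relay and the 203.0.113.7 client are constructed addresses; how the real plugin selects which hop to score is not reproduced here.

```python
import ipaddress
import re

# Localhost plus the RFC-1918 ranges, as named in the quoted documentation.
# ipaddress.is_private() is deliberately not used: it also covers ranges
# such as 100.64.0.0/10 and 169.254.0.0/16 that the documentation does not list.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed Received-header relay chain, newest hop first:
# an internal hop on Jari's side, the iki.fi relay, then the original client.
CHAIN = ["192.168.1.10", "212.16.98.5", "203.0.113.7"]

# Method 1: the relay is trusted.  Method 2: it is not, and is skipped instead.
M1_TRUSTED = ["192.168.1.0/24", "212.16.98.0/24", "212.16.100.0/24"]
M2_TRUSTED = ["192.168.1.0/24"]
SKIP = [r"^212\.16\.98\..*$", r"^212\.16\.100\..*$"]   # botnet_skip_ip lines


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def trusted_relays(chain, trusted_networks):
    """Leading run of hops inside trusted_networks, stopping at the first
    hop that is not (the documentation's definition of 'trusted relays')."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    run = []
    for ip in chain:
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            break
        run.append(ip)
    return run


def pass_trusted(chain, trusted_networks, setting="public") -> bool:
    """True if Botnet would pass the message without matching any rules."""
    relays = trusted_relays(chain, trusted_networks)
    if not relays:
        return False
    if setting == "any":
        return True
    if setting == "private":
        return any(is_private(r) for r in relays)
    if setting == "public":
        return any(not is_private(r) for r in relays)
    return False   # "ignore", or any unrecognised value such as "none"


def first_evaluated_relay(chain, trusted_networks, skip_patterns, setting="public"):
    """Simplified model of which hop is left to evaluate: None if the message
    is passed, otherwise the first hop past the trusted run that does not
    match a botnet_skip_ip pattern."""
    if pass_trusted(chain, trusted_networks, setting):
        return None
    rest = chain[len(trusted_relays(chain, trusted_networks)):]
    skip = [re.compile(p) for p in skip_patterns]
    for ip in rest:
        if any(p.match(ip) for p in skip):
            continue
        return ip
    return None


if __name__ == "__main__":
    for setting in ("public", "private", "ignore", "none"):
        print(f"method 1, {setting:8}: passed={pass_trusted(CHAIN, M1_TRUSTED, setting)}, "
              f"evaluates={first_evaluated_relay(CHAIN, M1_TRUSTED, [], setting)}")
    print(f"method 2, public  : passed={pass_trusted(CHAIN, M2_TRUSTED)}, "
          f"evaluates={first_evaluated_relay(CHAIN, M2_TRUSTED, SKIP)}")
```

With a private internal hop at the head of the chain, "private" still passes the message under the documented rule, which is why the choice depends on the network; "ignore" (or an unrecognised value) is the only setting that never passes, matching what the "none" experiment showed.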