spamassassin-users mailing list archives

From Matthew Newton <m...@leicester.ac.uk>
Subject Re: BOTNET IPv6 patch
Date Thu, 30 Jun 2011 11:06:06 GMT
Hi Yves,

On Wed, Jun 29, 2011 at 09:03:52PM +0200, Yves Goergen wrote:
> I was looking for an IPv6 fix for Botnet before but nobody (including
> me) was able to do it. I have now looked at your solution and to my
> Perl-unexperienced eyes, it looks promising.
> 
> I have installed it on my server and am now waiting for E-Mails from
> IPv6 hosts. Could somebody please just send me a message from an IPv6
> mail server to my address? (Preferably from a host that should not be
> caught by Botnet...)

I've just sent you a test mail. That mail server has got correct
reverse DNS, and doesn't trigger BOTNET on my home mail server
(sent over IPv6) with my patch.

> Is this fix supposed to avoid IPv6 false positives only, or also to do
> its job in detecting IPv6 bots correctly?

The intention was to fix the false positives, although it doesn't
disable BOTNET entirely for IPv6. For instance, it will still
check to see if the address has got a reverse DNS entry (and fail
if it has not), but it can't easily check for the IP address in
the PTR record like can be done for IPv4 (e.g.
host.143-210-16-36.le.ac.uk might be picked up by BOTNET for a v4
address).

I basically extended it the minimum I could to fix the IPv6
breakage, while only removing the minimum amount of functionality
that was easily possible.

I just briefly checked through the logs here for IPv6 incoming
mail. BOTNET fired on only one or two so far today, and they were
ones without PTR entries.

On Wed, Jun 29, 2011 at 09:59:52PM +0200, Yves Goergen wrote:
> > Received: from sp***ck.di***ie.com ([2001:***::40])
> > 	by do***rd.de with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
> > 	(Exim 4.71)
> > 	(envelope-from <L***e@Di***ie.com>)
> > 	id 1Qc0UA-0001R3-DT
> > 	for nospam.list@un***ed.de; Wed, 29 Jun 2011 21:31:44 +0200
> 
> > X-Spam-Report: Content analysis details:
> >   0.2 BOTNET                 Relay might be a spambot or virusbot
> >                      [botnet0.8,ip=2**.1**.2**.7*,maildomain=Di***ie.com,nordns]
> 
> Doesn't seem to work. It's a false positive again. And Botnet recognises
> the incoming IPv6 address as some IPv4 address and reports that one.

That doesn't look right - unless your munging has really messed it
up. BOTNET seemed to check an IPv4 address there: "2**.1**.2**.7*"

Do a dig -x against that IPv4 address, and the 2001:***::40
address, and see if both have correct PTRs.

However, there could be a problem if it's picked up a v4 address
to test, when the mail actually came to you from a v6 address. I'm
no expert in SA/BOTNET here, but at a guess, maybe your list of
trusted hosts is wrong?

Cheers,

Matthew



-- 
Matthew Newton, Ph.D. <mcn4@le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
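To make the two checks discussed in this thread concrete (a PTR that merely embeds the IPv4 octets, versus an address with no PTR at all, and why only the second check survives for IPv6), here is an added, self-contained illustration written for this archive page; it is not Matthew's BOTNET patch nor the plugin's code. It uses a constructed in-memory PTR table instead of real DNS lookups, and the "octets in hostname" matcher is a simplified stand-in for BOTNET's actual heuristic.

```python
import ipaddress
import re

# Constructed PTR answers standing in for DNS (no lookups are performed).
# None means "no PTR record", which BOTNET reports as "nordns".
PTR_TABLE = {
    "143.210.16.36": "host.143-210-16-36.le.ac.uk",  # octets embedded in name
    "203.0.113.7": "mail.example.org",               # clean reverse DNS
    "2001:db8::40": "mx.example.com",                 # v6 host with a PTR
    "2001:db8::99": None,                             # v6 host without a PTR
}

def ipv4_in_ptr(ip, ptr):
    """Simplified stand-in for BOTNET's IPv4 heuristic: True when the PTR name
    contains the address's octets, forwards or reversed, separated by '.', '-'
    or '_' (typical of auto-generated names for dynamic/consumer hosts)."""
    octets = ip.split(".")
    sep = r"[.\-_]"
    patterns = [sep.join(octets), sep.join(reversed(octets))]
    host = ptr.lower()
    return any(
        re.search(r"(?<![0-9])" + p + r"(?![0-9])", host) for p in patterns
    )

def botnet_verdict(ip, ptr_table=PTR_TABLE):
    """Return (fires, reason): fires=True means the BOTNET rule would hit.

    IPv4: missing PTR -> nordns; octets embedded in PTR -> ipinhostname.
    IPv6: only the missing-PTR check is applied, matching the thread's
    description of the patch (no dotted-quad form to match in the name).
    """
    addr = ipaddress.ip_address(ip)
    ptr = ptr_table.get(str(addr))
    if ptr is None:
        return True, "nordns"
    if addr.version == 4 and ipv4_in_ptr(str(addr), ptr):
        return True, "ipinhostname"
    return False, "ok"

if __name__ == "__main__":
    for ip in PTR_TABLE:
        print(ip, botnet_verdict(ip))
```

Swapping `PTR_TABLE` for real reverse lookups is left to the reader; the point is that a mail relayed over IPv6 should be judged on the IPv6 address, so if a report shows an IPv4 address for a v6-delivered message, the address selection (trusted networks) needs checking before the PTR logic does.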
