Mon Aug 27 14:31:58 2007 gswallow adding 0.8 source file ----------------------------------------------------------------------
1 | gregswallow | 1.1 | Botnet.api.txt 0000444 0000000 0000006 00000007251 10542471052 013530 0 ustar root mail 0000000 0000000 |
2 | If you want to write perl programs that do the same checks as Botnet, the | ||
3 | checks can now be used without having to go through SpamAssassin. You will need | ||
4 | to have SpamAssassin installed to get Botnet.pm to load, but other than | ||
5 | that, you don't have to interact with SpamAssassin. Here are the perl | ||
6 | statements that perform the same evaluation as each of the Botnet checks: | ||
7 | |||
8 | |||
9 | Same as BOTNET_NORDNS: | ||
10 | $hostname = Mail::SpamAssassin::Plugin::Botnet::get_rdns($ip); | ||
11 | $nordns = ($hostname eq ""); | ||
12 | |||
13 | Given the IP address (without surrounding []'s), will return the | ||
14 | hostname contained within the _FIRST_ PTR record it finds for that | ||
15 | IP address. | ||
16 | |||
17 | |||
18 | Same as BOTNET_BADDNS: | ||
19 | $baddns = | ||
20 | Mail::SpamAssassin::Plugin::Botnet::check_dns($hostname, $ip, "A", -1); | ||
21 | |||
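22 | Returns 1 if $hostname resolves back to $ip. Otherwise returns 0. Note that, as described, 1 means the forward lookup confirmed the IP address (the DNS is consistent), so verify against Botnet.pm whether the result has to be negated before it is used as $baddns. | ||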
23 | The third argument can be set to "MX" to resolve MX records back to | ||
24 | an IP address. Only "A" and "MX" are currently supported. | ||
25 | The fourth argument says how many records to look at. -1 says "all of | ||
26 | them". If you set this to 5, it will only look at 5 records before | ||
27 | giving up. If you set this to 5, and set the record type to "MX", then | ||
28 | only the first 5 MX records are checked, AND for each MX record only | ||
29 | the first 5 A records are checked. | ||
30 | |||
31 | |||
32 | Same as BOTNET_IPINHOSTNAME: | ||
33 | $iphost = | ||
34 | Mail::SpamAssassin::Plugin::Botnet::check_ipinhostname($hostname, $ip); | ||
35 | |||
36 | Returns 1 if the hostname contains 2 or more octets of the IP address, in | ||
37 | decimal or hexadecimal form. | ||
38 | |||
39 | |||
40 | Same as BOTNET_CLIENTWORDS or BOTNET_SERVERWORDS: | ||
41 | $cwordexp = '((\b|\d)cable(\b|\d))|((\b|\d)catv(\b|\d))|((\b|\d)ddns(\b|\d))|' . | ||
42 | '((\b|\d)dhcp(\b|\d))|((\b|\d)dial-?up(\b|\d))|' . | ||
43 | '((\b|\d)dip(\b|\d))|((\b|\d)(a|s|d(yn)?)?dsl(\b|\d))|' . | ||
44 | '((\b|\d)dynamic(\b|\d))|((\b|\d)modem(\b|\d))|' . | ||
45 | '((\b|\d)ppp(\b|\d))|((\b|\d)res(net|ident(ial)?)?(\b|\d))|' . | ||
46 | '((\b|\d)client(\b|\d))|((\b|\d)fixed(\b|\d))|' . | ||
47 | '((\b|\d)pool(\b|\d))|((\b|\d)static(\b|\d))|((\b|\d)user(\b|\d))'; | ||
48 | $cwords = Mail::SpamAssassin::Plugin::Botnet::check_words($hostname, $cwordexp); | ||
49 | |||
50 | $swordexp = '((\b|\d)mail(\b|\d))|((\b|\d)mta(\b|\d))|((\b|\d)mx(\b|\d))|' . | ||
51 | '((\b|\d)relay(\b|\d))|((\b|\d)smtp(\b|\d))'; | ||
52 | $swords = Mail::SpamAssassin::Plugin::Botnet::check_words($hostname, $swordexp); | ||
53 | |||
54 | (the above $cwordexp matches the expression sent to the client word check | ||
55 | based upon the default Botnet.cf; similarly, the above $swordexp matches | ||
56 | the expression sent to the server word check based upon the default | ||
57 | Botnet.cf) | ||
58 | |||
59 | Returns 1 if the hostname matches the regular expression passed in | ||
60 | ($cwordexp or $swordexp); the two right-most domains in $hostname are not included in the match. | ||
61 | You must supply the regular expression yourself, and interpret the result according to | ||
62 | whether it contains server words or client words. | ||
63 | |||
64 | |||
65 | Same as BOTNET_CLIENT: | ||
66 | $client = ((! $swords) && ($cwords || $iphost)); | ||
67 | OR | ||
68 | $client = check_client($hostname, $ip, $cwordexp, $swordexp, \$tests) | ||
69 | |||
70 | $tests (optional) will contain the names of the subchecks that were triggered: | ||
71 | serverwords, clientwords, ipinhostname | ||
72 | |||
73 | |||
74 | Same as BOTNET_SOHO: | ||
75 | $soho = | ||
76 | Mail::SpamAssassin::Plugin::Botnet::check_soho($hostname, $ip, $domain, $helo); | ||
77 | |||
78 | $domain should be the part after the @ in the sender's email address. | ||
79 | $helo doesn't actually do anything ... and probably won't ever. | ||
80 | |||
81 | |||
82 | Same as BOTNET: | ||
83 | $botnet = ((! $soho) && ($nordns || $baddns || $client)); | ||
84 | OR | ||
85 | $botnet = | ||
86 | Mail::SpamAssassin::Plugin::Botnet::check_botnet($hostname, $ip, | ||
87 | $cwordexp, $swordexp, $domain, $helo, \$tests); | ||
88 | |||
89 | $tests (optional) will contain the names of the subchecks that were triggered: | ||
90 | nordns, badrdns, serverwords, clientwords, ipinhostname, client, soho | ||
91 | |||
92 |