Parent Directory | Revision Log | Revision Graph
Mon Aug 27 14:31:58 2007 gswallow adding 0.8 source file ----------------------------------------------------------------------
1 | Botnet.api.txt 0000444 0000000 0000006 00000007251 10542471052 013530 0 ustar root mail 0000000 0000000 |
2 | If you want to write perl programs that do the same checks as Botnet, they |
3 | can now be used without having to go through SpamAssassin. You will need |
4 | to have SpamAssassin installed to get Botnet.pm to load, but other than |
5 | that, you don't have to interact with SpamAssassin. Here are the perl |
6 | statements that evaluate to the same process as the Botnet checks: |
7 | |
8 | |
9 | Same as BOTNET_NORDNS: |
10 | $hostname = Mail::SpamAssassin::Plugin::Botnet::get_rdns($ip); |
11 | $nordns = ($hostname eq ""); |
12 | |
13 | Given the IP address (without surrounding []'s), will return the |
14 | hostname contained within the _FIRST_ PTR record it finds for that |
15 | IP address. |
16 | |
17 | |
18 | Same as BOTNET_BADDNS: |
19 | $baddns = |
20 | Mail::SpamAssassin::Plugin::Botnet::check_dns($hostname, $ip, "A", -1); |
21 | |
22 | Returns 1 if $hostname resolves back to $ip. Otherwise returns 0. |
23 | The third argument can be set to "MX" to resolve MX records back to |
24 | an IP address. Only "A" and "MX" are currently supported. |
25 | The fourth argument says how many records to look at. -1 says "all of |
26 | them". If you set this to 5, it will only look at 5 records before |
27 | giving up. If you set this to 5, and set the record type to "MX", then |
28 | the only the first 5 MX records are checked, AND for each MX record only |
29 | the first 5 A records are checked. |
30 | |
31 | |
32 | Same as BOTNET_IPINHOSTNAME: |
33 | $iphost = |
34 | Mail::SpamAssassin::Plugin::Botnet::check_ipinhostname($hostname, $ip); |
35 | |
36 | Returns 1 if the hostname contains 2 or more octets of the IP address, in |
37 | decimal or hexidecimal form. |
38 | |
39 | |
40 | Same as BOTNET_CLIENTWORDS or BOTNET_SERVERWORDS: |
41 | $cwordexp = '((\b|\d)cable(\b|\d))|((\b|\d)catv(\b|\d))|((\b|\d)ddns(\b|\d))|' . |
42 | '((\b|\d)dhcp(\b|\d))|((\b|\d)dial-?up(\b|\d))|' . |
43 | '((\b|\d)dip(\b|\d))|((\b|\d)(a|s|d(yn)?)?dsl(\b|\d))|' . |
44 | '((\b|\d)dynamic(\b|\d))|((\b|\d)modem(\b|\d))|' . |
45 | '((\b|\d)ppp(\b|\d))|((\b|\d)res(net|ident(ial)?)?(\b|\d))|' . |
46 | '((\b|\d)client(\b|\d))|((\b|\d)fixed(\b|\d))|' . |
47 | '((\b|\d)pool(\b|\d))|((\b|\d)static(\b|\d))|((\b|\d)user(\b|\d))'; |
48 | $cwords = Mail::SpamAssassin::Plugin::Botnet::check_words($hostname, $cwordexp); |
49 | |
50 | $swordexp = '((\b|\d)mail(\b|\d))|((\b|\d)mta(\b|\d))|((\b|\d)mx(\b|\d))|' . |
51 | '((\b|\d)relay(\b|\d))|((\b|\d)smtp(\b|\d))'; |
52 | $swords = Mail::SpamAssassin::Plugin::Botnet::check_words($hostname, $swordexp); |
53 | |
54 | (the above $cwordexp matches the expression sent to the client word check |
55 | based upon the default Botnet.cf; similarly, the above $swordexp matches |
56 | the expression sent to the server word check based upon the default |
57 | Botnet.cf) |
58 | |
59 | Returns 1 if the hostname matches the regular expression in $cwordexp, |
60 | or $swordexp, not including within the two right-most domains in $hostname. |
61 | You must supply the regular expression yourself, and act accordingly to |
62 | whether or not it is server words or client words. |
63 | |
64 | |
65 | Same as BOTNET_CLIENT: |
66 | $client = ((! $swords) && ($cwords || $iphost)); |
67 | OR |
68 | $client = check_client($hostname, $ip, $cwordexp, $swordexp, \$tests) |
69 | |
70 | $tests (optional) will contain the names of which subchecks were triggered: |
71 | serverwords, clientwords, ipinhostname |
72 | |
73 | |
74 | Same as BOTNET_SOHO: |
75 | $soho = |
76 | Mail::SpamAssassin::Plugin::Botnet::check_soho($hostname, $ip, $domain, $helo); |
77 | |
78 | $domain should be the part after the @ in the sender's email address. |
79 | $helo doesn't actualy do anything ... and probably wont ever. |
80 | |
81 | |
82 | Same as BOTNET: |
83 | $botnet = ((! $soho) && ($nordns || $baddns || $client)); |
84 | OR |
85 | $botnet = |
86 | Mail::SpamAssassin::Plugin::Botnet::check_botnet($hostname, $ip, |
87 | $cwordexp, $swordexp, $domain, $helo, \$tests); |
88 | |
89 | $tests (optional) will contain the names of which subchecks were triggered: |
90 | nordns, badrdns, serverwords, clientwords, ipinhostname, client, soho |
91 | |
92 |