Besides the standard ways (checking headers, broken clients, spam filters, etc.) of detecting spammers, and depending on how strict your settings are, you can try to limit your emails only to fully qualified domains and ignore any "Unknown" sources (that is what I do).
I personally believe that all emails should be sent from mail servers and not directly from the clients. However, in the real world, that does not always happen.
Furthermore, you can test if the server domain's (not the address domain) IP address matches the one the server is receiving (reverse IP lookup). You can test if that server is a mail server or not by checking the ports and the MX records.
If the spam mails come from authentic mail servers, it may indicate an open-relay case. If not, then we can assume it is a botnet.
These are some of the restrictions I use in Postfix (to give an idea):
    smtpd_helo_restrictions =
        reject_invalid_helo_hostname
    smtpd_client_restrictions =
        reject_unauth_pipelining,
        reject_unknown_reverse_client_hostname
    smtpd_sender_restrictions =
        reject_non_fqdn_sender,
        reject_unknown_sender_domain
    smtpd_recipient_restrictions =
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_unverified_recipient,
        reject_rbl_client ...
For example, this is a log rejecting an Unknown source:
    NOQUEUE: reject: RCPT from unknown[***.***.***.235]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [***.***.***.235]; from=<ret_2016@*******.com> to=<*****@******.com> proto=ESMTP helo=<www.*******.com>
Update: Extended explanation (reply to comment)
@user10012: Your question is how to check if spam originates from botnets, so one way is: How do you know a mail comes from an SMTP server? (Then you could treat the rest as botnets, if you want to be strict.)
Explanation 1:
    you can test if the server domain's (not the address domain) IP address matches the one the server is receiving (reverse IP lookup).
From the logs:
    postfix/smtpd[21173]: 929DB18E7E8D8: client=mail-pa0-f66.google.com[209.85.220.66]
In this case, it comes from some SMTP server of Google. If you execute "host 209.85.220.66" it will return "mail-pa0-f66.google.com", which is correct. Those should work if the mail server is correctly configured. If someone sends directly from a computer, the result of "host ***.***.***.235" will be "not found: 3(NXDOMAIN)", or it will show a different domain than the one sent.
Explanation 2:
    You can test if such server is a mail server or not by checking the ports and the MX records.
This one may only work for "small" servers. For example, "host -t mx example.com" will return something like "example.com mail is handled by 10 mail.example.com". In that case, you can verify if mail.example.com corresponds to the IP received. You can test the ports with "nmap -p 25,465 mail.example.com". If they respond "open", then you confirm it's a mail server.
I said it works with "small" servers because medium to large companies use different servers to receive and different ones to send. Also, they have a pool of servers which handle mail, which makes the above tests impractical or impossible. For example, "host -t mx google.com" will return "google.com mail is handled by 10 aspmx.l.google.com." (from 10 to 50). None of that list includes the one we saw before, mail-pa0-f66.google.com (those are the pool of 'receivers'). Now if you check the ports of that server (mail-pa0...) with nmap, it will not have any open port (which means it is only a sender).
Just as a side note, if a mail comes from an SMTP server that doesn't mean it was sent by a human. It can be sent by a bot as well. It only helps you to identify which emails come from mail servers. Much of the SPAM is sent from infected computers directly, and that method helps to clean those up. If an SMTP server is compromised or is set up with the evil intention of delivering SPAM, this method will fail. You will need other ways to block it (like a black list: RBL).
In my personal experience, you can filter 90% or more of your SPAM using an RBL service (there are some free to use if your server has low traffic: bl.spamcop.net, zen.spamhaus.org, etc.).
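The two checks in the answer above (reverse lookup of the connecting IP, then comparing the host against the sender domain's MX records), as an added example that is not part of the original answer. The DNS data is constructed and served by a stub resolver so the script runs offline; the IP 209.85.220.66 and host mail-pa0-f66.google.com come from the answer's log line, the 203.0.113.x and 198.51.100.x addresses are documentation-range placeholders, and the `classify_client` / `parse_client` names are this example's own. In production the stub would be replaced by real PTR/A/MX queries (for example via dnspython); the port probe the answer does with nmap is left out because it needs network access.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and MX membership checks for an SMTP
client, mirroring the reasoning in the answer. All DNS data is CONSTRUCTED."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone data (assumption: shape of real answers, not real records).
FAKE_PTR: Dict[str, str] = {
    "209.85.220.66": "mail-pa0-f66.google.com",  # outbound pool host from the log
    "203.0.113.10": "mail.example.com",          # small site: single mail host
    "203.0.113.20": "dsl-20.isp.example.net",    # generic PTR that does not map back
}
FAKE_A: Dict[str, List[str]] = {
    "mail-pa0-f66.google.com": ["209.85.220.66"],
    "mail.example.com": ["203.0.113.10"],
    "dsl-20.isp.example.net": ["203.0.113.99"],  # forward record disagrees with PTR
}
FAKE_MX: Dict[str, List[str]] = {
    "google.com": ["aspmx.l.google.com"],  # the sending host is not in the MX list
    "example.com": ["mail.example.com"],
}

Resolver = Callable[[str, str], List[str]]


def stub_resolve(name: str, rtype: str) -> List[str]:
    """Stub resolver; an empty list stands for NXDOMAIN (the 'not found' case)."""
    if rtype == "PTR":
        host = FAKE_PTR.get(name)
        return [host] if host else []
    if rtype == "A":
        return FAKE_A.get(name, [])
    if rtype == "MX":
        return FAKE_MX.get(name, [])
    raise ValueError(f"unsupported record type {rtype}")


@dataclass
class Verdict:
    reverse_name: Optional[str]  # PTR result, None when the client is 'unknown'
    fcrdns_ok: bool              # PTR name resolves back to the connecting IP
    in_sender_mx: bool           # client is one of the sender domain's MX hosts
    label: str


def classify_client(ip: str, sender_domain: str, resolve: Resolver = stub_resolve) -> Verdict:
    """Explanation 1: reverse lookup, then forward-confirm it.
    Explanation 2: compare the confirmed name with the sender domain's MX hosts.
    A large provider's outbound pool typically passes step 1 but fails step 2."""
    ptr = resolve(ip, "PTR")
    if not ptr:
        # Postfix logs this client as unknown[ip]; reject_unknown_reverse_client_hostname fires.
        return Verdict(None, False, False, "unknown-client")
    reverse_name = ptr[0].rstrip(".")
    if ip not in resolve(reverse_name, "A"):
        return Verdict(reverse_name, False, False, "reverse-mismatch")
    mx_hosts = {h.rstrip(".").lower() for h in resolve(sender_domain, "MX")}
    in_mx = reverse_name.lower() in mx_hosts
    return Verdict(reverse_name, True, in_mx, "sender-mx-host" if in_mx else "fcrdns-ok-not-mx")


# Postfix writes the connecting client as client=<name>[<ip>]; <name> is 'unknown' without a PTR.
CLIENT_RE = re.compile(r"client=(?P<name>[^\[\s]+)\[(?P<ip>[^\]]+)\]")


def parse_client(logline: str) -> Optional[Tuple[str, str]]:
    """Extract (client name, client IP) from a postfix/smtpd log line."""
    m = CLIENT_RE.search(logline)
    return (m.group("name"), m.group("ip")) if m else None


if __name__ == "__main__":
    # Constructed sample log line using the value quoted in the answer.
    line = "postfix/smtpd[21173]: 929DB18E7E8D8: client=mail-pa0-f66.google.com[209.85.220.66]"
    name, ip = parse_client(line)
    print(name, ip, classify_client(ip, "google.com").label)
    for ip, dom in [("203.0.113.10", "example.com"), ("203.0.113.20", "example.net"),
                    ("198.51.100.5", "example.org")]:
        print(ip, dom, classify_client(ip, dom).label)
```

The labels map onto the answer's cases: "unknown-client" is what Postfix rejects with "cannot find your reverse hostname", "reverse-mismatch" is the direct-from-a-PC case where the PTR does not agree with the forward record, "sender-mx-host" is the small-site case where the connecting host is also the domain's MX, and "fcrdns-ok-not-mx" is the Google outbound-pool case, which is exactly why the MX test alone cannot be used to reject mail from large providers.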