######################################################################
#
# THE RULES
#
######################################################################

describe BOTNET			Relay might be a spambot or virusbot
header BOTNET			eval:botnet()
score BOTNET			1.0

describe BOTNET_SOHO		Relay might be a SOHO mail server
header BOTNET_SOHO		eval:botnet_soho()
score BOTNET_SOHO		-0.01

describe BOTNET_NORDNS		Relay's IP address has no PTR record
header BOTNET_NORDNS		eval:botnet_nordns()
score BOTNET_NORDNS		0.1

describe BOTNET_BADDNS		Relay doesn't have full circle DNS
header BOTNET_BADDNS		eval:botnet_baddns()
score BOTNET_BADDNS		0.1

describe BOTNET_CLIENT		Relay has a client-like hostname
header BOTNET_CLIENT		eval:botnet_client()
score BOTNET_CLIENT		0.1

describe BOTNET_IPINHOSTNAME	Hostname contains its own IP address
header BOTNET_IPINHOSTNAME	eval:botnet_ipinhostname()
score BOTNET_IPINHOSTNAME	0.1

describe BOTNET_CLIENTWORDS	Hostname contains client-like substrings
header BOTNET_CLIENTWORDS	eval:botnet_clientwords()
score BOTNET_CLIENTWORDS	0.01

describe BOTNET_SERVERWORDS	Hostname contains server-like substrings
header BOTNET_SERVERWORDS	eval:botnet_serverwords()
score BOTNET_SERVERWORDS	-0.1
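The rules above only name the checks the eval functions perform; they do not show the logic. The following is an added, stand-alone Python sketch of what such checks look like, written for this page and not taken from the Botnet plugin itself. The PTR/A tables, the client-word and server-word lists, and the way BOTNET and BOTNET_SOHO are derived from the sub-checks are all assumptions made here for illustration; only the rule names and scores come from the rules file.

```python
import re

# Constructed DNS data standing in for live PTR and A lookups (assumption:
# a real check would query a resolver instead of these dicts).
PTR = {
    "203.0.113.45": "203-0-113-45.dsl.example.net",
    "198.51.100.7": "mail.example.org",
    "198.51.100.8": "mx2.example.org",
}
A = {
    "203-0-113-45.dsl.example.net": "203.0.113.45",
    "mail.example.org": "198.51.100.7",
    "mx2.example.org": "198.51.100.9",   # forward record disagrees with the PTR
}

# Scores exactly as given in the rules file.
SCORES = {
    "BOTNET": 1.0, "BOTNET_SOHO": -0.01, "BOTNET_NORDNS": 0.1,
    "BOTNET_BADDNS": 0.1, "BOTNET_CLIENT": 0.1, "BOTNET_IPINHOSTNAME": 0.1,
    "BOTNET_CLIENTWORDS": 0.01, "BOTNET_SERVERWORDS": -0.1,
}

# Assumed word lists; the plugin's own lists are not on this page.
CLIENT_WORDS = ("dsl", "dyn", "cable", "pool", "ppp", "dialup", "dhcp")
SERVER_WORDS = ("mail", "smtp", "mx", "relay")


def ip_in_hostname(ip, hostname):
    """True if the four octets appear in the hostname, forward or reversed,
    as decimal runs (203-0-113-45, 45.113.0.203) or as one hex string."""
    octets = ip.split(".")
    runs = re.findall(r"\d+", hostname)
    for seq in (octets, octets[::-1]):
        for i in range(len(runs) - 3):
            if runs[i:i + 4] == seq:
                return True
    hexform = "".join(f"{int(o):02x}" for o in octets)
    return hexform in hostname.lower()


def evaluate(ip):
    """Return (sorted rule names hit, total score) for one relay IP."""
    hits = set()
    hostname = PTR.get(ip)
    if hostname is None:
        hits.add("BOTNET_NORDNS")                       # no PTR at all
    else:
        host = hostname.lower()
        if A.get(hostname) != ip:
            hits.add("BOTNET_BADDNS")                   # PTR -> A does not round-trip
        if ip_in_hostname(ip, hostname):
            hits.add("BOTNET_IPINHOSTNAME")
        if any(w in host for w in CLIENT_WORDS):
            hits.add("BOTNET_CLIENTWORDS")
        if any(w in host for w in SERVER_WORDS):
            hits.add("BOTNET_SERVERWORDS")
    # Assumed roll-ups: a client-like name is one that embeds its IP or a
    # client word; BOTNET fires on weak DNS or a client-like name unless the
    # name also looks like a server, in which case BOTNET_SOHO fires instead.
    if hits & {"BOTNET_IPINHOSTNAME", "BOTNET_CLIENTWORDS"}:
        hits.add("BOTNET_CLIENT")
    weak = hits & {"BOTNET_NORDNS", "BOTNET_BADDNS", "BOTNET_CLIENT"}
    if weak and "BOTNET_SERVERWORDS" not in hits:
        hits.add("BOTNET")
    elif "BOTNET_SERVERWORDS" in hits and hits & {"BOTNET_BADDNS", "BOTNET_CLIENT"}:
        hits.add("BOTNET_SOHO")
    total = round(sum(SCORES[h] for h in hits), 2)
    return sorted(hits), total


if __name__ == "__main__":
    for relay in ("203.0.113.45", "198.51.100.7", "198.51.100.8", "192.0.2.77"):
        print(relay, *evaluate(relay))
```

Run as a script it prints the rules each constructed relay triggers and the summed score, which makes the negative weights of BOTNET_SOHO and BOTNET_SERVERWORDS visible: a relay with a server-like name that fails the forward-confirmed reverse DNS check nets a slightly negative total rather than the full BOTNET point.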