Botnet 0.4 Spam Assassin plugin

René Berber r.berber at computer.org
Mon Nov 27 21:43:55 GMT 2006


John Rudd wrote:

> Scott Silva wrote:
>> Wayne spake the following on 11/27/2006 12:27 PM:
>>> At 14:17 27/11/2006, you wrote:
>>>
>>> Do not know if I am alone with this problem but I have had to remove
>>> BOTNET as it was doing its job too well - it was deleting all mail
>>> which originated from genuine ADSL addresses. I even tried adding these
>>> addresses to white-lists and other files saying not to be read as spam -
>>> they still were. If the problem of genuine use of ADSL addresses can be
>>> addressed I will try again.
>>>
>> That is a problem. There is so little "genuine" use of ADSL for mail
>> that the author might not have taken that into account. I am very
>> resistant to accept e-mail from ADSL or cable connections because it is
>> 99.9% spam, and the originator should be using a smarthost on their ISP.
>>
> 
> I did take it into account.  I'm of the "they should be using their
> Corporate/ISP's mail server, or get their DNS fixed" opinion.  Or use a
> hosted email server that has better RDNS if their ISP is lame.

Question: If someone sends a message from home to their workplace, there is only
one relay line (two if you count the local delivery line which usually does not
have an IP address) and it contains an ADSL address, does your plugin score on
that relay line or skip it?

The point here being that if it scores it gives a false score, just like the
useless half point I see SA adds to that line by using RBLs that list dynamic
addresses... the first relay line should be ignored, and that makes bot-net
detection ineffective.

> My means of mitigating the problem are the "botnet_pass_auth",
> "botnet_skip_ip", and "botnet_pass_ip" options, which allow you to
> handle known good senders.

Not very useful since dynamic IP addresses are "dynamic".

> Or you can set the score for BOTNET_CLIENT to 0.  That will, however,
> significantly reduce the effectiveness of the plugin.
-- 
René Berber


