Botnet 0.4 Spam Assassin plugin

John Rudd jrudd at
Mon Nov 27 23:26:37 GMT 2006

Furnish, Trever G wrote:
>> -----Original Message-----
>> From: mailscanner-bounces at 
>> [mailto:mailscanner-bounces at] On Behalf 
>> Of John Rudd
>> Sent: Monday, November 27, 2006 5:41 PM
>> To: MailScanner discussion
>> Subject: Re: Botnet 0.4 Spam Assassin plugin
>> René Berber wrote:
>>> John Rudd wrote:
>> 2) You shouldn't spam scan messages at all if they've come 
>> from an SMTP-AUTH transaction OR make sure that your MTA's 
>> SMTP-AUTH fingerprints are properly recognized by SA and use 
>> the botnet_pass_auth option.
> But the point is that if my trusted users authenticate themselves using SMTP-AUTH, then someone using your plugin at some OTHER site should not block them based on their client IP address.  If you don't exclude the first received 'from' address, then you're going to be blocking well-behaved users who send mail through well-behaved relays that have forced the user to authenticate.

Only if they trust YOUR mail server.  If they don't have your server 
listed in their Spam Assassin Trusted Networks, then the host their 
Botnet plugin will look at will be YOUR mail server, not the address of 
your client.  Botnet doesn't look at _EVERY_ received header (the way 
the RBL functions in SA do).  It only looks at the untrusted received 
headers, and only the first one (after skipping any in the 
botnet_skip_ip list).  Looking at _every_ received header, or even every 
untrusted received header, wouldn't have made sense.

I don't know about you, but I don't have anyone outside of my own 
servers (not even the IPs within my own network, but outside of my 
server subnet) listed as "trusted networks".  Therefore, my Botnet 
install will not look at the IPs of your users.  It will only look at 
the IP of your mail server.  It won't care one little bit about the IP 
addresses of your users.
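
The relay selection described in this message, as an added example that is not part of the original post and is not the Botnet plugin's code: a simplified Python model that walks the Received headers newest-first, passes over hops inside the recipient's trusted networks, and returns only the first untrusted relay. The function names, the CIDR-list form of the trust and skip lists, and the sample message (documentation addresses) are assumptions constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample: an SMTP-AUTH client submits to the sender's relay,
# which delivers to the recipient's MX, which hands off to an internal store.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.25])
    by store.recipient.example with ESMTP; Mon, 27 Nov 2006 23:20:03 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.10])
    by mx.recipient.example with ESMTP; Mon, 27 Nov 2006 23:20:02 +0000
Received: from [203.0.113.45] (dsl-45.isp.example [203.0.113.45])
    by mail.sender.example with ESMTPA; Mon, 27 Nov 2006 23:20:01 +0000
From: user@sender.example
Subject: test

body
"""

_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(raw):
    """Connecting IP of each Received header, newest hop first."""
    msg = email.message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        from_part = re.split(r"\s+by\s+", hdr, maxsplit=1)[0]
        found = _IP.findall(from_part)
        if found:
            ips.append(ipaddress.ip_address(found[-1]))
    return ips


def evaluated_relay(raw, trusted_networks, skip_ips=()):
    """IP that a Botnet-style check would examine, or None if there is none."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    skip = [ipaddress.ip_network(n) for n in skip_ips]
    untrusted = False
    for ip in relay_ips(raw):
        # Trust is a chain from the receiving side: once one hop is
        # untrusted, every older hop is untrusted as well.
        if not untrusted and any(ip in n for n in trusted):
            continue
        untrusted = True
        if any(ip in n for n in skip):  # models the botnet_skip_ip list
            continue
        return ip  # only this one relay is examined; older hops are ignored
    return None
```

With only the recipient's own subnet trusted, the examined host is the sending mail server; the authenticated client's address is reached only when the recipient also trusts or skips that server.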
