Botnet 0.4 Spam Assassin plugin

Furnish, Trever G TGFurnish at herffjones.com
Tue Nov 28 00:07:50 GMT 2006 

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info 
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
> Of John Rudd
> Sent: Monday, November 27, 2006 6:27 PM
> To: MailScanner discussion
> Subject: Re: Botnet 0.4 Spam Assassin plugin
> 
> Furnish, Trever G wrote:
>>But the point is that if my trusted users authenticate 
>>themselves using SMTP-AUTH, then someone using your plugin at 
>>some OTHER site should not block them based on their client 
>>IP address.  If you don't exclude the first received 'from' 
>>address, then you're going to blocking well-behaved users who 
>>send mail through well-behaved relays that have forced the 
>>user to authenticate.
>> 
> 
> Only if they trust YOUR mail server.  If they don't have your 
> server listed in their Spam Assassin Trusted Networks, then 
> the host their Botnet plugin will look at will be YOUR mail 
> server, not the address of your client.  Botnet doesn't look 
> at _EVERY_ received header (the way the RBL functions in SA 
> do).  It only looks at the untrusted received headers, and 
> only the first one (after skipping any in the botnet_skip_ip 
> list).  Looking at _every_ received header, or even every 
> untrusted received header, wouldn't have made sense.

Perhaps my confusion is just that: confusion on my part about what you
mean by "the first one".  When I refered to the "first" received header
I meant the one that was chronologically oldest.  If you were refering
instead to the one that is chronologically youngest, then I'd completely
agree with you.

Forgive me if I seem obtuse, but I'm looking so closely in preparation
for deploying the plugin on a site that gets 200,000+ messages per day,
so I'm hoping to be certain of my understanding first.

In the following message headers, which one will Botnet look at?  The
one at the bottom of this message would represent an untrusted client
(12.24.233.2) in my case.  The top two headers are from trusted hosts
(relay2 and inex3).  The "oldest" header is the one at the bottom.

Received: from relay2.public.herff-jones.com ([192.168.252.241]) by
inex3.herffjones.hj-int with Microsoft SMTPSVC(6.0.3790.1830);
	 Mon, 27 Nov 2006 19:01:22 -0500

Received: from wondious.com (wondious.com [207.250.51.59])
	by relay2.public.herff-jones.com (8.12.11/8.12.11) with ESMTP id
kARNwQGg010874
	for <tgfurnish at herffjones.com>; Mon, 27 Nov 2006 18:58:28 -0500

Received: from wondious.com (localhost.localdomain [127.0.0.1])
	by wondious.com (8.13.1/8.13.1) with ESMTP id kARNvYV7031426
	for <tgfurnish at herffjones.com>; Mon, 27 Nov 2006 18:57:34 -0500

Received: (from apache at localhost)
	by wondious.com (8.13.1/8.13.1/Submit) id kARNvYkG031425;
	Mon, 27 Nov 2006 18:57:34 -0500

Received: from 12.24.233.2
        (SquirrelMail authenticated user trever);
        by wondious.com with HTTP;
        Mon, 27 Nov 2006 18:57:34 -0500 (EST)

More information about the MailScanner mailing list