Botnet 0.4 Spam Assassin plugin
jrudd at ucsc.edu
Tue Nov 28 00:22:51 GMT 2006
Furnish, Trever G wrote:
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf
>> Of John Rudd
>> Sent: Monday, November 27, 2006 6:27 PM
>> To: MailScanner discussion
>> Subject: Re: Botnet 0.4 Spam Assassin plugin
>> Furnish, Trever G wrote:
>>> But the point is that if my trusted users authenticate
>>> themselves using SMTP-AUTH, then someone using your plugin at
>>> some OTHER site should not block them based on their client
>>> IP address. If you don't exclude the first received 'from'
>>> address, then you're going to block well-behaved users who
>>> send mail through well-behaved relays that have forced the
>>> user to authenticate.
>> Only if they trust YOUR mail server. If they don't have your
>> server listed in their Spam Assassin Trusted Networks, then
>> the host their Botnet plugin will look at will be YOUR mail
>> server, not the address of your client. Botnet doesn't look
>> at _EVERY_ received header (the way the RBL functions in SA
>> do). It only looks at the untrusted received headers, and
>> only the first one (after skipping any in the botnet_skip_ip
>> list). Looking at _every_ received header, or even every
>> untrusted received header, wouldn't have made sense.
> Perhaps my confusion is just that: confusion on my part about what you
> mean by "the first one". When I referred to the "first" received header
> I meant the one that was chronologically oldest. If you were referring
> instead to the one that is chronologically youngest, then I'd completely
> agree with you.
By "first one" I mean the one that is closest to the top of the message.
The chronologically youngest one.
> Forgive me if I seem obtuse, but I'm looking so closely in preparation
> for deploying the plugin on a site that gets 200,000+ messages per day,
> so I'm hoping to be certain of my understanding first.
> In the following message headers, which one will Botnet look at? The
> one at the bottom of this message would represent an untrusted client
> (184.108.40.206) in my case. The top two headers are from trusted hosts
> (relay2 and inex3). The "oldest" header is the one at the bottom.
Well, going with the default config of skipping 127.0.0.1, it would
probably look at:
> Received: (from apache at localhost)
> by wondious.com (8.13.1/8.13.1/Submit) id kARNvYkG031425;
> Mon, 27 Nov 2006 18:57:34 -0500
And I have no idea how SpamAssassin will read that into the Untrusted
Relays pseudo-header. If you _don't_ skip nor trust 127.0.0.1, then
THAT header will be the one Botnet looks at ... and it shouldn't trigger
a score for it.
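To make the header walk concrete, here is an added Python model (not the Botnet plugin's own Perl code) of the rule described in this thread: walk the trust path from the topmost (youngest) Received header, collect the untrusted relays, and take the first one that is not in botnet_skip_ip. The hostnames, the 192.0.2.0/24 trusted network, and treating a local sendmail submission "(from user@localhost)" as 127.0.0.1 are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the thread: relay2 and inex3 are the site's trusted
# hosts, wondious.com (184.108.40.206) is the untrusted client, and the oldest header
# (bottom) is the local sendmail submission quoted above. Relay names and queue ids
# other than those in the thread are made up.
SAMPLE_RECEIVED = [
    "from inex3.example.org (inex3.example.org [192.0.2.3]) by relay2.example.org with ESMTP id AAA",
    "from wondious.com (wondious.com [184.108.40.206]) by inex3.example.org with ESMTP id BBB",
    "(from apache@localhost) by wondious.com (8.13.1/8.13.1/Submit) id kARNvYkG031425",
]

IP_HOP = re.compile(r"from\s+\S+.*?\[(\d+\.\d+\.\d+\.\d+)\].*?\bby\s+(\S+)", re.S)
LOCAL_HOP = re.compile(r"^\(from \S+@localhost\)\s+by\s+(\S+)")

def parse_received(headers):
    """(from_ip, by_host) per header, topmost (youngest) first. A local sendmail
    submission is treated as coming from 127.0.0.1 (assumption about SA's parser)."""
    hops = []
    for h in headers:
        if (m := IP_HOP.search(h)):
            hops.append((ipaddress.ip_address(m.group(1)), m.group(2)))
        elif (m := LOCAL_HOP.search(h)):
            hops.append((ipaddress.ip_address("127.0.0.1"), m.group(1)))
    return hops

def in_any(ip, nets):
    return any(ip in ipaddress.ip_network(n) for n in nets)

def untrusted_relays(hops, trusted_networks):
    """Walk the trust path from the top: hops stay trusted only while every preceding
    'from' IP was in trusted_networks; the first untrusted IP and everything below it
    is untrusted, even if a later IP happens to be in a trusted network."""
    relays, trusted = [], True
    for ip, _by in hops:
        if trusted and in_any(ip, trusted_networks):
            continue
        trusted = False
        relays.append(str(ip))
    return relays

def botnet_target(headers, trusted_networks, botnet_skip_ip=("127.0.0.1/32",)):
    """The IP Botnet scores: the first untrusted relay not in botnet_skip_ip, or None."""
    for ip in untrusted_relays(parse_received(headers), trusted_networks):
        if not in_any(ipaddress.ip_address(ip), botnet_skip_ip):
            return ip
    return None
```

With only relay2/inex3 trusted, the scored IP is the client 184.108.40.206; if the other site also trusts 184.108.40.206, only the 127.0.0.1 hop remains and it is skipped by default, which is the case the reply above discusses.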