Botnet 0.4 Spam Assassin plugin

John Rudd jrudd at ucsc.edu
Tue Nov 28 00:22:51 GMT 2006


Furnish, Trever G wrote:
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info 
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
>> Of John Rudd
>> Sent: Monday, November 27, 2006 6:27 PM
>> To: MailScanner discussion
>> Subject: Re: Botnet 0.4 Spam Assassin plugin
>>
>> Furnish, Trever G wrote:
>>> But the point is that if my trusted users authenticate 
>>> themselves using SMTP-AUTH, then someone using your plugin at 
>>> some OTHER site should not block them based on their client 
>>> IP address.  If you don't exclude the first received 'from' 
>>> address, then you're going to block well-behaved users who 
>>> send mail through well-behaved relays that have forced the 
>>> user to authenticate.
>>>
>> Only if they trust YOUR mail server.  If they don't have your 
>> server listed in their Spam Assassin Trusted Networks, then 
>> the host their Botnet plugin will look at will be YOUR mail 
>> server, not the address of your client.  Botnet doesn't look 
>> at _EVERY_ received header (the way the RBL functions in SA 
>> do).  It only looks at the untrusted received headers, and 
>> only the first one (after skipping any in the botnet_skip_ip 
>> list).  Looking at _every_ received header, or even every 
>> untrusted received header, wouldn't have made sense.
> 
> Perhaps my confusion is just that: confusion on my part about what you
> mean by "the first one".  When I referred to the "first" received header
> I meant the one that was chronologically oldest.  If you were referring
> instead to the one that is chronologically youngest, then I'd completely
> agree with you.

By "first one" I mean the one that is closest to the top of the message. The chronologically youngest one.


> Forgive me if I seem obtuse, but I'm looking so closely in preparation
> for deploying the plugin on a site that gets 200,000+ messages per day,
> so I'm hoping to be certain of my understanding first.
> 
> In the following message headers, which one will Botnet look at?  The
> one at the bottom of this message would represent an untrusted client
> (12.24.233.2) in my case.  The top two headers are from trusted hosts
> (relay2 and inex3).  The "oldest" header is the one at the bottom.

Well, going with the default config of skipping 127.0.0.1, it would 
probably look at:

> Received: (from apache at localhost)
> 	by wondious.com (8.13.1/8.13.1/Submit) id kARNvYkG031425;
> 	Mon, 27 Nov 2006 18:57:34 -0500
> 

And I have no idea how SpamAssassin will read that into the Untrusted 
Relays pseudo-header.  If you _don't_ skip or trust 127.0.0.1, then 
THAT header will be the one Botnet looks at ... and it shouldn't trigger 
a score for it.
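Added example, not part of this thread and not the Botnet plugin's own (Perl) code: a small Python model of the selection rule described above, with constructed Received headers, hostnames and IPs. The trust walk mirrors the SpamAssassin trusted_networks idea (trusted from the top down until the first relay outside the trusted ranges); how a header with no IP literal, like the apache-at-localhost one, is treated is an assumption of this model, not documented plugin behaviour.

```python
import ipaddress
import re

# Constructed sample, top-to-bottom as in the message (top = chronologically
# youngest). Hostnames and addresses are hypothetical. The chain is:
# client (12.24.233.2) -> SMTP-AUTH at mail.example.org -> loopback scanner
# hop -> relay2.example.net -> inex3.example.net (the receiving site).
SAMPLE_HEADERS = [
    "Received: from relay2.example.net (relay2.example.net [192.0.2.10]) by inex3.example.net",
    "Received: from mail.example.org (mail.example.org [198.51.100.5]) by relay2.example.net",
    "Received: from localhost (localhost [127.0.0.1]) by mail.example.org",
    "Received: from client.example.org (client.example.org [12.24.233.2]) by mail.example.org with ESMTPSA",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def header_ip(header):
    """Return the first bracketed IPv4 literal in a Received header, or None."""
    m = IP_RE.search(header)
    return m.group(1) if m else None


def untrusted_relays(headers, trusted_networks):
    """Model of the trust path: headers are trusted from the top down until the
    first relay outside trusted_networks; that header and everything below it
    form the untrusted relays list. A header with no IP literal is treated as
    untrusted here (model assumption)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    for i, h in enumerate(headers):
        ip = header_ip(h)
        if ip is None or not any(ipaddress.ip_address(ip) in net for net in trusted):
            return headers[i:]
    return []  # every hop was trusted: nothing for Botnet to look at


def select_botnet_ip(headers, trusted_networks, skip_ips=("127.0.0.1",)):
    """Pick the first (topmost, i.e. youngest) untrusted relay IP that is not in
    the botnet_skip_ip list; headers without an IP literal are passed over."""
    skip = {ipaddress.ip_address(s) for s in skip_ips}
    for h in untrusted_relays(headers, trusted_networks):
        ip = header_ip(h)
        if ip is None or ipaddress.ip_address(ip) in skip:
            continue
        return ip
    return None
```

With only the receiving site's relays trusted, the address examined is the sending site's server, not the authenticated client; the client is only reached once the sender's server is trusted as well and the loopback hop is in the skip list.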

