Botnet 0.4 Spam Assassin plugin
ssilva at sgvwater.com
Tue Nov 28 00:41:05 GMT 2006
Furnish, Trever G spake the following on 11/27/2006 4:07 PM:
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf
>> Of John Rudd
>> Sent: Monday, November 27, 2006 6:27 PM
>> To: MailScanner discussion
>> Subject: Re: Botnet 0.4 Spam Assassin plugin
>> Furnish, Trever G wrote:
>>> But the point is that if my trusted users authenticate
>>> themselves using SMTP-AUTH, then someone using your plugin at
>>> some OTHER site should not block them based on their client
>>> IP address. If you don't exclude the first received 'from'
>>> address, then you're going to blocking well-behaved users who
>>> send mail through well-behaved relays that have forced the
>>> user to authenticate.
>> Only if they trust YOUR mail server. If they don't have your
>> server listed in their Spam Assassin Trusted Networks, then
>> the host their Botnet plugin will look at will be YOUR mail
>> server, not the address of your client. Botnet doesn't look
>> at _EVERY_ received header (the way the RBL functions in SA
>> do). It only looks at the untrusted received headers, and
>> only the first one (after skipping any in the botnet_skip_ip
>> list). Looking at _every_ received header, or even every
>> untrusted received header, wouldn't have made sense.
> Perhaps my confusion is just that: confusion on my part about what you
> mean by "the first one". When I refered to the "first" received header
> I meant the one that was chronologically oldest. If you were refering
> instead to the one that is chronologically youngest, then I'd completely
> agree with you.
> Forgive me if I seem obtuse, but I'm looking so closely in preparation
> for deploying the plugin on a site that gets 200,000+ messages per day,
> so I'm hoping to be certain of my understanding first.
Why not install it with a very low score at first to test it with your system?
Then you can see where it hits and where it misses. I just put it in with a
score of 1.0 just to see how it does. One shouldn't be enough to FP something,
but it will give me something to look at in the logs. I left the individual
tests at 0.1.
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
More information about the MailScanner