Botnet 0.4 Spam Assassin plugin
Scott Silva
ssilva at sgvwater.com
Tue Nov 28 00:41:05 GMT 2006
Furnish, Trever G spake the following on 11/27/2006 4:07 PM:
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf
>> Of John Rudd
>> Sent: Monday, November 27, 2006 6:27 PM
>> To: MailScanner discussion
>> Subject: Re: Botnet 0.4 Spam Assassin plugin
>>
>> Furnish, Trever G wrote:
>>> But the point is that if my trusted users authenticate
>>> themselves using SMTP-AUTH, then someone using your plugin at
>>> some OTHER site should not block them based on their client
>>> IP address. If you don't exclude the first received 'from'
>>> address, then you're going to be blocking well-behaved users who
>>> send mail through well-behaved relays that have forced the
>>> user to authenticate.
>>>
>> Only if they trust YOUR mail server. If they don't have your
>> server listed in their Spam Assassin Trusted Networks, then
>> the host their Botnet plugin will look at will be YOUR mail
>> server, not the address of your client. Botnet doesn't look
>> at _EVERY_ received header (the way the RBL functions in SA
>> do). It only looks at the untrusted received headers, and
>> only the first one (after skipping any in the botnet_skip_ip
>> list). Looking at _every_ received header, or even every
>> untrusted received header, wouldn't have made sense.
>
> Perhaps my confusion is just that: confusion on my part about what you
> mean by "the first one". When I referred to the "first" received header
> I meant the one that was chronologically oldest. If you were referring
> instead to the one that is chronologically youngest, then I'd completely
> agree with you.
>
> Forgive me if I seem obtuse, but I'm looking so closely in preparation
> for deploying the plugin on a site that gets 200,000+ messages per day,
> so I'm hoping to be certain of my understanding first.
Why not install it with a very low score at first to test it with your system?
Then you can see where it hits and where it misses. I just put it in with a
score of 1.0 just to see how it does. One shouldn't be enough to FP something,
but it will give me something to look at in the logs. I left the individual
tests at 0.1.
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
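
The selection rule John Rudd describes in the quoted text (only the first untrusted Received header, counted from the newest, after skipping botnet_skip_ip entries), sketched as an added example that is not part of the original message and not the Botnet plugin's own code. The header strings, addresses and function names are constructed, and the skip list is modelled as CIDR networks, which is an assumption made for simplicity.

```python
import ipaddress
import re

# Constructed sample: Received headers in message order, newest first.
# The last one records the authenticated client submitting to its own relay.
RECEIVED = [
    "from relay.sender.example (relay.sender.example [198.51.100.25]) "
    "by mx.receiver.example with ESMTP",
    "from laptop (dsl-77.isp.example [203.0.113.77]) "
    "by relay.sender.example with ESMTPA",
]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received_headers):
    """Yield the connecting IP recorded in each header, newest first."""
    for header in received_headers:
        match = IP_IN_BRACKETS.search(header)
        if not match:
            continue
        try:
            yield ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # bracketed text that is not a valid IPv4 address


def in_any(ip, networks):
    return any(ip in ipaddress.ip_network(net) for net in networks)


def relay_to_check(received_headers, trusted_networks, skip_networks=()):
    """Return the single relay IP that would be evaluated, or None.

    Walks from the newest header toward the oldest, passes over relays the
    receiving site trusts or has put on its skip list, and stops at the
    first remaining one. Older headers are never examined.
    """
    for ip in relay_ips(received_headers):
        if in_any(ip, trusted_networks) or in_any(ip, skip_networks):
            continue
        return ip
    return None


if __name__ == "__main__":
    # A receiver that trusts only its own network evaluates the sending relay.
    print(relay_to_check(RECEIVED, ["192.0.2.0/24"]))
    # A receiver that trusts the sending relay evaluates the client instead.
    print(relay_to_check(RECEIVED, ["198.51.100.0/24"]))
```
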