Duncan Hill wrote:
On Monday 11 December 2006 16:16, John Rudd wrote:
Duncan Hill wrote:
I just finished a very quick test of the Botnet tool, and the sheer
number of FPs against eBay mail coming from eBay's servers was staggering
- literally every single mail from eBay.  It also, for my testing, hit on
a lot of legitimate ham - mostly with BADDNS.  I'll run another test
later, but I've got to move on to other things now.
The botnet_pass_domain entry for ebay, in the default Botnet.cf file,
didn't exempt ebay messages from the Botnet rules?

No, they send mail from servers that reverse to emailebay.com. Added that and things were a bit happier. A mod to the BOTNET rule to check SPF_PASS got rid of a few other false positives (caveat being nothing stops a spammer from setting up SPF for pass).

Yes, people should fix their DNS, but it's arguably easier to reconfigure a plug-in than to make hundreds of ISPs fix their damn DNS entries.

On the other hand, that enables their stupidity, instead of being part of a group that might grow large enough to force them to behave responsibly.

But, I do understand the practical trade-off.


I'll add emailebay.com to the base cf file.


I'm working on an alternative to SPF_PASS (directly checking the sender's mail domain's A record and/or MX record to see if it leads back to the IP addr). I'm not sure how soon I'll get that worked into the code though. I thought about trusting SPF, but, really, SPF isn't trustable.
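
The check described in the message above (does the sender's mail domain's A record and/or MX record lead back to the connecting IP address), sketched as an added example that is not part of the original post and is not the Botnet plugin's code. The function names, the `lookup` resolver hook and the DNS data are assumptions constructed for illustration; a real deployment would query DNS instead of a dictionary.

```python
import ipaddress

# Constructed DNS data (documentation address ranges); stands in for a live resolver.
SAMPLE_ZONE = {
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["mx1.example.com", "mx2.example.net"],
    ("mx1.example.com", "A"): ["192.0.2.25"],
    ("mx2.example.net", "A"): ["198.51.100.7"],
    ("nomx.example", "A"): ["203.0.113.5"],
}

def lookup(name, rtype, zone=SAMPLE_ZONE):
    """Hypothetical resolver hook: record values for name/rtype, [] if none exist."""
    return zone.get((name.rstrip(".").lower(), rtype), [])

def sender_domain_leads_to_ip(mail_from, relay_ip, resolve=lookup):
    """Return 'A', 'MX' or None: how (if at all) the sender's domain maps to relay_ip."""
    relay = ipaddress.ip_address(relay_ip)
    domain = mail_from.rsplit("@", 1)[-1].strip("<> ").lower()
    if not domain:
        return None  # null sender (bounce): there is no domain to check

    def matches(host):
        # True if any A record of host equals the connecting relay address.
        for value in resolve(host, "A"):
            try:
                if ipaddress.ip_address(value) == relay:
                    return True
            except ValueError:
                continue  # skip malformed record data
        return False

    if matches(domain):
        return "A"   # the domain's own A record is the relay
    for mx_host in resolve(domain, "MX"):
        if matches(mx_host):
            return "MX"  # one of the domain's mail exchangers is the relay
    return None      # neither record type leads back to the relay
```

A match only shows that the relay is a host the sender's domain publishes in DNS; it says nothing about whether the domain itself is reputable.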

