>> -----Original Message-----
>> From: hanz [mailto:[EMAIL PROTECTED]
>> Sent: Friday, September 28, 2007 4:31 PM
>> To: users@spamassassin.apache.org
>> Subject: RE: Botnet 0.8 Plugin is available (FINALLY!!!)
>>
>> Thanks for confirming how botnet works. This is exactly the problem!
>>
>> Botnet.pm is only checking the LAST IP and not the FIRST in the example email.
>>
>> The first IP in the list is a definite botnet source but botnet.pm does not detect this as a botnet email.
>>
>> hanz
>>
>> Jason Bertoch [Electronet] wrote:
>> >
>> > On Friday, September 28, 2007 4:06 PM hanz wrote:
>> >
>> >> looking at the debug code, I notice that botnet.pm version 0.8 is only checking the last server IP and not all IPs in the path.
>> >
>> > A botnet sends mail directly from the infected source, rather than relay it via the ISP's mail server. Any previous received headers would be forged so there's no point in checking them.
>> >
>> > Jason
>>
>> --
>> View this message in context: http://www.nabble.com/Botnet-0.8-Plugin-is-available-%28FINALLY%21%21%21%29-tf4221965.html#a12948014
>> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Yes, but in most cases, it is the LAST IP that is part of the botnet (i.e., it connected to your server LAST.) - checking all of the IPs I believe would be counterproductive and just add to false positives.

Btw - it appears you are using botnet in the wrong place if this email only traversed Rutgers.edu servers, minus the first bot-net IP - it should be running on your internet-facing relay, not internal relays... that's just weird IMO...

Regards,
jamie
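As an added illustration of the point made in this thread (written here from scratch, not code from the Botnet plugin or from anyone in the thread): walking the Received headers from the top down, the hop that matters is the first one outside your own trusted relays, because that is the machine which actually connected to you; every header below it was supplied by the sender and can be forged. The headers, the IP addresses and the trusted-network list are constructed; the 10.0.0.0/8 addresses stand in for a site's internal relays.

```python
import ipaddress
import re

# Constructed sample, newest hop first (as Received headers are stacked).
# 10.0.0.5 / 10.0.0.7: internal relays.  203.0.113.45: the host that connected
# to the edge relay.  198.51.100.9: a hop only the sender claims happened.
SAMPLE_HEADERS = [
    "Received: from mx1.example.edu (mx1.example.edu [10.0.0.5]) by store.example.edu",
    "Received: from edge.example.edu (edge.example.edu [10.0.0.7]) by mx1.example.edu",
    "Received: from dsl-45.isp.example (unknown [203.0.113.45]) by edge.example.edu",
    "Received: from mail.bigisp.example (mail.bigisp.example [198.51.100.9]) by dsl-45.isp.example",
]

# The bracketed address is what the *receiving* MTA recorded for the peer.
_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_ips(headers):
    """Recorded source IP of each Received header, newest first; bad ones skipped."""
    ips = []
    for h in headers:
        m = _BRACKET_IP.search(h)
        if not m:
            continue
        try:
            ips.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue  # malformed address in a header: ignore that hop
    return ips


def connecting_ip(headers, trusted_networks):
    """First hop from the top that is outside our trusted networks.

    That host connected to our own relay, so its address is the one worth
    scoring. With no trusted networks configured (e.g. the check runs on an
    internal relay), the answer is just an internal hop, which is the
    misplacement described in the thread. Returns None if all hops are trusted.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in hop_ips(headers):
        if not any(ipaddress.ip_address(ip) in net for net in trusted):
            return ip
    return None


def sender_supplied_hops(headers, trusted_networks):
    """Hops recorded below the connecting one: under the sender's control, not checked."""
    ips = hop_ips(headers)
    first = connecting_ip(headers, trusted_networks)
    return ips[ips.index(first) + 1:] if first is not None else []
```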