Thanks for the explanation and quick replies from everyone. I was definitely
wrong in my assumption on how botnet works.

I think I understand the issue now and my problem can easily be fixed by
skipping the IPs or my internal forwarders.

That is, adding the following to botnet.cf fixed it.

botnet_skip_ip                  ^128\.6\.72\.254$
botnet_skip_ip                  ^128\.6\.72\.72$
botnet_skip_ip                  ^128\.6\.31\.85$
botnet_skip_ip                  ^128\.6\.31\.86$

Hanz



John Rudd wrote:
> 
> hanz wrote:
> 
>> 
>> I believe if botnet.pm is checking all the path the mail went thru like how
>> dnsbl is used, botnet will get more accurate.
> 
> No, it would throw a lot more false-positives.  Every end user 
> (corporate, home, etc.) on a dynamic IP address would suddenly get their 
> email flagged by botnet, because the originating host matches the botnet 
> conditions.
> 
> 
> Consider this scenario:
> 
>     a) user on dynamic IP sends email to their ISP's mail server
>     b) ISP's mail server submits message to your mail server
> 
> In your suggested processing, this would generate a false positive: the 
> message would be marked as a potential botnet even though the message 
> was handled in a legitimate manner (message went out through the ISP's 
> mail server instead of coming _directly_ from the dynamic host).
> 
> Botnet specifically only tries to look at the host that submitted the 
> message to your environment because of this.
> 
> 
> So you might ask "what about ISPs that aren't policing their network, to 
> keep botnets from relaying through them?"   Those can much more easily 
> be targeted by DSBLs than trying to DSBL every little dynamic host 
> (though, pbl.spamhaus.org seems to be trying to do that).  In one way, 
> Botnet tries to encourage a bottle-neck of mail traffic through each 
> provider's mail server, partially to make it easier to manage all of the 
> end points recipient postmasters have to deal with.
> 
> 
> So, basically, I won't be changing botnet to do what you're asking for. 
> I consider it to be a rather bad idea.  Though, you could fork the code, 
> call it something else, and make your own that behaves however you want.
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Botnet-0.8-Plugin-is-available-%28FINALLY%21%21%21%29-tf4221965.html#a12987885
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
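
Added example, not part of the thread and not Botnet.pm's own code: a simplified Python model of the relay selection discussed above, comparing "judge only the submitting host" (with and without the botnet_skip_ip patterns from the message) against "judge the whole path". The relay paths, hostnames, 192.0.2.x/203.0.113.x addresses and the looks_dynamic heuristic are assumptions made for illustration.

```python
import re

# Patterns copied from the botnet.cf lines in the message above.
SKIP_IP = [r"^128\.6\.72\.254$", r"^128\.6\.72\.72$",
           r"^128\.6\.31\.85$", r"^128\.6\.31\.86$"]

# Constructed relay hops; hostnames and the 192.0.2.x / 203.0.113.x
# addresses are invented. Paths are listed newest hop first.
FORWARDER = {"ip": "128.6.72.254", "rdns": "fwd1.example.edu"}
ISP_MX = {"ip": "192.0.2.25", "rdns": "smtp.isp.example.net"}
DYN_USER = {"ip": "203.0.113.77", "rdns": "dyn-203-0-113-77.isp.example.net"}
VIA_ISP = [FORWARDER, ISP_MX, DYN_USER]   # user -> ISP server -> forwarder
DIRECT = [FORWARDER, DYN_USER]            # dynamic host -> forwarder


def looks_dynamic(relay):
    """Crude stand-in test (an assumption, not Botnet's real rule set):
    no reverse DNS, or two or more IP octets appear in the hostname."""
    if not relay["rdns"]:
        return True
    octets = relay["ip"].split(".")
    numbers = re.split(r"[^0-9]+", relay["rdns"])
    return sum(o in numbers for o in octets) >= 2


def submitting_relay(relays, skip_patterns):
    """Return the newest hop whose IP matches no skip pattern."""
    for relay in relays:
        if not any(re.search(p, relay["ip"]) for p in skip_patterns):
            return relay
    return None


def check_submitter(relays, skip_patterns):
    """Model of the behaviour John Rudd describes: judge one host only."""
    relay = submitting_relay(relays, skip_patterns)
    return (relay["ip"], looks_dynamic(relay)) if relay else (None, False)


def check_whole_path(relays, skip_patterns):
    """Model of the proposal he rejects: judge every non-skipped hop."""
    return any(looks_dynamic(r) for r in relays
               if not any(re.search(p, r["ip"]) for p in skip_patterns))


if __name__ == "__main__":
    for name, path in (("via ISP", VIA_ISP), ("direct", DIRECT)):
        print(name, check_submitter(path, []), check_submitter(path, SKIP_IP),
              "whole path:", check_whole_path(path, SKIP_IP))
```

In this model, mail relayed through the ISP's server is not flagged when only the submitting host is judged, but is flagged when the whole path is judged; without the skip patterns the internal forwarder itself is the host being evaluated.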
