Rob McEwen wrote:
> SM wrote:
>> "Botnet Plugin" sounds like a plugin that detects botnets ... If
>> Rasmus is finding that many false positives, then he's using the wrong
>> tools.
>
> No. This is just due to the fact that, unfortunately, some mail servers
> and IPs (which send desired and solicited messages) are somewhat
> incorrectly configured.

Even with the "somewhat" qualifier, I wouldn't say "incorrectly". There is nothing incorrect in vms173003pub.verizon.net. It's an unfortunate choice in these botnet days, but it's as correct as it could be.

> It turns out that a distributor receiving
> legitimate business e-mail from vendors & customers in such places as
> Africa, South America, Asia... all over the place... is going to see a
> disproportionately larger amount of messages sent from IPs which either:
>
> (a) would not do so well with BotNet's analysis
> ...OR...
> (b) which are mixed sources of ham/spam... but simply don't have a high
> enough volume of "ham" to stay off all the blacklists... particularly
> some blacklists.
>
> This has nothing to do with Rasmus's tools.. other than the fact that (I
> surmise) he is probably now forced, given that situation, to back off of
> his scoring of DNSBLs and rely more on content filtering in comparison
> to those whose e-mail is mostly US/Europe-based.