Hi Charles,

>> Received: from [78.97.185.89] (unknown [78.97.185.89])
>> Message-ID: <krszdjkabfqdkcf.iodbkvqhqtyymyw83588989...@[78.97.185.89]>
>>
>
> Do they all have message ID's that include the IP?
Yeah, great, it looks like they all do. Would something like this work?

# Literal match on the one IP seen so far; dots escaped so they match only '.'
header     MYMSGIP    Message-ID =~ /78\.97\.185\.89/
score      MYMSGIP    0.3
describe   MYMSGIP    Message-ID from botnet

Can someone help to write a rule that wildcards this safely?

> Also give a bit more score to the RDNS rules....

Yeah, great idea. It's currently only 0.1.

I also see BOTNET_NORDNS in Botnet.cf, but it isn't being triggered. It's
also weighted at 0.0. Is there a reason for this?

> You also might want to block that line that says "if picture is blocked".

There are a couple of variations, but this also looks like it would work well.

Thanks,
Alex
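A wildcarded version of the Message-ID rule, added here as an example rather than anything from the thread: it generalizes from the single IP to any bracketed IPv4 literal in the domain part, and checks the regex against constructed header values before the rule goes into a .cf file. The rule name MYMSGIP_IPLIT and the sample Message-IDs are assumptions.

```python
"""Prototype of a wildcarded Message-ID rule for SpamAssassin.

SpamAssassin header rules take a Perl regex. This pattern only uses syntax
that Python's `re` shares with Perl, so it can be exercised here first.
Rule name MYMSGIP_IPLIT is hypothetical (not from the thread).
"""
import re

# Match a Message-ID whose domain part is a bracketed IPv4 literal, e.g.
# <abc@[78.97.185.89]>. Anchoring on '@[' ... ']' at the end of the value
# keeps dotted digits in the local part from triggering it.
IP_LITERAL_MSGID = re.compile(r"@\[(?:\d{1,3}\.){3}\d{1,3}\]>?\s*$")

# The rule as it would appear in local.cf, generated from the same pattern
# so the two cannot drift apart. Score kept low, as in the thread.
SA_RULE = (
    f"header   MYMSGIP_IPLIT  Message-ID =~ /{IP_LITERAL_MSGID.pattern}/\n"
    "score    MYMSGIP_IPLIT  0.3\n"
    "describe MYMSGIP_IPLIT  Message-ID domain part is a bare IPv4 literal\n"
)


def msgid_is_ip_literal(message_id: str) -> bool:
    """True when the Message-ID header value ends in @[a.b.c.d]."""
    return IP_LITERAL_MSGID.search(message_id) is not None


def check_samples(samples):
    """Run the pattern over (header value, expected) pairs; return mismatches."""
    return [m for m, expected in samples if msgid_is_ip_literal(m) != expected]


# Constructed sample header values (not real mail), modelled on the thread.
SAMPLES = [
    ("<abcdefghijklmno.pqrstuvwxyz12345678@[78.97.185.89]>", True),
    ("<abc123.def@[10.0.0.1]>", True),                     # any IPv4 literal
    ("<20240101120000.ABCDEF@mail.example.com>", False),   # normal hostname
    ("<1.2.3.4.5@example.org>", False),                    # dotted digits in local part
    ("<xyz@[2001:db8::1]>", False),                        # IPv6 literal: not covered
]

if __name__ == "__main__":
    print(SA_RULE)
    print("mismatches:", check_samples(SAMPLES))
```

An empty mismatch list means the pattern behaves as intended on every sample; the printed block is what would be pasted into local.cf.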
