Hi Charles,

>> Received: from [78.97.185.89] (unknown [78.97.185.89])
>> Message-ID: <krszdjkabfqdkcf.iodbkvqhqtyymyw83588989...@[78.97.185.89]>
>
> Do they all have message IDs that include the IP?

Yeah, great, it looks like they all do. Would something like this work?

header MYMSGIP Message-ID =~ /78.97.185.89/
score MYMSGIP 0.3
describe MYMSGIP Message-ID from botnet

Can someone help to write a rule that wildcards this safely?

> Also give a bit more score to the RDNS rules....

Yeah, great idea. It's currently only 0.1. I also see BOTNET_NORDNS in Botnet.cf, but it isn't being triggered. It's also weighted at 0.0. Is there a reason for this?

> You also might want to block that line that says "if picture is blocked".

There's a couple of variations, but this also looks like it would work well.

Thanks,
Alex
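
One way to generalise the Message-ID check asked about above so it is not tied to a single address, as an added example that is not part of the original message or of Botnet.cf. It goes one step beyond the posted rule by also checking that the bracketed IP in the Message-ID appears in a Received header; the function names are hypothetical and the sample headers are constructed with documentation addresses.

```python
import re
from email import message_from_string

# Bracketed IPv4 literal as the Message-ID domain: <local@[a.b.c.d]>
# Dots are escaped and each octet is limited to 1-3 digits, so "." cannot
# match arbitrary characters the way it does in an unescaped pattern.
MSGID_IP = re.compile(r"@\[(\d{1,3}(?:\.\d{1,3}){3})\]>\s*$")
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def msgid_ip(raw):
    """Return the IPv4 literal used as the Message-ID domain, or None."""
    msg = message_from_string(raw)
    m = MSGID_IP.search(msg.get("Message-ID", ""))
    return m.group(1) if m else None

def msgid_matches_relay(raw):
    """True when the Message-ID IP literal also appears in a Received header."""
    ip = msgid_ip(raw)
    if ip is None:
        return False
    received = message_from_string(raw).get_all("Received", [])
    return any(ip in BRACKETED_IP.findall(h) for h in received)

# Constructed sample headers (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_BOT = (
    "Received: from [192.0.2.10] (unknown [192.0.2.10])\n"
    "\tby mx.example.org with SMTP; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "Message-ID: <abcdefgh.ijklmnop12345678@[192.0.2.10]>\n"
    "Subject: sample\n\nbody\n"
)
SAMPLE_NORMAL = (
    "Received: from mail.example.com (mail.example.com [198.51.100.7])\n"
    "\tby mx.example.org with ESMTP; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "Message-ID: <20240101000000.12345@mail.example.com>\n"
    "Subject: sample\n\nbody\n"
)
# An unescaped pattern such as /192.0.2.10/ would match this ID; the one above does not.
SAMPLE_LOOKALIKE = (
    "Received: from [192.0.2.10] (unknown [192.0.2.10])\n"
    "Message-ID: <abcdefgh@[192a0b2c10]>\n"
    "Subject: sample\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("bot", SAMPLE_BOT), ("normal", SAMPLE_NORMAL),
                      ("lookalike", SAMPLE_LOOKALIKE)):
        print(name, msgid_ip(raw), msgid_matches_relay(raw))
```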