On Wed, 14 Mar 2012, David B Funk wrote:

One clue: "X-Originating-IP: [41.189.207.189]"
Check the various RBL hits on that address. ;)

Are there existing plugins for this?

Is there a way to check a range to see if it's part of a known
blacklisted botnet?

The "cbl.abuseat.org" RBL explicitly lists infected/bot-net machines
(which does list that IP addr). So mail that contains a CBL listed
IP addr anywhere in its headers is suspect.

I forgot, the Spamhaus XBL list contains the CBL list (plus the
NJABL Open Proxy list) so it's the thing to use for this kind of
check (particularly if you've got a spamhaus data-feed ;).


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
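
The check described in this message (mail is suspect if any IP address in its headers is listed in XBL), as an added Python example that is not part of the original post or of SpamAssassin. The sample headers are constructed apart from the X-Originating-IP value quoted in the thread, and the `resolve` parameter is an assumption of this sketch so the logic can be exercised with a stub instead of live DNS.

```python
import email
import ipaddress
import re
import socket

DNSBL_ZONE = "xbl.spamhaus.org"  # zone named in the message above
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

# Constructed sample; only the X-Originating-IP value comes from the thread.
SAMPLE = (
    "Received: from mail.example.net (mail.example.net [192.0.2.25])\n"
    "Received: from [10.1.2.3] by webmail.example.net\n"
    "X-Originating-IP: [41.189.207.189]\n"
    "Subject: constructed sample\n\nbody\n"
)

def header_ips(raw_message):
    """Unique globally routable IPv4 addresses from all headers, in order."""
    found = []
    for value in email.message_from_string(raw_message).values():
        for text in IPV4_RE.findall(str(value)):
            try:
                ip = ipaddress.IPv4Address(text)
            except ValueError:
                continue  # not a valid address, e.g. 999.1.1.1
            if ip.is_global and str(ip) not in found:
                found.append(str(ip))
    return found

def dnsbl_name(ip, zone=DNSBL_ZONE):
    """41.189.207.189 -> 189.207.189.41.xbl.spamhaus.org"""
    return ".".join(reversed(ip.split("."))) + "." + zone

def system_resolver(name):
    """A records for name; [] when the lookup fails (NXDOMAIN = not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def listed_ips(raw_message, resolve=system_resolver):
    """Map each listed header IP to the 127.0.0.x codes returned for it."""
    hits = {}
    for ip in header_ips(raw_message):
        # Only 127.0.0.x answers are listings; anything else (such as a
        # 127.255.255.x error code sent to a blocked resolver) is ignored.
        codes = [a for a in resolve(dnsbl_name(ip)) if a.startswith("127.0.0.")]
        if codes:
            hits[ip] = codes
    return hits
```

Private and documentation-range addresses in Received lines are skipped before any query is built, so only addresses that could actually appear on a DNSBL are looked up.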
