
RE: Botnet 0.8 Plugin is available (FINALLY!!!)

From: hanz <makmur(at)cs.rutgers.edu>
Date: Fri Sep 28 2007 - 16:30:51 EDT

Thanks for confirming how botnet works. This is exactly the problem!

Botnet.pm is only checking the LAST IP and not the FIRST in the example email.

The first IP in the list is a definite botnet source but botnet.pm does not detect this as a botnet email.

hanz

Jason Bertoch [Electronet] wrote:
>
> On Friday, September 28, 2007 4:06 PM hanz wrote:
>
>> looking at the debug code, I notice that botnet.pm version 0.8 is only
>> checking the last server IP and not all IPs in the path.
>
> A botnet sends mail directly from the infected source, rather than relay
> it via the ISP's mail server. Any previous received headers would be forged
> so there's no point in checking them.
>
>
> Jason
>
>
>
-- 
View this message in context: 
http://www.nabble.com/Botnet-0.8-Plugin-is-available-%28FINALLY%21%21%21%29-tf4221965.html#a12948014
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Received on Fri Sep 28 16:31:29 2007
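
The distinction the thread turns on, as an added example (not Botnet.pm's code and not part of the original messages): only the client IP recorded by a server you control is verifiable, and every Received header below that hand-off was supplied by the sender. The sample message, the `192.0.2.0/24` trusted network and the function names are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample, newest header first. Only the first two Received
# headers were written by servers on the receiving side.
SAMPLE = (
    "Received: from mx.example.org (mx.example.org [192.0.2.10])\n"
    "\tby mailstore.example.org with ESMTP; Fri, 28 Sep 2007 16:00:03 -0400\n"
    "Received: from dsl-45.isp.example (dsl-45.isp.example [203.0.113.45])\n"
    "\tby mx.example.org with SMTP; Fri, 28 Sep 2007 16:00:02 -0400\n"
    "Received: from mail.bank.example (mail.bank.example [198.51.100.7])\n"
    "\tby relay.bank.example with ESMTP; Fri, 28 Sep 2007 15:59:00 -0400\n"
    "From: someone@bank.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw):
    """Client IP recorded in each Received header, newest first (None if absent)."""
    msg = email.message_from_string(raw)
    ips = []
    for value in msg.get_all("Received", []):
        m = BRACKETED_IP.search(" ".join(value.split()))  # unfold the header
        ips.append(m.group(1) if m else None)
    return ips


def is_trusted(ip, nets):
    try:
        return ip is not None and any(ipaddress.ip_address(ip) in n for n in nets)
    except ValueError:  # malformed address such as "[999.1.1.1]"
        return False


def split_path(raw, trusted_networks):
    """Return (handoff_ip, unverifiable_ips).

    Walk down from the newest header while the recorded client is one of our
    own relays. The first client outside trusted_networks is the hand-off;
    everything below it was written by that client and may be forged.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    ips = received_ips(raw)
    for i, ip in enumerate(ips):
        if not is_trusted(ip, nets):
            return ip, [x for x in ips[i + 1:] if x]
    return None, []
```

With an empty trusted list the internal relay itself is reported as the hand-off, which is why the trusted networks have to cover every relay the receiving side operates.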

This archive was generated by hypermail 2.1.8 : Sat Oct 27 2007 - 22:07:05 EDT

