RE: Botnet 0.8 Plugin is available (FINALLY!!!)

From: James E. Pratt <jpratt(at)norwich.edu>
Date: Fri Sep 28 2007 - 16:42:06 EDT

>> -----Original Message-----
>> From: hanz [mailto:makmur@cs.rutgers.edu]
>> Sent: Friday, September 28, 2007 4:31 PM
>> To: users@spamassassin.apache.org
>> Subject: RE: Botnet 0.8 Plugin is available (FINALLY!!!)
>>
>> Thanks for confirming how botnet works. This is exactly the problem!
>>
>> Botnet.pm is only checking the LAST IP and not the FIRST in the example email.
>>
>> The first IP in the list is a definite botnet source but botnet.pm does not detect this as a botnet email.
>>
>> hanz
>>
>> Jason Bertoch [Electronet] wrote:
>> >
>> > On Friday, September 28, 2007 4:06 PM hanz wrote:
>> >
>> >> looking at the debug code, I notice that botnet.pm version 0.8 is only checking the last server IP and not all IPs in the path.
>> >
>> > A botnet sends mail directly from the infected source, rather than relay it via the ISP's mail server. Any previous received headers would be forged so there's no point in checking them.
>> >
>> > Jason
>>
>> --
>> View this message in context: http://www.nabble.com/Botnet-0.8-Plugin-is-available-%28FINALLY%21%21%21%29-tf4221965.html#a12948014
>> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Yes, but in most cases, it is the LAST IP that is part of the botnet (i.e., it connected to your server LAST) - checking all of the IPs I believe would be counterproductive and just add to false positives. Btw - it appears you are using botnet in the wrong place if this email only traversed Rutgers.edu servers, minus the first bot-net IP - it should be running on your internet-facing relay, not internal relays... that's just weird IMO...

Regards,
jamie

Received on Fri Sep 28 16:38:53 2007
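The trust walk the thread converges on (score the last host that actually connected to your edge, not every IP in the path), as an added example written for this page rather than Botnet.pm's or SpamAssassin's own code; the Received headers and the 192.0.2.0/24 "trusted" range are constructed:

```python
import ipaddress
import re

# Constructed sample Received headers modelled on the thread's scenario:
# a bot connected directly to the internet-facing relay mx1, which handed
# the message to the internal relay int1 where the filter ran. Header
# order is newest hop first, as in a real message.
SAMPLE_RECEIVED = [
    "from mx1.example.edu (mx1.example.edu [192.0.2.10]) by int1.example.edu with ESMTP",
    "from [198.51.100.77] (unknown [198.51.100.77]) by mx1.example.edu with SMTP",
    # Written by the bot itself, so it can say anything; it is not evidence.
    "from relay.example.net (relay.example.net [203.0.113.5]) by 198.51.100.77",
]

# Assumed: the site's own relays. SpamAssassin expresses the same idea with
# its trusted_networks / internal_networks settings.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(received):
    """Return the IP that connected to the hop which wrote this Received header."""
    m = _IP_RE.search(received.split(" by ")[0])
    return m.group(1) if m else None


def all_ips(headers):
    """Every IP in the path, including those from headers a sender can forge."""
    ips = [connecting_ip(h) for h in headers]
    return [ip for ip in ips if ip]


def last_untrusted_ip(headers, trusted=TRUSTED):
    """Walk hops newest to oldest and skip hops written by our own trusted relays.

    The first hop whose connecting IP lies outside the trusted networks is the
    host that actually connected to our edge; every older header was supplied
    by that host and may be forged, so the walk stops there.
    """
    for h in headers:
        ip = connecting_ip(h)
        if ip is None:
            return None
        if not any(ipaddress.ip_address(ip) in net for net in trusted):
            return ip
    return None
```

With an empty trusted list the walk collapses to checking only the newest hop, which on an internal relay yields the relay's own 192.0.2.10 and misses the bot, the situation hanz describes; scoring `all_ips` instead would also hit the forged 203.0.113.5, the false-positive risk Jason and James point out.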

This archive was generated by hypermail 2.1.8 : Sat Oct 27 2007 - 22:11:15 EDT
