Jonas Eckerman wrote:
Rob Mangiafico wrote:
Spoke too soon on the false positives. Had it hit an ebay and amazon email for a user. Headers below:

Thoughts?

Some configuration might be in order.

Since the plugin is very new you should probably give it some time before considering the default config anywhere near optimal. :-)

Received: from mx29.sjc.ebay.com (mxpool14.ebay.com [66.135.197.20])
        by XXX (8.11.6/8.11.6) with ESMTP id kAS2PGV00414
        for <XXX>; Mon, 27 Nov 2006 21:25:16 -0500

Put "mxpool" in botnet_serverwords or remove "pool" from botnet_clientwords?

Received: from smtp-out-4101.amazon.com (207-171-180-184.amazon.com [207.171.180.184])
        by XXX (8.11.6/8.11.6) with ESMTP id kAS2XrV04185
        for <XXX>; Mon, 27 Nov 2006 21:33:53 -0500

This was ugly, but you could put "amazon\.com" in botnet_serverwords to avoid it.

That one won't work, because the regex doesn't look at "the registered domain + tld" (i.e. amazon.com). Adding "amazon\.com" to botnet_serverwords would exempt "amazon.com.amazon.com" but not "*.amazon.com".

The only way to exempt the amazon one would be to:

a) have me add a "domains to exempt" config, which means anyone who puts that as the domain in their PTR record can abuse it (but it might be worth it, as it would have to be done by the person who controls the RDNS for that host, and thus is still out of the reach of the botnet hacker)

b) add that IP address, or IP address block (don't know how many of the related IP addresses are owned by amazon or ebay) to botnet_pass_ip.



Or you could just trust SpamAssassin scoring to work as intended in this case. :-) (A false positive by *one* rule should never result in a false positive for the mail unless that one rule is very discriminating.)

Regards
/Jonas


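The exchange above, as an added example that is not part of the thread and not the Botnet plugin's own code: a small Python model of the three knobs discussed (botnet_clientwords, botnet_serverwords, botnet_pass_ip) run over the two Received headers Rob quoted. The word lists, the "serverword hit exempts, clientword hit flags" ordering, the IP-in-hostname test that catches the Amazon host, and the rule that the word regexes only see the labels in front of the registered domain + TLD are all assumptions made to reproduce what Jonas describes; they are not the plugin's real defaults or logic.

```python
import ipaddress
import re

# Constructed word lists standing in for botnet_clientwords / botnet_serverwords.
# Assumption: these are illustrative values, not the plugin's shipped defaults.
CLIENTWORDS = [r"pool", r"dsl", r"dyn", r"cable", r"ppp"]
SERVERWORDS = [r"smtp", r"mail", r"relay"]

# The two headers quoted in the thread (recipient side already masked as XXX there).
EBAY_HEADER = (
    "Received: from mx29.sjc.ebay.com (mxpool14.ebay.com [66.135.197.20])\n"
    "        by XXX (8.11.6/8.11.6) with ESMTP id kAS2PGV00414\n"
    "        for <XXX>; Mon, 27 Nov 2006 21:25:16 -0500\n"
)
AMAZON_HEADER = (
    "Received: from smtp-out-4101.amazon.com (207-171-180-184.amazon.com [207.171.180.184])\n"
    "        by XXX (8.11.6/8.11.6) with ESMTP id kAS2XrV04185\n"
    "        for <XXX>; Mon, 27 Nov 2006 21:33:53 -0500\n"
)

RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)", re.M)


def parse_received(header):
    """Return (helo_name, rdns_name, ip) from a sendmail-style Received header."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unrecognised Received header")
    return m.group(1), m.group(2), m.group(3)


def host_part(rdns):
    """Labels in front of the registered domain + TLD.

    Assumption: models Jonas's statement that the word regexes never see
    'amazon.com' itself, so a serverword of r'amazon\\.com' matches
    'amazon.com.amazon.com' but not '207-171-180-184.amazon.com'.
    """
    labels = rdns.rstrip(".").lower().split(".")
    return ".".join(labels[:-2])


def ip_in_hostname(rdns, ip):
    """True when the four octets of ip appear in order in the rDNS name,
    separated by single non-digits (a rough model of an IP-in-hostname
    heuristic; the plugin's exact test is not on the page)."""
    pattern = r"\D".join(re.escape(o) for o in ip.split("."))
    return re.search(r"(?<!\d)" + pattern + r"(?!\d)", rdns) is not None


def botnet_verdict(rdns, ip, clientwords=CLIENTWORDS, serverwords=SERVERWORDS, pass_ip=()):
    """Return (hit, reason); hit is True when this model would fire the rule.

    Order (assumed): pass_ip exemption, then serverwords exemption, then
    clientwords hit, then IP-in-hostname hit.
    """
    addr = ipaddress.ip_address(ip)
    for net in pass_ip:
        if addr in ipaddress.ip_network(net, strict=False):
            return False, f"botnet_pass_ip {net}"
    hp = host_part(rdns)
    if any(re.search(w, hp, re.I) for w in serverwords):
        return False, f"serverword match in {hp!r}"
    if any(re.search(w, hp, re.I) for w in clientwords):
        return True, f"clientword match in {hp!r}"
    if ip_in_hostname(rdns, ip):
        return True, f"ip in hostname {rdns!r}"
    return False, "no indicators"


def demo():
    """Run the thread's scenarios and return {label: (hit, reason)}."""
    _, ebay_rdns, ebay_ip = parse_received(EBAY_HEADER)
    _, amzn_rdns, amzn_ip = parse_received(AMAZON_HEADER)
    return {
        "ebay_default": botnet_verdict(ebay_rdns, ebay_ip),
        "ebay_mxpool_serverword": botnet_verdict(ebay_rdns, ebay_ip, serverwords=SERVERWORDS + ["mxpool"]),
        "ebay_drop_pool_clientword": botnet_verdict(
            ebay_rdns, ebay_ip, clientwords=[w for w in CLIENTWORDS if w != "pool"]),
        "amazon_default": botnet_verdict(amzn_rdns, amzn_ip),
        # Jonas's point: the serverword never sees 'amazon.com', so this still hits.
        "amazon_serverword": botnet_verdict(amzn_rdns, amzn_ip, serverwords=SERVERWORDS + [r"amazon\.com"]),
        "amazon_com_amazon_com": botnet_verdict("amazon.com.amazon.com", amzn_ip,
                                               serverwords=SERVERWORDS + [r"amazon\.com"]),
        # Option b): exempt the address block instead (the /24 is an assumed size).
        "amazon_pass_ip": botnet_verdict(amzn_rdns, amzn_ip, pass_ip=["207.171.180.0/24"]),
    }


if __name__ == "__main__":
    for label, (hit, reason) in demo().items():
        print(f"{label:28s} {'HIT ' if hit else 'pass'}  {reason}")
```

Running it shows the eBay host cleared by either of Rob's two fixes, the Amazon host still hitting after "amazon\.com" is added to the serverwords, and only the botnet_pass_ip entry (or a hostname that literally contains "amazon.com" in front of the registered domain) clearing it.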