Thanks for confirming how botnet works. This is exactly the problem! Botnet.pm is only checking the LAST IP and not the FIRST in the example email.
The first IP in the list is a definite botnet source but botnet.pm does not detect this as a botnet email.

hanz

Jason Bertoch [Electronet] wrote:
>
> On Friday, September 28, 2007 4:06 PM hanz wrote:
>
>> looking at the debug code, I notice that botnet.pm version 0.8 is only
>> checking the last server IP and not all IPs in the path.
>
> A botnet sends mail directly from the infected source, rather than relay it via
> the ISP's mail server. Any previous received headers would be forged so there's
> no point in checking them.
>
> Jason

--
View this message in context: http://www.nabble.com/Botnet-0.8-Plugin-is-available-%28FINALLY%21%21%21%29-tf4221965.html#a12948014
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
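The reasoning in the quoted reply, as an added example that is not part of the original thread and is not the Botnet plugin's code: walk the Received headers from the top and stop at the first client outside your own relays, since anything below that point was supplied by the connecting host. The message, host names, addresses and the trusted network are constructed assumptions.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed message. Newest Received header is on top; only headers written
# by our own servers are reliable, the rest arrive as sender-supplied data.
RAW = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mailstore.example.org with ESMTP; Fri, 28 Sep 2007 16:00:05 -0400
Received: from dsl-45.example.net (unknown [203.0.113.45])
\tby mx.example.org with SMTP; Fri, 28 Sep 2007 16:00:00 -0400
Received: from mail.bank.example (mail.bank.example [198.51.100.7])
\tby relay.bank.example with ESMTP; Fri, 28 Sep 2007 15:59:00 -0400
From: someone@bank.example
Subject: constructed sample

body
"""

TRUSTED_NETS = [ip_network("192.0.2.0/24")]  # assumption: our own relays
CLIENT_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def client_ips(raw):
    """Client IP of each Received header, newest first; unparsable ones skipped."""
    ips = []
    for value in message_from_string(raw).get_all("Received", []):
        m = CLIENT_IP.search(" ".join(value.split()))  # unfold the header
        if not m:
            continue
        try:
            ips.append(ip_address(m.group(1)))
        except ValueError:
            continue
    return ips

def split_hops(raw, trusted=TRUSTED_NETS):
    """Return (handoff_ip, unverified_ips).

    Assumes the top header was written by the server running this check.
    Walking down, a header stays reliable while the client it names is one of
    our relays. The first outside client is the host that connected to us;
    everything below it was supplied by that host and cannot be verified.
    """
    ips = client_ips(raw)
    for i, ip in enumerate(ips):
        if not any(ip in net for net in trusted):
            return str(ip), [str(x) for x in ips[i + 1:]]
    return None, []
```

If the trusted network list omits an internal relay, the walk stops one hop too early and reports that relay as the handoff, so the list has to match the real mail path.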