Hello,

Looking at recent botnet spam, comparing messages from one day to the next, I see new URLs being advertised that resolve to the same IP address as ones in the past. E.g. some at http://pastie.org/9525224

The first of those was already on URIBL/RBL lists when it hit, but the others were not - they all resolve to the same IP address. The messages are hitting BAYES_50, on fairly well trained databases.

I dug around some and as best I can tell, SpamAssassin does not resolve the IP addresses of URLs and add them to Bayes when training, is that correct? Would it not make sense to do so? I could write a program to extract URLs and add a X-URL-IP header or something which bayes could use, but would this not be useful enough to be in the normal part of training?

Also in the discussion, am I correct that a spamassassin "rule" wouldn't be what does that, you would have to write a plugin?

Thanks,
Jesse

--
Jesse Norell
Kentec Communications, Inc.
970-522-8107 - www.kci.net
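A sketch of the pre-processing program the post describes, added here as an example; it is not code from the poster or from SpamAssassin. It extracts URL hosts from the text parts, resolves them, and writes the `X-URL-IP` header, first dropping any copy already present so a sender cannot supply tokens of their choosing. The injectable `resolver`, the `max_hosts` cap, the IPv4-only lookup and the sample message are assumptions.

```python
import email
import re
import socket
from email import policy
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample: hostnames and addresses are documentation values.
SAMPLE = (
    "From: sender@example.org\n"
    "X-URL-IP: 203.0.113.99\n"
    "\n"
    "Buy at http://pills-a.example/x or http://pills-b.example/y\n"
    "Unsubscribe: https://other.example/u\n"
)

def system_resolver(host):
    """Resolve host to a sorted list of IPv4 addresses ([] on failure)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError):
        return []
    return sorted({info[4][0] for info in infos})

def url_ips(msg, resolver, max_hosts=10):
    """Unique IPs behind the URL hosts in msg's text parts, in first-seen order."""
    hosts, ips = [], []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            try:
                host = urlsplit(url).hostname
            except ValueError:  # malformed URL, e.g. a bad IPv6 literal
                continue
            if host and host not in hosts:
                hosts.append(host)
    for host in hosts[:max_hosts]:  # cap DNS lookups per message
        ips.extend(ip for ip in resolver(host) if ip not in ips)
    return ips

def tag_message(raw, resolver=system_resolver):
    """Return raw with X-URL-IP replaced by the freshly resolved addresses."""
    msg = email.message_from_string(raw, policy=policy.default)
    del msg["X-URL-IP"]  # never trust a copy supplied by the sender
    ips = url_ips(msg, resolver)
    if ips:
        msg["X-URL-IP"] = ", ".join(ips)
    return msg.as_string()
```

The lookups are for hostnames chosen by the sender, so the resolver the filter uses sees attacker-controlled queries; the per-message cap bounds that cost.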