SM wrote:
> "Botnet Plugin" sounds like a plugin that detects botnets ... If
> Rasmus is finding that many false positives, then he's using the wrong
> tools.

No. This is just due to the fact that, unfortunately, some mail servers and IPs (which send desired and solicited messages) are somewhat incorrectly configured.

It turns out that a distributor receiving legitimate business e-mail from vendors & customers in such places as Africa, South America, Asia... all over the place... is going to see a disproportionately larger amount of messages sent from IPs which either:

(a) would not do so well with BotNet's analysis

...OR...

(b) which are mixed sources of ham/spam... but simply don't have a high enough volume of "ham" to stay off all the blacklists... particularly some blacklists.

This has nothing to do with Rasmus's tools... other than the fact that (I surmise) he is probably now forced, given that situation, to back off of his scoring of DNSBLs and rely more on content filtering in comparison to those whose e-mail is mostly US/Europe-based.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032