We have found Botnet to be very helpful in trapping spam generated by misbehaving home computers and office workstations. So we want to avoid making changes that could reduce its effectiveness.

However, we are having a problem with it also catching legitimate email sent from webmail hosts. The "untrusted" relay that is triggering the test looks like this example.

Received: from rbn1s-216-180-93-118.adsl.hiwaay.net
(rbn1s-216-180-93-118.adsl.hiwaay.net [216.180.93.118]) by
mail.homefreemail.com (Horde Framework) with HTTP; Fri, 23 Jan 2009
16:03:43 -0600

And we can see what happens when we run in debug mode.
...
[538] dbg: Botnet: starting
[538] dbg: Botnet: no trusted relays
[538] dbg: Botnet: Skipped ip 192.168.0.5
[538] dbg: Botnet: get_relay good RDNS
[538] dbg: Botnet: IP is '216.180.93.118'
[538] dbg: Botnet: RDNS is 'rbn1s-216-180-93-118.adsl.hiwaay.net'
[538] dbg: Botnet: HELO is 'rbn1s-216-180-93-118.adsl.hiwaay.net'
[538] dbg: Botnet: sender 'andydor...@comehome.net'
[538] dbg: Botnet: hit (client,ipinhostname,clientwords)
[538] dbg: rules: ran eval rule BOTNET ======> got hit (1)

What we would like Botnet to do is recognize that this is an HTTP transaction, not SMTP, and hence not hit on it.

We were first wondering if anyone else has encountered this issue and possibly there is a fix we are not aware of?

Otherwise, we would be willing to give a shot at a patch to handle this issue.

Just did not want to re-invent the wheel.

Thanks,

--
Andy Dorman
Ironic Design, Inc.
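
The check asked for above, sketched as an added example; it is not part of the original post and not Botnet's own code (the plugin is Perl, this is standalone Python). It parses the `with` clause of a Received header and treats the hop as a webmail submission only when the stamping `by` host is on an allowlist, since a `with HTTP` stamp from an unknown host proves nothing. Assumptions: the function names and the `KNOWN_WEBMAIL_HOSTS` allowlist are hypothetical, and the sample is the header from the post re-typed as a string.

```python
import re

# Constructed sample: the Received header from the post, as a folded string.
SAMPLE = (
    "from rbn1s-216-180-93-118.adsl.hiwaay.net\n"
    " (rbn1s-216-180-93-118.adsl.hiwaay.net [216.180.93.118]) by\n"
    " mail.homefreemail.com (Horde Framework) with HTTP; Fri, 23 Jan 2009\n"
    " 16:03:43 -0600"
)

# Assumption: hosts whose "with HTTP" stamp we are willing to believe.
KNOWN_WEBMAIL_HOSTS = {"mail.homefreemail.com"}

def strip_comments(text):
    """Drop (possibly nested) parenthesised comments so clause keywords
    inside them are not mistaken for real from/by/with clauses."""
    out, depth = [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)

def parse_received(value):
    """Return the from/by/with clauses and the bracketed client IP."""
    unfolded = " ".join(value.split())      # undo header folding
    stamp = unfolded.rsplit(";", 1)[0]      # drop the trailing date-time
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", stamp)
    bare = strip_comments(stamp)
    fields = {"ip": ip.group(1) if ip else None}
    for key in ("from", "by", "with"):
        m = re.search(r"(?:^|\s)%s\s+(\S+)" % key, bare, re.I)
        fields[key] = m.group(1).lower() if m else None
    return fields

def is_webmail_hop(value, webmail_hosts=KNOWN_WEBMAIL_HOSTS):
    """True only for an HTTP submission stamped by an allowlisted host."""
    f = parse_received(value)
    return f["with"] == "http" and f["by"] in webmail_hosts
```
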
