Mailing List Archive: SpamAssassin: users

Botnet keeps tripping



jnichols at pbp

Nov 5, 2009, 5:39 PM

Post #1 of 5 (178 views)
Botnet keeps tripping

This might be very simple, but Botnet keeps triggering on a local
school district. I THOUGHT that I added it to the pass_domains list
correctly.

Help!

Botnet.cf has the following in it:

botnet_pass_domains amazon\.com # they use IP in Hostname; dorks
botnet_pass_domains apple\.com # special test case
botnet_pass_domains ebay\.com # pool in hostname
botnet_pass_domains nisdtx\.org # Northwest ISD
botnet_pass_domains ntta\.org # NTTA


The headers that keep getting tripped:

Received: from localhost (localhost [127.0.0.1])
by heap.pbp.net (Postfix) with ESMTP id 76927E41E6
for <jnichols[at]pbp.net>; Tue, 3 Nov 2009 15:35:26 -0600 (CST)
X-Virus-Scanned: amavisd-new at heap.pbp.net
X-Spam-Flag: NO
X-Spam-Score: 5.743
X-Spam-Level: *****
X-Spam-Status: No, score=5.743 tagged_above=-999 required=6
tests=[AWL=-0.313,
BAYES_00=-2.599, BOTNET=5, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.097, MIME_HTML_ONLY=1.457, RCVD_IN_BNBL=2,
RDNS_NONE=0.1]
Received: from heap.pbp.net ([127.0.0.1])
by localhost (heap.pbp.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id S3FCL7keoDvd for <jnichols[at]pbp.net>;
Tue, 3 Nov 2009 15:35:20 -0600 (CST)
Received: from mail.nisdtx.org (unknown [70.129.99.5])
by heap.pbp.net (Postfix) with ESMTP id D58E8E41E4
for <jnichols[at]pbp.net>; Tue, 3 Nov 2009 15:35:20 -0600 (CST)
Received: from espapp01.nisdtx.org ([10.111.9.24])
by mail.nisdtx.org with ESMTP; Tue, 03 Nov 2009 15:35:18 -0600
Received: from espapp01 ([10.111.9.24]) by espapp01.nisdtx.org with
Microsoft SMTPSVC(6.0.3790.3959);
Tue, 3 Nov 2009 15:35:17 -0600
MIME-Version: 1.0


rwmaillists at googlemail

Nov 5, 2009, 7:28 PM

Post #2 of 5 (160 views)
Re: Botnet keeps tripping [In reply to]

On Thu, 5 Nov 2009 19:39:10 -0600
Jonathan Nichols <jnichols[at]pbp.net> wrote:

> This might be very simple, but Botnet keeps triggering on a local
> school district. I THOUGHT that I added it to the pass_domains list
> correctly.

I'm not 100% sure, but I think the issue is that it hits BOTNET because
mail.nisdtx.org has no reverse DNS, and BOTNET uses reverse DNS for
checking pass_domains. The mail.nisdtx.org in the headers is just a
helo, so there's no real evidence for nisdtx.org anywhere in the
headers. The plugin could do its own A-record lookup on mail.nisdtx.org
and verify it against the IP address, but I guess it doesn't.

I suppose you'll have to use the IP address instead. You might also
consider using the SOHO exclusion, which I think might have eliminated
this FP.

i.e. replace the BOTNET definition with

meta BOTNET ( ! BOTNET_SOHO && (BOTNET_CLIENT || BOTNET_BADDNS || BOTNET_NORDNS) )


rwmaillists at googlemail

Nov 5, 2009, 7:56 PM

Post #3 of 5 (160 views)
Re: Botnet keeps tripping [In reply to]

On Fri, 6 Nov 2009 03:28:40 +0000
RW <rwmaillists[at]googlemail.com> wrote:


> The mail.nisdtx.org in the headers is
> just a helo, so there's no real evidence for nisdtx.org anywhere in
> the headers. The plugin could do its own A-record lookup on
> mail.nisdtx.org and verify it against the IP address, but I guess it
> doesn't.
>

Actually even if it does, there's a mismatch

Received: from mail.nisdtx.org (unknown [70.129.99.5])


dig +short mail.nisdtx.org
70.129.99.3
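The two replies above describe three different checks; the following is an added example, not code from the thread or from the Botnet plugin, that models them in Python against the quoted Received line: why `botnet_pass_domains` cannot exempt this host (the pattern is applied to the reverse-DNS name, and Postfix logged `unknown`, meaning the PTR lookup failed), why a forward lookup on the HELO name would not have rescued it either (the A record in the quoted dig output is 70.129.99.3, not 70.129.99.5), and the per-IP exemption the thread settles on. The DNS lookup table, the suffix-regex matching rule and the IP allowlist are assumptions, not the plugin's real implementation.

```python
import re
import ipaddress

# Constructed sample: the Received line from the thread's headers.
RECEIVED = ("Received: from mail.nisdtx.org (unknown [70.129.99.5]) "
            "by heap.pbp.net (Postfix) with ESMTP id D58E8E41E4")
# The poster's botnet_pass_domains entries, as regex fragments.
PASS_DOMAINS = [r"amazon\.com", r"apple\.com", r"ebay\.com",
                r"nisdtx\.org", r"ntta\.org"]
# Offline stand-in for DNS (assumption); the A record mirrors the dig output.
FAKE_A_RECORDS = {"mail.nisdtx.org": {"70.129.99.3"}}
# Hypothetical per-IP exemption, the fix the thread settles on.
IP_ALLOWLIST = [ipaddress.ip_network("70.129.99.5/32")]
# Postfix format: "from <HELO> (<rDNS-or-unknown> [<IP>])".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)")

def parse_received(header):
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("not a Postfix-style Received header")
    rdns = m.group("rdns")
    # Postfix writes "unknown" when the PTR lookup fails: treat as no rDNS.
    return {"helo": m.group("helo"), "ip": m.group("ip"),
            "rdns": None if rdns == "unknown" else rdns}

def pass_domain_match(rdns, patterns):
    """Exemption keyed on the reverse-DNS name only (assumed suffix match);
    the HELO name is never consulted, so no PTR means no match."""
    if rdns is None:
        return None
    for pat in patterns:
        if re.search(r"(^|\.)" + pat + r"$", rdns, re.IGNORECASE):
            return pat
    return None

def helo_forward_confirmed(helo, ip, a_records):
    """Does an A record for the HELO name point back at the connecting IP?"""
    return ip in a_records.get(helo, set())

def ip_exempt(ip, allowlist):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)

def evaluate(header):
    rec = parse_received(header)
    return {"rdns_pass": pass_domain_match(rec["rdns"], PASS_DOMAINS),
            "helo_fcrdns": helo_forward_confirmed(rec["helo"], rec["ip"], FAKE_A_RECORDS),
            "ip_exempt": ip_exempt(rec["ip"], IP_ALLOWLIST)}
```

Running `evaluate(RECEIVED)` shows all three facts at once: no domain match, no forward confirmation, and only the IP allowlist lets the host through.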


jrudd at ucsc

Nov 5, 2009, 9:41 PM

Post #4 of 5 (159 views)
Re: Botnet keeps tripping [In reply to]

yeah, RW pretty much hit this one on the head. You're going to need
to exempt it by IP, not by domain name.

On Thu, Nov 5, 2009 at 19:56, RW <rwmaillists[at]googlemail.com> wrote:
> On Fri, 6 Nov 2009 03:28:40 +0000
> RW <rwmaillists[at]googlemail.com> wrote:
>
>
>> The mail.nisdtx.org in the headers is
>> just a helo, so there's no real evidence for nisdtx.org anywhere in
>> the headers. The plugin could do its own A-record lookup on
>> mail.nisdtx.org and verify it against the IP address, but I guess it
>> doesn't.
>>
>
> Actually even if it does, there's a mismatch
>
> Received: from mail.nisdtx.org (unknown [70.129.99.5])
>
>
> dig +short mail.nisdtx.org
> 70.129.99.3
>


jnichols at pbp

Nov 6, 2009, 7:00 PM

Post #5 of 5 (146 views)
Re: Botnet keeps tripping [In reply to]

D'oh. I didn't catch that one.

Thanks guys.. I'll allow it by IP.. and hopefully get in touch with
the admin to fix their broken DNS.

:D


On Nov 5, 2009, at 11:41 PM, John Rudd wrote:

> yeah, RW pretty much hit this one on the head. You're going to need
> to exempt it by IP, not by domain name.
>
> On Thu, Nov 5, 2009 at 19:56, RW <rwmaillists[at]googlemail.com> wrote:
>> On Fri, 6 Nov 2009 03:28:40 +0000
>> RW <rwmaillists[at]googlemail.com> wrote:
>>
>>
>>> The mail.nisdtx.org in the headers is
>>> just a helo, so there's no real evidence for nisdtx.org anywhere in
>>> the headers. The plugin could do its own A-record lookup on
>>> mail.nisdtx.org and verify it against the IP address, but I guess it
>>> doesn't.
>>>
>>
>> Actually even if it does, there's a mismatch
>>
>> Received: from mail.nisdtx.org (unknown [70.129.99.5])
>>
>>
>> dig +short mail.nisdtx.org
>> 70.129.99.3
>>
