Thomas Bolioli wrote:
> It seems to have an issue with mail sent through forwarders like alumni
> accounts and one mail type systems. I am sending you a note off line
> with the details.
No... it doesn't look that way at all.
If you read the spam report headers, it clearly states what the problem
is with _BOTH_ of the messages you sent me:
* 0.1 BOTNET_BADDNS Relay doesn't have full circle DNS
BOTNET is triggering because the relay which is submitting the message
to you doesn't have full circle DNS (the hostname returned by the PTR
lookup doesn't resolve back to the IP address that is submitting the
message). It's not because BOTNET has a problem with mail forwarding
services (not indicated at all by the first message you sent me), nor is
it because it's a server initiated message (the second message; the
presence of BOTNET_SERVERWORDS should have scored -0.1, and would have
served to prevent BOTNET_CLIENT from triggering ... which it did:
BOTNET_CLIENT doesn't show up in that message's spam report).
In that regard, neither of these is a false positive. BOTNET is told to
flag messages that have "Bad DNS" configurations, and these two mail
relays have bad DNS configurations, so BOTNET flagged them.
I can't tell you if the messages themselves were spam or not... the 2nd
one definitely looks like spam to me, but the sender/recipient/subject
of the first one doesn't look like spam. If you say that they're ham,
then I would give you a few courses of action:
1) add the domain name in a "botnet_pass_domains" entry in Botnet.cf:
For the first message:
* [botnet_baddns,ip=198.212.10.108,rdns=permemail05.alumniconnections.com]
becomes:
botnet_pass_domains alumniconnections\.com
For the second message:
* [botnet_baddns,ip=208.66.204.41,rdns=mail31.uptilt.com]
becomes:
botnet_pass_domains uptilt\.com
2) for the second message, either do something like the above, or add
the IP address, in the botnet report, to Botnet.cf as a botnet_pass_ip:
For the first message:
* [botnet_baddns,ip=198.212.10.108,rdns=permemail05.alumniconnections.com]
becomes:
botnet_pass_ip ^198\.212\.10\.108$
For the second message:
* [botnet_baddns,ip=208.66.204.41,rdns=mail31.uptilt.com]
becomes:
botnet_pass_ip ^208\.66\.204\.41$
3) send email to abuse@ hostmaster@ and postmaster@ each of the domains,
showing them the headers of the message they sent you, including the
spam report headers, and informing them that their DNS misconfigurations
make their mail servers appear to be potential spam sources, and that
they should fix this by having the hostnames returned by any of their
PTR records actually resolve back to the IP address that the PTR record
is attached to.
IMO: the 3rd one is the thing that should happen (the mail servers
should have their DNS configurations fixed). I'll think about adding
alumniconnections.com to the centrally distributed Botnet.cf. But,
given the content of the message from uptilt.com, I really don't think
I'd add them to the centrally distributed Botnet.cf.
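The full-circle DNS test and the Botnet.cf pass entries discussed above, as an added worked example; this is not code from the thread, from the Botnet plugin or from SpamAssassin. The DNS answers for the two relays are constructed so that the check runs offline (the real records may differ), the `live_ptr`/`live_a` helpers show the same check against the system resolver, and the matching rule assumed for `botnet_pass_domains` (a regex matched against the rDNS name at a label boundary) and for `botnet_pass_ip` (a regex matched against the IP string) is an assumption about the plugin, not a description of its source.

```python
import re
import socket

# ---- Full-circle (forward-confirmed) reverse DNS, the BOTNET_BADDNS test ----

def full_circle_dns(ip, ptr_lookup, a_lookup):
    """Return (ok, rdns). ok is True only when the name from the PTR lookup
    resolves back to ip; otherwise the relay has "bad DNS" in Botnet's sense.
    The lookups are injected so the check runs against live DNS or test data."""
    rdns = ptr_lookup(ip)
    if not rdns:
        return False, None          # no PTR record at all
    return ip in a_lookup(rdns), rdns

def live_ptr(ip):
    """PTR lookup through the system resolver (needs network; unused offline)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def live_a(name):
    """IPv4 forward lookup through the system resolver (needs network)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

# Constructed offline DNS data (assumed, not the hosts' real records): the two
# relays from the thread get broken forward records, plus one good relay.
FAKE_PTR = {
    "198.212.10.108": "permemail05.alumniconnections.com",
    "208.66.204.41": "mail31.uptilt.com",
    "192.0.2.25": "mx.good.example",
}
FAKE_A = {
    "permemail05.alumniconnections.com": ["198.212.10.200"],  # PTR name points elsewhere
    "mx.good.example": ["192.0.2.25"],                         # the circle closes
    # "mail31.uptilt.com" deliberately absent: the forward lookup fails
}

def fake_ptr(ip):
    return FAKE_PTR.get(ip)

def fake_a(name):
    return FAKE_A.get(name, [])

# ---- Botnet.cf pass entries and the spam-report token -----------------------

REPORT_RE = re.compile(r"\[botnet_baddns,ip=([^,\]]+),rdns=([^\]]*)\]")

def parse_report_token(line):
    """Pull (ip, rdns) out of a '* [botnet_baddns,ip=...,rdns=...]' report line."""
    m = REPORT_RE.search(line)
    if not m:
        raise ValueError("not a botnet_baddns report line: %r" % line)
    return m.group(1), m.group(2)

def parse_botnet_cf(text):
    """Collect botnet_pass_domains / botnet_pass_ip patterns (Perl-style regexes).
    Assumption: a domain pattern is matched against the rDNS name at a label
    boundary, so 'alumniconnections\\.com' covers permemail05.alumniconnections.com
    but not notalumniconnections.com; an IP pattern is matched against the IP
    string as written (hence the ^...$ anchors used in the thread)."""
    pass_domains, pass_ips = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, pat = parts
        if key == "botnet_pass_domains":
            pass_domains.append(re.compile(r"(?:^|\.)(?:%s)$" % pat, re.I))
        elif key == "botnet_pass_ip":
            pass_ips.append(re.compile(pat))
    return pass_domains, pass_ips

def is_passed(ip, rdns, pass_domains, pass_ips):
    """True when some pass entry exempts this relay from BOTNET_BADDNS."""
    if any(p.search(ip) for p in pass_ips):
        return True
    return bool(rdns) and any(p.search(rdns) for p in pass_domains)

def botnet_baddns(ip, cf_text="", ptr_lookup=fake_ptr, a_lookup=fake_a):
    """Return (flagged, report_token): flagged is True when the relay fails the
    full-circle check and no pass entry in cf_text exempts it."""
    ok, rdns = full_circle_dns(ip, ptr_lookup, a_lookup)
    if ok:
        return False, None
    if is_passed(ip, rdns, *parse_botnet_cf(cf_text)):
        return False, None
    return True, "[botnet_baddns,ip=%s,rdns=%s]" % (ip, rdns or "")

if __name__ == "__main__":
    cf = r"botnet_pass_domains alumniconnections\.com"
    for relay in FAKE_PTR:
        print(relay, botnet_baddns(relay), botnet_baddns(relay, cf))
```

Running the block prints each constructed relay twice: once with an empty Botnet.cf (only the good relay escapes the flag) and once with the alumniconnections.com pass entry (the first relay is exempted, the uptilt.com relay is still flagged). Swap `fake_ptr`/`fake_a` for `live_ptr`/`live_a` to test a real relay's records; note that a pass entry only silences the rule, it does not repair the DNS, which is why the thread prefers option 3.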