See below for content. I forgot to send this to the list.
John Rudd wrote:
Thomas Bolioli wrote:
It seems to have an issue with mail sent through forwarders like
alumni accounts and one mail type systems. I am sending you a note
offline with the details.
No... it doesn't look that way at all.
If you read the spam report headers, it clearly states what the
problem is with _BOTH_ of the messages you sent me:
* 0.1 BOTNET_BADDNS Relay doesn't have full circle DNS
BOTNET is triggering because the relay which is submitting the message
to you doesn't have full circle DNS (the hostname returned by the PTR
lookup doesn't resolve back to the IP address that is submitting the
message). It's not because BOTNET has a problem with mail forwarding
services (not indicated at all by the first message you sent me), nor
is it because it's a server initiated message (the second message; the
presence of BOTNET_SERVERWORDS should have scored -0.1, and would have
served to prevent BOTNET_CLIENT from triggering ... which it did:
BOTNET_CLIENT doesn't show up in that message's spam report).
In that regard, neither of these is a false positive. BOTNET is told
to flag messages that have "Bad DNS" configurations, and these two
mail relays have bad DNS configurations, so BOTNET flagged them.
I can't tell you if the messages themselves were spam or not... the
2nd one definitely looks like spam to me, but the
sender/recipient/subject of the first one doesn't look like spam. If
you say that they're ham, then I would give you a few courses of action:
1) add the domain name in a "botnet_pass_domains" entry in Botnet.cf:
For the first message:
* [botnet_baddns,ip=198.212.10.108,rdns=permemail05.alumniconnections.com]
becomes:
botnet_pass_domains alumniconnections\.com
For the second message:
* [botnet_baddns,ip=208.66.204.41,rdns=mail31.uptilt.com]
becomes:
botnet_pass_domains uptilt\.com
2) for the second message, either do something like the above, or add
the IP address, in the botnet report, to Botnet.cf as a botnet_pass_ip:
For the first message:
* [botnet_baddns,ip=198.212.10.108,rdns=permemail05.alumniconnections.com]
becomes:
botnet_pass_ip ^198\.212\.10\.108$
For the second message:
* [botnet_baddns,ip=208.66.204.41,rdns=mail31.uptilt.com]
becomes:
botnet_pass_ip ^208\.66\.204\.41$
3) send email to abuse@ hostmaster@ and postmaster@ each of the
domains, showing them the headers of the message they sent you,
including the spam report headers, and informing them that their DNS
misconfigurations make their mail servers appear to be potential spam
sources, and that they should fix this by having the hostnames
returned by any of their PTR records actually resolve back to the IP
address that the PTR record is attached to.
IMO: the 3rd one is the thing that should happen (the mail servers
should have their DNS configurations fixed). I'll think about adding
alumniconnections.com to the centrally distributed Botnet.cf. But,
given the content of the message from uptilt.com, I really don't think
I'd add them to the centrally distributed Botnet.cf.
I agree that the third should happen, but I am a little confused. Why are
these failing rDNS lookups?
I do the lookups and I get this:
Sailfish:~ tbolioli$ host permemail05.alumniconnections.com
permemail05.alumniconnections.com has address 198.212.10.108
Sailfish:~ tbolioli$ host 198.212.10.108
108.10.212.198.in-addr.arpa domain name pointer permemail05.alumniconnections.com.
Sailfish:~ tbolioli$ host mail31.uptilt.com
mail31.uptilt.com has address 208.66.204.41
Sailfish:~ tbolioli$ host 208.66.204.41
41.204.66.208.in-addr.arpa domain name pointer mail31.uptilt.com.
Sailfish:~ tbolioli$ host 208.66.204.40
Is there something I am missing or that I am doing wrong in my lookups?
I want to get these entities to change but I am not sure what to tell
them to do.
Thanks,
Tom
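The "full circle DNS" test John describes (PTR lookup of the connecting IP, then a forward lookup of the returned hostname that must contain the original IP) and the two Botnet.cf whitelisting options he gives are shown below as an added example; this is not code from the thread or from the Botnet plugin. The resolver answers are a constructed in-memory table rather than live DNS, which also illustrates why Tom's `host` output and the filter's verdict can disagree: the result depends entirely on the answers the scanning host's resolver returned at scan time. The `(?:^|\.)pattern$` matching used for botnet_pass_domains is an assumption about how the plugin applies that setting; check Botnet.pm for the exact semantics.

```python
import re

# Constructed resolver tables (not live DNS). The two real hosts from the
# thread are given consistent records; 203.0.113.x entries are made up to
# show the failure modes BOTNET_BADDNS is meant to catch.
PTR = {
    "198.212.10.108": ["permemail05.alumniconnections.com"],
    "208.66.204.41": ["mail31.uptilt.com"],
    "203.0.113.7": ["mx.example.net"],   # PTR name resolves to a different IP
    "203.0.113.8": [],                   # no PTR record at all
}
A = {
    "permemail05.alumniconnections.com": ["198.212.10.108"],
    "mail31.uptilt.com": ["208.66.204.41"],
    "mx.example.net": ["203.0.113.99"],
}


def full_circle_dns(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS.

    Returns (ok, rdns_name). ok is True only when at least one name in the
    PTR answer has an A record pointing back at ip. When no name confirms,
    the first PTR name is returned so a report can still show the rdns
    value (the way the thread's [botnet_baddns,ip=...,rdns=...] lines do).
    """
    names = ptr.get(ip, [])
    if not names:
        return False, None
    for name in names:
        if ip in a.get(name, []):
            return True, name
    return False, names[0]


# The two whitelist entries John proposes, as Botnet.cf-style regexes.
PASS_DOMAINS = [r"alumniconnections\.com"]   # botnet_pass_domains
PASS_IPS = [r"^208\.66\.204\.41$"]           # botnet_pass_ip


def botnet_verdict(ip, pass_domains=PASS_DOMAINS, pass_ips=PASS_IPS,
                   ptr=PTR, a=A):
    """Decide whether a relay would be flagged.

    Returns one of: "pass_ip", "pass_domain", "ok", "BOTNET_BADDNS".
    Pass lists are consulted before the DNS test so that a whitelisted
    relay is never flagged even if its DNS is still broken.
    """
    ok, rdns = full_circle_dns(ip, ptr, a)
    if any(re.search(p, ip) for p in pass_ips):
        return "pass_ip"
    # Assumption: a pass_domain pattern matches the rdns name itself or any
    # subdomain of it (anchored at a label boundary and at the end).
    if rdns and any(re.search(r"(?:^|\.)" + p + r"$", rdns, re.I)
                    for p in pass_domains):
        return "pass_domain"
    if ok:
        return "ok"
    return "BOTNET_BADDNS"


def report_line(ip, ptr=PTR, a=A):
    """Render the rdns portion of a BOTNET-style report entry."""
    ok, rdns = full_circle_dns(ip, ptr, a)
    tag = "botnet_ok" if ok else "botnet_baddns"
    return f"[{tag},ip={ip},rdns={rdns or '-'}]"


if __name__ == "__main__":
    for ip in PTR:
        print(report_line(ip), "->", botnet_verdict(ip))
```

Running the block prints one line per constructed relay; the two hosts from the thread come back clean (or whitelisted), while 203.0.113.7 is flagged because mx.example.net resolves to 203.0.113.99 rather than the connecting IP, and 203.0.113.8 is flagged for having no PTR at all. Swapping in a different `A` table for permemail05.alumniconnections.com reproduces the situation Tom is puzzled by: the same IP passes or fails purely on what the resolver hands back.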