Josh Trutwin wrote:
> On Fri, 26 Jan 2007 16:43:17 -0800
> John Rudd <[EMAIL PROTECTED]> wrote:
>
> > > > > > X-Envelope-From: [EMAIL PROTECTED]
> > > > > > Received: from netbits.us ([209.18.107.89])
> > > > > >         by 0 ([192.168.0.3])
> > > > > >         with SMTP via SSL; 25 Jan 2007 23:47:53 -0000
> > > > >
> > > > > That would seem to be your problem. I bet SA thinks that means
> > > > > the machine has no reverse DNS. And netbits.us has a completely
> > > > > different IP address than that.
> > > >
> > > > SA or Botnet?
> > >
> > > SA. SA is the one that interprets the headers. Botnet reads the
> > > interpreted headers.
>
> This is only scoring a 5.1 though - I posted the SA report in a
> previous message, my only bad hit is from Botnet:
>
> Content analysis details:   (5.1 points, 5.0 required)
>
>  0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
>  5.0 BOTNET                 Relay might be a spambot or virusbot
>                             [botnet0.7,ip=209.18.107.89,hostname=netbits.us,maildomain=davidtrutwin.com,baddns]
>  1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
> -0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
>                             [score: 0.3696]
> -1.2 AWL                    AWL: From: address is in the auto white-list
>
> I'm curious to see if changing the PTR records will help.
>
> Josh
Yeah, this is the problem with the Botnet ruleset. I had to stop using
it. It assumes one IP, one domain with regard to mail. If your
mail server handles multiple domains, whichever domain the rDNS points
to will be fine. Any others will fire off. There is an exception list
built into the plugin but I am philosophically opposed to manually
managing lists like that on a per-machine basis. If you want to stop the
botnet mails heading into your inbox, make sure your RBL lookups are
working. Those are much better than the Botnet plugin.
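The two things the thread turns on, the "baddns" hit on a HELO name that does not resolve back to the relay's address and the one-IP-one-domain assumption the last reply describes, can be reproduced with a small forward-confirmed reverse DNS check. The script below is an added example, not code from the thread, from SpamAssassin or from the Botnet plugin; the finding names are its own (only "baddns" is borrowed from the report token), the DNS answers are a constructed in-memory table so it runs offline, 198.51.100.25 / mx.sender.example / sender.example are hypothetical names for a correctly configured multi-domain relay, and the "last two labels" registrable-domain guess is a deliberate simplification.

```python
"""
Relay sanity check of the kind a SpamAssassin relay-analysis plugin applies
to the last untrusted Received: header: forward-confirmed reverse DNS plus
a "does the reverse name belong to the sender's domain" test.

Added example, not code from the thread, SpamAssassin or the Botnet plugin.
DNS answers are a constructed in-memory table (assumption) so this runs
offline; real code would call the resolver.
"""
import re
from typing import Dict, List, Optional

# The Received: header quoted in the thread, folding preserved.
RECEIVED = (
    "Received: from netbits.us ([209.18.107.89])\n"
    "\tby 0 ([192.168.0.3])\n"
    "\twith SMTP via SSL; 25 Jan 2007 23:47:53 -0000"
)

# Constructed DNS data (assumption). 209.18.107.89 is given no PTR and
# netbits.us is pointed at some other address, which is the situation John
# guesses at. 198.51.100.25 / mx.sender.example are hypothetical and model a
# relay whose PTR and A records agree.
PTR_RECORDS: Dict[str, Optional[str]] = {
    "209.18.107.89": None,
    "198.51.100.25": "mx.sender.example",
}
A_RECORDS: Dict[str, List[str]] = {
    "netbits.us": ["203.0.113.7"],
    "mx.sender.example": ["198.51.100.25"],
}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>\d+(?:\.\d+){3})\]\)\s+by\s+(?P<by>\S+)"
)


def unfold(header: str) -> str:
    """Join RFC 5322 folded continuation lines back into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_received(header: str) -> Dict[str, str]:
    """Pull the HELO name, relay IP and 'by' host out of a Received: line."""
    m = RECEIVED_RE.search(unfold(header))
    if m is None:
        raise ValueError("unrecognised Received: header")
    return m.groupdict()


def registered_domain(name: str) -> str:
    """Crude registrable-domain guess: the last two labels (assumption;
    production code would consult the public suffix list)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def relay_findings(ip: str, helo: str, mail_domain: str,
                   ptr: Dict[str, Optional[str]] = PTR_RECORDS,
                   a: Dict[str, List[str]] = A_RECORDS) -> List[str]:
    """Return the list of things wrong with this relay, empty if it is clean."""
    findings: List[str] = []
    rdns = ptr.get(ip)
    if rdns is None:
        findings.append("nordns")            # nothing to forward-confirm
    else:
        if ip not in a.get(rdns, []):
            findings.append("fcrdns_fail")   # PTR name does not resolve back
        if registered_domain(rdns) != registered_domain(mail_domain):
            # The "one IP, one domain" assumption: a multi-domain server
            # trips this for every domain except the one its rDNS names.
            findings.append("maildomain_mismatch")
    if ip not in a.get(helo, []):
        findings.append("baddns")            # HELO name does not resolve to the relay
    return findings


def analyse(header: str, mail_domain: str,
            ptr: Dict[str, Optional[str]] = PTR_RECORDS,
            a: Dict[str, List[str]] = A_RECORDS) -> Dict[str, object]:
    """Parse one Received: header and evaluate the relay it describes."""
    parts = parse_received(header)
    findings = relay_findings(parts["ip"], parts["helo"], mail_domain, ptr, a)
    if "." not in parts["by"]:
        findings.append("by_name_not_fqdn")  # 'by 0' is not a usable host name
    return {**parts, "findings": findings}


if __name__ == "__main__":
    print(analyse(RECEIVED, "davidtrutwin.com"))
    print(relay_findings("198.51.100.25", "mx.sender.example", "sender.example"))
    print(relay_findings("198.51.100.25", "mx.sender.example", "other.example"))
```

Run as-is, the thread's header yields nordns, baddns and the odd "by 0" name; the hypothetical relay passes for sender.example and fails only the domain-match test for a second domain it also serves, which is exactly the behaviour the last reply objects to and why an exception list or an RBL-based approach ends up doing the real work.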