Josh Trutwin wrote:
On Sat, 27 Jan 2007 17:08:44 -0800
John Rudd <[EMAIL PROTECTED]> wrote:
Thomas Bolioli wrote:
Yeah, this is the problem with the Botnet ruleset. I had to stop
using it. It assumes that one IP, one domain with regards to
mail. If your mail server handles multiple domains, whichever
domain the rDNS points to will be fine. Any others will fire off.
That's not even close to true (the assumptions nor the results).
If rDNS and DNS are properly set up for the machine, then it won't
matter what virtual domains are hosted on the system. As long as
the rDNS leads back to a valid DNS record, which leads back to the
same IP, it won't matter if that rDNS machines that mail domain, a
different mail domain, or no mail domain at all.
Hmm - in my case my rDNS setup seems ok though except for the fact
that 2 octets are in my ptr record which I'll be fixing tonight. But
that's not the rule I was tripping. Here's another example from a
test email sent from one of my virtual domains netbits.us:
5.0 BOTNET Relay might be a spambot or virusbot
[botnet0.7,ip=209.18.107.89,hostname=netbits.us,maildomain=netbits.us,baddns]
<snip>
If you think there is a case where Botnet breaks down for
multiple/virtual mail domains, where DNS and rDNS are properly set
up, put your money where your mouth is and give a real world
example. Give the IP address(es), and the mail domains that go
with them that you think will have a problem.
Personally, I like Botnet, but it does seem like I have a real world
example where my rDNS is set up fine. Unless I missed something?
% host 209.18.107.89
89.107.18.209.in-addr.arpa domain name pointer ptr-20989.fastconcepts.net.
% host ptr-20989.fastconcepts.net
Host ptr-20989.fastconcepts.net not found: 3(NXDOMAIN)
That would seem to me to indicate that "baddns" is valid. It may be
that from some angles/locations/servers, the forward DNS for
fastconcepts.net isn't working properly. Or at least not for
ptr-20989.fastconcepts.net.
(and, I think ipshostname isn't triggering for it because in 0.7 it only
looks at consecutive octets)
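
The round trip discussed in this thread (PTR lookup for the IP, then a forward lookup of that name that must lead back to the same IP), as an added example that is not part of the original messages and is not the Botnet plugin's code. The verdict names and the resolver tables are assumptions; only the 209.18.107.89 entry mirrors the `host` output quoted above, and the 192.0.2.x / example.org entries are constructed.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_forward(name):
    """A/AAAA addresses for name from the system resolver (empty if none)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Classify ip as confirmed / forward_mismatch / forward_missing / no_ptr."""
    target = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return "no_ptr", []
    resolved_any = False
    for name in names:
        addrs = {ipaddress.ip_address(a) for a in forward_lookup(name)}
        if target in addrs:
            return "confirmed", [name]
        resolved_any = resolved_any or bool(addrs)
    return ("forward_mismatch" if resolved_any else "forward_missing"), names

# Constructed resolver tables (hypothetical names, no live DNS involved).
SAMPLE_PTR = {
    "209.18.107.89": ["ptr-20989.fastconcepts.net."],  # as in the thread
    "192.0.2.10": ["mail.example.org."],
    "192.0.2.20": ["host.example.org."],
}
SAMPLE_FWD = {  # ptr-20989.fastconcepts.net is absent on purpose: NXDOMAIN
    "mail.example.org": {"192.0.2.10"},
    "host.example.org": {"192.0.2.99"},
}

def check_sample(ip):
    """Run fcrdns against the constructed tables instead of live DNS."""
    return fcrdns(ip, lambda i: SAMPLE_PTR.get(i, []),
                  lambda n: SAMPLE_FWD.get(n, set()))

if __name__ == "__main__":
    for addr in (*SAMPLE_PTR, "192.0.2.30"):
        print(addr, *check_sample(addr))
```

Calling `fcrdns(ip)` with no other arguments uses the system resolver, which helps when comparing what different resolvers see for the same PTR name.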