I'm running SA v3.1.7, under Perl v5.8.5 on a RedHat ES4 box.  I call
spamc from each user's ~/.procmailrc.

I recently started using Botnet (v0.7) on several servers, and find
it's terrific.  But today, I saw my first false positive.  Here is the
report and the mail header:

Content analysis details:   (5.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 BOTNET                 Relay might be a spambot or virusbot
[botnet0.7,ip=66.251.54.6,hostname=outbox2.onceanddone.com,maildomain=onceanddone.com,baddns]
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines

Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from inbox.onceanddone.com (unknown [66.251.54.6])
        by linux19648.domain.tld (Postfix) with ESMTP id 70EF32AF83
        for <[EMAIL PROTECTED]>; Wed, 31 Jan 2007 13:34:05 -0600 (CST)
Received: from barryxp
        by inbox.onceanddone.com (Merak 8.9.1) with SMTP id KUN73400
        for <[EMAIL PROTECTED]>; Wed, 31 Jan 2007 14:34:00 -0500
From: "Some Body" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Certificate not sent
Date: Wed, 31 Jan 2007 14:34:04 -0500
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.3 with clamdscan / ClamAV
        0.88.7/2508/Wed Jan 31 10:42:50 2007

If I read this right, the server HELOed as inbox.onceanddone.com
(which resolves to 141.154.88.6), but the actual IP of the server was
66.251.54.6, which reverses to outbox2.onceanddone.com.

- Is that a screwy server setup?

For the nonce, I whitelisted the domain (I know ...) to get the mail
to the user.  What should I do in the long term?

- Reduce the BOTNET score?

- Add onceanddone.com to botnet_pass_domains?

- Send a nastygram to [EMAIL PROTECTED]

Cheers,
-- 
Bob McClure, Jr.             Bobcat Open Systems, Inc.
[EMAIL PROTECTED]             http://www.bobcatos.com
The mind of sinful man is death, but the mind controlled by the Spirit
is life and peace.  Romans 8:6 (NIV)
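
Added example, not part of the original post and not code from the Botnet plugin: a Python check of the HELO / PTR / forward-lookup consistency the question describes, run on the Postfix Received line from the message. DNS answers are supplied as dictionaries so it runs offline; the missing A record for outbox2.onceanddone.com is constructed, and reading `baddns` as a failed forward confirmation of the PTR name is an assumption.

```python
import re

# Received line from the message above (Postfix format, folded lines joined).
RECEIVED = ("from inbox.onceanddone.com (unknown [66.251.54.6]) "
            "by linux19648.domain.tld (Postfix) with ESMTP id 70EF32AF83")

# DNS data. The two records below are the lookups reported in the post.
# That outbox2.onceanddone.com has no A record is CONSTRUCTED for this example.
PTR = {"66.251.54.6": ["outbox2.onceanddone.com"]}
A = {"inbox.onceanddone.com": ["141.154.88.6"]}

# Postfix writes: from <HELO name> (<verified rDNS or "unknown"> [<client IP>])
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)")

def parse_postfix_received(line):
    """Return (helo, logged_rdns, ip) from a Postfix-style Received line."""
    m = RECEIVED_RE.search(line)
    if not m:
        raise ValueError("not a Postfix-style Received line")
    return m.group("helo").lower(), m.group("rdns").lower(), m.group("ip")

def check_relay(line, ptr=PTR, a=A):
    """Compare HELO name, PTR names and forward lookups for the relay IP."""
    helo, logged_rdns, ip = parse_postfix_received(line)
    ptr_names = [n.lower().rstrip(".") for n in ptr.get(ip, [])]
    # A PTR name is forward-confirmed only if it resolves back to the same IP.
    confirmed = [n for n in ptr_names if ip in a.get(n, [])]
    findings = []
    if not ptr_names:
        findings.append("no_ptr")
    elif not confirmed:
        findings.append("ptr_not_forward_confirmed")
    if ip not in a.get(helo, []):
        findings.append("helo_resolves_elsewhere")
    if logged_rdns == "unknown":
        # Postfix logs "unknown" when it could not verify the client hostname.
        findings.append("mta_logged_unknown")
    return {"ip": ip, "helo": helo, "ptr": ptr_names,
            "confirmed": confirmed, "findings": findings}

if __name__ == "__main__":
    print(check_relay(RECEIVED))
```

To run it against live DNS, build the two dictionaries from real PTR and A lookups for the relay IP and the names involved.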
