Andy Spiegl wrote:
...I wonder how to deal with the cases where there is a legitimate
internal mailserver behind dialup-IPs.  There are quite a few small
companies that have a small home office network behind a dialup DSL
and run an internal mailserver which relays external mail to the mailserver
of their provider which then delivers to the destination.

That seems perfectly okay to me and very distinct from the botnet case
where mails from dialup-IPs are sent _directly_ to the destination MX.
But the BOTNET rules don't differentiate these two cases.

What do you think how to deal with that?  How do YOU deal with it?
I'd really hate to lower the BOTNET scores but otoh if it hits
legit mailservers too....?

Thanks,
 Andy.

PS: Shouldn't the BOTNET_SOHO rule avoid a high BOTNET score in these cases?
    Or do I have to set the score for BOTNET_SOHO manually???

The situation you're talking about is exactly what BOTNET_SOHO is meant to handle. Those soho type mail servers that _cannot_ get their ISP to give them a static IP address with proper DNS for their mail domain.


When you're just using the BOTNET rule directly, not as a meta-rule, the BOTNET_SOHO code is called internally, so it should automatically kick in and exempt a host from BOTNET if it appears to be a soho type mail server. But it's difficult to detect that.


You only need to set a score for BOTNET_SOHO if you're using BOTNET as a metarule.
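As an added illustration of the distinction the two posts above draw (a dialup host delivering straight to the destination MX versus a small-office server relaying through its provider's MTA), here is a small Received-header walker. It is example code written for this page, not the Botnet plugin's own logic: the dialup-name heuristics, the hostnames, the IP addresses and the Received headers are all constructed, and the rule names in the return values are used only as labels for the two cases.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumed heuristic for "consumer / dynamic looking" reverse DNS, plus names
# that just embed the IP address. The real Botnet plugin keeps its own lists.
DIALUP_RE = re.compile(
    r"\b(dial(-?up)?|dsl|ppp(oe)?|dyn(amic)?|cable|pool|dhcp)\b"
    r"|(\d{1,3}[-.]){3}\d{1,3}",
    re.I,
)

# Parses the Postfix/Sendmail style "from HELO (rDNS [IP]) by HOST" prefix.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\(\s*(?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\s*\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.I | re.S,
)


@dataclass
class Hop:
    helo: str
    rdns: Optional[str]
    ip: Optional[str]
    by: str


def parse_received(header: str) -> Optional[Hop]:
    """Return the hop described by one Received: header, or None if unparseable."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return Hop(m["helo"], m["rdns"], m["ip"], m["by"])


def looks_dialup(hop: Hop) -> bool:
    """Missing/'unknown' rDNS or a dynamic-looking name counts as dialup-like."""
    if not hop.rdns or hop.rdns.lower() == "unknown":
        return True
    return bool(DIALUP_RE.search(hop.rdns))


def hop_is_ours(hop: Hop, our_hosts: Set[str]) -> bool:
    names = {hop.helo.lower(), (hop.rdns or "").lower()}
    return bool(names & our_hosts)


def classify(received_headers: List[str], our_hosts: Set[str]) -> str:
    """Headers are given most-recent first, as they appear in the message.

    The connecting host is the first hop received *by* one of our hosts *from*
    a host that is not ours. If that host looks like a dialup, the message
    came straight from a dynamic IP ("BOTNET" case). If the connecting host
    is a real MTA but an earlier hop looks like a dialup, the mail was relayed
    through a provider, the small-office situation ("BOTNET_SOHO" case).
    """
    hops = [h for h in map(parse_received, received_headers) if h is not None]
    for i, hop in enumerate(hops):
        if hop.by.lower() in our_hosts and not hop_is_ours(hop, our_hosts):
            connecting, earlier = hop, hops[i + 1:]
            break
    else:
        return "UNKNOWN"
    if looks_dialup(connecting):
        return "BOTNET"
    if any(looks_dialup(h) for h in earlier):
        return "BOTNET_SOHO"
    return "CLEAN"


# Constructed sample data: hostnames and addresses are documentation ranges.
OUR_HOSTS = {"mx.example.org", "mx-in.example.org"}

DIRECT_FROM_DIALUP = [
    "from 203-0-113-45.dyn.example-isp.net (203-0-113-45.dyn.example-isp.net "
    "[203.0.113.45]) by mx.example.org (Postfix) with ESMTP id 1A2B3C; Mon, 12 Mar 2007",
]

RELAYED_VIA_ISP = [
    "from mx-in.example.org (mx-in.example.org [192.0.2.1]) by mx.example.org (Postfix) with ESMTP id 0AA",
    "from smtp-out.example-isp.net (smtp-out.example-isp.net [198.51.100.7]) "
    "by mx-in.example.org (Postfix) with ESMTP id 0BB",
    "from mail.smallco.example (203-0-113-45.dyn.example-isp.net [203.0.113.45]) "
    "by smtp-out.example-isp.net (Postfix) with ESMTPA id 0CC",
    "from [192.168.1.20] (workstation.smallco.lan [192.168.1.20]) by mail.smallco.example (Postfix) with ESMTP id 0DD",
]

FROM_REAL_MTA = [
    "from mail.bigcorp.example (mail.bigcorp.example [192.0.2.10]) by mx.example.org (Postfix) with ESMTP id 0EE",
]

if __name__ == "__main__":
    for name, hdrs in [("direct", DIRECT_FROM_DIALUP), ("relayed", RELAYED_VIA_ISP), ("mta", FROM_REAL_MTA)]:
        print(name, "->", classify(hdrs, OUR_HOSTS))
```

The walker skips hops between our own hosts so that an internal mx-in/mx pair does not hide the real connecting host, which is the same "last external" idea SpamAssassin relies on when it decides which Received line to trust.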
