John Rudd wrote:

> When you're just using the BOTNET rule directly, not as a meta-rule, the
> BOTNET_SOHO code is called internally, so it should automatically kick in
> and exempt a host from BOTNET if it appears to be a soho type mail server.

I'm not sure I understand what you mean by "using as a meta-rule".
Do you mean it should work if I just write:
  describe    BOTNET          Relay might be a spambot or virusbot
  header      BOTNET          eval:botnet()
  score       BOTNET          3.5

(That's the default in Botnet.cf)

If so, I don't understand why for example my own mails get scored like
this:  (I've got a soho mailserver too)

 X-Spam-Checker-Version: SpamAssassin 3.1.7-deb (2006-10-05) on condor.int.spiegl.de
 X-Spam-Scores: AWL=-1.933,BAYES_00=-2.599,BOTNET=3.5,FORGED_RCVD_HELO=0.135

These are the corresponding header lines:
 Received: from pop.XXXX.de [80.237.184.21]
        by condor.int.spiegl.de with POP3 (fetchmail-6.3.8)
        for <[EMAIL PROTECTED]> (single-drop); Tue, 24 Apr 2007 20:48:13 +0200 (CEST)
 Received: from condor.int.spiegl.de (p57988fca.dip.t-dialin.net [87.152.143.202])
         by sienna.XXXX.de  via kasmail (3.1)
         id <1IgQ30-4tK-1-sienna>; Tue, 24 Apr 2007 18:47:30 GMT
 Received: from condor.int.spiegl.de ([EMAIL PROTECTED] [127.0.0.1])
        by condor.int.spiegl.de (8.13.8/8.13.8/Debian-3) with ESMTP id l3OIlTIb032652
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
        Tue, 24 Apr 2007 20:47:29 +0200
 Received: (from [EMAIL PROTECTED])
        by condor.int.spiegl.de (8.13.8/8.13.8/Submit) id l3OIlTTk032647;
        Tue, 24 Apr 2007 20:47:29 +0200

My internal mailserver (condor.int.spiegl.de, 87.152.143.202) delivered the
mail via SMTP AUTH to the mailserver of my provider, and then a bit later I
fetched the mail from the popserver and ran SpamAssassin.
If Botnet checks whether the provider's mailserver is an MX of spiegl.de,
that's the case:
 spiegl.de mail is handled by 10 mx1.spiegl.de. (82.165.28.56)
 spiegl.de mail is handled by 10 mx2.spiegl.de. (80.237.158.92)
 spiegl.de mail is handled by 10 mx3.spiegl.de. (80.237.206.21)
 spiegl.de mail is handled by 10 mx4.spiegl.de. (80.237.184.21)

sienna.XXXX.de has address 80.237.184.21  (-> mx4.spiegl.de)
What else could be wrong?

And I can't get rid of the FORGED_RCVD_HELO either. :-(
condor.int.spiegl.de resolves to the dynamic IP, as it should.
What else is necessary?

Thanks,
 Andy.

-- 
 2 is not equal to 3  -- not even for large values of 2.
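
An added example, not part of the original message and not Botnet's code: it parses the Received lines quoted above and tabulates, for each hop, the HELO name, the reverse-DNS name the receiving server recorded, the relay IP, and whether that IP is one of the MX addresses quoted for spiegl.de. The function names are hypothetical and the inline data is copied from the message; which hop Botnet evaluates and what its SOHO test compares are not stated here, so the code only lays the hops side by side.

```python
import re

# Received headers as quoted in the message (folded, newest first).
RECEIVED = [
    "from pop.XXXX.de [80.237.184.21]\n"
    "        by condor.int.spiegl.de with POP3 (fetchmail-6.3.8)",
    "from condor.int.spiegl.de (p57988fca.dip.t-dialin.net [87.152.143.202])\n"
    "         by sienna.XXXX.de  via kasmail (3.1)",
    "from condor.int.spiegl.de ([EMAIL PROTECTED] [127.0.0.1])\n"
    "        by condor.int.spiegl.de (8.13.8/8.13.8/Debian-3) with ESMTP",
    "(from [EMAIL PROTECTED])\n"
    "        by condor.int.spiegl.de (8.13.8/8.13.8/Submit)",
]

# MX hosts and addresses for spiegl.de as quoted in the message.
MX = {
    "mx1.spiegl.de": "82.165.28.56",
    "mx2.spiegl.de": "80.237.158.92",
    "mx3.spiegl.de": "80.237.206.21",
    "mx4.spiegl.de": "80.237.184.21",
}

# HELO name, optional "(rdns " part, then the bracketed IPv4 literal.
HOP = re.compile(
    r"^from\s+(?P<helo>\S+)\s+"
    r"(?:\((?P<rdns>[^\s\[\]]+)\s+)?"
    r".*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)

def hop_table(received, mx):
    """Return (helo, rdns, ip, matching_mx_host) for every hop that names an IP."""
    host_by_ip = {ip: host for host, ip in mx.items()}
    rows = []
    for raw in received:
        unfolded = " ".join(raw.split())   # undo header folding
        m = HOP.match(unfolded)
        if m is None:                      # local submission line carries no relay IP
            continue
        rows.append((m["helo"], m["rdns"], m["ip"], host_by_ip.get(m["ip"])))
    return rows

if __name__ == "__main__":
    for helo, rdns, ip, mx_host in hop_table(RECEIVED, MX):
        print(f"{ip:16} helo={helo} rdns={rdns} mx={mx_host}")
```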
