Andy Spiegl wrote:
John Rudd wrote:

When you're just using the BOTNET rule directly, not as a meta-rule, the
BOTNET_SOHO code is called internally, so it should automatically kick in
and exempt a host from BOTNET if it appears to be a soho type mail server.

I'm not sure I understand what you mean by "using as a meta-rule".
Do you mean it should work if I just write:
  describe    BOTNET          Relay might be a spambot or virusbot
  header      BOTNET          eval:botnet()
  score       BOTNET          3.5

Yes, that is "using the BOTNET rule directly, and not as a meta-rule". So it will call the BOTNET_SOHO code automatically. If your config qualifies for the soho exemption, this will make it happen.


(That's the default in Botnet.cf)

If so, I don't understand why for example my own mails get scored like
this:  (I've got a soho mailserver too)

 X-Spam-Checker-Version: SpamAssassin 3.1.7-deb (2006-10-05) on condor.int.spiegl.de
 X-Spam-Scores: AWL=-1.933,BAYES_00=-2.599,BOTNET=3.5,FORGED_RCVD_HELO=0.135

These are the corresponding header lines:
 Received: from pop.XXXX.de [80.237.184.21]
        by condor.int.spiegl.de with POP3 (fetchmail-6.3.8)
        for <[EMAIL PROTECTED]> (single-drop); Tue, 24 Apr 2007 20:48:13 +0200 (CEST)
 Received: from condor.int.spiegl.de (p57988fca.dip.t-dialin.net [87.152.143.202])
         by sienna.XXXX.de  via kasmail (3.1)
         id <1IgQ30-4tK-1-sienna>; Tue, 24 Apr 2007 18:47:30 GMT
 Received: from condor.int.spiegl.de ([EMAIL PROTECTED] [127.0.0.1])
        by condor.int.spiegl.de (8.13.8/8.13.8/Debian-3) with ESMTP id l3OIlTIb032652
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
        Tue, 24 Apr 2007 20:47:29 +0200
 Received: (from [EMAIL PROTECTED])
        by condor.int.spiegl.de (8.13.8/8.13.8/Submit) id l3OIlTTk032647;
        Tue, 24 Apr 2007 20:47:29 +0200

My internal mailserver (condor.int.spiegl.de, 87.152.143.202) delivered the
mail via SMTP AUTH to the mailserver of my provider, and then a bit later I
fetched the mail from the popserver and ran SpamAssassin.
If Botnet checks whether the provider's mailserver is an MX of spiegl.de,
that's the case:
 spiegl.de mail is handled by 10 mx1.spiegl.de. (82.165.28.56)
 spiegl.de mail is handled by 10 mx2.spiegl.de. (80.237.158.92)
 spiegl.de mail is handled by 10 mx3.spiegl.de. (80.237.206.21)
 spiegl.de mail is handled by 10 mx4.spiegl.de. (80.237.184.21)

sienna.XXXX.de has address 80.237.184.21  (-> mx4.spiegl.de)
What else could be wrong?

Assuming that the sender address on this message was (something)@spiegl.de , then in order to get the BOTNET_SOHO code to trigger, either:

a) spiegl.de has 1-5 A records, and one of them resolves to the submitting relay (87.152.143.202).

b) spiegl.de has 1-5 MX records, and one of them has 1-5 A records, one of which resolves to the submitting relay (87.152.143.202).

Neither of these conditions is true: the lone A record for spiegl.de resolves to 80.237.211.99; and you showed the MX records for spiegl.de already and they don't point back to the submitting relay either. Therefore, the IP address submitting the message doesn't appear to be the soho mail relay for spiegl.de (according to the code used by BOTNET for detecting soho mail relays).

So, you aren't getting the soho exemption.
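A model of the two exemption conditions described above, added here as an example and not the Botnet plugin's own Perl code. The DNS data is a constructed snapshot of the records quoted in this thread, the 1-5 record limit is taken from the message above, and the relay IP is passed in directly rather than read from the first untrusted Received header as the real plugin would do.

```python
# Constructed DNS snapshot built from the records quoted in this thread.
# A real check would resolve these names; here lookups are dictionary reads.
DNS = {
    "A": {
        "spiegl.de": ["80.237.211.99"],
        "mx1.spiegl.de": ["82.165.28.56"],
        "mx2.spiegl.de": ["80.237.158.92"],
        "mx3.spiegl.de": ["80.237.206.21"],
        "mx4.spiegl.de": ["80.237.184.21"],
    },
    "MX": {
        "spiegl.de": ["mx1.spiegl.de", "mx2.spiegl.de",
                      "mx3.spiegl.de", "mx4.spiegl.de"],
    },
}

MAX_RECORDS = 5  # the thread states "1-5" records for both the A and MX lookups


def lookup(rrtype, name, dns=DNS):
    """Return the records of the given type for a name (empty list if none)."""
    return dns.get(rrtype, {}).get(name.lower(), [])


def is_soho_relay(sender_domain, relay_ip, dns=DNS):
    """Apply the two soho-exemption conditions to the submitting relay.

    (a) the sender domain has 1-5 A records and one is the relay IP, or
    (b) the sender domain has 1-5 MX records, one of which has 1-5 A
        records, one of which is the relay IP.
    Returns (exempt, reason).
    """
    a_records = lookup("A", sender_domain, dns)
    if 1 <= len(a_records) <= MAX_RECORDS and relay_ip in a_records:
        return True, f"{relay_ip} is an A record of {sender_domain}"
    mx_hosts = lookup("MX", sender_domain, dns)
    if 1 <= len(mx_hosts) <= MAX_RECORDS:
        for mx in mx_hosts:
            mx_a = lookup("A", mx, dns)
            if 1 <= len(mx_a) <= MAX_RECORDS and relay_ip in mx_a:
                return True, f"{relay_ip} is an A record of MX {mx}"
    return False, f"{relay_ip} is not among the A or MX-A records of {sender_domain}"


if __name__ == "__main__":
    # The relay that actually submitted the message in the thread: no exemption.
    print(is_soho_relay("spiegl.de", "87.152.143.202"))
    # What-if (constructed): had the provider's MX been the submitting relay.
    print(is_soho_relay("spiegl.de", "80.237.184.21"))
```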
