Andy Spiegl wrote:
> John Rudd wrote:
> > b) spiegl.de has 1-5 MX records, and one of them has 1-5 A records, one
> > of which resolves to the submitting relay (87.152.143.202).
>
> Hm, but why would I want to put this dynamic IP into the list of MXs?
> The soho mailserver doesn't accept mails from outside.

Part of the operating definition of "soho mail server" that I am using
for botnet is: if your operation is so small that you're forced to use a
dynamic IP address for your email server, then you're probably also so
small that you're using one server for inbound and outbound traffic. To
qualify as a "small office/home office mail server", for botnet's
purpose, you basically have to be using the same mail servers for
inbound and outbound traffic.

> Shouldn't the BOTNET_SOHO look at the Received:-line of the provider's
> mailserver?

It looks at received lines (after SpamAssassin has finished parsing
them), but which one it looks at depends upon your settings.

> Received: from condor.int.spiegl.de (p57988fca.dip.t-dialin.net
> [87.152.143.202])
> by sienna.XXXX.de via kasmail (3.1)
> id <1IgQ30-4tK-1-sienna>; Tue, 24 Apr 2007 18:47:30 GMT
>
> As sienna.XXXX.de is one of the MXs for spiegl.de that should be enough to
> legitimate mails from there, no?
>
> Or asked differently: how does the BOTNET code figure out which one is the
> "submitting relay" and why does it choose the wrong one? :-)

It chooses based upon:
1) your trusted networks
2) the settings in your Botnet.cf file.

So, if it's choosing the wrong one, then it's doing so because you gave
it the wrong settings.
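The following is an added illustration, not code from the Botnet plugin or from either poster: a simplified model of the two steps the thread discusses, picking the "submitting relay" as the first Received: hop outside trusted_networks, then applying the SOHO test (does that IP belong to an A record of one of the sender domain's MX hosts). The outer Received: hop, the address 203.0.113.10 for sienna.XXXX.de and the DNS table are constructed assumptions; only the condor hop and its IP come from the thread.

```python
import ipaddress
import re

# Constructed Received: chain, outermost hop first (the hop added by the
# recipient's MX is an assumption; the condor hop is from the thread).
RECEIVED = [
    "from sienna.XXXX.de (sienna.XXXX.de [203.0.113.10]) by mx.example.net",
    "from condor.int.spiegl.de (p57988fca.dip.t-dialin.net [87.152.143.202])"
    " by sienna.XXXX.de via kasmail (3.1)",
]
# Constructed DNS data standing in for live MX and A lookups.
MX = {"spiegl.de": ["sienna.XXXX.de"]}
A = {"sienna.XXXX.de": ["203.0.113.10"]}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received):
    """Connecting IP (the bracketed literal) of each Received: hop."""
    ips = []
    for hop in received:
        m = IP_RE.search(hop)
        if m:
            ips.append(m.group(1))
    return ips


def submitting_relay(received, trusted_networks):
    """First hop, outermost first, whose IP is not in a trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in relay_ips(received):
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            return ip
    return None


def soho_ok(domain, relay_ip):
    """SOHO test: relay_ip is an A record of one of domain's MX hosts."""
    return any(relay_ip in A.get(mx, []) for mx in MX.get(domain, []))


def classify(domain, received, trusted_networks):
    """Return (submitting relay, SOHO result) for the given trust settings."""
    relay = submitting_relay(received, trusted_networks)
    if relay is None:
        return None, None
    return relay, soho_ok(domain, relay)
```

With the provider's relay listed as trusted, the dynamic condor IP becomes the submitting relay and fails the SOHO test; without that entry, sienna is chosen and passes, which is the settings dependence the reply describes.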