I keep saying that I have false positives with botnet, but haven't substantiated that to date. So, today I'm spending a little time making exceptions since I would like this to work. Here are today's:
Americanpayroll.org, sent from IP 67.106.104.135, resolves to 67.106.106.135.ptr.us.xo.net  #OK, that's just stupid.

Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP 204.92.135.90, resolves to smtp22.enews.webbuyersguide.com  #not sure why this got a BOTNET=1 flag, but it did. Also find hosts 92, 75, 70, 74, 93, 86, and others. All similarly resolve to smtpnn.enews.webbuyersguide.com.

meridiencancun.com.mx, sent from IP , resolves to customer-148-233-9-212.uninet-ide.com.mx  #more stupidity

Wordreference.com (WordReference Forums), sent from IP 75.126.51.99, resolves to www2mail.wordreference.com, again no idea why it gets flagged.

Cityofpasadena.net (City of Pasadena, California), sent from IP 204.89.9.11, resolves to 204-89-9-11-cityofpasadena.net, ns3.pasadenapubliclibrary.com, and ns3.cityofpasadena.net. What's with all this putting of IP addresses in the host name...

AltoEdge Hardware, sent from IP 69.94.122.246, resolves to server.nch.com.au, another no idea why BOTNET=1, but it does.

Just out of curiosity, I ran this through again with debug enabled so I could get more details. Here's what it says:

[2472] dbg: Botnet: starting
[2472] dbg: Botnet: no trusted relays
[2472] dbg: Botnet: get_relay didn't find RDNS
[2472] dbg: Botnet: IP is '69.94.122.246'
[2472] dbg: Botnet: RDNS is 'server.nch.com.au'
[2472] dbg: Botnet: HELO is 'server.nch.com.au'
[2472] dbg: Botnet: sender '[EMAIL PROTECTED]'
[2472] dbg: Botnet: hit (baddns)
[2472] dbg: rules: ran eval rule BOTNET ======> got hit (1)

I'm not sure what it means. The IP resolves to server.nch.com.au and it resolves to the IP. Not sure what is "bad" about dns here. I'm also not sure what headers botnet looks at. The top Received header is ours and the others are all internal to the sender.
Return-Path: <[EMAIL PROTECTED]>
Received: from [69.94.122.246] (HELO server.nch.com.au) by mail.wcg.org (CommuniGate Pro SMTP 5.1.11) with ESMTPS id 22264274 for [EMAIL PROTECTED]; Tue, 21 Aug 2007 09:58:14 -0700
Received: from server.nch.com.au (localhost.localdomain [127.0.0.1]) by server.nch.com.au (8.12.11/8.12.11) with ESMTP id l7LHRYOp002918 for <[EMAIL PROTECTED]>; Tue, 21 Aug 2007 13:27:34 -0400
Received: (from [EMAIL PROTECTED]) by server.nch.com.au (8.12.11/8.12.11/Submit) id l7LHRXY5001737; Tue, 21 Aug 2007 13:27:33 -0400
Date: Tue, 21 Aug 2007 13:27:33 -0400
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
From: "AltoEdge Hardware Orders" <[EMAIL PROTECTED]>
Subject: Online Hardware Order (ref: HW13315)

Enough time spent today... More at a later date. I've had actual complaints about 2 of the exceptions listed above, and as you might surmise from above, I only run with the score set to 1. I'd like it higher, but there are tons more of these that I have to make exceptions for before I can do that. It's a good idea-- too bad there isn't a way to make it somewhat more accurate.

Bret
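The post lists several reverse-DNS names that embed an IP address and one "baddns" hit the author cannot explain. The following is an added example, not code from the Botnet plugin or from SpamAssassin, that models the three checks the debug output names (no rDNS, forward/reverse mismatch, IP octets in the host name) in the way an operator can reason about them, together with the suffix-based exception list the post is about. The DNS data is a constructed in-memory fixture so it runs offline: the PTR names are the ones quoted in the post, but the forward (A) records, the hosts mail.example.net and 192.0.2.77, and the exact semantics of each check are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed DNS fixture (offline stand-in for live lookups). PTR names come
# from the post; the A records and the last two hosts are assumptions.
PTR: Dict[str, Optional[str]] = {
    "67.106.104.135": "67.106.106.135.ptr.us.xo.net",
    "204.92.135.90": "smtp22.enews.webbuyersguide.com",
    "75.126.51.99": "www2mail.wordreference.com",
    "204.89.9.11": "204-89-9-11-cityofpasadena.net",
    "69.94.122.246": "server.nch.com.au",
    "198.51.100.25": "mail.example.net",  # constructed: forward record disagrees
    "192.0.2.77": None,                   # constructed: no PTR record at all
}
A: Dict[str, Set[str]] = {
    # assumed: the PTR name resolves to the IP it embeds, not to the sender
    "67.106.106.135.ptr.us.xo.net": {"67.106.106.135"},
    "smtp22.enews.webbuyersguide.com": {"204.92.135.90"},
    "www2mail.wordreference.com": {"75.126.51.99"},
    "204-89-9-11-cityofpasadena.net": {"204.89.9.11"},
    "server.nch.com.au": {"69.94.122.246"},
    "mail.example.net": {"198.51.100.26"},  # constructed mismatch
}

# rDNS suffixes the operator has decided to trust (the post's "exceptions").
EXEMPT_SUFFIXES = (".enews.webbuyersguide.com",)

# Anything that looks like a dotted or dashed IPv4 address inside a host name.
IPV4_IN_NAME = re.compile(
    r"(?<!\d)(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})(?!\d)"
)


@dataclass
class Verdict:
    ip: str
    rdns: Optional[str]
    flags: List[str] = field(default_factory=list)

    @property
    def hit(self) -> bool:
        """True when at least one check fired and no exception applies."""
        return bool(self.flags) and "exempt" not in self.flags


def classify(ip: str, ptr=PTR, a=A, exempt=EXEMPT_SUFFIXES) -> Verdict:
    """Run the modelled checks for one connecting IP against the fixture."""
    rdns = ptr.get(ip)
    v = Verdict(ip, rdns)
    if rdns is None:
        v.flags.append("nordns")          # no reverse record at all
        return v
    if any(rdns.endswith(s) for s in exempt):
        v.flags.append("exempt")          # operator exception wins
        return v
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
    if ip not in a.get(rdns, set()):
        v.flags.append("baddns")
    # All four octets of the connecting IP appear as tokens in the host name.
    tokens = set(re.split(r"[^0-9a-z]+", rdns.lower()))
    if all(octet in tokens for octet in ip.split(".")):
        v.flags.append("ipinhostname")
    else:
        # Host name embeds *some* IP, but not the one that connected.
        m = IPV4_IN_NAME.search(rdns)
        if m and ".".join(m.groups()) != ip:
            v.flags.append("foreign_ip_in_hostname")
    return v


def report(ips) -> Dict[str, List[str]]:
    """Map each IP to the flags it raised, for a quick review of the fixture."""
    return {ip: classify(ip).flags for ip in ips}


if __name__ == "__main__":
    for ip, flags in report(PTR).items():
        v = classify(ip)
        print(f"{ip:16} {str(v.rdns):34} hit={v.hit!s:5} {flags}")
```

On this fixture the two names that embed the sender's own octets or a different IP are the ones that fire, the trusted suffix is skipped entirely, and server.nch.com.au raises nothing because its forward and reverse records agree; a "baddns" hit on such a host would therefore have to come from a lookup that differed from the fixture (for instance a failed or empty forward query at scan time), which is the first thing to compare when a hit like the one in the debug output cannot be reproduced by hand.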