Bret Miller wrote:

Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP
204.92.135.90, resolves to smtp22.enews.webbuyersguide.com #not sure why
this got a BOTNET=1 flag, but it did. Also find hosts 92, 75, 70, 74, 93,
86, and others. All similarly resolve to smtpnn.enews.webbuyersguide.com.

baddns. baddns means lack of full circle DNS. In this case, the name returned by the PTR record (smtp22.enews.webbuyersguide.com) does not resolve at all ... let alone not resolving back to the sending IP address.


meridiencancun.com.mx, sent from IP , resolves to
customer-148-233-9-212.uninet-ide.com.mx #more stupidity

Wordreference.com (WordReference Forums), sent from IP 75.126.51.99,
resolves to www2mail.wordreference.com, again no idea why it gets flagged.

# nslookup www2mail.wordreference.com

Non-authoritative answer:
Name:   www2mail.wordreference.com
Address: 75.126.29.11

baddns.


AltoEdge Hardware, sent from IP 69.94.122.246, resolves to
server.nch.com.au, another no idea why BOTNET=1, but it does. Just out of
curiosity, I ran this through again with debug enabled so I could get more
details. Here's what it says:

[2472] dbg: Botnet: starting
[2472] dbg: Botnet: no trusted relays
[2472] dbg: Botnet: get_relay didn't find RDNS
[2472] dbg: Botnet: IP is '69.94.122.246'
[2472] dbg: Botnet: RDNS is 'server.nch.com.au'
[2472] dbg: Botnet: HELO is 'server.nch.com.au'
[2472] dbg: Botnet: sender '[EMAIL PROTECTED]'
[2472] dbg: Botnet: hit (baddns)
[2472] dbg: rules: ran eval rule BOTNET ======> got hit (1)

I'm not sure what it means. The IP resolves to server.nch.com.au and it
resolves to the IP. Not sure what is "bad" about dns here. I'm also not sure
what headers botnet looks at. The top Received header is ours and the others
are all internal to the sender.

# nslookup server.nch.com.au

Non-authoritative answer:
Name:   server.nch.com.au
Address: 69.94.122.247

So, server.nch.com.au's name does not resolve back to the sending IP address, thus baddns.
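The "full circle" test behind every baddns verdict in this thread is forward-confirmed reverse DNS: take the sending IP, look up its PTR name, resolve that name forward, and require the sending IP to be among the addresses returned. The block below is an added illustration of that check in Python; it is not the SpamAssassin Botnet plugin's own (Perl) code. Its lookup table reproduces the three results quoted above (server.nch.com.au resolving to .247 rather than .246, www2mail.wordreference.com resolving to 75.126.29.11, smtp22.enews.webbuyersguide.com not resolving at all) and adds two constructed rows in the 192.0.2.0/24 documentation range for the passing and no-PTR cases, so it runs offline. `live_ptr` and `live_forward` are hypothetical helper names wrapping the standard library's socket calls for anyone who wants to run the same check against real DNS.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, illustrating the "baddns"
result discussed in the thread.  Added example, not the Botnet plugin's code.
The resolver is an in-memory table so the example runs offline."""

import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed lookup tables.  PTR_TABLE maps IP -> reverse (PTR) name;
# A_TABLE maps name -> forward addresses (an empty list models NXDOMAIN).
# The first three rows reproduce the lookups quoted in the thread; the
# 192.0.2.x rows are constructed to show a passing case and a missing PTR.
PTR_TABLE: Dict[str, Optional[str]] = {
    "69.94.122.246": "server.nch.com.au",
    "75.126.51.99": "www2mail.wordreference.com",
    "204.92.135.90": "smtp22.enews.webbuyersguide.com",
    "192.0.2.25": "mail.example.net",   # constructed: full circle
    "192.0.2.99": None,                 # constructed: no PTR record
}
A_TABLE: Dict[str, List[str]] = {
    "server.nch.com.au": ["69.94.122.247"],        # off by one from sender
    "www2mail.wordreference.com": ["75.126.29.11"],
    "smtp22.enews.webbuyersguide.com": [],          # does not resolve
    "mail.example.net": ["192.0.2.25"],
}


def table_ptr(ip: str) -> Optional[str]:
    """Offline PTR lookup against the constructed table."""
    return PTR_TABLE.get(ip)


def table_forward(name: str) -> List[str]:
    """Offline A-record lookup against the constructed table."""
    return A_TABLE.get(name, [])


def fcrdns(ip: str,
           ptr: Callable[[str], Optional[str]] = table_ptr,
           forward: Callable[[str], List[str]] = table_forward) -> dict:
    """Classify a sending IP.  status is one of:
      'ok'               - PTR name resolves back to ip (full circle)
      'nordns'           - ip has no PTR record at all
      'baddns-noresolve' - PTR name exists but has no forward address
      'baddns-mismatch'  - PTR name resolves, but not to ip
    The last two are what the thread calls "baddns"."""
    ipaddress.ip_address(ip)  # reject garbage before touching the resolver
    rdns = ptr(ip)
    if not rdns:
        return {"ip": ip, "rdns": None, "forward": [], "status": "nordns"}
    addrs = forward(rdns)
    if not addrs:
        status = "baddns-noresolve"
    elif ip in addrs:
        status = "ok"
    else:
        status = "baddns-mismatch"
    return {"ip": ip, "rdns": rdns, "forward": addrs, "status": status}


def live_ptr(ip: str) -> Optional[str]:
    """Hypothetical helper: real PTR lookup via the standard library."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_forward(name: str) -> List[str]:
    """Hypothetical helper: real forward lookup (A and AAAA) via getaddrinfo."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


if __name__ == "__main__":
    for sender in PTR_TABLE:
        v = fcrdns(sender)
        print(f"{v['ip']:<15} rdns={v['rdns']!s:<35} "
              f"forward={v['forward']} -> {v['status']}")
```

To run the same check against real DNS, call `fcrdns(ip, ptr=live_ptr, forward=live_forward)`; the classification logic does not change, only the resolver. The split into "noresolve" and "mismatch" is deliberate: both are baddns to the plugin, but a mail admin reading the debug output ("hit (baddns)" alone, as in the log above) usually wants to know which of the two it was before contacting the sending site.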
