On Thu, 5 Nov 2009 19:39:10 -0600 Jonathan Nichols <jnich...@pbp.net> wrote:
> This might be very simple, but Botnet keeps triggering on a local
> school district. I THOUGHT that I added it to the pass_domains list
> correctly.

I'm not 100% sure, but I think the issue is that it hits BOTNET because mail.nisdtx.org has no reverse DNS, and BOTNET uses reverse DNS for checking pass_domains. The mail.nisdtx.org in the headers is just a helo, so there's no real evidence for nisdtx.org anywhere in the headers. The plugin could do its own A-record lookup on mail.nisdtx.org and verify it against the IP address, but I guess it doesn't.

I suppose you'll have to use the IP address instead.

You might also consider using the SOHO exclusion, which I think might have eliminated this FP, i.e. replace the BOTNET definition with

meta BOTNET ( ! BOTNET_SOHO && (BOTNET_CLIENT || BOTNET_BADDNS || BOTNET_NORDNS) )
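The difference between the two checks discussed in this message, as an added example that is not part of the original post or the Botnet plugin's code: a domain exemption keyed on reverse DNS never matches a client with no PTR record, while a HELO name counts as evidence only once its A record resolves back to the connecting IP. The IP addresses, the DNS tables, the suffix matching and the function names are constructed assumptions for illustration.

```python
# Constructed DNS data using documentation address ranges; the real
# addresses behind the thread's hostnames are not given on the page.
PTR = {"203.0.113.10": "mail.example-isp.net"}   # 192.0.2.25 has no PTR record
A = {
    "mail.nisdtx.org": ["192.0.2.25"],
    "mail.example-isp.net": ["203.0.113.10"],
}


def in_pass_domains(hostname, pass_domains):
    """True if hostname is a listed domain or a subdomain of one.

    Assumption: plain suffix matching on a label boundary, so that
    'evilnisdtx.org' does not match 'nisdtx.org'.
    """
    hostname = hostname.lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in pass_domains)


def rdns_exempt(ip, pass_domains, ptr=PTR):
    """Exemption decided from reverse DNS only, as the message describes."""
    name = ptr.get(ip)
    return name is not None and in_pass_domains(name, pass_domains)


def helo_confirmed(ip, helo, a=A):
    """HELO is sender-supplied text; accept it only if it resolves to the client IP."""
    return ip in a.get(helo.lower().rstrip("."), [])


def helo_exempt(ip, helo, pass_domains, a=A):
    """Hypothetical fallback: exempt on a forward-confirmed HELO in the list."""
    return helo_confirmed(ip, helo, a) and in_pass_domains(helo, pass_domains)


if __name__ == "__main__":
    allow = ["nisdtx.org"]
    # Legitimate server without rDNS: the PTR-based exemption cannot match.
    print(rdns_exempt("192.0.2.25", allow))                       # False
    # Same server, HELO verified against its A record.
    print(helo_exempt("192.0.2.25", "mail.nisdtx.org", allow))    # True
    # Unrelated host claiming the same HELO: the forward lookup does not match.
    print(helo_exempt("203.0.113.10", "mail.nisdtx.org", allow))  # False
```

The third case is why an unverified HELO cannot be used for the exemption: any sender can claim a listed name.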