Hi Yves,

On Wed, Jun 29, 2011 at 09:03:52PM +0200, Yves Goergen wrote:
> I was looking for an IPv6 fix for Botnet before but nobody (including
> me) was able to do it. I have now looked at your solution and to my
> Perl-inexperienced eyes, it looks promising.
>
> I have installed it on my server and am now waiting for E-Mails from
> IPv6 hosts. Could somebody please just send me a message from an IPv6
> mail server to my address? (Preferably from a host that should not be
> caught by Botnet...)

I've just sent you a test mail. That mail server has got correct reverse
DNS, and doesn't trigger BOTNET on my home mail server (sent over IPv6)
with my patch.

> Is this fix supposed to avoid IPv6 false positives only, or also to do
> its job in detecting IPv6 bots correctly?

The intention was to fix the false positives, although it doesn't disable
BOTNET entirely for IPv6. For instance, it will still check to see if the
address has got a reverse DNS entry (and fail if it has not), but it can't
easily check for the IP address in the PTR record as can be done for
IPv4 (e.g. host.143-210-16-36.le.ac.uk might be picked up by BOTNET for a
v4 address). I basically extended it the minimum I could to fix the IPv6
breakage, while only removing the minimum amount of functionality that was
easily possible.

I just briefly checked through the logs here for IPv6 incoming mail.
BOTNET fired on only one or two so far today, and they were ones without
PTR entries.

On Wed, Jun 29, 2011 at 09:59:52PM +0200, Yves Goergen wrote:
> > Received: from sp***ck.di***ie.com ([2001:***::40])
> >         by do***rd.de with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
> >         (Exim 4.71)
> >         (envelope-from <L***e@Di***ie.com>)
> >         id 1Qc0UA-0001R3-DT
> >         for nospam.list@un***ed.de; Wed, 29 Jun 2011 21:31:44 +0200
> >
> > X-Spam-Report: Content analysis details:
> > 0.2 BOTNET Relay might be a spambot or virusbot
> >     [botnet0.8,ip=2**.1**.2**.7*,maildomain=Di***ie.com,nordns]
>
> Doesn't seem to work. It's a false positive again. And Botnet recognises
> the incoming IPv6 address as some IPv4 address and reports that one.

That doesn't look right - unless your munging has really messed it up.
BOTNET seemed to check an IPv4 address there: "2**.1**.2**.7*"

Do a dig -x against that IPv4 address, and the 2001:***::40 address, and
see if both have correct PTRs.

However, there could be a problem if it's picked up a v4 address to test,
when the mail actually came to you from a v6 address.

I'm no expert in SA/BOTNET here, but at a guess, maybe your list of
trusted hosts is wrong?

Cheers,

Matthew

-- 
Matthew Newton, Ph.D. <m...@le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
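The two behaviours discussed in this reply (an address with no PTR is flagged "nordns"; the "IP octets appear in the PTR name" heuristic only makes sense for IPv4, so IPv6 senders with working reverse DNS should pass) and the guessed failure mode (an incomplete trusted-hosts list makes the checker judge an internal IPv4 hop instead of the IPv6 relay the mail actually came from) can be illustrated with a small Python model. This is an added example, not the BOTNET plugin's Perl code or Matthew's patch; the reverse-DNS table, the Received headers and the documentation-range addresses in it are constructed, and the octet-matching rule is a simplified stand-in for whatever the real plugin does.

```python
import ipaddress
import re

# Constructed reverse-DNS table so the example runs offline. Names and
# addresses are made up (documentation ranges); swap reverse_lookup() for a
# real resolver (dig -x, dnspython) to use it against live data.
FAKE_PTR = {
    "143.210.16.36": "host.143-210-16-36.example.ac.uk",  # generic PTR with the IP in it
    "198.51.100.7": "mail.example.net",                    # proper IPv4 PTR
    "2001:db8::40": "mx.example.com",                      # proper IPv6 PTR
    # 192.0.2.5 and 2001:db8:1::1 deliberately have no PTR at all
}

# Matches Exim-style "from helo ([ip])" and "from helo (name [ip])" forms.
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\((?:[^\s\[\]()]+\s+)?\[?([0-9a-fA-F:.]+)\]?\)"
)


def reverse_lookup(addr: str):
    """Return the PTR name for addr, or None if it has no reverse entry."""
    return FAKE_PTR.get(str(ipaddress.ip_address(addr)))


def ip_in_hostname(addr: str, name: str) -> bool:
    """Simplified IPv4 'address appears in the PTR' heuristic: true when all
    four octets occur as separate numeric tokens in the name. IPv6 addresses
    are never matched this way, which is the point made in the reply."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return False
    tokens = re.split(r"[^0-9]+", name)
    return all(octet in tokens for octet in str(ip).split("."))


def parse_received(header: str):
    """Extract (helo_name, ip) from one Received header, or None."""
    m = RECEIVED_RE.search(header)
    return (m.group(1), m.group(2)) if m else None


def first_untrusted_relay(received_headers, trusted_networks):
    """Walk Received headers newest-first and return the first relay IP that
    is not inside a trusted network; that is the host whose rDNS should be
    judged. With an incomplete trusted list an internal hop is returned
    instead, which is the failure mode guessed at in the reply."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    for header in received_headers:
        parsed = parse_received(header)
        if parsed is None:
            continue
        ip = ipaddress.ip_address(parsed[1])
        if not any(ip in net for net in trusted):
            return str(ip)
    return None


def botnet_verdict(addr: str):
    """Return (flagged, reason): no PTR -> ('nordns'); IPv4 whose octets are
    in its PTR -> ('ipinhostname'); anything else, including IPv6 with
    working reverse DNS, passes."""
    name = reverse_lookup(addr)
    if name is None:
        return True, "nordns"
    if ip_in_hostname(addr, name):
        return True, "ipinhostname"
    return False, "ok"


# Constructed Received chain: the mail arrived over IPv6 at mx-in, which
# handed it to the mailbox host over an internal IPv4 link.
SAMPLE_RECEIVED = [
    "from mx-in.example.org (mx-in.example.org [192.0.2.5]) by mailbox.example.org",
    "from mx.example.com ([2001:db8::40]) by mx-in.example.org with esmtps",
]


def check_chain(received_headers, trusted_networks):
    """Pick the relay to judge, then run the verdict on it."""
    relay = first_untrusted_relay(received_headers, trusted_networks)
    if relay is None:
        return None
    flagged, reason = botnet_verdict(relay)
    return {"ip": relay, "flagged": flagged, "reason": reason}


if __name__ == "__main__":
    # Correct trusted list: the IPv6 relay is judged and passes.
    print("trusted list correct:", check_chain(SAMPLE_RECEIVED, ["192.0.2.0/24"]))
    # Empty trusted list: the internal IPv4 hop is judged and fails 'nordns',
    # which reproduces the shape of the report quoted above.
    print("trusted list empty:  ", check_chain(SAMPLE_RECEIVED, []))
    for addr in ("143.210.16.36", "198.51.100.7", "2001:db8:1::1"):
        print(addr, botnet_verdict(addr))
```

Running it with the trusted list set to the internal network judges 2001:db8::40 and passes it; with the trusted list empty it judges 192.0.2.5 and reports "nordns", an IPv4 address on a message that arrived over IPv6, which is why checking trusted_networks is the first thing to do when the reported ip= does not match the connecting relay.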