On Mon, 8 May 2017, Chris wrote:
> I get various posts from US-CERT; none so far have been tagged as spam
> until today. The raw message with the SA tags is here -
> https://pastebin.com/f71A2FfW What it hit on was:
>
>   pts rule name              description
>  ---- ---------------------- -----------------------------------------
>   5.0 BOTNET                 Relay might be a spambot or virusbot
>       [botnet0.8,ip=208.42.190.173,maildomain=ncas.us-cert.gov,nordns]
That's a bit worrying.
...but that looks like a local rule, I can't find "BOTNET" by itself as a
rule in SVN. Is it local? How is it defined?
>  -0.0 SPF_PASS               SPF: sender matches SPF record
That's useful.
>   0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
That's a bit worrying, too.
> I've added the address us-c...@ncas.us-cert.gov to the AWL and reran
> the message through SA which helped
I'd suggest whitelist_from_auth might help more.
How did ncas.us-cert.gov get classified as a botnet host?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
How do you argue with people to whom math is an opinion? -- Unknown
-----------------------------------------------------------------------
Today: the 72nd anniversary of VE day
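The reply above suggests an authenticated whitelist entry rather than an AWL adjustment. As an added illustration (not part of the thread), here is a local.cf fragment contrasting the three approaches. The directive name used is `whitelist_auth`, as documented in Mail::SpamAssassin::Conf (the reply spells it `whitelist_from_auth`; check `perldoc Mail::SpamAssassin::Conf` for the name your version accepts). The address and domain are the ones from the quoted report; the assumption is that the sender's SPF record or DKIM signing is reliable enough to gate on.

```conf
# Added example configuration (not from the thread): gating a sender
# whitelist on SPF/DKIM authentication in SpamAssassin local.cf.

# 1. AWL is not a whitelist. It averages a sender's historical scores
#    and nudges future scores toward that average, so a one-off
#    correction decays if the next legitimate message scores high again.
use_auto_whitelist 1

# 2. Plain whitelist_from trusts the header From: address alone.
#    Header From: is trivially forged, so this line lets anyone who
#    spoofs the address bypass scoring. Shown here only as the
#    pattern to avoid.
# whitelist_from us-cert@ncas.us-cert.gov

# 3. whitelist_auth applies the whitelist only when the message is
#    authenticated for that address: an SPF pass for the envelope sender
#    or a valid DKIM signature aligned with the From: domain. The message
#    in the thread had SPF_PASS but an invalid DKIM signature, so the
#    SPF result is what would satisfy this entry.
whitelist_auth us-cert@ncas.us-cert.gov

# A narrower variant, if only SPF is trusted for this domain:
# whitelist_from_spf us-cert@ncas.us-cert.gov
```

Run `spamassassin --lint` after editing local.cf to confirm the directive names parse, and re-test the saved message with `spamassassin -t < message.eml` to see which USER_IN_* rule fires.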