>From: John Hardin <jhar...@impsec.org>
>On Mon, 8 May 2017, Chris wrote:

>> I get various posts from US-CERT none so far have been tagged as spam
>> until today. The raw message with the SA tags is here -
>> https://pastebin.com/f71A2FfW What it hit on was:
>>
>> pts rule name              description
>> ---- ---------------------- -----------------------------------------
>>  5.0 BOTNET                 Relay might be a spambot or virusbot
>>               [botnet0.8,ip=208.42.190.173,maildomain=ncas.us-cert.gov,nordns]

>That's a bit worrying.

Checking my mail filters, I see this IP hitting:

-3.20   RCVD_IN_MSPIKE_H4       Very Good reputation (+4)

>>  0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not
>> valid

>That's a bit worrying, too.

Looking at my mail filters I am seeing DMARC pass basically
from good SPF alignment:

Authentication-Results: smtp.ena.net; dmarc=none (p=none dis=none) 
header.from=ncas.us-cert.gov
Authentication-Results: smtp.ena.net; spf=pass 
smtp.mailfrom=messa...@ncas.us-cert.gov

They need to get their DKIM fixed if it is invalid.  I can't tell for sure since
I already have it shortcircuit'd so the DKIM rules did not get evaluated.

>> I've added the address us-c...@ncas.us-cert.gov to the AWL and reran
>> the message through SA which helped

>I'd suggest whitelist_auth might help more.

>How did ncas.us-cert.gov get classified as a botnet host?

Is that rule from the very old plugin on this page (search Botnet)?

https://wiki.apache.org/spamassassin/CustomPlugins

I found those rules to cause too many FPs just like this case.

Dave
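The Authentication-Results lines quoted above carry the data that a whitelist_auth-style decision depends on (SPF or DKIM pass aligned with the From: domain). The following is an added example, not code from this thread or from SpamAssassin: it unfolds such headers, parses the method=result clauses, and reports whether an aligned pass exists. The dkim=fail line and the sender local part in the sample are constructed.

```python
import re

# Constructed sample: the two Authentication-Results headers from the thread,
# folded onto continuation lines as in a raw message, plus an invented dkim=fail
# header for the "DKIM-Signature exists but is not valid" case.
RAW_HEADERS = """\
Authentication-Results: smtp.ena.net; dmarc=none (p=none dis=none)
 header.from=ncas.us-cert.gov
Authentication-Results: smtp.ena.net; spf=pass
 smtp.mailfrom=sender@ncas.us-cert.gov
Authentication-Results: smtp.ena.net; dkim=fail (bad signature)
 header.d=ncas.us-cert.gov
"""

def unfold(raw):
    """Join RFC 5322 folded headers: a line starting with whitespace continues the previous one."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line:
            lines.append(line)
    return lines

def parse_authres(header):
    """Parse 'Authentication-Results: authserv-id; method=result prop=value ...'
    into {"authserv_id": ..., method: {"result": ..., prop: value}}. CFWS comments are dropped."""
    value = re.sub(r"\([^)]*\)", "", header.split(":", 1)[1])
    authserv, *clauses = [c.strip() for c in value.split(";") if c.strip()]
    results = {"authserv_id": authserv}
    for clause in clauses:
        tokens = clause.split()
        if "=" not in tokens[0]:          # e.g. a bare "none" clause
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return results

def authenticated_sender(raw):
    """Return (ok, reason): ok when SPF or DKIM passed for the header.from domain.
    Alignment is exact-domain here (a simplification, not whitelist_auth's own logic)."""
    merged = {}
    for h in unfold(raw):
        if h.lower().startswith("authentication-results:"):
            merged.update({k: v for k, v in parse_authres(h).items() if k != "authserv_id"})
    from_domain = merged.get("dmarc", {}).get("header.from", "").lower()
    spf, dkim = merged.get("spf", {}), merged.get("dkim", {})
    mailfrom_domain = spf.get("smtp.mailfrom", "").rsplit("@", 1)[-1].lower()
    if spf.get("result") == "pass" and from_domain and mailfrom_domain == from_domain:
        return True, "spf=pass aligned with header.from=" + from_domain
    if dkim.get("result") == "pass" and dkim.get("header.d", "").lower() == from_domain:
        return True, "dkim=pass aligned with header.from=" + from_domain
    return False, "no aligned SPF or DKIM pass (dkim=%s)" % dkim.get("result", "absent")
```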
