>From: John Hardin <jhar...@impsec.org>
>On Mon, 8 May 2017, Chris wrote:
>> I get various posts from US-CERT; none so far have been tagged as spam
>> until today. The raw message with the SA tags is here -
>> https://pastebin.com/f71A2FfW
>> What it hit on was:
>>
>>  pts rule name              description
>> ---- ---------------------- -----------------------------------------
>>  5.0 BOTNET                 Relay might be a spambot or virusbot
>>                             [botnet0.8,ip=208.42.190.173,maildomain=ncas.us-cert.gov,nordns]
>That's a bit worrying.

Checking my mail filters, I see this IP hitting:

-3.20 RCVD_IN_MSPIKE_H4      Very Good reputation (+4)

>>  0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not
>>                             valid
>That's a bit worrying, too.

Looking at my mail filters I am seeing DMARC pass, basically from good SPF alignment:

Authentication-Results: smtp.ena.net; dmarc=none (p=none dis=none) header.from=ncas.us-cert.gov
Authentication-Results: smtp.ena.net; spf=pass smtp.mailfrom=messa...@ncas.us-cert.gov

They need to get their DKIM fixed if it is invalid. I can't tell for sure since I already have it shortcircuit'd, so the DKIM rules did not get evaluated.

>> I've added the address us-c...@ncas.us-cert.gov to the AWL and reran
>> the message through SA which helped
>I'd suggest whitelist_auth might help more.
>How did ncas.us-cert.gov get classified as a botnet host?

Is that rule from the very old plugin on this page (search Botnet)?
https://wiki.apache.org/spamassassin/CustomPlugins

I found those rules to cause too many FPs, just like this case.

Dave
>> I get various posts from US-CERT none so far have been tagged as spam >> until today. The raw message with the SA tags is here - https://pastebi >> n.com/f71A2FfW What it hit on was: >> >> pts rule name description >> ---- ---------------------- ----------------------------------------- >> 5.0 BOTNET Relay might be a spambot or virusbot >> [botnet0.8,ip=208.42.190.173,maildomain=ncas.us- >> cert.gov,nordns] >That's a bit worrying. Checking my mail filters, I see this IP hitting: -3.20 RCVD_IN_MSPIKE_H4 Very Good reputation (+4) >> 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not >> valid >That's a bit worrying, too. Looking at my mail filters I am seeing DMARC pass basically from good SPF alignment: Authentication-Results: smtp.ena.net; dmarc=none (p=none dis=none) header.from=ncas.us-cert.gov Authentication-Results: smtp.ena.net; spf=pass smtp.mailfrom=messa...@ncas.us-cert.gov They need to get their DKIM fixed if it is invalid. I can't tell for sure since I already have it shortcircuit'd so the DKIM rules did not get evaluated. >> I've added the address us-c...@ncas.us-cert.gov to the AWL and reran >> the message through SA which helped >I'd suggest whitelist_auth might help more. >How did ncas.us-cert.gov get classified as a botnet host? It that rule from the very old plugin on this page (search Botnet)? https://wiki.apache.org/spamassassin/CustomPlugins I found those rules to cause too many FPs just like this case. Dave