On Mon, 8 May 2017, John Hardin wrote:
On Mon, 8 May 2017, Chris wrote:
I get various posts from US-CERT none so far have been tagged as spam
until today. The raw message with the SA tags is here - https://pastebin.com/f71A2FfW
What it hit on was:
 pts rule name              description
---- ---------------------- -----------------------------------------
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=208.42.190.173,maildomain=ncas.us-cert.gov,nordns]
That's a bit worrying.
...but that looks like a local rule, I can't find "BOTNET" by itself as a
rule in SVN. Is it local? How is it defined?
[snip..]
How did ncas.us-cert.gov get classified as a botnet host?
"Botnet" is a SA plugin that was written several years ago by John Rudd which
tries to look for spammyness clues derived from the DNS/hostname of the
first untrusted relay. From the source code comments:
# Botnet - perform DNS validations on the first untrusted relay
# looking for signs of a Botnet infected host, such as no reverse
# DNS, a hostname that would indicate an ISP client or domain
# workstation, or other hosts that aren't intended to be acting as
# a direct mail submitter outside of their own domain.
One of its heuristics is to look for signs of the IP address embedded in the
hostname (e.g. looking for things like "client-201.240.187.107.speedy.net.pe")
as a sign of an infected PC doing direct mail delivery.
This fired on the host name of that site: mailer190173.service.govdelivery.com
because part of its IP address [208.42.190.173] was found in the name.
Years ago I dropped the default Botnet score (5.0) way down because of FPs like
this.
I'd be concerned with what caused the DKIM signature to fail validation.
(DKIM_SIGNED, T_DKIM_INVALID).
If something in the mail chain is breaking DKIM validation then attempts to use
things like whitelist_auth are doomed to failure.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
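An added example, not part of the thread and not the Botnet plugin's own code: a simplified Python re-creation of the "IP address embedded in the hostname" heuristic Dave describes, run over the two hostnames quoted above plus two constructed ordinary mail-server names. The two octet shapes it looks for, the reversed-order check and the four-digit minimum for a glued match are my assumptions about how such a check might be written, not the plugin's actual patterns or thresholds.

```python
import ipaddress
import re

# Illustrative, simplified re-creation of the "IP embedded in hostname"
# heuristic described in the thread. NOT the Botnet plugin's code; the
# shapes and thresholds below are this example's own assumptions.


def ip_in_hostname(ip: str, hostname: str):
    """Return the digit string that betrays `ip` inside `hostname`, or None.

    Two shapes are checked, each in forward and reversed octet order:
      1. three or more consecutive octets as separate digit runs,
         e.g. client-201.240.187.107.speedy.net.pe
      2. two or more consecutive octets glued into one digit run,
         e.g. mailer190173.service.govdelivery.com  (190 + 173)
    """
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    # Every maximal run of digits in the hostname, in order of appearance.
    runs = re.findall(r"\d+", hostname.lower())

    for order in (octets, octets[::-1]):
        # Shape 1: separated octets; try a window of all four, then any three.
        for n in (4, 3):
            for i in range(len(order) - n + 1):
                window = order[i:i + n]
                for j in range(len(runs) - n + 1):
                    if runs[j:j + n] == window:
                        return ".".join(window)
        # Shape 2: consecutive octets concatenated into one whole digit run.
        # Minimum of 4 digits (my threshold) so that e.g. "mx01" does not
        # match 10.0.0.1 via "0"+"1".
        for n in (4, 3, 2):
            for i in range(len(order) - n + 1):
                glued = "".join(order[i:i + n])
                if len(glued) >= 4 and glued in runs:
                    return glued
    return None


# Constructed demo inputs: the two hostnames from the thread plus two
# ordinary-looking mail servers using documentation address space.
DEMO_CASES = [
    ("201.240.187.107", "client-201.240.187.107.speedy.net.pe"),  # ISP client
    ("208.42.190.173", "mailer190173.service.govdelivery.com"),   # the FP
    ("203.0.113.5", "mail.example.com"),
    ("192.0.2.20", "mx2.example.net"),
]


if __name__ == "__main__":
    for ip, host in DEMO_CASES:
        hit = ip_in_hostname(ip, host)
        verdict = f"HIT on '{hit}'" if hit else "no match"
        print(f"{host:45} {ip:16} {verdict}")
```

The govdelivery hostname trips the second shape exactly as the thread describes: the run "190173" is the third and fourth octets glued together, which is indistinguishable, to a purely lexical check, from a dynamic-pool client name. That is the kind of false positive behind Dave's decision to cut the rule's score, and it is why a hit from a heuristic like this should be weighted against authentication results (DKIM, SPF) rather than scored on its own.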