On Mon, 8 May 2017, John Hardin wrote:

On Mon, 8 May 2017, Chris wrote:

I get various posts from US-CERT; none so far have been tagged as spam
until today. The raw message with the SA tags is here - https://pastebin.com/f71A2FfW
What it hit on was:

 pts rule name              description
---- ---------------------- -----------------------------------------
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=208.42.190.173,maildomain=ncas.us-cert.gov,nordns]

That's a bit worrying.

...but that looks like a local rule, I can't find "BOTNET" by itself as a rule in SVN. Is it local? How is it defined?

[snip..]

How did ncas.us-cert.gov get classified as a botnet host?


"Botnet" is an SA plugin that was written several years ago by John Rudd which tries to look for spamminess clues derived from the DNS/hostname of the first untrusted relay. From the source code comments:

# Botnet - perform DNS validations on the first untrusted relay
#    looking for signs of a Botnet infected host, such as no reverse
#    DNS,  a hostname that would indicate an ISP client or domain
#    workstation, or other hosts that aren't intended to be acting as
#    a direct mail submitter outside of their own domain.

One of its heuristics is to look for signs of the IP address embedded in the hostname (e.g. looking for things like "client-201.240.187.107.speedy.net.pe") as a sign of an infected PC doing direct mail delivery.

This fired on the host name of that site: mailer190173.service.govdelivery.com because part of its IP address [208.42.190.173] was found in the name.

Years ago I dropped the default Botnet score (5.0) way down because of FPs like this.

I'd be concerned with what caused the DKIM signature to fail validation.
(DKIM_SIGNED, T_DKIM_INVALID).
If something in the mail chain is breaking DKIM validation then attempts to use things like whitelist_auth are doomed to failure.


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
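The "IP address embedded in the hostname" heuristic Dave describes, as an added example: this is my own simplified model of the idea, not the Botnet plugin's code, and the min_octets knob is an assumption of this example rather than a plugin setting. It runs the check over the two hostnames from the thread to show why the govdelivery mailer fires and how a stricter threshold separates it from a real ISP-client name.

```python
# Added example (not the Botnet plugin's code): a simplified model of the
# "IP address embedded in the hostname" heuristic, to show why the
# govdelivery mailer hostname fires alongside a genuine ISP-client host.
import re
from ipaddress import IPv4Address


def ip_octets_in_hostname(ip: str, hostname: str) -> list[str]:
    """Return the decimal octets of `ip` that occur inside digit runs of
    `hostname`, in address order.

    An octet counts as found if it is a substring of some run of digits in
    the hostname; that is exactly what makes "190173" match 190 and 173.
    Single-digit octets (e.g. 0 or 5) would match almost any digit run, so
    this toy check ignores them.
    """
    octets = str(IPv4Address(ip)).split(".")  # also validates the address
    digit_runs = re.findall(r"\d+", hostname.lower())
    return [o for o in octets
            if len(o) >= 2 and any(o in run for run in digit_runs)]


def looks_like_embedded_ip(ip: str, hostname: str, min_octets: int = 2) -> bool:
    """Heuristic verdict: True when at least `min_octets` octets are embedded.

    min_octets is a tuning knob of this example only (assumption, not a
    Botnet plugin option): raising it trades a few missed ISP-client hosts
    for fewer false positives on legitimate senders whose hostnames happen
    to carry part of their IP. Dave's actual mitigation was to lower the
    rule's score instead.
    """
    return len(ip_octets_in_hostname(ip, hostname)) >= min_octets


# Constructed sample relays: the two hostnames discussed in the thread plus
# a plain MX name (203.0.113.5 is an RFC 5737 documentation address).
SAMPLES = [
    ("201.240.187.107", "client-201.240.187.107.speedy.net.pe"),  # ISP client
    ("208.42.190.173", "mailer190173.service.govdelivery.com"),   # the FP
    ("203.0.113.5", "mx1.example.org"),                           # no octets
]

if __name__ == "__main__":
    for ip, host in SAMPLES:
        found = ip_octets_in_hostname(ip, host)
        print(f"{host:40} octets found={found}  "
              f"min_octets=2 -> {looks_like_embedded_ip(ip, host, 2)}  "
              f"min_octets=3 -> {looks_like_embedded_ip(ip, host, 3)}")
```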
