Re: Hmm - a server I manage is triggering Botnet

2007-01-29 Thread Josh Trutwin
On Sat, 27 Jan 2007 20:33:41 -0800 John
Rudd <[EMAIL PROTECTED]> wrote:

> % host 209.18.107.89
> 89.107.18.209.in-addr.arpa domain name pointer
> ptr-20989.fastconcepts.net.
> 
> % host ptr-20989.fastconcepts.net
> Host ptr-20989.fastconcepts.net not found: 3(NXDOMAIN)

John, my rDNS is now set up to not have multiple octets - I'm still
getting hit by Botnet though from any sender on this server:



Content preview:  test [...] 

Content analysis details:   (5.5 points, 5.0 required)

 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.7,ip=209.18.107.89,hostname=netbits.us,maildomain=netbits.us,baddns]
 0.5 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4678]



Any thoughts?  

Thanks,

Josh


Re: Hmm - a server I manage is triggering Botnet

2007-01-29 Thread Josh Trutwin
On Sat, 27 Jan 2007 20:33:41 -0800
John Rudd <[EMAIL PROTECTED]> wrote:

> Josh Trutwin wrote:
> > On Sat, 27 Jan 2007 17:08:44 -0800
> > John Rudd <[EMAIL PROTECTED]> wrote:
> > 
> >> Thomas Bolioli wrote:
> >>>   
> >>> Yeah, this is the problem with the Botnet ruleset. I had to stop
> >>> using it. It assumes that one IP, one domain with regards to
> >>> mail. If your mail server handles multiple domains, whichever
> >>> domain the rDNS points to will be fine. Any others will fire
> >>> off.
> >> That's not even close to true (the assumptions nor the results).
> >>
> >> If rDNS and DNS are properly set up for the machine, then it won't
> >> matter what virtual domains are hosted on the system.  As long as
> >> the rDNS leads back to a valid DNS record, which leads back to
> >> the same IP, it won't matter if that rDNS machines that mail
> >> domain, a different mail domain, or no mail domain at all.
> > 
> > Hmm - in my case my rDNS setup seems ok though except for the fact
> > that 2 octets are in my ptr record which I'll be fixing tonight.
> > But that's not the rule I was tripping.  Here's another example
> > from a test email sent from one of my virtual domains netbits.us:
> > 
> >  5.0 BOTNET Relay might be a spambot or virusbot
> >  
> > [botnet0.7,ip=209.18.107.89,hostname=netbits.us,maildomain=netbits.us,baddns]
> > 
> > 
> > 
> >> If you think there is a case where Botnet breaks down for 
> >> multiple/virtual mail domains, where DNS and rDNS are properly
> >> set up, put your money where your mouth is and give a real world
> >> example.  Give the IP address(es), and the mail domains that go
> >> with them that you think will have a problem.
> > 
> > Personally, I like Botnet, but it does seem like I have a real
> > world example where my rDNS is set up fine.  Unless I missed
> > something?
> > 
> 
> % host 209.18.107.89
> 89.107.18.209.in-addr.arpa domain name pointer
> ptr-20989.fastconcepts.net.
> 
> % host ptr-20989.fastconcepts.net
> Host ptr-20989.fastconcepts.net not found: 3(NXDOMAIN)
> 
> 
> That would seem to me to indicate that "baddns" is valid.  It may
> be that from some angles/locations/servers, the forward DNS for 
> fastconcepts.net isn't working properly.  Or at least not for 
> ptr-20989.fastconcepts.net.
> 
> (and, I think ipshostname isn't triggering for it because in 0.7 it
> only looks at consecutive octets)

John,

My ISP didn't do my rDNS change so it's back to the way it was when I
originally posted this thread.  

Does it still look wrong?

# host 209.18.107.89
89.107.18.209.in-addr.arpa domain name pointer
ptr-20989.fastconcepts.net.
# host ptr-20989.fastconcepts.net 
ptr-20989.fastconcepts.net has address 209.18.107.

Josh



Re: Hmm - a server I manage is triggering Botnet

2007-01-28 Thread Thomas Bolioli

John Rudd wrote:
If you think there is a case where Botnet breaks down for 
multiple/virtual mail domains, where DNS and rDNS are properly set up, 
put your money where your mouth is and give a real world example.  
Give the IP address(es), and the mail domains that go with them that 
you think will have a problem.

I have, to this list and you never responded... See below.

Alumni connections is a forwarder service. uptilt is sending email for 
nashbar.com


Message-ID: <[EMAIL PROTECTED]>
Date: Sun, 31 Dec 2006 09:29:46 -0500
From: Thomas Bolioli <[EMAIL PROTECTED]>
User-Agent: Thunderbird 2.0b1 (Macintosh/20061206)
MIME-Version: 1.0
To: Spamassassin Users List 
Subject: Re: Botnet 0.7 Plugin is available
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

See below for content. I forgot to send this to the list.
John Rudd wrote:

Thomas Bolioli wrote:

It seems to have an issue with mail sent through forwarders like 
alumni accounts and one mail type systems. I am sending you a note 
off line with the details.



No... it doesn't look that way at all.

If you read the spam report headers, it clearly states what the 
problem is with _BOTH_ of the messages you sent me:


   *  0.1 BOTNET_BADDNS Relay doesn't have full circle DNS

BOTNET is triggering because the relay which is submitting the message 
to you doesn't have full circle DNS (the hostname returned by the PTR 
lookup doesn't resolve back to the IP address that is submitting the 
message).  It's not because BOTNET has a problem with mail forwarding 
services (not indicated at all by the first message you sent me), nor 
is it because it's a server initiated message (the second message; the 
presence of BOTNET_SERVERWORDS should have scored -0.1, and would have 
served to prevent BOTNET_CLIENT from triggering ... which it did: 
BOTNET_CLIENT doesn't show up in that message's spam report).


In that regard, neither of these is a false positive.  BOTNET is told 
to flag messages that have "Bad DNS" configurations, and these two 
mail relays have bad dns configurations, so BOTNET flagged them.


I can't tell you if the messages themselves were spam or not... the 
2nd one definitely looks like spam to me, but the 
sender/recipient/subject of the first one doesn't look like spam.  If 
you say that they're ham, then I would give you a few courses of action:



1) add the domain name in a "botnet_pass_domains" entry in Botnet.cf:

For the first message:

 * 
[botnet_baddns,ip=198.212.10.108,rdns=permemail05.alumniconnections.com]


becomes:

botnet_pass_domains alumniconnections\.com

For the second message:

 * [botnet_baddns,ip=208.66.204.41,rdns=mail31.uptilt.com]

becomes:

botnet_pass_domains uptilt\.com


2) for the second message, either do something like the above, or add 
the IP address, in the botnet report, to Botnet.cf as a botnet_pass_ip:


For the first message:

 * 
[botnet_baddns,ip=198.212.10.108,rdns=permemail05.alumniconnections.com]


becomes:

botnet_pass_ip ^198\.212\.10\.108$

For the second message:

 * [botnet_baddns,ip=208.66.204.41,rdns=mail31.uptilt.com]

becomes:

botnet_pass_ip ^208\.66\.204\.41$


3) send email to abuse@ hostmaster@ and postmaster@ each of the 
domains, showing them the headers of the message they sent you, 
including the spam report headers, and informing them that their DNS 
misconfigurations make their mail servers appear to be potential spam 
sources, and that they should fix this by having the hostnames 
returned by any of their PTR records actually resolve back to the IP 
address that the PTR record is attached to.



IMO: the 3rd one is the thing that should happen (the mail servers 
should have their DNS configurations fixed).  I'll think about adding 
alumniconnections.com to the centrally distributed Botnet.cf.  But, 
given the content of the message from uptilt.com, I really don't think 
I'd add them to the centrally distributed Botnet.cf.


I agree that the third should happen but I am a little confused. Why are
these failing rdns lookups?
I do the lookups and I get this:
Sailfish:~ tbolioli$ host permemail05.alumniconnections.com
permemail05.alumniconnections.com has address 198.212.10.108
Sailfish:~ tbolioli$ host 198.212.10.108
108.10.212.198.in-addr.arpa domain name pointer
permemail05.alumniconnections.com.
Sailfish:~ tbolioli$ host mail31.uptilt.com
mail31.uptilt.com has address 208.66.204.41
Sailfish:~ tbolioli$ host 208.66.204.41
41.204.66.208.in-addr.arpa domain name pointer mail31.uptilt.com.
Sailfish:~ tbolioli$ host 208.66.204.40

Is there something I am missing or that I am doing wrong in my lookups?
I want to get these entities to change but I am not sure what to tell
them to do.
Thanks,
Tom
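As an added illustration of the check John describes above (full-circle DNS: the name returned by the PTR lookup must resolve forward to the submitting IP) together with the `botnet_pass_domains` / `botnet_pass_ip` exceptions he suggests, here is example code written for this page. It is not the Botnet plugin's own Perl and not anything John or Tom posted. The resolver is a constructed in-memory table built from the `host` lookups quoted in the thread, plus one made-up 203.0.113.x pair that shows the "resolves, but to a different address" case; treating the two pass directives as regexes matched against the rDNS name and the IP respectively is an assumption taken from the shape of the lines quoted above, not a statement about the plugin's internals.

```python
import re

# Constructed in-memory resolver built from the "host" lookups quoted in the
# thread (plus one made-up 203.0.113.x pair).  PTR maps an IP to the names its
# reverse record returns; A maps a name to its addresses.  A name that is
# missing from A models an NXDOMAIN answer.
PTR = {
    "209.18.107.89": ["ptr-20989.fastconcepts.net"],      # forward lookup: NXDOMAIN
    "198.212.10.108": ["permemail05.alumniconnections.com"],
    "208.66.204.41": ["mail31.uptilt.com"],
    "203.0.113.5": ["relay.example.net"],                  # constructed mismatch case
}
A = {
    "permemail05.alumniconnections.com": ["198.212.10.108"],
    "mail31.uptilt.com": ["208.66.204.41"],
    "relay.example.net": ["203.0.113.9"],                  # resolves, but not to .5
}

# Exceptions in the shape of the Botnet.cf lines quoted above.  Treating them
# as regexes matched against the rDNS name (pass_domains) and the IP (pass_ip)
# is an assumption taken from how the thread writes them.
BOTNET_PASS_DOMAINS = [r"alumniconnections\.com"]
BOTNET_PASS_IP = [r"^208\.66\.204\.41$"]


def full_circle_dns(ip, ptr=PTR, a=A):
    """Return (ok, reason).  ok is True only when a hostname from the IP's PTR
    record resolves forward to an address set that contains the IP itself."""
    names = ptr.get(ip)
    if not names:
        return False, "no PTR record for %s" % ip
    for name in names:
        addrs = a.get(name)
        if addrs is None:
            continue        # PTR hostname does not resolve at all (NXDOMAIN)
        if ip in addrs:
            return True, "%s -> %s" % (name, ip)
    return False, "no PTR hostname of %s resolves back to it" % ip


def is_passed(ip, ptr=PTR, pass_domains=BOTNET_PASS_DOMAINS, pass_ip=BOTNET_PASS_IP):
    """True when a pass-list entry covers the relay, by IP or by rDNS name."""
    if any(re.search(p, ip) for p in pass_ip):
        return True
    return any(re.search(p, name) for name in ptr.get(ip, []) for p in pass_domains)


def botnet_baddns(ip, ptr=PTR, a=A, pass_domains=BOTNET_PASS_DOMAINS, pass_ip=BOTNET_PASS_IP):
    """Decision as the thread describes it: flag the relay only when full-circle
    DNS fails and no pass-list entry exempts it."""
    if is_passed(ip, ptr, pass_domains, pass_ip):
        return False
    ok, _ = full_circle_dns(ip, ptr, a)
    return not ok


if __name__ == "__main__":
    for ip in PTR:
        ok, why = full_circle_dns(ip)
        print("%-16s full-circle=%-5s baddns=%-5s (%s)" % (ip, ok, botnet_baddns(ip), why))
```

Run against the table, 209.18.107.89 fails because its PTR name has no forward record at all (John's NXDOMAIN case), 203.0.113.5 fails because the name resolves to a different address, and 208.66.204.41 is exempted by the `botnet_pass_ip` entry even though its own records are consistent. Swapping the two dictionaries for real `socket.gethostbyaddr` / `socket.gethostbyname_ex` calls turns this into the same check against live DNS, which is what an operator would run before writing to the relay's postmaster.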






Re: Hmm - a server I manage is triggering Botnet

2007-01-27 Thread Josh Trutwin
On Sat, 27 Jan 2007 20:33:41 -0800
John Rudd <[EMAIL PROTECTED]> wrote:

> > Personally, I like Botnet, but it does seem like I have a real
> > world example where my rDNS is set up fine.  Unless I missed
> > something?
> > 
> 
> % host 209.18.107.89
> 89.107.18.209.in-addr.arpa domain name pointer
> ptr-20989.fastconcepts.net.
> 
> % host ptr-20989.fastconcepts.net
> Host ptr-20989.fastconcepts.net not found: 3(NXDOMAIN)

I just made the DNS change for multiple octets, but my ISP hasn't
fixed the delegation, I need to send this to them.  The reverse
should've returned:

ptr-89.fastconcepts.net 

Hopefully it will tomorrow.

> That would seem to me to indicate that "baddns" is valid.  It may
> be that from some angles/locations/servers, the forward DNS for 
> fastconcepts.net isn't working properly.  Or at least not for 
> ptr-20989.fastconcepts.net.

I just screwed this up - bad timing, let's try this again tomorrow.

> (and, I think ipshostname isn't triggering for it because in 0.7 it
> only looks at consecutive octets)

But it will in 0.8?

Josh


Re: Hmm - a server I manage is triggering Botnet

2007-01-27 Thread John Rudd

Josh Trutwin wrote:

On Sat, 27 Jan 2007 17:08:44 -0800
John Rudd <[EMAIL PROTECTED]> wrote:


Thomas Bolioli wrote:
  
Yeah, this is the problem with the Botnet ruleset. I had to stop

using it. It assumes that one IP, one domain with regards to
mail. If your mail server handles multiple domains, whichever
domain the rDNS points to will be fine. Any others will fire off.

That's not even close to true (the assumptions nor the results).

If rDNS and DNS are properly set up for the machine, then it won't
matter what virtual domains are hosted on the system.  As long as
the rDNS leads back to a valid DNS record, which leads back to the
same IP, it won't matter if that rDNS machines that mail domain, a
different mail domain, or no mail domain at all.


Hmm - in my case my rDNS setup seems ok though except for the fact
that 2 octets are in my ptr record which I'll be fixing tonight.  But
that's not the rule I was tripping.  Here's another example from a
test email sent from one of my virtual domains netbits.us:

 5.0 BOTNET Relay might be a spambot or virusbot
 [botnet0.7,ip=209.18.107.89,hostname=netbits.us,maildomain=netbits.us,baddns]



If you think there is a case where Botnet breaks down for 
multiple/virtual mail domains, where DNS and rDNS are properly set

up, put your money where your mouth is and give a real world
example.  Give the IP address(es), and the mail domains that go
with them that you think will have a problem.


Personally, I like Botnet, but it does seem like I have a real world
example where my rDNS is set up fine.  Unless I missed something?



% host 209.18.107.89
89.107.18.209.in-addr.arpa domain name pointer ptr-20989.fastconcepts.net.

% host ptr-20989.fastconcepts.net
Host ptr-20989.fastconcepts.net not found: 3(NXDOMAIN)


That would seem to me to indicate that "baddns" is valid.  It may be 
that from some angles/locations/servers, the forward DNS for 
fastconcepts.net isn't working properly.  Or at least not for 
ptr-20989.fastconcepts.net.


(and, I think ipshostname isn't triggering for it because in 0.7 it only 
looks at consecutive octets)


Re: Hmm - a server I manage is triggering Botnet

2007-01-27 Thread Josh Trutwin
On Sat, 27 Jan 2007 17:08:44 -0800
John Rudd <[EMAIL PROTECTED]> wrote:

> Thomas Bolioli wrote:
> >   
> > Yeah, this is the problem with the Botnet ruleset. I had to stop
> > using it. It assumes that one IP, one domain with regards to
> > mail. If your mail server handles multiple domains, whichever
> > domain the rDNS points to will be fine. Any others will fire off.
> 
> That's not even close to true (the assumptions nor the results).
> 
> If rDNS and DNS are properly set up for the machine, then it won't
> matter what virtual domains are hosted on the system.  As long as
> the rDNS leads back to a valid DNS record, which leads back to the
> same IP, it won't matter if that rDNS machines that mail domain, a
> different mail domain, or no mail domain at all.

Hmm - in my case my rDNS setup seems ok though except for the fact
that 2 octets are in my ptr record which I'll be fixing tonight.  But
that's not the rule I was tripping.  Here's another example from a
test email sent from one of my virtual domains netbits.us:

 5.0 BOTNET Relay might be a spambot or virusbot
 [botnet0.7,ip=209.18.107.89,hostname=netbits.us,maildomain=netbits.us,baddns]



> If you think there is a case where Botnet breaks down for 
> multiple/virtual mail domains, where DNS and rDNS are properly set
> up, put your money where your mouth is and give a real world
> example.  Give the IP address(es), and the mail domains that go
> with them that you think will have a problem.

Personally, I like Botnet, but it does seem like I have a real world
example where my rDNS is set up fine.  Unless I missed something?

Thx,

Josh


Re: Hmm - a server I manage is triggering Botnet

2007-01-27 Thread John Rudd

Thomas Bolioli wrote:
  
Yeah, this is the problem with the Botnet ruleset. I had to stop using 
it. It assumes that one IP, one domain with regards to mail. If your 
mail server handles multiple domains, whichever domain the rDNS points 
to will be fine. Any others will fire off.


That's not even close to true (the assumptions nor the results).

If rDNS and DNS are properly set up for the machine, then it won't matter 
what virtual domains are hosted on the system.  As long as the rDNS 
leads back to a valid DNS record, which leads back to the same IP, it 
won't matter if that rDNS machines that mail domain, a different mail 
domain, or no mail domain at all.


The only case in which Botnet cares about mail domains (virtual or 
otherwise) is when trying to make an automatic exception.  And even 
then, the result you describe isn't what happens.  There is no case in 
which valid DNS and rDNS has been set up that multiple domains or 
virtual mail domains is a problem for Botnet.


If you think there is a case where Botnet breaks down for 
multiple/virtual mail domains, where DNS and rDNS are properly set up, 
put your money where your mouth is and give a real world example.  Give 
the IP address(es), and the mail domains that go with them that you 
think will have a problem.




 If you want to stop the
bot net mails heading into your inbox, make sure your RBL lookups are 
working. Those are much better than the botnet plugin.


Except of course that there aren't any public/free RBLs that are 
comprehensive enough to make your statement have even a small amount of 
value.  Which is part of the reason Botnet was created.


Re: Hmm - a server I manage is triggering Botnet

2007-01-27 Thread Thomas Bolioli

Josh Trutwin wrote:

On Fri, 26 Jan 2007 16:43:17 -0800
John Rudd <[EMAIL PROTECTED]> wrote:

  

X-Envelope-From: [EMAIL PROTECTED]
Received: from netbits.us ([209.18.107.89])
  by 0 ([192.168.0.3])
  with SMTP via SSL; 25 Jan 2007 23:47:53 -
  

That would seem to be your problem.  I bet SA thinks that means
the machine has no reverse DNS.  And netbits.us has a completely
different IP address than that.


SA or Botnet?
  
SA.  SA is the one that interprets the headers.  Botnet reads the 
interpreted headers.



This is only scoring a 5.1 though - I posted the SA report in a
previous message, my only bad hit is from Botnet:

Content analysis details:   (5.1 points, 5.0 required)


 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.7,ip=209.18.107.89,hostname=netbits.us,maildomain=davidtrutwin.com,baddns]
 1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.3696]
-1.2 AWL                    AWL: From: address is in the auto white-list


I'm curious to see if changing the PTR records will help.

Josh
  
Yeah, this is the problem with the Botnet ruleset. I had to stop using 
it. It assumes that one IP, one domain with regards to mail. If your 
mail server handles multiple domains, whichever domain the rDNS points 
to will be fine. Any others will fire off. There is an exception list 
built into the plugin but I am philosophically opposed to manually 
managing lists like that on a per machine basis. If you want to stop the 
bot net mails heading into your inbox, make sure your RBL lookups are 
working. Those are much better than the botnet plugin.




Re: Hmm - a server I manage is triggering Botnet

2007-01-26 Thread Josh Trutwin
On Fri, 26 Jan 2007 16:43:17 -0800
John Rudd <[EMAIL PROTECTED]> wrote:

> >>> X-Envelope-From: [EMAIL PROTECTED]
> >>> Received: from netbits.us ([209.18.107.89])
> >>>   by 0 ([192.168.0.3])
> >>>   with SMTP via SSL; 25 Jan 2007 23:47:53 -
> >>
> >> That would seem to be your problem.  I bet SA thinks that means
> >> the machine has no reverse DNS.  And netbits.us has a completely
> >> different IP address than that.
> > 
> > SA or Botnet?
> 
> SA.  SA is the one that interprets the headers.  Botnet reads the 
> interpreted headers.

This is only scoring a 5.1 though - I posted the SA report in a
previous message, my only bad hit is from Botnet:

Content analysis details:   (5.1 points, 5.0 required)


 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.7,ip=209.18.107.89,hostname=netbits.us,maildomain=davidtrutwin.com,baddns]
 1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.3696]
-1.2 AWL                    AWL: From: address is in the auto white-list


I'm curious to see if changing the PTR records will help.

Josh


Re: Hmm - a server I manage is triggering Botnet

2007-01-26 Thread John Rudd

Josh Trutwin wrote:

On Fri, 26 Jan 2007 14:53:19 -0800
John Rudd <[EMAIL PROTECTED]> wrote:


Josh Trutwin wrote:

On Fri, 26 Jan 2007 14:57:57 -0500
"Dan Barker" <[EMAIL PROTECTED]> wrote:


Can you provide more of the headers?

Sure - here's the complete set:

X-Envelope-From: [EMAIL PROTECTED]
Received: from netbits.us ([209.18.107.89])
  by 0 ([192.168.0.3])
  with SMTP via SSL; 25 Jan 2007 23:47:53 -


That would seem to be your problem.  I bet SA thinks that means
the machine has no reverse DNS.  And netbits.us has a completely
different IP address than that.


SA or Botnet?


SA.  SA is the one that interprets the headers.  Botnet reads the 
interpreted headers.


Re: Hmm - a server I manage is triggering Botnet

2007-01-26 Thread Josh Trutwin
On Fri, 26 Jan 2007 14:53:19 -0800
John Rudd <[EMAIL PROTECTED]> wrote:

> Josh Trutwin wrote:
> > On Fri, 26 Jan 2007 14:57:57 -0500
> > "Dan Barker" <[EMAIL PROTECTED]> wrote:
> > 
> >> Can you provide more of the headers?
> > 
> > Sure - here's the complete set:
> > 
> > X-Envelope-From: [EMAIL PROTECTED]
> > Received: from netbits.us ([209.18.107.89])
> >   by 0 ([192.168.0.3])
> >   with SMTP via SSL; 25 Jan 2007 23:47:53 -
> 
> 
> That would seem to be your problem.  I bet SA thinks that means
> the machine has no reverse DNS.  And netbits.us has a completely
> different IP address than that.

SA or Botnet?  I can't really win this reverse DNS battle it seems,
I have about 20 IP's for 120 domains and as far as I can tell no
way to tell my MTA to use the same one for the sender's IP.  I
would think that the fact that the full-circle DNS works would be
enough.

> Did you think about adding that IP address to any of the configs
> in Botnet.cf?

I can, yes, but what about other SA users that get mail from me
and use Botnet?

Thanks,

Josh


Re: Hmm - a server I manage is triggering Botnet

2007-01-26 Thread John Rudd

Josh Trutwin wrote:

On Fri, 26 Jan 2007 14:57:57 -0500
"Dan Barker" <[EMAIL PROTECTED]> wrote:


Can you provide more of the headers?


Sure - here's the complete set:

X-Envelope-From: [EMAIL PROTECTED]
Received: from netbits.us ([209.18.107.89])
  by 0 ([192.168.0.3])
  with SMTP via SSL; 25 Jan 2007 23:47:53 -



That would seem to be your problem.  I bet SA thinks that means the 
machine has no reverse DNS.  And netbits.us has a completely different 
IP address than that.



Did you think about adding that IP address to any of the configs in 
Botnet.cf?





Re: Hmm - a server I manage is triggering Botnet

2007-01-26 Thread Josh Trutwin
On Fri, 26 Jan 2007 14:57:57 -0500
"Dan Barker" <[EMAIL PROTECTED]> wrote:

> Can you provide more of the headers?

Sure - here's the complete set:

X-Envelope-From: [EMAIL PROTECTED]
Received: from netbits.us ([209.18.107.89])
  by 0 ([192.168.0.3])
  with SMTP via SSL; 25 Jan 2007 23:47:53 -
Received: (qmail 1330 invoked by uid 1033); 25 Jan 2007 23:39:43 -
Received: from 204.214.24.199 by fastconcepts (envelope-from
  <[EMAIL PROTECTED]>, uid 0) with qmail-scanner-2.01st
  (clamdscan: 0.88.7/2484. spamassassin: 3.1.7. perlscan: 2.01st.
  Clear:RC:1(204.214.24.199):. Processed in 0.055125 secs); 25 Jan 2007 23:39:43 -
Received: from 204.214.24.199 ([204.214.24.199])
  by fastconcepts.com ([65.17.208.225])
  with ESMTP via SSL; 25 Jan 2007 23:39:43 -
Message-ID: <[EMAIL PROTECTED]>
Date: Thu, 25 Jan 2007 17:47:36 -0600
From: David Trutwin <[EMAIL PROTECTED]>
User-Agent: Thunderbird 1.5.0.9 (X11/20070103)
MIME-Version: 1.0
To: Josh Trutwin <[EMAIL PROTECTED]>
Subject: Re: thought you'd like this
References: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit


Here's the SA report (sorry for crappy word wrap):


Content analysis details:   (5.1 points, 5.0 required)


 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.7,ip=209.18.107.89,hostname=netbits.us,maildomain=davidtrutwin.com,baddns]
 1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.3696]
-1.2 AWL                    AWL: From: address is in the auto white-list




> You post from trutwins.homeip.net
> Botnet complains about netbits.us and davidtrutwin.com
> trutwins.homeip.net has no MX record
> homeip.net MX isn't 209.18.107.89
> davidtrutwin.com MX isn't 209.18.107.89
> 209.18.107.89 says fastconcepts.com in its HELO

Yeah, I should've been more specific about my situation.  The
209.18.107.89 is the sending server - my dad sent me an email, I
have his email on the 209 box.  trutwins.homeip.net is my home email
server on dynamic DNS, I don't care so much about this as I'm the
only one that uses it. davidtrutwin.com is on the other of the two
small IP blocks I have for the sending server.

# dnsmx davidtrutwin.com
0 mail.davidtrutwin.com
# dnsip mail.davidtrutwin.com
65.17.208.225 
# dnsname 65.17.208.225
netbits.us
# dnsip netbits.us
65.17.208.225 

I use qmail, and one of the things I've never truly understood is
what IP address it picks from the IP block for the message header.

On the 209.18.107.89 box I manage about 100 or so domains so if
they are hitting botnet, I'm hoping I can figure out why and fix.
Botnet's been great for spam, but I don't want my clients to be
false positives.  :)

> However, the DNS and PTR for 209.18.107.89 are fine.

I guess they will trigger a different botnet rule, though I'll fix
that (see John's reply).

Thanks!

Josh


Re: Hmm - a server I manage is triggering Botnet

2007-01-26 Thread Josh Trutwin
On Fri, 26 Jan 2007 12:31:48 -0800
John Rudd <[EMAIL PROTECTED]> wrote:

> Josh Trutwin wrote:
> > I'm the admin for the IP below and got this on a different
> > server I manage:
> > 
> > 5.0 BOTNET Relay might be a spambot or virusbot
> > [botnet0.7,ip=209.18.107.89,hostname=netbits.us,maildomain=davidtrutwin.com,baddns]
> > 
> > I guess this is because of full-circle DNS, but I'm not sure
> > how to correct the issue.  I have this IP's reverse DNS set up
> > like so:
> > 
> > # dnsname 209.18.107.89
> > ptr-20989.fastconcepts.net
> > # dnsip ptr-20989.fastconcepts.net
> > 209.18.107.89 
> > 
> > I thought this was correct for full-circle DNS?
> > 
> 
> That is odd... I don't know why it's triggering "baddns" for
> you.  I can tell you that it WILL trigger "iphostname" for you
> though: 20989 -> 209 and 89 which are two of your IP octets.

Hmm, interesting.  I set them up this way because we have two
separate IP blocks (small ones though) - I can change my scheme,
probably just use the last octet for now since they will be unique
for my set of IP's.

> I'll look into the baddns part though.

Great, thanks, let me know if you need any additional info - I'm
replying to the other response which will have the full message
headers.

Josh


Re: Hmm - a server I manage is triggering Botnet

2007-01-26 Thread John Rudd

Josh Trutwin wrote:

I'm the admin for the IP below and got this on a different server
I manage:

5.0 BOTNET Relay might be a spambot or virusbot
[botnet0.7,ip=209.18.107.89,hostname=netbits.us,maildomain=davidtrutwin.com,baddns]

I guess this is because of full-circle DNS, but I'm not sure how to
correct the issue.  I have this IP's reverse DNS set up like so:

# dnsname 209.18.107.89
ptr-20989.fastconcepts.net
# dnsip ptr-20989.fastconcepts.net
209.18.107.89 


I thought this was correct for full-circle DNS?



That is odd... I don't know why it's triggering "baddns" for you.  I can 
tell you that it WILL trigger "iphostname" for you though: 20989 -> 209 
and 89 which are two of your IP octets.



I'll look into the baddns part though.
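The "iphostname" remark above (20989 contains 209 and 89, two octets of 209.18.107.89) and John's later note that 0.7 only looks at consecutive octets are two different readings of the same heuristic. The following is example code written for this page, not the plugin's own Perl and not anything posted in the thread: it implements both readings over the hostnames that appear in the thread, so the difference is visible. The separator set a generated hostname may use between two octets is an assumption; the thread does not say what the plugin accepts.

```python
def octets(ip):
    """Split a dotted-quad IPv4 address into its four octet strings."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    return parts


# Separators that may sit between two octets in a generated hostname.  Which
# ones the plugin accepts is not stated in the thread; this set is an assumption.
SEPARATORS = ("", "-", ".", "_")


def consecutive_octets_in_hostname(ip, hostname):
    """The narrower test John says 0.7 applies: two *adjacent* octets of the
    IP appear next to each other in the hostname.  Returns the matched text
    (for example "107-89") or None."""
    o = octets(ip)
    host = hostname.lower()
    for left, right in zip(o, o[1:]):
        for sep in SEPARATORS:
            needle = left + sep + right
            if needle in host:
                return needle
    return None


def any_two_octets_in_hostname(ip, hostname):
    """The looser reading John first gives for ptr-20989: at least two distinct
    octets of the IP appear anywhere in the hostname, adjacent or not."""
    host = hostname.lower()
    found = {o for o in set(octets(ip)) if o in host}
    return len(found) >= 2


if __name__ == "__main__":
    ip = "209.18.107.89"
    for name in ("ptr-20989.fastconcepts.net",    # the PTR from the thread
                 "ptr-89.fastconcepts.net",       # the PTR Josh said he was moving to
                 "ptr-107-89.fastconcepts.net"):  # constructed: adjacent octets
        print("%-30s consecutive=%-8s any_two=%s" % (
            name, consecutive_octets_in_hostname(ip, name),
            any_two_octets_in_hostname(ip, name)))
```

For ptr-20989.fastconcepts.net the loose reading fires (209 and 89 are both present) while the consecutive-octet reading does not, since 209 and 89 are the first and last octets; that is exactly the split between John's two remarks. A name built from the last octet alone, as Josh planned, matches neither.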



RE: Hmm - a server I manage is triggering Botnet

2007-01-26 Thread Dan Barker
Can you provide more of the headers?

You post from trutwins.homeip.net
Botnet complains about netbits.us and davidtrutwin.com
trutwins.homeip.net has no MX record
homeip.net MX isn't 209.18.107.89
davidtrutwin.com MX isn't 209.18.107.89
209.18.107.89 says fastconcepts.com in its HELO

However, the DNS and PTR for 209.18.107.89 are fine.

Dan

-Original Message-
From: Josh Trutwin [mailto:[EMAIL PROTECTED]
Sent: Friday, January 26, 2007 2:25 PM
To: users@spamassassin.apache.org
Subject: Hmm - a server I manage is triggering Botnet


I'm the admin for the IP below and got this on a different server
I manage:

5.0 BOTNET Relay might be a spambot or virusbot
[botnet0.7,ip=209.18.107.89,hostname=netbits.us,maildomain=davidtrutwin.com,
baddns]

I guess this is because of full-circle DNS, but I'm not sure how to
correct the issue.  I have this IP's reverse DNS set up like so:

# dnsname 209.18.107.89
ptr-20989.fastconcepts.net
# dnsip ptr-20989.fastconcepts.net
209.18.107.89

I thought this was correct for full-circle DNS?

Thanks,

Josh



Hmm - a server I manage is triggering Botnet

2007-01-26 Thread Josh Trutwin
I'm the admin for the IP below and got this on a different server
I manage:

5.0 BOTNET Relay might be a spambot or virusbot
[botnet0.7,ip=209.18.107.89,hostname=netbits.us,maildomain=davidtrutwin.com,baddns]

I guess this is because of full-circle DNS, but I'm not sure how to
correct the issue.  I have this IP's reverse DNS set up like so:

# dnsname 209.18.107.89
ptr-20989.fastconcepts.net
# dnsip ptr-20989.fastconcepts.net
209.18.107.89 

I thought this was correct for full-circle DNS?

Thanks,

Josh