John Rudd wrote:

a) if you're big, have reverse DNS that works, looks like a server, and doesn't look like a client (ie. the things Botnet looks for).

b) if you're small:
   i) try to get your ISP to do the right thing (above) with your reverse DNS, or
   ii) get a hosted service that does the right thing (above) with your reverse DNS, or
   iii) use your ISP's outgoing mail server for your outbound mail, or
   iv) don't have separate outgoing and incoming mail servers (ie. your outgoing mail server's IP address should be resolved by a hostname in either your mail domain's MX record, or your mail domain's A record)


And then use some heuristics like Botnet* to get rid of the hosts that don't conform to the above.


(* the next version of Botnet is going to have an option for exempting messages in case b-iv: if the sender's mail domain leads back to the relay's IP address, then ignore the fact that it has botnet-like DNS ... but I'll probably put a cap on the number of IP A records and MX records Botnet will look at, to prevent spammer abuse ... a SOHO shop probably wouldn't have more than a few)

I've had Botnet 0.6 running for a few days now, with a spamassassin score of 1.0 for testing. I have only 25 users, and we get about 1000 messages per day, of which about 75% is spam. Botnet hits on a very large proportion of the spam.

So far I've identified about a dozen of our regular correspondents that run afoul of Botnet. Most of them have the IP-address-in-the-reverse-DNS problem. For fun, I tried a few tests of your b-iv rule mentioned above and found that it would not fix the false positives.

I think the false positives are coming almost entirely from small businesses running an in-house Exchange server. I also think that a lot of them use a filtering service like Postini in front of their Exchange machine, which effectively makes it appear that their incoming and outgoing servers are different.

I haven't decided yet if I will go on a crusade to notify all the problem domains (they are my clients, so I can't afford to annoy them), or if I will whitelist all of them, or if I will back off on Botnet.

Mark
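The reverse-DNS test and the proposed b-iv exemption, as an added illustration that is not the Botnet plugin's own code: the DNS table is constructed for the example, the "botnet-like" test is simplified to missing reverse DNS or the relay's own octets appearing in its PTR name, and the record cap (4) is an assumed value. The third case reproduces Mark's Postini-style false positive: the MX points at the filtering service and the A record at a web host, so the in-house relay never leads back.

```python
import re

# Constructed DNS snapshot for this example (not real records).
# Maps (name, record type) -> values; MX values are bare hostnames.
FAKE_DNS = {
    ("5.2.0.192.in-addr.arpa", "PTR"): ["mail.bigcorp.example"],
    # SOHO shop: client-looking reverse DNS, but MX -> A leads back to the relay (case b-iv)
    ("7.113.0.203.in-addr.arpa", "PTR"): ["203-0-113-7.dyn.isp.example"],
    ("soho.example", "MX"): ["mail.soho.example"],
    ("mail.soho.example", "A"): ["203.0.113.7"],
    # Filtered shop: MX is a filtering service, A is a web host, outbound relay is 203.0.113.9
    ("9.113.0.203.in-addr.arpa", "PTR"): ["203-0-113-9.dyn.isp.example"],
    ("filtered.example", "MX"): ["mx.filterservice.example"],
    ("mx.filterservice.example", "A"): ["198.51.100.20"],
    ("filtered.example", "A"): ["198.51.100.80"],
    # Domain with many MX hosts; relay 192.0.2.6 has no reverse DNS at all
    ("spam.example", "MX"): [f"m{i}.spam.example" for i in range(1, 7)],
}
for i in range(1, 7):
    FAKE_DNS[(f"m{i}.spam.example", "A")] = [f"192.0.2.{i}"]

def lookup(name, rtype):
    return FAKE_DNS.get((name, rtype), [])

def botnet_like_rdns(ip):
    """True when the relay has no reverse DNS or its own octets appear in its PTR name."""
    ptrs = lookup(".".join(reversed(ip.split("."))) + ".in-addr.arpa", "PTR")
    if not ptrs:
        return True
    octets = ip.split(".")
    return any(all(o in re.split(r"[.-]", p) for o in octets) for p in ptrs)

def domain_leads_back(sender_domain, relay_ip, max_records=4):
    """Case b-iv: relay IP is an A record of the sender domain or of one of its MX hosts; only the first max_records addresses are examined (the cap)."""
    checked = 0
    for host in [sender_domain] + lookup(sender_domain, "MX"):
        for addr in lookup(host, "A"):
            if checked >= max_records:
                return False
            checked += 1
            if addr == relay_ip:
                return True
    return False

def classify(relay_ip, sender_domain, max_records=4):
    """'ok' if reverse DNS looks like a server; otherwise 'exempt' under b-iv or 'flag'."""
    if not botnet_like_rdns(relay_ip):
        return "ok"
    return "exempt" if domain_leads_back(sender_domain, relay_ip, max_records) else "flag"
```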