On Fri, 26 Jan 2007 14:57:57 -0500
"Dan Barker" <[EMAIL PROTECTED]> wrote:

> Can you provide more of the headers?

Sure - here's the complete set:

X-Envelope-From: [EMAIL PROTECTED]
Received: from netbits.us ([209.18.107.89])
  by 0 ([192.168.0.3])
  with SMTP via SSL; 25 Jan 2007 23:47:53 -0000
Received: (qmail 1330 invoked by uid 1033); 25 Jan 2007 23:39:43 -0000
Received: from 204.214.24.199 by fastconcepts (envelope-from
  <[EMAIL PROTECTED]>, uid 0) with qmail-scanner-2.01st
  (clamdscan: 0.88.7/2484. spamassassin: 3.1.7. perlscan: 2.01st.
  Clear:RC:1(204.214.24.199):. Processed in 0.055125 secs); 25 Jan 2007 23:39:43 -0000
Received: from 204.214.24.199 ([204.214.24.199])
  by fastconcepts.com ([65.17.208.225])
  with ESMTP via SSL; 25 Jan 2007 23:39:43 -0000
Message-ID: <[EMAIL PROTECTED]>
Date: Thu, 25 Jan 2007 17:47:36 -0600
From: David Trutwin <[EMAIL PROTECTED]>
User-Agent: Thunderbird 1.5.0.9 (X11/20070103)
MIME-Version: 1.0
To: Josh Trutwin <[EMAIL PROTECTED]>
Subject: Re: thought you'd like this
References: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit


Here's the SA report (sorry for crappy word wrap):

Content analysis details:   (5.1 points, 5.0 required)

 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.7,ip=209.18.107.89,hostname=netbits.us,maildomain=davidtrutwin.com,baddns]
 1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.3696]
-1.2 AWL                    AWL: From: address is in the auto white-list

> You post from trutwins.homeip.net
> Botnet complains about netbits.us and davidtrutwin.com
> trutwins.homeip.net has no MX record
> homeip.net MX isn't 209.18.107.89
> davidtrutwin.com MX isn't 209.18.107.89
> 209.18.107.89 says fastconcepts.com in its HELO

Yeah, I should've been more specific about my situation.  The
209.18.107.89 is the sending server - my dad sent me an email, I
have his email on the 209 box.  trutwins.homeip.net is my home email
server on dynamic DNS, I don't care so much about this as I'm the
only one that uses it. davidtrutwin.com is on the other of the two
small IP blocks I have for the sending server.

# dnsmx davidtrutwin.com
0 mail.davidtrutwin.com
# dnsip mail.davidtrutwin.com
65.17.208.225 
# dnsname 65.17.208.225
netbits.us
# dnsip netbits.us
65.17.208.225 

I use qmail, and one of the things I've never truly understood is
what IP address it picks from the IP block for the message header.

On the 209.18.107.89 box I manage about 100 or so domains so if
they are hitting botnet, I'm hoping I can figure out why and fix.
Botnet's been great for spam, but I don't want my clients to be
false positives.  :)

> However, the DNS and PTR for 209.18.107.89 are fine.

I guess they will trigger a different botnet rule, though I'll fix
that (see John's reply).

Thanks!

Josh

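The checks Dan lists (HELO name, PTR, forward lookup of the PTR name, MX of the mail domain, all compared against the relay IP) can be replayed by hand from the Received headers. The script below is an added example, not code from this thread, from SpamAssassin or from the Botnet plugin. It pulls the relay IP and HELO out of each Received hop, flags a bare IP used as HELO (the RCVD_NUMERIC_HELO complaint), and runs the DNS agreement checks through a pluggable resolver. The resolver here is a static table filled from the dnsmx/dnsip/dnsname output pasted above so it runs offline; the one entry not shown above, the PTR for 209.18.107.89, is assumed to be netbits.us because that is the hostname= the BOTNET rule printed for that IP. The finding labels (baddns, no_ptr, helo_mismatch, mx_mismatch) are this script's own names, not the plugin's sub-rule names.

```python
"""Replay the relay-DNS checks from this thread over Received headers.

Added example; not SpamAssassin or Botnet plugin code. Lookups come
from a static table built from the dnsmx/dnsip/dnsname output in the
thread, so it runs offline. Swap in a real resolver for live use.
"""
import re
from typing import Dict, List, Optional, Tuple

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Matches "from <helo> ([<ip>])" as written by the SSL/qmail hops in this thread.
HOP_RE = re.compile(r"^from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>" + IPV4 + r")\]?\)")

# Received headers from the pasted message, unwrapped onto one line each
# (constructed sample input; the qmail-scanner hop is omitted).
RECEIVED = [
    "from netbits.us ([209.18.107.89]) by 0 ([192.168.0.3]) "
    "with SMTP via SSL; 25 Jan 2007 23:47:53 -0000",
    "(qmail 1330 invoked by uid 1033); 25 Jan 2007 23:39:43 -0000",
    "from 204.214.24.199 ([204.214.24.199]) by fastconcepts.com "
    "([65.17.208.225]) with ESMTP via SSL; 25 Jan 2007 23:39:43 -0000",
]

Key = Tuple[str, str]


class StaticResolver:
    """Dict-backed stand-in for DNS; unknown names answer None / []."""

    def __init__(self, table: Dict[Key, object]) -> None:
        self.table = table

    def a(self, name: str) -> List[str]:
        return list(self.table.get(("A", name), []))  # type: ignore[arg-type]

    def ptr(self, ip: str) -> Optional[str]:
        v = self.table.get(("PTR", ip))
        return str(v) if v else None

    def mx(self, domain: str) -> List[str]:
        return list(self.table.get(("MX", domain), []))  # type: ignore[arg-type]


RESOLVER = StaticResolver({
    # From the dnsmx / dnsip / dnsname output in the thread:
    ("MX", "davidtrutwin.com"): ["mail.davidtrutwin.com"],
    ("A", "mail.davidtrutwin.com"): ["65.17.208.225"],
    ("PTR", "65.17.208.225"): "netbits.us",
    ("A", "netbits.us"): ["65.17.208.225"],
    # Assumption: PTR for 209.18.107.89 is netbits.us, the hostname= value
    # the BOTNET rule reported for that IP. Not shown directly in the thread.
    ("PTR", "209.18.107.89"): "netbits.us",
})


def parse_hop(received: str) -> Optional[Dict[str, str]]:
    """Return {'helo', 'ip'} for a relay hop, None for local hops."""
    m = HOP_RE.match(received.strip())
    if not m:
        return None  # e.g. "(qmail NNN invoked by uid ...)" local delivery
    return {"helo": m.group("helo"), "ip": m.group("ip")}


def check_hop(hop: Dict[str, str], resolver: StaticResolver,
              mail_domain: Optional[str] = None) -> List[str]:
    """Run the HELO / PTR / forward / MX agreement checks for one relay."""
    ip, helo = hop["ip"], hop["helo"]
    findings: List[str] = []
    if re.fullmatch(IPV4, helo):
        findings.append("numeric_helo")        # bare IP used as HELO
    elif ip not in resolver.a(helo):
        findings.append("helo_mismatch")       # HELO name does not resolve to relay
    name = resolver.ptr(ip)
    if name is None:
        findings.append("no_ptr")              # no reverse DNS (or not in table)
    elif ip not in resolver.a(name):
        findings.append("baddns")              # PTR name does not point back at relay
    if mail_domain:
        mx_ips = [a for h in resolver.mx(mail_domain) for a in resolver.a(h)]
        if ip not in mx_ips:
            findings.append("mx_mismatch")     # sender domain's MX is not the relay
    return sorted(findings)


def audit(received: List[str], resolver: StaticResolver,
          mail_domain: Optional[str] = None) -> List[Tuple[str, List[str]]]:
    """Check every relay hop; the MX test applies only to the outermost hop,
    the machine that actually handed the message to our server."""
    out: List[Tuple[str, List[str]]] = []
    for line in received:
        hop = parse_hop(line)
        if hop is None:
            continue
        domain = mail_domain if not out else None
        out.append((hop["ip"], check_hop(hop, resolver, domain)))
    return out


if __name__ == "__main__":
    for ip, findings in audit(RECEIVED, RESOLVER, "davidtrutwin.com"):
        print(ip, ", ".join(findings) or "ok")
```

Run as-is it reports baddns, helo_mismatch and mx_mismatch for 209.18.107.89, which is exactly the situation in the thread: both the HELO name and the PTR name resolve to the other block's address (65.17.208.225), and so does the MX of the mail domain. Adding a forward A record for the name the 209 box presents, or making that box HELO and reverse-resolve as a name that points at 209.18.107.89, clears all three; the numeric HELO on the inner hop is a separate fix on the 204.214.24.199 client.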