On 05/01/2011 6:22 PM, Michael Monnerie wrote:
Dear list,

I received this info from a customer, whose order confirmation from
londontheatredirect.com got marked as spam because of BOTNET* rules. Are
those rules too old, or is that server in a botnet? How to find out?
Or which rule scores should I tune to optimize?


----------  Forwarded message ----------

Date: Tuesday, 28 December 2010

Preview:  LondonTheatreDirect.com Order confirmation Many thanks for
    your order, christian enserer Please print this confirmation for your
    reference
    [...]

Analysis details:   (6.0 points, 5.0 required)

 Pts  Rule name              Description
---- ---------------------- -------------------------------------------------
-0.5 L_P0F_D7               L_P0F_D7
 0.5 L_P0F_W                Relayed through Windows OS except Windows XP
 0.0 RELAY_UK               Relayed through Britain
 2.2 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=88.208.245.26,rdns=server88-208-245-26.live-servers.net,maildomain=londontheatredir...]
 0.3 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
                            [botnet_ipinhosntame,ip=88.208.245.26,rdns=server88-208-245-26.live-servers.net]
 0.0 BOTNET_CLIENT          Relay has a client-like hostname
                            [botnet_client,ip=88.208.245.26,rdns=server88-208-245-26.live-servers.net,ipinhostname]
-0.0 BAYES_40               BODY: Bayes spam probability is 20 to 40%
                            [score: 0.3460]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 1.0 RDNS_DYNAMIC           Delivered to internal network by host with
                            dynamic-looking rDNS
 0.0 LOTS_OF_MONEY          Huge... sums of money
 1.6 BOTNET_WIN             Mail from Windows XP which seems to be in a
                            Botnet
I would suspect that you are using non-standard rules. What's most concerning are the old p0f rules that look for Windows XP. That is dangerous and a bad thing to use as a rule (the OS of the sender).

I would remove the p0f and botnet rules if I were you. That would solve your problem.

Regards,
Lawrence
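To make the two points above concrete, here is a small Python script written for this thread (example code, not the Botnet plugin's or SpamAssassin's own source). It takes the relay IP and rDNS from the report, shows why BOTNET_IPINHOSTNAME matches a hosting provider's generic server name (the IP "88-208-245-26" is literally embedded in it), and re-totals the report's hits with the p0f and BOTNET* scores set to zero the way `score RULE value` lines in local.cf would. The IP-spelling and "client-like" heuristics are an approximation of what such rules check, not the plugin's actual algorithm, and the sample hostname in the tests is constructed.

```python
"""Why the BOTNET rules fired on the relay in the report, and what zeroing
them does to the total. Example code for the thread; the matching heuristics
below are an assumption, not the Botnet plugin's or SpamAssassin's code."""
from typing import Dict, List, Optional, Tuple

# Relay details copied from the report in the thread.
SAMPLE_IP = "88.208.245.26"
SAMPLE_RDNS = "server88-208-245-26.live-servers.net"

# Rule hits and scores copied from the report; they total 6.0 against 5.0.
REPORT_HITS: List[Tuple[str, float]] = [
    ("L_P0F_D7", -0.5), ("L_P0F_W", 0.5), ("RELAY_UK", 0.0), ("BOTNET", 2.2),
    ("BOTNET_IPINHOSTNAME", 0.3), ("BOTNET_CLIENT", 0.0), ("BAYES_40", 0.0),
    ("HTML_MESSAGE", 0.0), ("MIME_HTML_ONLY", 0.5), ("HTML_MIME_NO_HTML_TAG", 0.4),
    ("RDNS_DYNAMIC", 1.0), ("LOTS_OF_MONEY", 0.0), ("BOTNET_WIN", 1.6),
]
REQUIRED_SCORE = 5.0


def ip_spellings(ip: str) -> List[str]:
    """Ways an IPv4 address tends to be embedded in auto-generated rDNS names
    (dotted, dashed, underscored, concatenated, reversed, zero-padded, hex)."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {ip}")
    spellings = []
    for sep in (".", "-", "_", ""):
        spellings.append(sep.join(octets))
        spellings.append(sep.join(reversed(octets)))
    spellings.append("".join(f"{int(o):03d}" for o in octets))  # 088208245026
    spellings.append("".join(f"{int(o):02x}" for o in octets))  # 58d0f51a
    return spellings


def ip_in_hostname(ip: str, rdns: str) -> Optional[str]:
    """Return the spelling that matched if the relay's own IP is in its rDNS."""
    host = rdns.lower().rstrip(".")
    for spelling in ip_spellings(ip):
        if spelling in host:
            return spelling
    return None


# Tokens that suggest an end-user / dynamic pool rather than a mail server
# (assumed list, not the plugin's).
CLIENT_TOKENS = ("dyn", "dhcp", "pool", "ppp", "dsl", "cable", "dial", "cust", "client")


def client_like(rdns: str) -> bool:
    host = rdns.lower()
    return any(tok in host for tok in CLIENT_TOKENS)


def rescore(hits: List[Tuple[str, float]], overrides: Dict[str, float]) -> float:
    """Total the hits with per-rule score overrides applied, i.e. the effect
    of `score RULE value` lines in local.cf on this particular message."""
    total = sum(overrides.get(rule, score) for rule, score in hits)
    return round(total, 1)


def local_cf_lines(overrides: Dict[str, float]) -> List[str]:
    """Render the overrides as local.cf score lines."""
    return [f"score {rule} {value:g}" for rule, value in sorted(overrides.items())]


# Lawrence's suggestion: take the p0f and Botnet rules out of the decision.
ZERO_P0F_AND_BOTNET: Dict[str, float] = {
    rule: 0.0 for rule, _ in REPORT_HITS if rule.startswith(("L_P0F_", "BOTNET"))
}

if __name__ == "__main__":
    print("IP spelling found in rDNS:", ip_in_hostname(SAMPLE_IP, SAMPLE_RDNS))
    print("client-like name:", client_like(SAMPLE_RDNS))
    before = rescore(REPORT_HITS, {})
    after = rescore(REPORT_HITS, ZERO_P0F_AND_BOTNET)
    print(f"score {before} -> {after} (required {REQUIRED_SCORE})")
    print("\n".join(local_cf_lines(ZERO_P0F_AND_BOTNET)))
```

Running it shows the message dropping from 6.0 to 1.9, well under the 5.0 threshold, with only the stock rules (MIME_HTML_ONLY, HTML_MIME_NO_HTML_TAG, RDNS_DYNAMIC) left contributing. What the script does not do is confirm whether 88.208.245.26 is actually a compromised host; that needs a DNS and reputation lookup, not a hostname pattern, which is exactly why a rule keyed on "IP appears in rDNS" punishes ordinary hosting providers.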
