On 30.06.2011 13:06 CE(S)T, Matthew Newton wrote:
> On Wed, Jun 29, 2011 at 09:59:52PM +0200, Yves Goergen wrote:
>>> Received: from sp***ck.di***ie.com ([2001:***::40])
>>> by do***rd.de with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
>>> (Exim 4.71)
>>> (envelope-from <L***e@Di***ie.com>)
>>> id 1Qc0UA-0001R3-DT
>>> for nospam.list@un***ed.de; Wed, 29 Jun 2011 21:31:44 +0200
>>> X-Spam-Report: Content analysis details:
>>> 0.2 BOTNET Relay might be a spambot or virusbot
>>>
>>> [botnet0.8,ip=2**.1**.2**.7*,maildomain=Di***ie.com,nordns]
>> Doesn't seem to work. It's a false positive again. And Botnet recognises
>> the incoming IPv6 address as some IPv4 address and reports that one.
>
> That doesn't look right - unless your munging has really messed it
> up. BOTNET seemed to check an IPv4 address there: "2**.1**.2**.7*"
>
> Do a dig -x against that IPv4 address, and the 2001:***::40
> address, and see if both have correct PTRs.

I cannot interpret the results:

> $ dig -x 216.191.234.70
>
> ; <<>> DiG 9.7.0-P1 <<>> -x 216.191.234.70
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22386
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;70.234.191.216.in-addr.arpa. IN PTR
>
> ;; AUTHORITY SECTION:
> 234.191.216.in-addr.arpa. 3446 IN SOA
> ns1.business.allstream.net. hostmaster.business.allstream.net. 2010030901
> 3600 900 604800 21600
>
> ;; Query time: 1 msec
> ;; SERVER: 2a01:4f8:121:5161::2#53(2a01:4f8:121:5161::2)
> ;; WHEN: Sat Jul 2 10:02:25 2011
> ;; MSG SIZE rcvd: 118

and

> $ dig -x 2001:470:8900::40
>
> ; <<>> DiG 9.7.0-P1 <<>> -x 2001:470:8900::40
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34084
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa. IN
> PTR
>
> ;; ANSWER SECTION:
> 0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa.
> 3600 IN PTR spock.dilkie.com.
>
> ;; Query time: 1141 msec
> ;; SERVER: 2a01:4f8:121:5161::2#53(2a01:4f8:121:5161::2)
> ;; WHEN: Sat Jul 2 10:02:38 2011
> ;; MSG SIZE rcvd: 120

(I figured out it's useless to obfuscate addresses and names here as
they're sent over the list as well.)

-- 
Yves Goergen "LonelyPixel" <nospam.l...@unclassified.de>
Visit my web laboratory at http://beta.unclassified.de
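
Added example (not part of the original message): a Python reading of the two dig -x results quoted above, reporting for each address whether a PTR record came back. The function names are illustrative, and the sample text is abridged from the output in the message with wrapped lines rejoined.

```python
import ipaddress
import re

def ptr_name(addr):
    """Name that `dig -x` queries: in-addr.arpa for IPv4, ip6.arpa for IPv6."""
    return ipaddress.ip_address(addr).reverse_pointer + "."

def parse_dig(output):
    """Return (status, {owner name: [PTR targets]}) from dig's text output."""
    status = re.search(r"status: (\w+)", output).group(1)
    ptrs = {}
    # Record lines do not start with ';' (those are comments and the question).
    for owner, target in re.findall(
            r"^([^;\s]\S*)\s+\d+\s+IN\s+PTR\s+(\S+)$", output, re.M):
        ptrs.setdefault(owner, []).append(target)
    return status, ptrs

def rdns_verdict(addr, output):
    """One-line reading of a `dig -x` result for addr."""
    status, ptrs = parse_dig(output)
    targets = ptrs.get(ptr_name(addr), [])
    if not targets:
        return f"{addr}: no PTR record ({status})"
    return f"{addr}: PTR {', '.join(targets)} ({status})"

# Abridged from the two dig outputs in the message, wrapped lines rejoined.
DIG_V4 = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22386
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;70.234.191.216.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
234.191.216.in-addr.arpa. 3446 IN SOA ns1.business.allstream.net. hostmaster.business.allstream.net. 2010030901 3600 900 604800 21600
"""
DIG_V6 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34084
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR
;; ANSWER SECTION:
0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa. 3600 IN PTR spock.dilkie.com.
"""

if __name__ == "__main__":
    print(rdns_verdict("216.191.234.70", DIG_V4))
    print(rdns_verdict("2001:470:8900::40", DIG_V6))
```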