interesting. the ipv6 address is correct, spock.dilkie.com was the source of the email.
however, the quoted ipv4 address, 216.191.234.70 is my employer's mail gateway (Mitel), and I suspect the script grabbed the ip address I used to send the test message to my server that was relayed to Yves. (ie. the first hop was ipv4, the second was ipv6). -lee On 7/2/2011 4:06 AM, Yves Goergen wrote: > On 30.06.2011 13:06 CE(S)T, Matthew Newton wrote: >> On Wed, Jun 29, 2011 at 09:59:52PM +0200, Yves Goergen wrote: >>>> Received: from sp***ck.di***ie.com ([2001:***::40]) >>>> by do***rd.de with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) >>>> (Exim 4.71) >>>> (envelope-from <L***e@Di***ie.com>) >>>> id 1Qc0UA-0001R3-DT >>>> for nospam.list@un***ed.de; Wed, 29 Jun 2011 21:31:44 +0200 >>>> X-Spam-Report: Content analysis details: >>>> 0.2 BOTNET Relay might be a spambot or virusbot >>>> >>>> [botnet0.8,ip=2**.1**.2**.7*,maildomain=Di***ie.com,nordns] >>> Doesn't seem to work. It's a false positive again. And Botnet recognises >>> the incoming IPv6 address as some IPv4 address and reports that one. >> That doesn't look right - unless your munging has really messed it >> up. BOTNET seemed to check an IPv4 address there: "2**.1**.2**.7*" >> >> Do a dig -x against that IPv4 address, and the 2001:***::40 >> address, and see if both have correct PTRs. > I cannot interpret the results: > >> $ dig -x 216.191.234.70 >> >> ; <<>> DiG 9.7.0-P1 <<>> -x 216.191.234.70 >> ;; global options: +cmd >> ;; Got answer: >> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22386 >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 >> >> ;; QUESTION SECTION: >> ;70.234.191.216.in-addr.arpa. IN PTR >> >> ;; AUTHORITY SECTION: >> 234.191.216.in-addr.arpa. 3446 IN SOA >> ns1.business.allstream.net. hostmaster.business.allstream.net. 2010030901 >> 3600 900 604800 21600 >> >> ;; Query time: 1 msec >> ;; SERVER: 2a01:4f8:121:5161::2#53(2a01:4f8:121:5161::2) >> ;; WHEN: Sat Jul 2 10:02:25 2011 >> ;; MSG SIZE rcvd: 118 > and > >> $ dig -x 2001:470:8900::40 >> >> ; <<>> DiG 9.7.0-P1 <<>> -x 2001:470:8900::40 >> ;; global options: +cmd >> ;; Got answer: >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34084 >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 >> >> ;; QUESTION SECTION: >> ;0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa. >> IN PTR >> >> ;; ANSWER SECTION: >> 0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa. >> 3600 IN PTR spock.dilkie.com. >> >> ;; Query time: 1141 msec >> ;; SERVER: 2a01:4f8:121:5161::2#53(2a01:4f8:121:5161::2) >> ;; WHEN: Sat Jul 2 10:02:38 2011 >> ;; MSG SIZE rcvd: 120 > (I figured out it's useless to obfuscate addresses and names here as > they're sent over the list as well.) >
