Posted to users@spamassassin.apache.org by Bret Miller <br...@wcg.org> on 2007/08/21 21:15:27 UTC

BOTNET Exceptions for Today

I keep saying that I have false positives with botnet, but haven't
substantiated that to date. So, today I'm spending a little time making
exceptions since I would like this to work. Here are today's:

Americanpayroll.org, sent from IP 67.106.104.135, resolves to
67.106.106.135.ptr.us.xo.net #OK, that's just stupid.

Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP
204.92.135.90, resolves to smtp22.enews.webbuyersguide.com #not sure why
this got a BOTNET=1 flag, but it did. Also find hosts 92, 75, 70, 74, 93,
86, and others. All similarly resolve to smtpnn.enews.webbuyersguide.com. 

meridiencancun.com.mx, sent from IP , resolves to
customer-148-233-9-212.uninet-ide.com.mx #more stupidity

Wordreference.com (WordReference Forums), sent from IP 75.126.51.99,
resolves to www2mail.wordreference.com, again no idea why it gets flagged.

Cityofpasadena.net (City of Pasadena, California), sent from IP 204.89.9.11,
resolves to 204-89-9-11-cityofpasadena.net, ns3.pasadenapubliclibrary.com,
and ns3.cityofpasadena.net. What's with all this putting of IP addresses in
the host name...

AltoEdge Hardware, sent from IP 69.94.122.246, resolves to
server.nch.com.au, another no idea why BOTNET=1, but it does. Just out of
curiosity, I ran this through again with debug enabled so I could get more
details. Here's what it says:

[2472] dbg: Botnet: starting
[2472] dbg: Botnet: no trusted relays
[2472] dbg: Botnet: get_relay didn't find RDNS
[2472] dbg: Botnet: IP is '69.94.122.246'
[2472] dbg: Botnet: RDNS is 'server.nch.com.au'
[2472] dbg: Botnet: HELO is 'server.nch.com.au'
[2472] dbg: Botnet: sender 'admin1@server.nch.com.au'
[2472] dbg: Botnet: hit (baddns)
[2472] dbg: rules: ran eval rule BOTNET ======> got hit (1)

I'm not sure what it means. The IP resolves to server.nch.com.au and it
resolves to the IP. Not sure what is "bad" about dns here. I'm also not sure
what headers botnet looks at. The top Received header is ours and the others
are all internal to the sender. 

Return-Path: <ad...@server.nch.com.au>
Received: from [69.94.122.246] (HELO server.nch.com.au)
  by mail.wcg.org (CommuniGate Pro SMTP 5.1.11)
  with ESMTPS id 22264274 for xxxx@wcg.org; Tue, 21 Aug 2007 09:58:14 -0700
Received: from server.nch.com.au (localhost.localdomain [127.0.0.1])
	by server.nch.com.au (8.12.11/8.12.11) with ESMTP id l7LHRYOp002918
	for <xx...@wcg.org>; Tue, 21 Aug 2007 13:27:34 -0400
Received: (from admin1@localhost)
	by server.nch.com.au (8.12.11/8.12.11/Submit) id l7LHRXY5001737;
	Tue, 21 Aug 2007 13:27:33 -0400
Date: Tue, 21 Aug 2007 13:27:33 -0400
Message-Id: <20...@server.nch.com.au>
To: xxxx@wcg.org
From: "AltoEdge Hardware Orders" <do...@altoedge.com>
Subject: Online Hardware Order (ref: HW13315)

Enough time spent today... More at a later date. I've had actual complaints
about 2 of the exceptions listed above, and as you might surmise from above,
I only run with the score set to 1. I'd like it higher, but there are tons
more of these that I have to make exceptions for before I can do that. It's
a good idea-- too bad there isn't a way to make it somewhat more accurate.

Bret



Re: BOTNET Exceptions for Today

Posted by Kai Schaetzl <ma...@conactive.com>.
Bret Miller wrote on Tue, 21 Aug 2007 12:15:27 -0700:

> Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP
> 204.92.135.90, resolves to smtp22.enews.webbuyersguide.com #not sure why
> this got a BOTNET=1 flag, but it did. Also find hosts 92, 75, 70, 74, 93,
> 86, and others. All similarly resolve to smtpnn.enews.webbuyersguide.com. 

But smtp22.enews.webbuyersguide.com doesn't resolve, *very* stupid.

> Wordreference.com (WordReference Forums), sent from IP 75.126.51.99,
> resolves to www2mail.wordreference.com, again no idea why it gets flagged.

dns is ok, might be hitting some clientword, didn't check.

> AltoEdge Hardware, sent from IP 69.94.122.246, resolves to
> server.nch.com.au,

but server.nch.com.au not to 69.94.122.246, but to 69.94.122.247.


Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: BOTNET Exceptions for Today

Posted by John Rudd <jr...@ucsc.edu>.
SM wrote:
> The server.nch.com.au case is an interesting one.  Technically, there isn't 
> anything wrong with that setup.  But I digress as we are talking about 
> antispam here.

Technically, there is a problem with it: it violates best practices 
asserted by RFC 1912, section 2.1, which warns that not having matching 
PTR and A records can cause a loss/denial of internet services.

RE: BOTNET Exceptions for Today

Posted by SM <sm...@resistor.net>.
At 13:08 21-08-2007, Bret Miller wrote:
>When I see on the list that many people run botnet with ZERO false
>positives, I have to ask myself, "how? And why is our setup here so
>different?" Perhaps they already block email with invalid rdns at the MTA

Your setup is different as your users communicate with people from 
different countries and from various groups.  Rules such as botnet 
cannot have zero false positives in such a case.

>level, so none of this ever gets looked at. Perhaps their users just give up
>when they don't get email that they expect and use a free email account
>instead for that email. I don't know, but botnet hits a significant amount

Yes, that's what some people do.

>I just don't have the option of telling our president's assistant that "we
>can't accept email from your husband because the IT department at the City
>of Pasadena won't fix their DNS issues for their email server." That's just

Why not? :-)

>not acceptable in a corporate environment, even if she had a clue what the
>statement meant besides that I was refusing to do what she wants. The

Agreed.

>majority of these badly configured servers won't ever get fixed unless
>someone that matters to them stands up and tells them they need to fix it. I
>do that when I can, but most of the time I just don't matter enough to get
>it done.

Even then, it can prove difficult to get them fixed.  The 
server.nch.com.au case is an interesting one.  Technically, there 
isn't anything wrong with that setup.  But I digress as we are 
talking about antispam here.

Regards,
-sm 


RE: BOTNET Exceptions for Today

Posted by Bret Miller <br...@wcg.org>.
> At 12:36 21-08-2007, John Rudd wrote:
> ># nslookup www2mail.wordreference.com
> >
> >Non-authoritative answer:
> >Name:   www2mail.wordreference.com
> >Address: 75.126.29.11
> >
> >baddns.
> 
> There's an authoritative answer for www2mail.wordreference.com.
> 
> ># nslookup server.nch.com.au
> >
> >Non-authoritative answer:
> >Name:   server.nch.com.au
> >Address: 69.94.122.247
> 
> And one for server.nch.com.au as well.

The point isn't authoritative or not. The point is that the email was sent
(in the last case) from 69.94.122.246, which resolves back to
server.nch.com.au, which resolves to 69.94.122.247, a DIFFERENT IP address.
The sending IP needs RDNS and that RDNS name needs to resolve back to the
same IP, otherwise, it's broken.

Bret

Re: BOTNET Exceptions for Today

Posted by SM <sm...@resistor.net>.
At 12:36 21-08-2007, John Rudd wrote:
># nslookup www2mail.wordreference.com
>
>Non-authoritative answer:
>Name:   www2mail.wordreference.com
>Address: 75.126.29.11
>
>baddns.

There's an authoritative answer for www2mail.wordreference.com.

># nslookup server.nch.com.au
>
>Non-authoritative answer:
>Name:   server.nch.com.au
>Address: 69.94.122.247

And one for server.nch.com.au as well.

Regards,
-sm  


Re: BOTNET Exceptions for Today

Posted by Kai Schaetzl <ma...@conactive.com>.
Bret Miller wrote on Tue, 21 Aug 2007 13:08:06 -0700:

> When I see on the list that many people run botnet with ZERO false
> positives, I have to ask myself, "how? And why is our setup here so
> different?" Perhaps they already block email with invalid rdns at the MTA
> level, so none of this ever gets looked at. Perhaps their users just give up
> when they don't get email that they expect and use a free email account
> instead for that email. I don't know, but botnet hits a significant amount
> of legitimate email here, regardless of how badly configured the sending
> servers are.

Well, the point is: do you want to accept mail from servers that are not 
correctly set up? Then better don't use Botnet or use lower scores.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: BOTNET Exceptions for Today

Posted by Steven Kurylo <st...@aviawest.com>.
>
> I don't know, but botnet hits a significant amount
> of legitimate email here, regardless of how badly configured the sending
> servers are.
>   
I set botnet to score two, and I flag as spam at four.  Every time I've 
had a false positive botnet hit, other rules have been enough to keep 
the score below four.  When I first configured botnet I monitored it 
closely and didn't find a single instance of it pushing ham over four.

Of course my email profile is probably very different from yours.  You 
need to find your own proper balance of scores.
> I just don't have the option of telling our president's assistant that "we
> can't accept email from your husband because the IT department at the City
> of Pasadena won't fix their DNS issues for their email server." That's just
> not acceptable in a corporate environment
Really?  Then I wouldn't want to work in that corporate environment.  Of 
course I believe if you're marking a message as spam solely based on 
botnet, then your server is misconfigured.  But as I said, each to his 
own mail profile.

Re: BOTNET Exceptions for Today

Posted by Michael Alan Dorman <md...@tendentious.org>.
On Tue, 21 Aug 2007 16:56:27 -0500
Andy Sutton <ne...@pessimists.net> wrote:

> On Tue, 2007-08-21 at 13:42 -0700, John Rudd wrote:
> > b) Botnet gets 0% false positives at one of my services (not just 
> > "borked DNS == bad", as you're suggesting, but actual "everything
> > that triggered botnet was actually spam").  And, yes, I actually
> > check
> 
> I never suggested that.

Um, you suggested _exactly_ that.  From the message John was replying to
(<11...@sutton-laptop>):

  On Tue, 2007-08-21 at 13:08 -0700, Bret Miller wrote:
  > When I see on the list that many people run botnet with ZERO false
  > positives, I have to ask myself, "how?   

  Anyone who claims that isn't really looking at the email they are
  blocking, or doesn't believe borked DNS qualifies as an FP.

> A bit tetchy today?

When you're presenting hyperbole as reasoned commentary, seems to me
John has a right to be tetchy.

If you had said what you said in this message originally, I suspect you
would have gotten a different response.

Mike.

Re: BOTNET Exceptions for Today

Posted by Andy Sutton <ne...@pessimists.net>.
On Tue, 2007-08-21 at 13:42 -0700, John Rudd wrote:
> b) Botnet gets 0% false positives at one of my services (not just 
> "borked DNS == bad", as you're suggesting, but actual "everything that
> triggered botnet was actually spam").  And, yes, I actually check

I never suggested that.  My thoughts were more along the lines of
business critical email (oxymoron I know) that is sent from a clueless
setup.  I'm glad you have not run into that situation yet, but as time
goes on the probability of FP increases to 1.  That goes with any setup,
not just botnet specific ones.

> You might want to have an actual basis for your claims before you go
> off making poorly informed generalizations about other people's mail 
> environments. 

A bit tetchy today?  I'm not saying botnet is bad, as it obviously works
for a lot of people.  I also think it's great that you decided to share
your work.  However, you have to agree 0% FP is similar to saying 100%
uptime.  It may be fact right now, but tomorrow is always a different
story.
-- 
- Andy

The test of courage comes when we are in the minority. The test of 
tolerance comes when we are in the majority.
  - Ralph W. Sockman


Re: BOTNET Exceptions for Today

Posted by John Rudd <jr...@ucsc.edu>.
Andy Sutton wrote:
> On Tue, 2007-08-21 at 13:08 -0700, Bret Miller wrote:
>> When I see on the list that many people run botnet with ZERO false
>> positives, I have to ask myself, "how? 
> 
> Anyone who claims that isn't really looking at the email they are
> blocking, or doesn't believe borked DNS qualifies as an FP.

a) I don't block based on botnet, I mark as spam based on botnet.

b) Botnet gets 0% false positives at one of my services (not just 
"borked DNS == bad", as you're suggesting, but actual "everything that 
triggered botnet was actually spam").  And, yes, I actually check.

You might want to have an actual basis for your claims before you go off 
making poorly informed generalizations about other people's mail 
environments.

RE: BOTNET Exceptions for Today

Posted by Andy Sutton <ne...@pessimists.net>.
On Tue, 2007-08-21 at 13:08 -0700, Bret Miller wrote:
> When I see on the list that many people run botnet with ZERO false
> positives, I have to ask myself, "how? 

Anyone who claims that isn't really looking at the email they are
blocking, or doesn't believe borked DNS qualifies as an FP.

> "we can't accept email from your husband because the IT department at
> the City of Pasadena won't fix their DNS issues for their email
> server."

There are broken email/dns/whatever servers all over the place.  It's
one of the reasons I don't use botnet, since I lean more towards pass
rather than block.  If I did, I wouldn't use the default scores.  They
are very aggressive and wouldn't work well in my environment.
-- 
- Andy

The test of courage comes when we are in the minority. The test of 
tolerance comes when we are in the majority.
  - Ralph W. Sockman


RE: BOTNET Exceptions for Today

Posted by Bret Miller <br...@wcg.org>.
> Bret Miller wrote:
> 
> > Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP
> > 204.92.135.90, resolves to smtp22.enews.webbuyersguide.com #not sure why
> > this got a BOTNET=1 flag, but it did. Also find hosts 92, 75, 70, 74, 93,
> > 86, and others. All similarly resolve to smtpnn.enews.webbuyersguide.com. 
> 
> baddns.  baddns means lack of full circle DNS.  In this case, the name 
> returned by the PTR record (smtp22.enews.webbuyersguide.com) does not 
> resolve at all ... let alone not resolving back to the sending IP address.
> 
> 
> > meridiencancun.com.mx, sent from IP , resolves to
> > customer-148-233-9-212.uninet-ide.com.mx #more stupidity
> > 
> > Wordreference.com (WordReference Forums), sent from IP 75.126.51.99,
> > resolves to www2mail.wordreference.com, again no idea why it gets flagged.
> 
> # nslookup www2mail.wordreference.com
> 
> Non-authoritative answer:
> Name:   www2mail.wordreference.com
> Address: 75.126.29.11
> 
> baddns.
> 
> 
> > AltoEdge Hardware, sent from IP 69.94.122.246, resolves to
> > server.nch.com.au, another no idea why BOTNET=1, but it does. Just out of
> > curiosity, I ran this through again with debug enabled so I could get more
> > details. Here's what it says:
> > 
> > [2472] dbg: Botnet: starting
> > [2472] dbg: Botnet: no trusted relays
> > [2472] dbg: Botnet: get_relay didn't find RDNS
> > [2472] dbg: Botnet: IP is '69.94.122.246'
> > [2472] dbg: Botnet: RDNS is 'server.nch.com.au'
> > [2472] dbg: Botnet: HELO is 'server.nch.com.au'
> > [2472] dbg: Botnet: sender 'admin1@server.nch.com.au'
> > [2472] dbg: Botnet: hit (baddns)
> > [2472] dbg: rules: ran eval rule BOTNET ======> got hit (1)
> > 
> > I'm not sure what it means. The IP resolves to server.nch.com.au and it
> > resolves to the IP. Not sure what is "bad" about dns here. I'm also not sure
> > what headers botnet looks at. The top Received header is ours and the others
> > are all internal to the sender. 
> 
> # nslookup server.nch.com.au
> 
> Non-authoritative answer:
> Name:   server.nch.com.au
> Address: 69.94.122.247
> 
> So, server.nch.com.au's name does not resolve back to the sending IP 
> address, thus baddns.


OK... I guess I didn't check closely enough. But the point is still that
users expect these emails and complain if they don't receive them. Today's
list were mostly just top offenders, and it's going to take me time to make
exceptions for all the servers we receive email from that are badly
configured dns-wise.

Maybe these aren't false positives because botnet is identifying them for
what they are-- badly configured. But to give a rule like botnet a default
score that's high enough to consider the messages spam all on its own causes
users to think we have a bad spam filtering program.

When I see on the list that many people run botnet with ZERO false
positives, I have to ask myself, "how? And why is our setup here so
different?" Perhaps they already block email with invalid rdns at the MTA
level, so none of this ever gets looked at. Perhaps their users just give up
when they don't get email that they expect and use a free email account
instead for that email. I don't know, but botnet hits a significant amount
of legitimate email here, regardless of how badly configured the sending
servers are.

I just don't have the option of telling our president's assistant that "we
can't accept email from your husband because the IT department at the City
of Pasadena won't fix their DNS issues for their email server." That's just
not acceptable in a corporate environment, even if she had a clue what the
statement meant besides that I was refusing to do what she wants. The
majority of these badly configured servers won't ever get fixed unless
someone that matters to them stands up and tells them they need to fix it. I
do that when I can, but most of the time I just don't matter enough to get
it done.

Bret

Re: BOTNET Exceptions for Today

Posted by John Rudd <jr...@ucsc.edu>.
Bret Miller wrote:

> Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP
> 204.92.135.90, resolves to smtp22.enews.webbuyersguide.com #not sure why
> this got a BOTNET=1 flag, but it did. Also find hosts 92, 75, 70, 74, 93,
> 86, and others. All similarly resolve to smtpnn.enews.webbuyersguide.com. 

baddns.  baddns means lack of full circle DNS.  In this case, the name 
returned by the PTR record (smtp22.enews.webbuyersguide.com) does not 
resolve at all ... let alone not resolving back to the sending IP address.


> meridiencancun.com.mx, sent from IP , resolves to
> customer-148-233-9-212.uninet-ide.com.mx #more stupidity
> 
> Wordreference.com (WordReference Forums), sent from IP 75.126.51.99,
> resolves to www2mail.wordreference.com, again no idea why it gets flagged.

# nslookup www2mail.wordreference.com

Non-authoritative answer:
Name:   www2mail.wordreference.com
Address: 75.126.29.11

baddns.


> AltoEdge Hardware, sent from IP 69.94.122.246, resolves to
> server.nch.com.au, another no idea why BOTNET=1, but it does. Just out of
> curiosity, I ran this through again with debug enabled so I could get more
> details. Here's what it says:
> 
> [2472] dbg: Botnet: starting
> [2472] dbg: Botnet: no trusted relays
> [2472] dbg: Botnet: get_relay didn't find RDNS
> [2472] dbg: Botnet: IP is '69.94.122.246'
> [2472] dbg: Botnet: RDNS is 'server.nch.com.au'
> [2472] dbg: Botnet: HELO is 'server.nch.com.au'
> [2472] dbg: Botnet: sender 'admin1@server.nch.com.au'
> [2472] dbg: Botnet: hit (baddns)
> [2472] dbg: rules: ran eval rule BOTNET ======> got hit (1)
> 
> I'm not sure what it means. The IP resolves to server.nch.com.au and it
> resolves to the IP. Not sure what is "bad" about dns here. I'm also not sure
> what headers botnet looks at. The top Received header is ours and the others
> are all internal to the sender. 

# nslookup server.nch.com.au

Non-authoritative answer:
Name:   server.nch.com.au
Address: 69.94.122.247

So, server.nch.com.au's name does not resolve back to the sending IP 
address, thus baddns.


Re: BOTNET Exceptions for Today

Posted by Henrik Krohns <he...@hege.li>.
On Tue, Aug 21, 2007 at 05:54:14PM -0500, René Berber wrote:
> Bret Miller wrote:
> 
> > I keep saying that I have false positives with botnet, but haven't
> > substantiated that to date. So, today I'm spending a little time making
> > exceptions since I would like this to work. Here are today's:
> [snip]
> 
> > meridiencancun.com.mx, sent from IP , resolves to
> > customer-148-233-9-212.uninet-ide.com.mx #more stupidity
> 
> Here's a good example of why Botnet's default score is too high

It's really not the score, it's the silly baddns rule. It probably achieves
nothing but FPs and excites some people's quest for bad RFC.

To blame the users, you shouldn't blindly trust default settings for
anything, even if they came from SA directly. Ignorance/helplessness isn't
an excuse, you should understand what tests are done and if they are sane.
You are free to change the Botnet score and rules and use only the
server/clientwords stuff, which is the only method I use.


Re: BOTNET Exceptions for Today

Posted by John Rudd <jr...@ucsc.edu>.
Robert Fitzpatrick wrote:
> On Wed, 2007-08-22 at 08:58 +0100, Martin.Hepworth wrote:
>> Botnet 0.8 is a lot better than 0.7 - please upgrade if you don't already.
>>
> 
> How do you tell what version you have? I cannot find it anywhere in the
> files, so I downloaded 0.8 and diff'd the pm against what I have and no
> differences. I guess that means I'm running 0.8?
> 

grep VERSION Botnet.pm | head -1


RE: BOTNET Exceptions for Today

Posted by Robert Fitzpatrick <li...@webtent.net>.
On Wed, 2007-08-22 at 08:58 +0100, Martin.Hepworth wrote:
> Botnet 0.8 is a lot better than 0.7 - please upgrade if you don't already.
> 

How do you tell what version you have? I cannot find it anywhere in the
files, so I downloaded 0.8 and diff'd the pm against what I have and no
differences. I guess that means I'm running 0.8?

-- 
Robert


RE: BOTNET Exceptions for Today

Posted by "Martin.Hepworth" <ma...@solidstatelogic.com>.

> -----Original Message-----
> From: news [mailto:news@sea.gmane.org] On Behalf Of René Berber
> Sent: 22 August 2007 07:42
> To: users@spamassassin.apache.org
> Subject: Re: BOTNET Exceptions for Today
>
> John Rudd wrote:
>
> > René Berber wrote:
> >> Here's a good example of why Botnet's default score is too high, those guys at
> >> meridiencancun have a so called "Enterprise account" with their ISP, what they
> >> get is a fixed IP and no control over reverse DNS, that's why the reverse
> >> returns what the ISP configured.  Best practices and other fiction don't apply
> >> to the real world in cases like this.
> >
> > As for "best practices" being "fiction" that "doesn't apply to the real
> > world" ... it's rinky-dink mail servers run by people with half-assed
> > opinions like that that cause there to be such a huge number of
> > exploited mail servers on the planet.
>
> Exploited mail servers are badly configured mail servers, that's a whole
> different subject from what is being discussed.
>
> > People who think "best practices" are "fiction" are the scourge that
> > makes the internet such an unreliable place.
> >
> > Here kid, have a nickel.  Go buy yourself a real mail server.
>
> I'm not a kid, so I would appreciate some respect.  If you think I don't know
> what I'm talking about, that's your prerogative, you don't really know me.
> --
> René Berber


Ok here's my 2 pence worth.

Botnet 0.8 is a lot better than 0.7 - please upgrade if you don't already.

Personally I find the big meta-rule a bit heavy (or did at 0.7 anyway). I run the rules separately, which gives me better results and also better visibility as to why botnet fired.

A lot of these "false positive" errors are down to 1) lack of education and 2) the commercial mass mailers pretending to send out from the client but still resolving back to the mass emailer.

Here's an example of how MailScanner handles this with its phishing net system. There's a big whitelist file that you can 1) add your own stuff to and 2) download updates for (which doesn't overwrite your whitelist).

Perhaps people need to get together with John to produce some sort of botnet whitelist rbl for known 'good' commercial mass emailers like ems6.net?????

I'll shut up now ;-)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300






Re: BOTNET Exceptions for Today

Posted by René Berber <r....@computer.org>.
John Rudd wrote:

> René Berber wrote:
> >> Here's a good example of why Botnet's default score is too high, those guys at
> >> meridiencancun have a so called "Enterprise account" with their ISP, what they
> >> get is a fixed IP and no control over reverse DNS, that's why the reverse
> >> returns what the ISP configured.  Best practices and other fiction don't apply
> >> to the real world in cases like this.
> 
> As for "best practices" being "fiction" that "doesn't apply to the real
> world" ... it's rinky-dink mail servers run by people with half-assed
> opinions like that that cause there to be such a huge number of
> exploited mail servers on the planet.

Exploited mail servers are badly configured mail servers, that's a whole
different subject from what is being discussed.

> People who think "best practices" are "fiction" are the scourge that
> makes the internet such an unreliable place.
> 
> Here kid, have a nickel.  Go buy yourself a real mail server.

I'm not a kid, so I would appreciate some respect.  If you think I don't know
what I'm talking about, that's your prerogative, you don't really know me.
-- 
René Berber


Re: BOTNET Exceptions for Today

Posted by John Rudd <jr...@ucsc.edu>.
René Berber wrote:
> Bret Miller wrote:
> 
>> I keep saying that I have false positives with botnet, but haven't
>> substantiated that to date. So, today I'm spending a little time making
>> exceptions since I would like this to work. Here are today's:
> [snip]
> 
>> meridiencancun.com.mx, sent from IP , resolves to
>> customer-148-233-9-212.uninet-ide.com.mx #more stupidity
> 
> Here's a good example of why Botnet's default score is too high, those guys at
> meridiencancun have a so called "Enterprise account" with their ISP, what they
> get is a fixed IP and no control over reverse DNS, that's why the reverse
> returns what the ISP configured.  Best practices and other fiction don't apply
> to the real world in cases like this.

As for "best practices" being "fiction" that "doesn't apply to the real 
world" ... it's rinky-dink mail servers run by people with half-assed 
opinions like that that cause there to be such a huge number of 
exploited mail servers on the planet.

People who think "best practices" are "fiction" are the scourge that 
makes the internet such an unreliable place.

Here kid, have a nickel.  Go buy yourself a real mail server.


> Yes it can be called stupidity, but in this case it is the ISP and the legitimate
> business can't do much about it; very few ISPs in the .mx zone allow you any
> control over reverse DNS, perhaps none in the region that hotel operates in.

And if they had done something intelligent, like having their mail 
domain (meridiencancun.com.mx) have an A record that points to that same 
static IP address ... or have an MX record that points back to a 
hostname with that static IP address, then Botnet wouldn't catch them.

The only fiction here is that they need to have control of their rDNS in 
order to get an exemption from Botnet.
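Three posts in this thread describe the same check from different angles: Bret's rule that the sending IP needs rDNS and that name must resolve back to the same IP, John's definition of "baddns" as a lack of full-circle DNS (a PTR name that does not resolve at all, or resolves to a different address), and John's point just above that an A record for the sender's domain, or an MX whose target has that static IP, would exempt a host whose ISP controls its reverse DNS. The Python below is an added example, not Botnet.pm's code and not anyone's from this thread. It stubs DNS with the answers quoted in the discussion plus a few constructed records so it runs offline; the 192.0.2.0/24 and 198.51.100.0/24 addresses, the .example names and the CLIENT_WORDS list are placeholders (Botnet's real clientwords list is not reproduced anywhere in the thread).

```python
import re

# Stub DNS tables so the example runs offline.  Entries marked "thread" are the
# answers quoted in this discussion (August 2007); everything else is
# constructed for the example (RFC 5737 documentation addresses, .example names).
PTR_RECORDS = {
    "69.94.122.246": ["server.nch.com.au"],                # thread
    "204.92.135.90": ["smtp22.enews.webbuyersguide.com"],  # thread
    "75.126.51.99":  ["www2mail.wordreference.com"],       # thread
    "192.0.2.25":    ["customer-192-0-2-25.isp.example"],  # constructed: ISP-assigned generic PTR
    "192.0.2.40":    ["mx.good.example"],                  # constructed: well-configured host
}
A_RECORDS = {
    "server.nch.com.au":          ["69.94.122.247"],  # thread: a different IP than the sender
    "www2mail.wordreference.com": ["75.126.29.11"],   # thread: not the sending IP either
    # smtp22.enews.webbuyersguide.com is deliberately absent: no A record (thread)
    "customer-192-0-2-25.isp.example": ["192.0.2.25"],  # constructed: generic PTR does round-trip
    "hotel.example":              ["192.0.2.25"],  # constructed: the fix John suggests
    "mx.good.example":            ["192.0.2.40"],  # constructed
}
MX_RECORDS = {
    "good.example": ["mx.good.example"],           # constructed
}
# Placeholder stand-in for Botnet's clientwords list (not on the page).
CLIENT_WORDS = ("customer", "client", "dyn", "dsl", "pool")


def lookup_ptr(ip):
    return PTR_RECORDS.get(ip, [])


def lookup_a(name):
    return A_RECORDS.get(name.lower().rstrip("."), [])


def lookup_mx(domain):
    return MX_RECORDS.get(domain.lower().rstrip("."), [])


def fcrdns(ip):
    """Full-circle reverse DNS check.

    Returns (status, rdns_name): 'ok' when some PTR name has an A record equal
    to ip; 'nordns' when there is no PTR at all; 'baddns' when the PTR name has
    no A record or none of its addresses is ip (the server.nch.com.au case:
    .246 -> server.nch.com.au -> .247).
    """
    names = lookup_ptr(ip)
    if not names:
        return "nordns", None
    for name in names:
        if ip in lookup_a(name):
            return "ok", name
    return "baddns", names[0]


def looks_like_client(name, ip):
    """Generic ISP-style hostname: client-ish labels, or the sending IP's own
    octets embedded in the name (the customer-148-233-9-212... pattern)."""
    labels = name.lower().split(".")
    if any(word in label for label in labels for word in CLIENT_WORDS):
        return True
    parts = re.split(r"[-.]", name)
    return all(octet in parts for octet in ip.split("."))


def sender_domain_vouches(domain, ip):
    """The exemption John describes: the sender's domain has an A record for
    the sending IP, or one of its MX targets does."""
    if ip in lookup_a(domain):
        return True
    return any(ip in lookup_a(mx) for mx in lookup_mx(domain))


def botnet_verdict(ip, sender_domain):
    """Classify one sending IP the way the thread's debug output does:
    'exempt', 'nordns', 'baddns', 'clientwords' or 'pass'."""
    if sender_domain_vouches(sender_domain, ip):
        return "exempt"
    status, name = fcrdns(ip)
    if status != "ok":
        return status
    if looks_like_client(name, ip):
        return "clientwords"
    return "pass"


if __name__ == "__main__":
    cases = [
        ("69.94.122.246", "server.nch.com.au"),        # AltoEdge: baddns
        ("204.92.135.90", "enews.webbuyersguide.com"),  # Ziff-Davis: baddns (PTR name has no A)
        ("75.126.51.99", "wordreference.com"),         # WordReference: baddns
        ("192.0.2.25", "unrelated.example"),           # generic ISP PTR round-trips: clientwords
        ("192.0.2.25", "hotel.example"),               # same IP, domain A record added: exempt
        ("192.0.2.40", "good.example"),                # vouched for through its MX: exempt
        ("198.51.100.7", "nothing.example"),           # no PTR at all: nordns
    ]
    for ip, domain in cases:
        print(f"{ip:15} {domain:28} -> {botnet_verdict(ip, domain)}")
```

Running the script prints one verdict per case. The three thread hosts come out as baddns for exactly the reasons Kai and John gave, while the constructed hotel case flips from clientwords to exempt the moment its own domain carries an A record for the static IP, which is the point John makes about not needing control of rDNS. The exemption is checked before the rDNS tests, as an illustration of the design John describes, not of Botnet.pm's actual evaluation order.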

Re: BOTNET Exceptions for Today

Posted by René Berber <r....@computer.org>.
Bret Miller wrote:

> I keep saying that I have false positives with botnet, but haven't
> substantiated that to date. So, today I'm spending a little time making
> exceptions since I would like this to work. Here are today's:
[snip]

> meridiencancun.com.mx, sent from IP , resolves to
> customer-148-233-9-212.uninet-ide.com.mx #more stupidity

Here's a good example of why Botnet's default score is too high, those guys at
meridiencancun have a so called "Enterprise account" with their ISP, what they
get is a fixed IP and no control over reverse DNS, that's why the reverse
returns what the ISP configured.  Best practices and other fiction don't apply
to the real world in cases like this.

Yes it can be called stupidity, but in this case it is the ISP and the legitimate
business can't do much about it; very few ISPs in the .mx zone allow you any
control over reverse DNS, perhaps none in the region that hotel operates in.

[snip]
-- 
René Berber