Posted to users@spamassassin.apache.org by Matus UHLAR - fantomas <uh...@fantomas.sk> on 2007/10/01 10:44:05 UTC

Re: Botnet 0.8 Plugin is available (FINALLY!!!)

> At 02:31 PM 9/28/2007, John Rudd wrote:
> >Consider this scenario:
> >
> >   a) user on dynamic IP sends email to their ISP's mail server
> >   b) ISP's mail server submits message to your mail server
> >
> >In your suggested processing, this would generate a false positive: 
> >the message would be marked as a potential botnet even though the 
> >message was handled in a legitimate manner (message went out through 
> >the ISP's mail server instead of coming _directly_ from the dynamic host).

On 28.09.07 14:52, Jerry Durand wrote:
> Our mail server is on a dynamic business line, so we send through our 
> ISP's AUTH port (and have this listed in SPF).  We still get bounced 
> mail from some servers that are scanning all the headers against 
> things like the Zen list.  For a while, Internic was bouncing mailing 
> list digests that had posts from anyone with a dynamic address; it seems 
> they were scanning the body of the message, too!

Does your provider put AUTH information into message headers? If so, those
servers are certainly broken. ZEN contains IPs like dynamic ones that are not
supposed to send mail directly, but through their SMTP server. (They are in
the PBL, which is a subset of ZEN.) The header check should stop at such
headers. SA does do that.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.

Re: Botnet 0.8 Plugin is available (FINALLY!!!)

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Jerry Durand wrote:
> On Mon, 2007-10-01 at 10:44 +0200, Matus UHLAR - fantomas wrote:
> 
>> Does your provider put AUTH information into message headers? If so,
>> those servers are certainly broken. ZEN contains IPs like dynamic ones
>> that are not supposed to send mail directly, but through their SMTP
>> server. (They are in the PBL, which is a subset of ZEN.) The header
>> check should stop at such headers. SA does do that.
>>
> 
> It should, but check the headers on this message (since you'll get a
> private copy from the reply-to-all).
> 
> If I have something set wrong, let me know as I have to move the server
> over to our new Ubuntu system and that would be a good time to fix it.

Your provider does include an auth token... ESMTPA.

Daryl


Received: from smtp.interstellar.com ([71.116.65.33])
  by vms044.mailsrvcs.net (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
  with ESMTPA id <0J...@vms044.mailsrvcs.net> for
  users@spamassassin.apache.org; Mon, 01 Oct 2007 12:23:03 -0500 (CDT)
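The rule Matus describes above (stop the header check at the authenticated hop) and the ESMTPA header Daryl quotes, as an added example that is not part of this thread or of SpamAssassin's own code: a simplified Received-chain walk in Python that reports which connecting IPs would still be looked up against a PBL/ZEN-style list and which are skipped. All header and address values below are constructed; the `with` keywords that mark an authenticated submission follow RFC 3848.

```python
import re
from typing import List, Tuple

# "with" protocol keywords (RFC 3848) that record an authenticated submission.
AUTHENTICATED_PROTOCOLS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA", "UTF8SMTPA", "UTF8SMTPSA"}

# Connecting IP from the "from ... [1.2.3.4]" clause, and the "with <proto>" clause.
_FROM_IP = re.compile(r"\bfrom\b.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.IGNORECASE | re.DOTALL)
_WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)


def unfold(header: str) -> str:
    """Join RFC 5322 folded continuation lines into a single line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_received(header: str) -> Tuple[str, str]:
    """Return (connecting_ip, protocol) from one Received header, folded or not."""
    header = unfold(header)
    ip_match = _FROM_IP.search(header)
    with_match = _WITH.search(header)
    ip = ip_match.group(1) if ip_match else ""
    proto = with_match.group(1).upper() if with_match else ""
    return ip, proto


def ips_to_check(received_headers: List[str]) -> Tuple[List[str], List[str]]:
    """Walk the chain newest-first and return (checked, skipped).

    Hops before the first authenticated submission are candidates for a
    PBL/ZEN-type lookup. The authenticated hop itself (its connecting IP is the
    client that logged in, e.g. a server on a dynamic line) and every older hop
    are skipped, since an authenticated client is allowed to come from a
    PBL-listed address. This is a simplified model, not SpamAssassin's code.
    """
    checked, skipped = [], []
    stop = False
    for hdr in received_headers:
        ip, proto = parse_received(hdr)
        if not stop and proto in AUTHENTICATED_PROTOCOLS:
            stop = True
        (skipped if stop else checked).append(ip)
    return checked, skipped


# Constructed sample chain (newest hop first), modelled on the header quoted in
# this thread: a sender's server on a dynamic line authenticates to its ISP.
SAMPLE_CHAIN = [
    "from isp-out.example.net ([192.0.2.10]) by mx.example.org with ESMTP id 1;\n\tMon, 01 Oct 2007 12:25:00 -0500",
    "from mail.dynline.example ([198.51.100.7]) by isp-out.example.net with ESMTPA id 2 for list@example.org; Mon, 01 Oct 2007 12:23:03 -0500",
    "from [10.0.0.5] by mail.dynline.example with ESMTP id 3; Mon, 01 Oct 2007 12:22:00 -0500",
]
```

Running `ips_to_check(SAMPLE_CHAIN)` leaves only the ISP's outbound relay (192.0.2.10) to be looked up; the dynamic-line server and its LAN host behind the ESMTPA hop are skipped.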



Re: Botnet 0.8 Plugin is available (FINALLY!!!)

Posted by Jerry Durand <jd...@interstellar.com>.
On Mon, 2007-10-01 at 10:44 +0200, Matus UHLAR - fantomas wrote:

> Does your provider put AUTH information into message headers? If so,
> those servers are certainly broken. ZEN contains IPs like dynamic ones
> that are not supposed to send mail directly, but through their SMTP
> server. (They are in the PBL, which is a subset of ZEN.) The header
> check should stop at such headers. SA does do that.
> 

It should, but check the headers on this message (since you'll get a
private copy from the reply-to-all).

If I have something set wrong, let me know as I have to move the server
over to our new Ubuntu system and that would be a good time to fix it.

-- 
Jerry Durand, Durand Interstellar, Inc.
Los Gatos, California, USA, www.interstellar.com
tel:  408-356-3886, Skype:  jerrydurand


Re: Botnet 0.8 Plugin is available (FINALLY!!!)

Posted by Jerry Durand <jd...@interstellar.com>.
Well that didn't totally work, I received a 550 from fantomas.sk.  If anyone is willing to check my headers off-list, contact me with a private e-mail.

I'd like to make sure I have the new system set up right before I add some more domains to it.

Thanks.


On Mon, 2007-10-01 at 10:44 +0200, Matus UHLAR - fantomas wrote:

> Does your provider put AUTH information into message headers? If so,
> those servers are certainly broken. ZEN contains IPs like dynamic ones
> that are not supposed to send mail directly, but through their SMTP
> server. (They are in the PBL, which is a subset of ZEN.) The header
> check should stop at such headers. SA does do that.
> 

It should, but check the headers on this message (since you'll get a
private copy from the reply-to-all).

If I have something set wrong, let me know as I have to move the server
over to our new Ubuntu system and that would be a good time to fix it.

-- 
Jerry Durand, Durand Interstellar, Inc.
Los Gatos, California, USA, www.interstellar.com
tel:  408-356-3886, Skype:  jerrydurand