Posted to users@spamassassin.apache.org by Yves Goergen <no...@unclassified.de> on 2011/07/02 10:06:17 UTC

Re: BOTNET IPv6 patch

On 30.06.2011 13:06 CE(S)T, Matthew Newton wrote:
> On Wed, Jun 29, 2011 at 09:59:52PM +0200, Yves Goergen wrote:
>>> Received: from sp***ck.di***ie.com ([2001:***::40])
>>> 	by do***rd.de with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
>>> 	(Exim 4.71)
>>> 	(envelope-from <L***e@Di***ie.com>)
>>> 	id 1Qc0UA-0001R3-DT
>>> 	for nospam.list@un***ed.de; Wed, 29 Jun 2011 21:31:44 +0200
>>> X-Spam-Report: Content analysis details:
>>>   0.2 BOTNET                 Relay might be a spambot or virusbot
>>>                      [botnet0.8,ip=2**.1**.2**.7*,maildomain=Di***ie.com,nordns]
>> Doesn't seem to work. It's a false positive again. And Botnet recognises
>> the incoming IPv6 address as some IPv4 address and reports that one.
> 
> That doesn't look right - unless your munging has really messed it
> up. BOTNET seemed to check an IPv4 address there: "2**.1**.2**.7*"
> 
> Do a dig -x against that IPv4 address, and the 2001:***::40
> address, and see if both have correct PTRs.

I cannot interpret the results:

> $ dig -x 216.191.234.70
> 
> ; <<>> DiG 9.7.0-P1 <<>> -x 216.191.234.70
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22386
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;70.234.191.216.in-addr.arpa.	IN	PTR
> 
> ;; AUTHORITY SECTION:
> 234.191.216.in-addr.arpa. 3446	IN	SOA	ns1.business.allstream.net. hostmaster.business.allstream.net. 2010030901 3600 900 604800 21600
> 
> ;; Query time: 1 msec
> ;; SERVER: 2a01:4f8:121:5161::2#53(2a01:4f8:121:5161::2)
> ;; WHEN: Sat Jul  2 10:02:25 2011
> ;; MSG SIZE  rcvd: 118

and

> $ dig -x 2001:470:8900::40
> 
> ; <<>> DiG 9.7.0-P1 <<>> -x 2001:470:8900::40
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34084
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR
> 
> ;; ANSWER SECTION:
> 0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa. 3600 IN PTR spock.dilkie.com.
> 
> ;; Query time: 1141 msec
> ;; SERVER: 2a01:4f8:121:5161::2#53(2a01:4f8:121:5161::2)
> ;; WHEN: Sat Jul  2 10:02:38 2011
> ;; MSG SIZE  rcvd: 120

(I figured out it's useless to obfuscate addresses and names here as
they're sent over the list as well.)

-- 
Yves Goergen "LonelyPixel" <no...@unclassified.de>
Visit my web laboratory at http://beta.unclassified.de

Re: BOTNET IPv6 patch

Posted by Matthew Newton <mc...@leicester.ac.uk>.
Hi Yves,

On Sat, Jul 02, 2011 at 10:06:17AM +0200, Yves Goergen wrote:
> >> Doesn't seem to work. It's a false positive again. And Botnet recognises
> >> the incoming IPv6 address as some IPv4 address and reports that one.
> > 
> > That doesn't look right - unless your munging has really messed it
> > up. BOTNET seemed to check an IPv4 address there: "2**.1**.2**.7*"
> > 
> > Do a dig -x against that IPv4 address, and the 2001:***::40
> > address, and see if both have correct PTRs.
> 
> I cannot interpret the results:
> 
> > $ dig -x 216.191.234.70
> > ;; QUESTION SECTION:
> > ;70.234.191.216.in-addr.arpa.	IN	PTR

No PTR record.

> and
> 
> > $ dig -x 2001:470:8900::40
> > ;; QUESTION SECTION:
> > ;0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR
> > 
> > ;; ANSWER SECTION:
> > 0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa. 3600 IN PTR spock.dilkie.com.

PTR record exists.

SpamAssassin (or BOTNET, I'm not familiar with the code to know
which one parses the headers in this instance) is seemingly
picking the wrong Received header to work on. Could be your
trusted_networks or internal_networks settings?

If you don't mind, maybe you could send me off-list a complete
copy of the headers of this test message? I can't guarantee
anything, but I'll run it through SpamAssassin here to see if I
can work anything out.

Thanks,

Matthew


-- 
Matthew Newton, Ph.D. <mc...@le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <it...@le.ac.uk>

Re: BOTNET IPv6 patch

Posted by Lee Dilkie <Le...@dilkie.com>.
Interesting.

The IPv6 address is correct; spock.dilkie.com was the source of the email.

However, the quoted IPv4 address, 216.191.234.70, is my employer's mail
gateway (Mitel), and I suspect the script grabbed the IP address I used
to send the test message to my server, which was then relayed to Yves (i.e. the
first hop was IPv4, the second was IPv6).

-lee


On 7/2/2011 4:06 AM, Yves Goergen wrote:
> On 30.06.2011 13:06 CE(S)T, Matthew Newton wrote:
>> On Wed, Jun 29, 2011 at 09:59:52PM +0200, Yves Goergen wrote:
>>>> Received: from sp***ck.di***ie.com ([2001:***::40])
>>>> 	by do***rd.de with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
>>>> 	(Exim 4.71)
>>>> 	(envelope-from <L***e@Di***ie.com>)
>>>> 	id 1Qc0UA-0001R3-DT
>>>> 	for nospam.list@un***ed.de; Wed, 29 Jun 2011 21:31:44 +0200
>>>> X-Spam-Report: Content analysis details:
>>>>   0.2 BOTNET                 Relay might be a spambot or virusbot
>>>>                      [botnet0.8,ip=2**.1**.2**.7*,maildomain=Di***ie.com,nordns]
>>> Doesn't seem to work. It's a false positive again. And Botnet recognises
>>> the incoming IPv6 address as some IPv4 address and reports that one.
>> That doesn't look right - unless your munging has really messed it
>> up. BOTNET seemed to check an IPv4 address there: "2**.1**.2**.7*"
>>
>> Do a dig -x against that IPv4 address, and the 2001:***::40
>> address, and see if both have correct PTRs.
> I cannot interpret the results:
>
>> $ dig -x 216.191.234.70
>>
>> ; <<>> DiG 9.7.0-P1 <<>> -x 216.191.234.70
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22386
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;70.234.191.216.in-addr.arpa.	IN	PTR
>>
>> ;; AUTHORITY SECTION:
>> 234.191.216.in-addr.arpa. 3446	IN	SOA	ns1.business.allstream.net. hostmaster.business.allstream.net. 2010030901 3600 900 604800 21600
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 2a01:4f8:121:5161::2#53(2a01:4f8:121:5161::2)
>> ;; WHEN: Sat Jul  2 10:02:25 2011
>> ;; MSG SIZE  rcvd: 118
> and
>
>> $ dig -x 2001:470:8900::40
>>
>> ; <<>> DiG 9.7.0-P1 <<>> -x 2001:470:8900::40
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34084
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR
>>
>> ;; ANSWER SECTION:
>> 0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa. 3600 IN PTR spock.dilkie.com.
>>
>> ;; Query time: 1141 msec
>> ;; SERVER: 2a01:4f8:121:5161::2#53(2a01:4f8:121:5161::2)
>> ;; WHEN: Sat Jul  2 10:02:38 2011
>> ;; MSG SIZE  rcvd: 120
> (I figured out it's useless to obfuscate addresses and names here as
> they're sent over the list as well.)
>
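The two explanations offered in this thread (Matthew's: the wrong Received header is being examined, possibly because of trusted_networks/internal_networks; Lee's: an IPv4-only check skipped the IPv6 hop and landed on the earlier IPv4 gateway) can be reproduced offline. The following is an added example, not code from SpamAssassin or the BOTNET plugin; the Received chain and PTR table are constructed from the addresses shown above, and receiver.example and gateway.example are placeholder hostnames.

```python
import ipaddress
import re

# Constructed Received chain modelled on this thread, newest hop first:
# hop 2 is spock.dilkie.com -> receiving server over IPv6 (the true source),
# hop 1 is the employer's IPv4 gateway -> spock. Hostnames *.example are placeholders.
RECEIVED = [
    "from spock.dilkie.com ([2001:470:8900::40]) by receiver.example with esmtps (Exim 4.71)",
    "from gateway.example ([216.191.234.70]) by spock.dilkie.com with esmtp",
]

# Constructed PTR table reproducing the two dig -x results in the thread;
# 216.191.234.70 is deliberately absent (NXDOMAIN).
PTR_TABLE = {
    ipaddress.ip_address("2001:470:8900::40").reverse_pointer: "spock.dilkie.com.",
}

# Matches the "([ip])" part of an Exim-style Received header, v4 or v6.
_ADDR = re.compile(r"\(\[?([0-9A-Fa-f.:]+)\]?\)")

def hop_ips(received):
    """Relay IP of each Received header, newest hop first; non-IP parens are skipped."""
    ips = []
    for hdr in received:
        for m in _ADDR.finditer(hdr):
            try:
                ips.append(ipaddress.ip_address(m.group(1)))
                break
            except ValueError:
                continue
    return ips

def pick_relay(received, trusted, ipv6_aware=True):
    """First hop (from the newest) outside the trusted/internal networks.
    With ipv6_aware=False an IPv6 hop is invisible, as it is to an IPv4-only
    pattern, so the search falls through to an earlier IPv4 hop."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    for ip in hop_ips(received):
        if not ipv6_aware and ip.version == 6:
            continue
        if any(ip in n for n in nets):
            continue
        return ip
    return None

def ptr_lookup(ip, table=PTR_TABLE):
    """Offline reverse lookup via in-addr.arpa / ip6.arpa name; None means NXDOMAIN."""
    return table.get(ip.reverse_pointer)

def nordns(ip, table=PTR_TABLE):
    """True when the chosen relay has no PTR, the condition BOTNET flags as 'nordns'."""
    return ptr_lookup(ip, table) is None
```

Running `pick_relay(RECEIVED, [])` with and without `ipv6_aware` selects the IPv6 relay (PTR present) or the IPv4 gateway (no PTR, hence a false "nordns"); listing 2001:470:8900::/48 in `trusted` pushes the check back to the IPv4 hop even with IPv6 parsing, which is Matthew's trusted_networks point.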