Posted to users@spamassassin.apache.org by Carlos Horowicz <ca...@infodrive.com.ar> on 2006/12/14 00:58:00 UTC

Botnet question

Hi list,

I came across an e-mail originating at a customer domain hosted in a 
dedicated server provided by my company, whose outgoing relay and 
incoming MX are the same, namely mx0.<domain>, and that Botnet in my 
server tagged with:

BOTNET=5,     BOTNET_CLIENT=0.01, BOTNET_IPINHOSTNAME=0.01

The only matching rule seems to be coming from botnet_ipinhostname()

Reverse DNS is OK.

Could somebody tell me what could have triggered the rule? Is it the 0 (zero) 
in the mx0 hostname, or the fact that they use the same server for 
incoming and outgoing relay? Or maybe anything else I should look at?

Thank you,

/Carlos


John Rudd wrote:

> René Berber wrote:
>
>> John Rudd wrote:
>> [snip]
>>
>>> It can be downloaded from:
>>>
>>>  http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
>>>
>>> As usual, feedback, statistics, bug reports, feature suggestions, are
>>> all welcome.
>>
>> [snip]
>>
>> Botnet 0.6 causes a timeout while MA is running SA on a DSN message.
>>
>
> It looks to me like it's not being caused by a DSN message, it's that 
> the IP doesn't have a PTR record, and your mail server has rather slow 
> DNS.  Do you have a caching DNS server on your mail server, by chance?
>

Re: Botnet question

Posted by John Rudd <jr...@ucsc.edu>.
Hm.  I don't see anything wrong with that domain.  I'll look into it.


Carlos Horowicz wrote:
> Hi John,
> 
> the IP address is 64.76.24.252 and the domain is comintec.net, Botnet 
> version is 0.6 under SA 3.1.7
> 
> Thanks,
> 
> -Carlos
> 
> 
> John Rudd wrote:
> 
>>
>> I would have to know the IP address of the relay in order to give a 
>> meaningful answer.  Just the 0 shouldn't have been enough.  Though, if 
>> one of the octets is 0, and you're using an older version of botnet, 
>> it might have matched that one octet twice.  That's a bug I'm pretty 
>> sure I fixed in 0.6.
>>
>>
>>
>> Carlos Horowicz wrote:
>>
>>> Hi list,
>>>
>>> I came across an e-mail originating at a customer domain hosted in a 
>>> dedicated server provided by my company, whose outgoing relay and 
>>> incoming MX are the same, namely mx0.<domain>, and that Botnet in my 
>>> server tagged with:
>>>
>>> BOTNET=5,     BOTNET_CLIENT=0.01, BOTNET_IPINHOSTNAME=0.01
>>>
>>> The only matching rule seems to be coming from botnet_ipinhostname()
>>>
>>> Reverse DNS is OK.
>>>
>>> Could somebody tell me what could have triggered the rule? Is it the 0 
>>> (zero) in the mx0 hostname, or the fact that they use the same 
>>> server for incoming and outgoing relay? Or maybe anything else I 
>>> should look at?
>>>
>>> Thank you,
>>>
>>> /Carlos
>>>
>>>
>>> John Rudd wrote:
>>>
>>>> René Berber wrote:
>>>>
>>>>> John Rudd wrote:
>>>>> [snip]
>>>>>
>>>>>> It can be downloaded from:
>>>>>>
>>>>>>  http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
>>>>>>
>>>>>> As usual, feedback, statistics, bug reports, feature suggestions, are
>>>>>> all welcome.
>>>>>
>>>>>
>>>>> [snip]
>>>>>
>>>>> Botnet 0.6 causes a timeout while MA is running SA on a DSN message.
>>>>>
>>>>
>>>> It looks to me like it's not being caused by a DSN message, it's 
>>>> that the IP doesn't have a PTR record, and your mail server has 
>>>> rather slow DNS.  Do you have a caching DNS server on your mail 
>>>> server, by chance?
>>>>

Re: Botnet question

Posted by Carlos Horowicz <ca...@infodrive.com.ar>.
Hi John,

the IP address is 64.76.24.252 and the domain is comintec.net, Botnet 
version is 0.6 under SA 3.1.7

Thanks,

-Carlos


John Rudd wrote:

>
> I would have to know the IP address of the relay in order to give a 
> meaningful answer.  Just the 0 shouldn't have been enough.  Though, if 
> one of the octets is 0, and you're using an older version of botnet, 
> it might have matched that one octet twice.  That's a bug I'm pretty 
> sure I fixed in 0.6.
>
>
>
> Carlos Horowicz wrote:
>
>> Hi list,
>>
>> I came across an e-mail originating at a customer domain hosted in a 
>> dedicated server provided by my company, whose outgoing relay and 
>> incoming MX are the same, namely mx0.<domain>, and that Botnet in my 
>> server tagged with:
>>
>> BOTNET=5,     BOTNET_CLIENT=0.01, BOTNET_IPINHOSTNAME=0.01
>>
>> The only matching rule seems to be coming from botnet_ipinhostname()
>>
>> Reverse DNS is OK.
>>
>> Could somebody tell me what could have triggered the rule? Is it the 0 
>> (zero) in the mx0 hostname, or the fact that they use the same 
>> server for incoming and outgoing relay? Or maybe anything else I 
>> should look at?
>>
>> Thank you,
>>
>> /Carlos
>>
>>
>> John Rudd wrote:
>>
>>> René Berber wrote:
>>>
>>>> John Rudd wrote:
>>>> [snip]
>>>>
>>>>> It can be downloaded from:
>>>>>
>>>>>  http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
>>>>>
>>>>> As usual, feedback, statistics, bug reports, feature suggestions, are
>>>>> all welcome.
>>>>
>>>>
>>>> [snip]
>>>>
>>>> Botnet 0.6 causes a timeout while MA is running SA on a DSN message.
>>>>
>>>
>>> It looks to me like it's not being caused by a DSN message, it's 
>>> that the IP doesn't have a PTR record, and your mail server has 
>>> rather slow DNS.  Do you have a caching DNS server on your mail 
>>> server, by chance?
>>>

Re: Botnet question

Posted by John Rudd <jr...@ucsc.edu>.
I would have to know the IP address of the relay in order to give a 
meaningful answer.  Just the 0 shouldn't have been enough.  Though, if 
one of the octets is 0, and you're using an older version of botnet, it 
might have matched that one octet twice.  That's a bug I'm pretty sure I 
fixed in 0.6.



Carlos Horowicz wrote:
> Hi list,
> 
> I came across an e-mail originating at a customer domain hosted in a 
> dedicated server provided by my company, whose outgoing relay and 
> incoming MX are the same, namely mx0.<domain>, and that Botnet in my 
> server tagged with:
> 
> BOTNET=5,     BOTNET_CLIENT=0.01, BOTNET_IPINHOSTNAME=0.01
> 
> The only matching rule seems to be coming from botnet_ipinhostname()
> 
> Reverse DNS is OK.
> 
> Could somebody tell me what could have triggered the rule? Is it the 0 (zero) 
> in the mx0 hostname, or the fact that they use the same server for 
> incoming and outgoing relay? Or maybe anything else I should look at?
> 
> Thank you,
> 
> /Carlos
> 
> 
> John Rudd wrote:
> 
>> René Berber wrote:
>>
>>> John Rudd wrote:
>>> [snip]
>>>
>>>> It can be downloaded from:
>>>>
>>>>  http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
>>>>
>>>> As usual, feedback, statistics, bug reports, feature suggestions, are
>>>> all welcome.
>>>
>>> [snip]
>>>
>>> Botnet 0.6 causes a timeout while MA is running SA on a DSN message.
>>>
>>
>> It looks to me like it's not being caused by a DSN message, it's that 
>> the IP doesn't have a PTR record, and your mail server has rather slow 
>> DNS.  Do you have a caching DNS server on your mail server, by chance?
>>
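An added illustration of the "one octet matched twice" failure mode John describes above. This is not the Botnet plugin's code and does not reproduce its actual matching rules; it is a simplified model written for this thread, in which a buggy variant counts every occurrence of any octet string in the rDNS hostname (so a single octet such as 0 can be counted twice) and a fixed variant counts each distinct octet at most once and only as a whole digit run. The sample relays, the two-octet threshold and all function names are constructed assumptions for the example.

```python
import re

# Constructed sample data for this example (not taken from the thread, except
# the idea of a "0" sitting in a hostname such as mx0.<domain>).
SAMPLE_RELAYS = [
    ("192.0.2.7", "mx0.host0.example.net"),              # legitimate MX, two zeros in its name
    ("192.0.2.7", "host-192-0-2-7.dynamic.example.net"), # address written into the rDNS name
    ("198.51.100.4", "mail.example.org"),                # no octets in the name at all
]


def octet_hits_buggy(ip: str, hostname: str) -> int:
    """Hypothetical 'old' behaviour: count every occurrence of any octet
    string inside the hostname.  An octet whose value appears twice in the
    name (the 0 of 192.0.2.7 against mx0.host0...) is counted twice, so one
    octet can push the count over the threshold on its own."""
    pattern = "|".join(re.escape(o) for o in ip.split("."))
    return len(re.findall(pattern, hostname.lower()))


def octet_hits_fixed(ip: str, hostname: str) -> int:
    """Count each distinct octet at most once, and only when it appears as a
    whole digit run in the hostname (so 'mx10' is not a hit for octet 1 or 0)."""
    digit_runs = {str(int(r)) for r in re.findall(r"\d+", hostname)}
    return sum(1 for o in set(ip.split(".")) if str(int(o)) in digit_runs)


def ip_in_hostname(ip: str, hostname: str, threshold: int = 2, fixed: bool = True) -> bool:
    """True if at least `threshold` octets of `ip` show up in `hostname`.
    The threshold of two octets is an assumption for this illustration."""
    hits = octet_hits_fixed(ip, hostname) if fixed else octet_hits_buggy(ip, hostname)
    return hits >= threshold


def compare(relays=SAMPLE_RELAYS):
    """Run both variants over the sample relays and return a list of
    (hostname, buggy_verdict, fixed_verdict) tuples so the difference is visible:
    only the buggy variant flags the legitimate mx0.host0.example.net relay."""
    return [
        (host, ip_in_hostname(ip, host, fixed=False), ip_in_hostname(ip, host, fixed=True))
        for ip, host in relays
    ]


if __name__ == "__main__":
    for host, buggy, fixed in compare():
        print(f"{host:40s} buggy={buggy!s:5s} fixed={fixed}")
```

When debugging a false positive like the one in this thread, running the relay's IP and rDNS name through both variants side by side shows immediately whether a repeated digit in the hostname, rather than a genuine address-in-hostname pattern, is what pushed the count over the line.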