Posted to users@spamassassin.apache.org by Carlos Horowicz <ca...@infodrive.com.ar> on 2006/12/14 00:58:00 UTC
Botnet question
Hi list,
I came across an e-mail originating at a customer domain hosted in a
dedicated server provided by my company, whose outgoing relay and
incoming MX are the same, namely mx0.<domain>, and that Botnet in my
server tagged with:
BOTNET=5, BOTNET_CLIENT=0.01, BOTNET_IPINHOSTNAME=0.01
The only matching rule seems to be coming from botnet_ipinhostname()
Reverse DNS is OK.
Could somebody tell what could have triggered the rule? If the 0 (zero)
in the mx0 hostname, or the fact that they use the same server for
incoming or outgoing relay? Or maybe anything else I should look at?
Thank you,
/Carlos
John Rudd wrote:
> René Berber wrote:
>
>> John Rudd wrote:
>> [snip]
>>
>>> It can be downloaded from:
>>>
>>> http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
>>>
>>> As usual, feedback, statistics, bug reports, feature suggestions, are
>>> all welcome.
>>
>> [snip]
>>
>> Botnet 0.6 causes a timeout while MA is running SA on a DSN message.
>>
>
> It looks to me like it's not being caused by a DSN message, it's that
> the IP doesn't have a PTR record, and your mail server has rather slow
> DNS. Do you have a caching DNS server on your mail server, by chance?
>
Re: Botnet question
Posted by John Rudd <jr...@ucsc.edu>.
Hm. I don't see anything wrong with that domain. I'll look into it.
Carlos Horowicz wrote:
> Hi John,
>
> the IP Address is 64.76.24.252 and the domain is comintec.net, Botnet
> version is 0.6 under SA 3.1.7
>
> Thanks,
>
> -Carlos
>
>
> John Rudd wrote:
>
>>
>> I would have to know the IP address of the relay in order to give a
>> meaningful answer. Just the 0 shouldn't have been enough. Though, if
>> one of the octets is 0, and you're using an older version of botnet,
>> it might have matched that one octet twice. That's a bug I'm pretty
>> sure I fixed in 0.6.
>>
>>
>>
>> Carlos Horowicz wrote:
>>
>>> Hi list,
>>>
>>> I came across an e-mail originating at a customer domain hosted in a
>>> dedicated server provided by my company, whose outgoing relay and
>>> incoming MX are the same, namely mx0.<domain>, and that Botnet in my
>>> server tagged with:
>>>
>>> BOTNET=5, BOTNET_CLIENT=0.01, BOTNET_IPINHOSTNAME=0.01
>>>
>>> The only matching rule seems to be coming from botnet_ipinhostname()
>>>
>>> Reverse DNS is OK.
>>>
>>> Could somebody tell what could have triggered the rule? If the 0
>>> (zero) in the mx0 hostname, or the fact that they use the same
>>> server for incoming or outgoing relay? Or maybe anything else I
>>> should look at?
>>>
>>> Thank you,
>>>
>>> /Carlos
>>>
>>>
>>> John Rudd wrote:
>>>
>>>> René Berber wrote:
>>>>
>>>>> John Rudd wrote:
>>>>> [snip]
>>>>>
>>>>>> It can be downloaded from:
>>>>>>
>>>>>> http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
>>>>>>
>>>>>> As usual, feedback, statistics, bug reports, feature suggestions, are
>>>>>> all welcome.
>>>>>
>>>>>
>>>>> [snip]
>>>>>
>>>>> Botnet 0.6 causes a timeout while MA is running SA on a DSN message.
>>>>>
>>>>
>>>> It looks to me like it's not being caused by a DSN message, it's
>>>> that the IP doesn't have a PTR record, and your mail server has
>>>> rather slow DNS. Do you have a caching DNS server on your mail
>>>> server, by chance?
>>>>
Re: Botnet question
Posted by Carlos Horowicz <ca...@infodrive.com.ar>.
Hi John,
the IP Address is 64.76.24.252 and the domain is comintec.net, Botnet
version is 0.6 under SA 3.1.7
Thanks,
-Carlos
John Rudd wrote:
>
> I would have to know the IP address of the relay in order to give a
> meaningful answer. Just the 0 shouldn't have been enough. Though, if
> one of the octets is 0, and you're using an older version of botnet,
> it might have matched that one octet twice. That's a bug I'm pretty
> sure I fixed in 0.6.
>
>
>
> Carlos Horowicz wrote:
>
>> Hi list,
>>
>> I came across an e-mail originating at a customer domain hosted in a
>> dedicated server provided by my company, whose outgoing relay and
>> incoming MX are the same, namely mx0.<domain>, and that Botnet in my
>> server tagged with:
>>
>> BOTNET=5, BOTNET_CLIENT=0.01, BOTNET_IPINHOSTNAME=0.01
>>
>> The only matching rule seems to be coming from botnet_ipinhostname()
>>
>> Reverse DNS is OK.
>>
>> Could somebody tell what could have triggered the rule? If the 0
>> (zero) in the mx0 hostname, or the fact that they use the same
>> server for incoming or outgoing relay? Or maybe anything else I
>> should look at?
>>
>> Thank you,
>>
>> /Carlos
>>
>>
>> John Rudd wrote:
>>
>>> René Berber wrote:
>>>
>>>> John Rudd wrote:
>>>> [snip]
>>>>
>>>>> It can be downloaded from:
>>>>>
>>>>> http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
>>>>>
>>>>> As usual, feedback, statistics, bug reports, feature suggestions, are
>>>>> all welcome.
>>>>
>>>>
>>>> [snip]
>>>>
>>>> Botnet 0.6 causes a timeout while MA is running SA on a DSN message.
>>>>
>>>
>>> It looks to me like it's not being caused by a DSN message, it's
>>> that the IP doesn't have a PTR record, and your mail server has
>>> rather slow DNS. Do you have a caching DNS server on your mail
>>> server, by chance?
>>>
Re: Botnet question
Posted by John Rudd <jr...@ucsc.edu>.
I would have to know the IP address of the relay in order to give a
meaningful answer. Just the 0 shouldn't have been enough. Though, if
one of the octets is 0, and you're using an older version of botnet, it
might have matched that one octet twice. That's a bug I'm pretty sure I
fixed in 0.6.
Carlos Horowicz wrote:
> Hi list,
>
> I came across an e-mail originating at a customer domain hosted in a
> dedicated server provided by my company, whose outgoing relay and
> incoming MX are the same, namely mx0.<domain>, and that Botnet in my
> server tagged with:
>
> BOTNET=5, BOTNET_CLIENT=0.01, BOTNET_IPINHOSTNAME=0.01
>
> The only matching rule seems to be coming from botnet_ipinhostname()
>
> Reverse DNS is OK.
>
> Could somebody tell what could have triggered the rule? If the 0 (zero)
> in the mx0 hostname, or the fact that they use the same server for
> incoming or outgoing relay? Or maybe anything else I should look at?
>
> Thank you,
>
> /Carlos
>
>
> John Rudd wrote:
>
>> René Berber wrote:
>>
>>> John Rudd wrote:
>>> [snip]
>>>
>>>> It can be downloaded from:
>>>>
>>>> http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
>>>>
>>>> As usual, feedback, statistics, bug reports, feature suggestions, are
>>>> all welcome.
>>>
>>> [snip]
>>>
>>> Botnet 0.6 causes a timeout while MA is running SA on a DSN message.
>>>
>>
>> It looks to me like it's not being caused by a DSN message, it's that
>> the IP doesn't have a PTR record, and your mail server has rather slow
>> DNS. Do you have a caching DNS server on your mail server, by chance?
>>
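The double-counting that John describes for a 0 octet, shown as an added example that is not the Botnet plugin's code: a simplified model of an "IP octets in the reverse-DNS hostname" check in the spirit of botnet_ipinhostname(), with the old scoring beside a corrected one. It assumes that octets are compared in decimal and hex spellings (which coincide for 0), that the relay in the thread is mx0.comintec.net at 64.76.24.252, and a threshold of 2 octets; 192.0.2.x inputs are constructed.

```python
import re

# Added example, not the Botnet plugin's code. Models an "IP octets in the
# PTR hostname" heuristic: the rule fires when at least THRESHOLD octets of
# the client IP are spelled out in its reverse-DNS name. THRESHOLD is assumed.
THRESHOLD = 2

def hostname_tokens(hostname):
    """Numeric-looking tokens of a hostname: maximal runs of decimal digits
    and maximal runs of hex digits that contain at least one digit."""
    tokens = set()
    for label in re.split(r"[^0-9a-z]+", hostname.lower()):
        tokens.update(re.findall(r"[0-9]+", label))
        tokens.update(t for t in re.findall(r"[0-9a-f]+", label)
                      if any(c.isdigit() for c in t))
    return tokens

def octet_spellings(octet):
    """Decimal and hex spellings of one octet; for 0, two of them are both "0"."""
    return [str(octet), "%x" % octet, "%02x" % octet]

def ip_in_hostname_buggy(ip, hostname):
    """Modelled old behaviour: every spelling of every octet is scored on its
    own, so the single token "0" in a label like "mx0" satisfies both the
    decimal and the hex spelling of a 0 octet and is counted twice."""
    tokens = hostname_tokens(hostname)
    hits = sum(1 for octet in map(int, ip.split("."))
               for spelling in octet_spellings(octet) if spelling in tokens)
    return hits >= THRESHOLD

def ip_in_hostname_fixed(ip, hostname):
    """Corrected scoring: an octet counts at most once and a token satisfies
    at most one octet, so repeated values (two 0 octets) cannot inflate it."""
    remaining = hostname_tokens(hostname)
    hits = 0
    for octet in map(int, ip.split(".")):
        for spelling in set(octet_spellings(octet)):
            if spelling in remaining:
                remaining.discard(spelling)  # consume this token
                hits += 1
                break
    return hits >= THRESHOLD

if __name__ == "__main__":
    # Constructed inputs; the comintec.net pair is the thread's relay as assumed above.
    for ip, host in [("192.0.2.25", "mx0.example.net"),
                     ("64.76.24.252", "mx0.comintec.net"),
                     ("192.0.2.25", "ip-192-0-2-25.example.net")]:
        print(ip, host, ip_in_hostname_buggy(ip, host), ip_in_hostname_fixed(ip, host))
```

With the assumed spellings the thread's own relay does not trigger either version, matching John's "I don't see anything wrong with that domain"; the constructed mx0 host with a 0 octet shows where the old scoring over-counts.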