Botnet keeps tripping

This might be very simple, but Botnet keeps triggering on a local school district. I THOUGHT that I added it to the pass_domains list correctly. Help!

Botnet.cf has the following in it:

botnet_pass_domains amazon\.com   # they use IP in Hostname; dorks
botnet_pass_domains apple\.com    # special test case
botnet_pass_domains ebay\.com     # pool in hostname
botnet_pass_domains nisdtx\.org   # Northwest ISD
botnet_pass_domains ntta\.org     # NTTA

The headers that keep getting tripped:

Received: from localhost (localhost [127.0.0.1])
    by heap.pbp.net (Postfix) with ESMTP id 76927E41E6
    for <jnichols@...>; Tue, 3 Nov 2009 15:35:26 -0600 (CST)
X-Virus-Scanned: amavisd-new at heap.pbp.net
X-Spam-Flag: NO
X-Spam-Score: 5.743
X-Spam-Level: *****
X-Spam-Status: No, score=5.743 tagged_above=-999 required=6
    tests=[AWL=-0.313, BAYES_00=-2.599, BOTNET=5, HTML_MESSAGE=0.001,
    HTML_MIME_NO_HTML_TAG=0.097, MIME_HTML_ONLY=1.457, RCVD_IN_BNBL=2,
    RDNS_NONE=0.1]
Received: from heap.pbp.net ([127.0.0.1])
    by localhost (heap.pbp.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id S3FCL7keoDvd for <jnichols@...>;
    Tue, 3 Nov 2009 15:35:20 -0600 (CST)
Received: from mail.nisdtx.org (unknown [70.129.99.5])
    by heap.pbp.net (Postfix) with ESMTP id D58E8E41E4
    for <jnichols@...>; Tue, 3 Nov 2009 15:35:20 -0600 (CST)
Received: from espapp01.nisdtx.org ([10.111.9.24])
    by mail.nisdtx.org with ESMTP; Tue, 03 Nov 2009 15:35:18 -0600
Received: from espapp01 ([10.111.9.24])
    by espapp01.nisdtx.org with Microsoft SMTPSVC(6.0.3790.3959);
    Tue, 3 Nov 2009 15:35:17 -0600
MIME-Version: 1.0
Re: Botnet keeps tripping

On Thu, 5 Nov 2009 19:39:10 -0600
Jonathan Nichols <jnichols@...> wrote:

> This might be very simple, but Botnet keeps triggering on a local
> school district. I THOUGHT that I added it to the pass_domains list
> correctly.

I'm not 100% sure, but I think the issue is that it hits BOTNET because mail.nisdtx.org has no reverse DNS, and BOTNET uses reverse DNS for checking pass_domains. The mail.nisdtx.org in the headers is just a helo, so there's no real evidence for nisdtx.org anywhere in the headers. The plugin could do its own A-record lookup on mail.nisdtx.org and verify it against the IP address, but I guess it doesn't. I suppose you'll have to use the IP address instead.

You might also consider using the SOHO exclusion, which I think might have eliminated this FP, i.e. replace the BOTNET definition with:

meta BOTNET ( ! BOTNET_SOHO && (BOTNET_CLIENT || BOTNET_BADDNS || BOTNET_NORDNS) )
Re: Botnet keeps tripping

On Fri, 6 Nov 2009 03:28:40 +0000
RW <rwmaillists@...> wrote:

> The mail.nisdtx.org in the headers is
> just a helo, so there's no real evidence for nisdtx.org anywhere in
> the headers. The plugin could do its own A-record lookup on
> mail.nisdtx.org and verify it against the IP address, but I guess it
> doesn't.

Actually, even if it does, there's a mismatch:

Received: from mail.nisdtx.org (unknown [70.129.99.5])

dig +short mail.nisdtx.org
70.129.99.3
Re: Botnet keeps tripping

Yeah, RW pretty much hit this one on the head. You're going to need to exempt it by IP, not by domain name.

On Thu, Nov 5, 2009 at 19:56, RW <rwmaillists@...> wrote:
> On Fri, 6 Nov 2009 03:28:40 +0000
> RW <rwmaillists@...> wrote:
>
>> The mail.nisdtx.org in the headers is
>> just a helo, so there's no real evidence for nisdtx.org anywhere in
>> the headers. The plugin could do its own A-record lookup on
>> mail.nisdtx.org and verify it against the IP address, but I guess it
>> doesn't.
>
> Actually, even if it does, there's a mismatch:
>
> Received: from mail.nisdtx.org (unknown [70.129.99.5])
>
> dig +short mail.nisdtx.org
> 70.129.99.3
Re: Botnet keeps tripping

D'oh. I didn't catch that one.

Thanks, guys. I'll allow it by IP, and hopefully get in touch with the admin to fix their broken DNS. :D

On Nov 5, 2009, at 11:41 PM, John Rudd wrote:
> Yeah, RW pretty much hit this one on the head. You're going to need
> to exempt it by IP, not by domain name.
>
> On Thu, Nov 5, 2009 at 19:56, RW <rwmaillists@...> wrote:
>> On Fri, 6 Nov 2009 03:28:40 +0000
>> RW <rwmaillists@...> wrote:
>>
>>> The mail.nisdtx.org in the headers is
>>> just a helo, so there's no real evidence for nisdtx.org anywhere in
>>> the headers. The plugin could do its own A-record lookup on
>>> mail.nisdtx.org and verify it against the IP address, but I guess it
>>> doesn't.
>>
>> Actually, even if it does, there's a mismatch:
>>
>> Received: from mail.nisdtx.org (unknown [70.129.99.5])
>>
>> dig +short mail.nisdtx.org
>> 70.129.99.3