On Tue, 28 Nov 2006, John Rudd wrote:

> >> Received: from smtp-out-4101.amazon.com (207-171-180-184.amazon.com
> >> [207.171.180.184])
> >> by XXX (8.11.6/8.11.6) with ESMTP id kAS2XrV04185
> >> for <XXX>; Mon, 27 Nov 2006 21:33:53 -0500
> >
> > This was ugly, but you could put "amazon\.com" in botnet_serverwords to
> > avoid it.
>
> That one won't work, because the regex doesn't look at "the registered
> domain + tld" (i.e. amazon.com). Adding "amazon\.com" to
> botnet_serverwords would exempt "amazon.com.amazon.com" but not
> "*.amazon.com".
>
> The only way to exempt the amazon one would be to:
>
> a) have me add a "domains to exempt" config, which means anyone who puts
> that as the domain in their PTR record can abuse it (but it might be
> worth it, as it would have to be done by the person who controls the
> RDNS for that host, and thus is still out of the reach of the botnet hacker)
>
> b) add that IP address, or IP address block (don't know how many of the
> related IP addresses are owned by amazon or ebay) to botnet_pass_ip.
I like the idea of a "domains to exempt" config item, as it's easy to use, and allows simple "whitelisting" of major companies such as Amazon, ebay, paypal, apple, ibm, etc. As you mentioned, this is a botnet catching tool, so the reverse PTR trick is for other means of spam detection. :)

Rob
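As an added illustration (not code from the Botnet plugin or from anyone in this thread), here is how the two exemption mechanisms discussed above could be implemented on the receiving side: option (a), a list of exempted registered domains matched against the relay's rDNS name on label boundaries, and option (b), a pass list of IP blocks in the style of botnet_pass_ip. The domain list, the /24 block and the hostnames other than the one from the quoted Received: header are constructed sample values.

```python
import ipaddress

# Constructed sample configuration (not the thread's actual settings).
# Option (a): registered domains whose rDNS names skip the botnet checks.
EXEMPT_DOMAINS = {"amazon.com", "ebay.com"}
# Option (b): address blocks that skip the checks regardless of rDNS.
# The /24 is a constructed block that happens to contain the relay IP
# quoted in the thread (207.171.180.184).
PASS_NETWORKS = [ipaddress.ip_network("207.171.180.0/24")]


def is_exempt_domain(hostname, exempt=EXEMPT_DOMAINS):
    """Hypothetical 'domains to exempt' check.

    The rDNS name qualifies when it equals an exempted domain or is a
    subdomain of one. Comparing whole label suffixes (rather than a
    substring regex) means 'smtp-out-4101.amazon.com' matches while
    'notamazon.com' and 'amazon.com.attacker.example' do not: the exemption
    can only be claimed by whoever controls the PTR records under that
    registered domain, which is the trade-off John describes.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in exempt for i in range(len(labels)))


def is_pass_ip(addr, networks=PASS_NETWORKS):
    """botnet_pass_ip-style check: skip when the relay IP is in a listed block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def skip_botnet_checks(relay_ip, rdns_name):
    """Combine both exemptions: either one is enough to skip the botnet rules."""
    return is_pass_ip(relay_ip) or is_exempt_domain(rdns_name)


if __name__ == "__main__":
    # The relay from the quoted Received: header is exempt under both options.
    print(skip_botnet_checks("207.171.180.184", "smtp-out-4101.amazon.com"))
    # A look-alike PTR under a different registered domain is not exempt.
    print(skip_botnet_checks("198.51.100.7", "amazon.com.attacker.example"))
```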