On Sat, 27 Jan 2007 20:33:41 -0800 John Rudd <[EMAIL PROTECTED]> wrote:
> Josh Trutwin wrote:
> > On Sat, 27 Jan 2007 17:08:44 -0800
> > John Rudd <[EMAIL PROTECTED]> wrote:
> >
> >> Thomas Bolioli wrote:
> >>>
> >>> Yeah, this is the problem with the Botnet ruleset. I had to stop
> >>> using it. It assumes that one IP, one domain with regards to
> >>> mail. If your mail server handles multiple domains, whichever
> >>> domain the rDNS points to will be fine. Any others will fire
> >>> off.
> >> That's not even close to true (the assumptions nor the results).
> >>
> >> If rDNS and DNS are properly set up for the machine, then it won't
> >> matter what virtual domains are hosted on the system. As long as
> >> the rDNS leads back to a valid DNS record, which leads back to
> >> the same IP, it won't matter if that rDNS machines that mail
> >> domain, a different mail domain, or no mail domain at all.
> >
> > Hmm - in my case my rDNS setup seems ok though except for the fact
> > that 2 octets are in my ptr record which I'll be fixing tonight.
> > But that's not the rule I was tripping. Here's another example
> > from a test email sent from one of my virtual domains netbits.us:
> >
> > 5.0 BOTNET Relay might be a spambot or virusbot
> >
> > [botnet0.7,ip=209.18.107.89,hostname=netbits.us,maildomain=netbits.us,baddns]
> >
> > <snip>
> >
> >> If you think there is a case where Botnet breaks down for
> >> multiple/virtual mail domains, where DNS and rDNS are properly
> >> set up, put your money where your mouth is and give a real world
> >> example. Give the IP address(es), and the mail domains that go
> >> with them that you think will have a problem.
> >
> > Personally, I like Botnet, but it does seem like I have a real
> > world example where my rDNS is set up fine. Unless I missed
> > something?
> >
> > % host 209.18.107.89
> 89.107.18.209.in-addr.arpa domain name pointer
> ptr-20989.fastconcepts.net.
> > % host ptr-20989.fastconcepts.net
> Host ptr-20989.fastconcepts.net not found: 3(NXDOMAIN)
>
> That would seem to me to indicate that "baddns" is valid. It may
> be that from some angles/locations/servers, the forward DNS for
> fastconcepts.net isn't working properly. Or at least not for
> ptr-20989.fastconcepts.net.
>
> (and, I think ipshostname isn't triggering for it because in 0.7 it
> only looks at consecutive octets)

John,

My ISP didn't do my rDNS change so it's back to the way it was when I originally posted this thread. Does it still look wrong?

# host 209.18.107.89
89.107.18.209.in-addr.arpa domain name pointer ptr-20989.fastconcepts.net.
# host ptr-20989.fastconcepts.net
ptr-20989.fastconcepts.net has address 209.18.107.

Josh
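As an added example, not the Botnet plugin's own code, here are the two checks the thread is arguing about, written in Python so a mail operator can verify their own records before a rule fires: forward-confirmed rDNS (the condition behind a "baddns" hit) and the consecutive-octet hostname heuristic John attributes to Botnet 0.7. The function names, the injected resolver callables and the sample records (mirroring the lookups quoted above, with the forward name NXDOMAIN in one table and fixed in the other) are all constructed for this example.

```python
from typing import Callable, Optional

# Resolvers are injected so the check runs offline against constructed records;
# in production pass thin wrappers around socket.gethostbyaddr / gethostbyname_ex.
PtrResolver = Callable[[str], Optional[str]]   # ip -> PTR name, or None if no PTR
AResolver = Callable[[str], list]              # name -> list of A records ([] on NXDOMAIN)


def fcrdns_check(ip: str, resolve_ptr: PtrResolver, resolve_a: AResolver):
    """Forward-confirmed reverse DNS. Returns (status, ptr_name) where status is:
      'ok'       PTR exists and its forward lookup includes ip
      'noptr'    no PTR record for ip
      'baddns'   PTR exists but resolves to nothing (NXDOMAIN / no A record)
      'mismatch' PTR resolves forward, but not back to ip
    """
    ptr = resolve_ptr(ip)
    if not ptr:
        return "noptr", None
    ptr = ptr.rstrip(".")            # drop the trailing dot that 'host' prints
    addrs = resolve_a(ptr)
    if not addrs:
        return "baddns", ptr
    if ip not in addrs:
        return "mismatch", ptr
    return "ok", ptr


def consecutive_octets_in_hostname(ip: str, hostname: str, min_run: int = 2) -> bool:
    """Approximation (not the plugin's code) of a 'consecutive octets' heuristic:
    True if at least min_run adjacent octets of ip, in forward or reversed order,
    appear in hostname separated by '.' or '-'. '20989' in the thread's PTR is
    octets 1 and 4 jammed together, so it does not count."""
    octets = ip.split(".")
    host = hostname.lower()
    for order in (octets, octets[::-1]):
        for run in range(4, min_run - 1, -1):
            for start in range(0, 5 - run):
                window = order[start:start + run]
                if any(sep.join(window) in host for sep in (".", "-")):
                    return True
    return False


# Constructed sample records mirroring the lookups quoted in the thread.
SAMPLE_PTR = {"209.18.107.89": "ptr-20989.fastconcepts.net."}
SAMPLE_A_BROKEN = {}                                             # forward name NXDOMAIN
SAMPLE_A_FIXED = {"ptr-20989.fastconcepts.net": ["209.18.107.89"]}
```

Run `fcrdns_check("209.18.107.89", SAMPLE_PTR.get, lambda n: SAMPLE_A_BROKEN.get(n, []))` to reproduce the "baddns" verdict from John's lookup, and swap in `SAMPLE_A_FIXED` to see the same IP pass once the forward record exists.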