On Mon, 2017-05-08 at 18:44 -0500, David B Funk wrote:
> On Mon, 8 May 2017, John Hardin wrote:
>
> > On Mon, 8 May 2017, Chris wrote:
> >
> >> I get various posts from US-CERT none so far have been tagged as spam
> >> until today. The raw message with the SA tags is here -
> >> https://pastebin.com/f71A2FfW What it hit on was:
> >>
> >> pts rule name description
> >> ---- ---------------------- -----------------------------------------
> >> 5.0 BOTNET Relay might be a spambot or virusbot
> >> [botnet0.8,ip=208.42.190.173,maildomain=ncas.us-cert.gov,nordns]
> >
> > That's a bit worrying.
> >
> > ...but that looks like a local rule, I can't find "BOTNET" by itself as a
> > rule in SVN. Is it local? How is it defined?
> >
> [snip..]
> >
> > How did ncas.us-cert.gov get classified as a botnet host?
> >
>
> "Botnet" is a SA plugin that was written several years ago by John Rudd which
> tries to look for spammyness clues derived from the DNS/hostname of the
> first untrusted relay. From the source code comments:
>
> # Botnet - perform DNS validations on the first untrusted relay
> # looking for signs of a Botnet infected host, such as no reverse
> # DNS, a hostname that would indicate an ISP client or domain
> # workstation, or other hosts that aren't intended to be acting as
> # a direct mail submitter outside of their own domain.
>
> One of its heuristics is to look for signs of the IP address embedded in the
> hostname (EG looking for things like "client-201.240.187.107.speedy.net.pe")
> as a sign of an infected PC doing direct mail delivery.
>
> This fired on the host name of that site:
> mailer190173.service.govdelivery.com
> because part of its IP address [208.42.190.173] was found in the name.
>
> Years ago I dropped the default Botnet score (5.0) way down because of FPs like
> this.
>
> I'd be concerned with what caused the DKIM signature to fail validation.
> (DKIM_SIGNED, T_DKIM_INVALID).
> If something in the mail chain is breaking DKIM validation then attempts to use
> things like whitelist_auth are doomed to failure.

David and others, thank you for the replies. I've lowered the score for Botnet
down to 1.0, may go lower if it continues to cause problems or just get rid of
it. I've added this to my whitelist.cf:

whitelist_auth *@*.us-cert.gov us-cert.gov

I guess this rule hit is something that can't be avoided. I guess I could lower
the score but then that would defeat the purpose of the rule.

5.5 KAM_STOCKTIP Email Contains Pump & Dump Stock Tip

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
19:45:59 up 7 days, 2:29, 1 user, load average: 0.39, 0.34, 0.28
Description: Ubuntu 16.04.2 LTS, kernel 4.4.0-77-generic
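The two mechanisms discussed in this thread, the Botnet plugin's "IP embedded in the hostname" heuristic and the whitelist_auth entry that only takes effect when the sender is authenticated, can be reproduced in a few lines. The following Python is an added illustration written for this thread; it is not the Botnet plugin's code nor SpamAssassin's, and it simplifies both checks (the plugin's exact matching rules and whitelist_auth's SPF handling are assumed away; the third hostname and the sender address are constructed). It shows why mailer190173.service.govdelivery.com trips the heuristic for 208.42.190.173, and why a whitelist_auth entry does nothing for a message whose DKIM signature did not verify.

```python
import re
from fnmatch import fnmatch

# Constructed test cases: the first is the kind of consumer hostname the plugin
# targets (quoted in the thread), the second is the govdelivery relay that
# produced the false positive, the third is a plain mail exchanger (made up).
CASES = [
    ("201.240.187.107", "client-201.240.187.107.speedy.net.pe"),
    ("208.42.190.173", "mailer190173.service.govdelivery.com"),
    ("203.0.113.25", "mx1.example.org"),
]


def octets_found_in_hostname(ip, hostname):
    """Return the IPv4 octets (as strings, in address order) that occur as
    digits inside the hostname. Simplified stand-in for the plugin's check;
    the real plugin's matching rules are assumed, not copied."""
    octets = ip.split(".")
    # Every run of digits in the name: "mailer190173" -> ["190173"],
    # "client-201.240.187.107" -> ["201", "240", "187", "107"].
    runs = re.findall(r"\d+", hostname.lower())
    found = []
    for octet in octets:
        # A run may equal the octet or contain it glued to a neighbour
        # ("190173" holds both "190" and "173"). Single-digit octets are
        # matched the same way, which is part of why this is noisy.
        if any(octet in run for run in runs):
            found.append(octet)
    return found


def looks_like_ip_in_hostname(ip, hostname, min_octets=2):
    """Heuristic verdict: two or more octets present counts as a hit."""
    return len(octets_found_in_hostname(ip, hostname)) >= min_octets


def whitelist_auth_applies(sender, authenticated, patterns):
    """Model of whitelist_auth: the entry fires only when the sender matches a
    configured glob AND the message carried a verified signature (DKIM here;
    the real directive also accepts SPF). A bare domain with no '@' is not an
    address-shaped glob and matches no sender in this model."""
    if not authenticated:
        return False
    return any(fnmatch(sender.lower(), p.lower()) for p in patterns)


if __name__ == "__main__":
    for ip, host in CASES:
        hit = looks_like_ip_in_hostname(ip, host)
        print(f"{host:45} {ip:16} octets={octets_found_in_hostname(ip, host)} hit={hit}")
    for verified in (True, False):
        ok = whitelist_auth_applies("alerts@ncas.us-cert.gov", verified, ["*@*.us-cert.gov"])
        print(f"DKIM verified={verified}: whitelist_auth applies={ok}")
```

Run as-is it prints a hit for both the speedy.net.pe client and the govdelivery mailer, none for the plain MX, and shows the whitelist entry switching off as soon as the signature fails to verify, which is the point David makes about T_DKIM_INVALID: fixing whatever breaks the signature in the delivery chain matters more than tuning the Botnet score.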