Thanks for yet _more_ confirmation. However, if botnet is depending on DNS
pulling the "right" stuff, and someone's DNS is pulling the "wrong" stuff,
then it still could be botnet; just not directly.

"right": follow the CNAME to get a PTR
"wrong": return the CNAME as an answer.

I'm trying to get my provider to change the mailer's in-addr records to PTR
and leave the other 59 as CNAMES to my DNS server. If that works, then the
problem might go away. If they won't/can't do that, I don't know what else
to try. I guess I could go through all the hassle of having my rDNS remoted.
Sure sounds like a pain. It would _really_ be a pain if it didn't work!

Dan Barker

-----Original Message-----
From: John Rudd []
Sent: Tuesday, June 12, 2007 1:25 PM
To: Dan Barker
Cc: 'Spamassassin'
Subject: Re: DUL Lists? - OT

Dan Barker wrote:
> I'm receiving a lot of 421 rejects with:
> Unexpected connection response from server:
> 421 mails from refused: local dynamic IP address

In case there's any doubt about whether or not the Botnet plugin tripped up
on the PTR record situation (and someone used that as a basis for a
tempfail), here's the output of for that IP address:

% Botnet Version = 0.8 checking IP
BOTNET_NORDNS: not hit -
BOTNET_BADDNS: not hit - hostname resolves back to ip
BOTNET_SERVERWORDS: hit, matches=mail
BOTNET_CLIENT (meta) not hit
BOTNET_CLIENT (code) not hit, tests=none
BOTNET_SOHO: not hit
BOTNET (meta) not hit
BOTNET (code) not hit, tests=none

a) Botnet wasn't mislead by the PTR alias
b) None of the Botnet tests flagged this as a Botnet (the one hit was for
"server words" which would have helped you, not hurt you).