Thanks for yet _more_ confirmation. However, if botnet is depending on DNS
pulling the "right" stuff, and someone's DNS is pulling the "wrong" stuff,
then it still could be botnet; just not directly.

Definitions:
"right": follow the CNAME to get a PTR
"wrong": return the CNAME as an answer.

I'm trying to get my provider to change the mailer's in-addr records to PTR
and leave the other 59 as CNAMES to my DNS server. If that works, then the
problem might go away. If they won't/can't do that, I don't know what else
to try. I guess I could go through all the hassle of having my rDNS remoted.
Sure sounds like a pain. It would _really_ be a pain if it didn't work!

Dan Barker



-----Original Message-----
From: John Rudd [mailto:jrudd@ucsc.edu]
Sent: Tuesday, June 12, 2007 1:25 PM
To: Dan Barker
Cc: 'Spamassassin'
Subject: Re: DUL Lists? - OT

Dan Barker wrote:
> I'm receiving a lot of 421 rejects with:
>
> Unexpected connection response from server:
> 421 mails from 74.254.46.133 refused: local dynamic IP address
> 74.254.46.133"
>


In case there's any doubt about whether or not the Botnet plugin tripped up
on the PTR record situation (and someone used that as a basis for a
tempfail), here's the output of Botnet.pl for that IP address:


% Botnet.pl 74.254.46.133 visioncomm.net
Botnet Version = 0.8
checking IP address: 74.254.46.133
BOTNET_NORDNS: not hit - mail.visioncomm.net
BOTNET_BADDNS: not hit - hostname resolves back to ip
BOTNET_IPINHOSTNAME: not hit
BOTNET_CLIENTWORDS: not hit
BOTNET_SERVERWORDS: hit, matches=mail
BOTNET_CLIENT (meta) not hit
BOTNET_CLIENT (code) not hit, tests=none
BOTNET_SOHO: not hit
BOTNET (meta) not hit
BOTNET (code) not hit, tests=none




So:
a) Botnet wasn't misled by the PTR alias
b) None of the Botnet tests flagged this as a Botnet (the one hit was for
"server words" which would have helped you, not hurt you).
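
Added example (not part of the original thread, and not code from the Botnet plugin): the "right" and "wrong" handling defined at the top of this message, run over a constructed PTR answer set for a CNAME-delegated reverse zone, followed by a forward lookup check. All names, addresses and function names below are assumptions made for illustration.

```python
# Constructed answer section for a PTR query on a classless (RFC 2317 style)
# delegation; every name and address is made up (documentation range).
QNAME = "10.2.0.192.in-addr.arpa."
ANSWER = [
    (QNAME, "CNAME", "10.0-63.2.0.192.in-addr.arpa."),
    ("10.0-63.2.0.192.in-addr.arpa.", "PTR", "mail.example.net."),
]
FORWARD = {"mail.example.net.": {"192.0.2.10"}}  # constructed A records


def naive_ptr(qname, answer):
    """The "wrong" behaviour: return the first record's data as the hostname."""
    for owner, _rtype, rdata in answer:
        if owner.lower() == qname.lower():
            return rdata
    return None


def follow_ptr(qname, answer, max_hops=8):
    """The "right" behaviour: chase CNAMEs until a PTR record is reached."""
    name, seen = qname.lower(), set()
    for _ in range(max_hops):
        if name in seen:  # CNAME loop: give up instead of spinning
            return None
        seen.add(name)
        rrs = [(t, d) for o, t, d in answer if o.lower() == name]
        ptrs = [d for t, d in rrs if t == "PTR"]
        if ptrs:
            return ptrs[0]
        cnames = [d for t, d in rrs if t == "CNAME"]
        if not cnames:  # neither PTR nor CNAME: no reverse name
            return None
        name = cnames[0].lower()
    return None


def forward_confirms(hostname, ip, forward=FORWARD):
    """True when the hostname's address records include the connecting IP."""
    return hostname is not None and ip in forward.get(hostname.lower(), set())


def classify(ip, qname, answer, resolver):
    """Return (reverse name, forward-confirmed?) for the chosen resolver."""
    host = resolver(qname, answer)
    return host, forward_confirms(host, ip)
```

With the naive resolver the "hostname" is the CNAME target inside in-addr.arpa, so the forward check fails; following the chain yields the mail host and the check passes.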